feat: added description and update example.tf

clouddrove · Jun 15, 2023 · 0d2a455 · 0d2a455
1 parent 9e6a893
commit 0d2a455
Show file tree

Hide file tree

Showing 2 changed files with 103 additions and 102 deletions.
diff --git a/_example/example.tf b/_example/example.tf
@@ -26,4 +26,105 @@ module "kms_key" {
   create_external_enabled = true
   valid_to                = "2023-11-21T23:20:50Z"
   key_material_base64     = "Wblj06fduthWggmsT0cLVoIMOkeLbc2kVfMud77i/JY="
+  policy                  = data.aws_iam_policy_document.default.json
+}
+
+data "aws_caller_identity" "current" {}
+data "aws_partition" "current" {}
+
+##----------------------------------------------------------------------------------
+## Data block called to get Permissions that will be used in creating policy.
+##----------------------------------------------------------------------------------
+data "aws_iam_policy_document" "default" {
+  version = "2012-10-17"
+  statement {
+    sid    = "Enable IAM User Permissions"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+        format(
+          "arn:%s:iam::%s:root",
+          join("", data.aws_partition.current.*.partition),
+          data.aws_caller_identity.current.account_id
+        )
+      ]
+    }
+    actions   = ["kms:*"]
+    resources = ["*"]
+  }
+  statement {
+    sid    = "Allow CloudTrail to encrypt logs"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+    actions   = ["kms:GenerateDataKey*"]
+    resources = ["*"]
+    condition {
+      test     = "StringLike"
+      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+      values   = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"]
+    }
+  }
+
+  statement {
+    sid    = "Allow CloudTrail to describe key"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+    actions   = ["kms:DescribeKey"]
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "Allow principals in the account to decrypt log files"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+        format(
+          "arn:%s:iam::%s:root",
+          join("", data.aws_partition.current.*.partition),
+          data.aws_caller_identity.current.account_id
+        )
+      ]
+    }
+    actions = [
+      "kms:Decrypt",
+      "kms:ReEncryptFrom"
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      variable = "kms:CallerAccount"
+      values = [
+      "XXXXXXXXXXXX"]
+    }
+    condition {
+      test     = "StringLike"
+      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+      values   = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"]
+    }
+  }
+
+  statement {
+    sid    = "Allow alias creation during setup"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+        format(
+          "arn:%s:iam::%s:root",
+          join("", data.aws_partition.current.*.partition),
+          data.aws_caller_identity.current.account_id
+        )
+      ]
+    }
+    actions   = ["kms:CreateAlias"]
+    resources = ["*"]
+  }
 }
diff --git a/main.tf b/main.tf
@@ -11,9 +11,6 @@ module "labels" {
   label_order = var.label_order
 }
 
-data "aws_caller_identity" "current" {}
-data "aws_partition" "current" {}
-
 ####----------------------------------------------------------------------------------
 ## This terraform resource creates a KMS Customer Master Key (CMK) and its alias.
 ####----------------------------------------------------------------------------------
@@ -26,7 +23,7 @@ resource "aws_kms_key" "default" {
   is_enabled               = var.is_enabled
   enable_key_rotation      = var.enable_key_rotation
   customer_master_key_spec = var.customer_master_key_spec
-  policy                   = data.aws_iam_policy_document.default.json
+  policy                   = var.policy
   multi_region             = var.multi_region
   tags                     = module.labels.tags
 }
@@ -43,7 +40,7 @@ resource "aws_kms_external_key" "external" {
   enabled                            = var.is_enabled
   key_material_base64                = var.key_material_base64
   multi_region                       = var.multi_region
-  policy                             = data.aws_iam_policy_document.default.json
+  policy                             = var.policy
   valid_to                           = var.valid_to
 
   tags = module.labels.tags
@@ -57,101 +54,4 @@ resource "aws_kms_alias" "default" {
 
   name          = coalesce(var.alias, format("alias/%v", module.labels.id))
   target_key_id = join("", aws_kms_key.default.*.id)
-}
-
-##----------------------------------------------------------------------------------
-## Data block called to get Permissions that will be used in creating policy.
-##----------------------------------------------------------------------------------
-data "aws_iam_policy_document" "default" {
-  version = "2012-10-17"
-  statement {
-    sid    = "Enable IAM User Permissions"
-    effect = "Allow"
-    principals {
-      type = "AWS"
-      identifiers = [
-        format(
-          "arn:%s:iam::%s:root",
-          join("", data.aws_partition.current.*.partition),
-          data.aws_caller_identity.current.account_id
-        )
-      ]
-    }
-    actions   = ["kms:*"]
-    resources = ["*"]
-  }
-  statement {
-    sid    = "Allow CloudTrail to encrypt logs"
-    effect = "Allow"
-    principals {
-      type        = "Service"
-      identifiers = ["cloudtrail.amazonaws.com"]
-    }
-    actions   = ["kms:GenerateDataKey*"]
-    resources = ["*"]
-    condition {
-      test     = "StringLike"
-      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
-      values   = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"]
-    }
-  }
-
-  statement {
-    sid    = "Allow CloudTrail to describe key"
-    effect = "Allow"
-    principals {
-      type        = "Service"
-      identifiers = ["cloudtrail.amazonaws.com"]
-    }
-    actions   = ["kms:DescribeKey"]
-    resources = ["*"]
-  }
-
-  statement {
-    sid    = "Allow principals in the account to decrypt log files"
-    effect = "Allow"
-    principals {
-      type = "AWS"
-      identifiers = [
-        format(
-          "arn:%s:iam::%s:root",
-          join("", data.aws_partition.current.*.partition),
-          data.aws_caller_identity.current.account_id
-        )
-      ]
-    }
-    actions = [
-      "kms:Decrypt",
-      "kms:ReEncryptFrom"
-    ]
-    resources = ["*"]
-    condition {
-      test     = "StringEquals"
-      variable = "kms:CallerAccount"
-      values = [
-      "XXXXXXXXXXXX"]
-    }
-    condition {
-      test     = "StringLike"
-      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
-      values   = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"]
-    }
-  }
-
-  statement {
-    sid    = "Allow alias creation during setup"
-    effect = "Allow"
-    principals {
-      type = "AWS"
-      identifiers = [
-        format(
-          "arn:%s:iam::%s:root",
-          join("", data.aws_partition.current.*.partition),
-          data.aws_caller_identity.current.account_id
-        )
-      ]
-    }
-    actions   = ["kms:CreateAlias"]
-    resources = ["*"]
-  }
 }