feat: added policy data description

clouddrove · Jun 14, 2023 · f7cffa3 · f7cffa3
1 parent dd64c5c
commit f7cffa3
Showing 1 changed file with 8 additions and 82 deletions.
diff --git a/README.yaml b/README.yaml
@@ -47,88 +47,14 @@ usage : |-
       name        = "kms"
       environment = "test"
       label_order = ["name", "environment"]
-      enabled     = true
-      description             = "KMS key for cloudtrail"
-      deletion_window_in_days = 7
-      enable_key_rotation     = true
-      alias                   = "alias/cloudtrail"
-      policy                  = data.aws_iam_policy_document.default.json
-    }
-
-    data "aws_iam_policy_document" "default" {
-      version = "2012-10-17"
-      statement {
-        sid    = "Enable IAM User Permissions"
-        effect = "Allow"
-        principals {
-          type        = "AWS"
-          identifiers = ["*"]
-        }
-        actions   = ["kms:*"]
-        resources = ["*"]
-      }
-      statement {
-        sid    = "Allow CloudTrail to encrypt logs"
-        effect = "Allow"
-        principals {
-          type        = "Service"
-          identifiers = ["cloudtrail.amazonaws.com"]
-        }
-        actions   = ["kms:GenerateDataKey*"]
-        resources = ["*"]
-        condition {
-          test     = "StringLike"
-          variable = "kms:EncryptionContext:aws:cloudtrail:arn"
-          values   = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"]
-        }
-      }
-
-      statement {
-        sid    = "Allow CloudTrail to describe key"
-        effect = "Allow"
-        principals {
-          type        = "Service"
-          identifiers = ["cloudtrail.amazonaws.com"]
-        }
-        actions   = ["kms:DescribeKey"]
-        resources = ["*"]
-      }
 
-      statement {
-        sid    = "Allow principals in the account to decrypt log files"
-        effect = "Allow"
-        principals {
-          type        = "AWS"
-          identifiers = ["*"]
-        }
-        actions = [
-          "kms:Decrypt",
-          "kms:ReEncryptFrom"
-        ]
-        resources = ["*"]
-        condition {
-          test     = "StringEquals"
-          variable = "kms:CallerAccount"
-          values = [
-          "XXXXXXXXXXXX"]
-        }
-        condition {
-          test     = "StringLike"
-          variable = "kms:EncryptionContext:aws:cloudtrail:arn"
-          values   = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"]
-        }
-      }
-
-      statement {
-        sid    = "Allow alias creation during setup"
-        effect = "Allow"
-        principals {
-          type        = "AWS"
-          identifiers = ["*"]
-        }
-        actions   = ["kms:CreateAlias"]
-        resources = ["*"]
-      }
+      deletion_window_in_days = 7
+      alias                   = "alias/cloudtrail_Name"
+      enabled                 = true
+      kms_key_enabled         = true
+      multi_region            = true
+      create_external_enabled = true
+      valid_to                = "2023-11-21T23:20:50Z"
+      key_material_base64     = "Wblj06fduthWggmsT0cLVoIMOkeLbc2kVfMud77i/JY="
     }
-
   ```