Updated KMS

CSVD · Jul 31, 2024 · f300a8c · f300a8c
1 parent bfe71ee
commit f300a8c
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 44 deletions.
diff --git a/kms.tf b/kms.tf
@@ -1,25 +1,22 @@
 locals {
-  kms_key_name        = "rhel-x86-codepipeline-key" # Name for the KMS key alias
-  account_id          = "229685449397"              # Replace with your AWS account ID
-  partition           = "aws-us-gov"
-  region              = "us-gov-west-1"         
+  kms_key_name = "rhel-x86-codepipeline-key" # Name for the KMS key alias
+  account_id   = "229685449397"              # Replace with your AWS account ID
+  partition    = "aws-us-gov"
+  region       = "us-gov-west-1"
 }
 
-# Define the KMS Key resource
 resource "aws_kms_key" "rhel_x86_codepipeline_key" {
   description         = "KMS key for RHEL x86 CodePipeline"
   enable_key_rotation = true
 
   policy = data.aws_iam_policy_document.key_policy_combined.json
 }
 
-# Define the KMS Key Alias
 resource "aws_kms_alias" "rhel_x86_codepipeline_alias" {
   name          = "alias/${local.kms_key_name}"
   target_key_id = aws_kms_key.rhel_x86_codepipeline_key.key_id
 }
 
-# Define the key policy document
 data "aws_iam_policy_document" "key_policy_combined" {
   statement {
     sid       = "Enable IAM User Permissions"
@@ -32,46 +29,13 @@ data "aws_iam_policy_document" "key_policy_combined" {
     resources = ["*"]
   }
 
-  statement {
-    sid       = "Allow access for Key Administrators"
-    effect    = "Allow"
-    principals {
-      type        = "AWS"
-      identifiers = [
-        "arn:${local.partition}:iam::${local.account_id}:role/rhel-arm-image-pipeline-demo-codepipeline-role",
-        "arn:${local.partition}:iam::${local.account_id}:role/rhel-x86-image-pipeline-demo-ec2-role",
-        "arn:${local.partition}:iam::${local.account_id}:role/rhel-x86-image-pipeline-demo-codepipeline-role"
-      ]
-    }
-    actions   = [
-      "kms:Create*",
-      "kms:Describe*",
-      "kms:Enable*",
-      "kms:List*",
-      "kms:Put*",
-      "kms:Update*",
-      "kms:Revoke*",
-      "kms:Disable*",
-      "kms:Get*",
-      "kms:Delete*",
-      "kms:TagResource",
-      "kms:UntagResource",
-      "kms:ScheduleKeyDeletion",
-      "kms:CancelKeyDeletion",
-      "kms:RotateKeyOnDemand"
-    ]
-    resources = ["*"]
-  }
-
   statement {
     sid       = "Allow use of the key"
     effect    = "Allow"
     principals {
       type        = "AWS"
       identifiers = [
-        "arn:${local.partition}:iam::${local.account_id}:role/rhel-arm-image-pipeline-demo-codepipeline-role",
-        "arn:${local.partition}:iam::${local.account_id}:role/rhel-x86-image-pipeline-demo-ec2-role",
-        "arn:${local.partition}:iam::${local.account_id}:role/rhel-x86-image-pipeline-demo-codepipeline-role"
+        "arn:${local.partition}:iam::${local.account_id}:user/tf-pipeline/rhel-image-pipeline-demo"
       ]
     }
     actions   = [
@@ -90,9 +54,7 @@ data "aws_iam_policy_document" "key_policy_combined" {
     principals {
       type        = "AWS"
       identifiers = [
-        "arn:${local.partition}:iam::${local.account_id}:role/rhel-arm-image-pipeline-demo-codepipeline-role",
-        "arn:${local.partition}:iam::${local.account_id}:role/rhel-x86-image-pipeline-demo-ec2-role",
-        "arn:${local.partition}:iam::${local.account_id}:role/rhel-x86-image-pipeline-demo-codepipeline-role"
+        "arn:${local.partition}:iam::${local.account_id}:user/tf-pipeline/rhel-image-pipeline-demo"
       ]
     }
     actions   = [

diff --git a/playbook.yml b/playbook.yml