* 2.4.13 -- 2023-11-08

  - iam-general-policies
    - add cloudforms_kms_key_arns to be added at run-time

CHANGELOG.md

@@ -317,3 +317,7 @@
   - iam-general-policies
     - add 10/8 and 172.16/12 to the allowed VPC cidr blocks and remove it from from the base cid (only public IPs)
     - add network-prod s3 interface endpoints
+
+* 2.4.13 -- 2023-11-08
+  - iam-general-policies
+    - add cloudforms_kms_key_arns to be added at run-time

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.4.12"
+  _module_version = "2.4.13"
 }

iam-general-policies/README.md

@@ -290,6 +290,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| <a name="input_cloudforms_kms_key_arns"></a> [cloudforms\_kms\_key\_arns](#input\_cloudforms\_kms\_key\_arns) | List of additional KMS Key ARNs for use by CloudForms policy (recommended to get alias/aws/ebs in each region) | `list` | `[]` | no |
 | <a name="input_component_tags"></a> [component\_tags](#input\_component\_tags) | Additional tags for Components (policy) | `map(map(string))` | <pre>{<br>  "policy": {}<br>}</pre> | no |
 | <a name="input_ipr_additional_cidr_blocks"></a> [ipr\_additional\_cidr\_blocks](#input\_ipr\_additional\_cidr\_blocks) | Additional CIDR blocks for IP based API restrictions (default: none) | `list(string)` | `[]` | no |
 | <a name="input_ipr_base_cidr_blocks"></a> [ipr\_base\_cidr\_blocks](#input\_ipr\_base\_cidr\_blocks) | Base CIDR blocks for IP based API restrictions (default: census class B network, IPv6; public IPs only) | `list(string)` | <pre>[<br>  "148.129.0.0/16",<br>  "2610:20:2000::0/38"<br>]</pre> | no |

iam-general-policies/policy.cloudforms.tf

@@ -146,6 +146,12 @@ locals {
   }
 }
 
+locals {
+  _cfkeys1 = length(local.cloudforms_ami_kms_keys[data.aws_arn.current.partition]) > 0 ? local.cloudforms_ami_kms_keys[data.aws_arn.current.partition] : []
+  _cfkeys2 = var.cloudforms_kms_key_arns
+  cf_keys  = distinct(compact(concat(local._cfkeys1, local._cfkeys2)))
+}
+
 data "aws_iam_policy_document" "cloudforms_ami" {
   # need this statement to be able to generate some policy document
   statement {
@@ -162,7 +168,7 @@ data "aws_iam_policy_document" "cloudforms_ami" {
   }
   # for access to remote AMI key
   dynamic "statement" {
-    for_each = length(local.cloudforms_ami_kms_keys[data.aws_arn.current.partition]) > 0 ? { (data.aws_arn.current.partition) = local.cloudforms_ami_kms_keys[data.aws_arn.current.partition] } : {}
+    for_each = length(local.cf_keys) > 0 ? { "keys" = local.cf_keys } : {}
     iterator = c
     content {
       sid       = "AWSCloudformsAMIKeyAccess"
@@ -173,6 +179,7 @@ data "aws_iam_policy_document" "cloudforms_ami" {
         "kms:ReEncrypt*",
         "kms:CreateGrant",
         "kms:Decrypt",
+        "kms:GenerateDataKey*",
       ]
     }
   }

iam-general-policies/variables.tf

@@ -68,3 +68,9 @@ variable "regions" {
   type        = list(string)
   default     = []
 }
+
+variable "cloudforms_kms_key_arns" {
+  description = "List of additional KMS Key ARNs for use by CloudForms policy (recommended to get alias/aws/ebs in each region)"
+  value       = list(string)
+  default     = []
+}