diff --git a/CHANGELOG.md b/CHANGELOG.md
index 13462c2..68c377d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -317,3 +317,7 @@
- iam-general-policies
- add 10/8 and 172.16/12 to the allowed VPC cidr blocks and remove it from from the base cid (only public IPs)
- add network-prod s3 interface endpoints
+
+* 2.4.13 -- 2023-11-08
+ - iam-general-policies
+ - add cloudforms_kms_key_arns to be added at run-time
diff --git a/common/version.tf b/common/version.tf
index a7d3afb..ae971c9 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
locals {
- _module_version = "2.4.12"
+ _module_version = "2.4.13"
}
diff --git a/iam-general-policies/README.md b/iam-general-policies/README.md
index 911c20e..96d2384 100644
--- a/iam-general-policies/README.md
+++ b/iam-general-policies/README.md
@@ -290,6 +290,7 @@ No modules.
|------|-------------|------|---------|:--------:|
| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [cloudforms\_kms\_key\_arns](#input\_cloudforms\_kms\_key\_arns) | List of additional KMS Key ARNs for use by CloudForms policy (recommended to get alias/aws/ebs in each region) | `list` | `[]` | no |
| [component\_tags](#input\_component\_tags) | Additional tags for Components (policy) | `map(map(string))` |
{
"policy": {}
} | no |
| [ipr\_additional\_cidr\_blocks](#input\_ipr\_additional\_cidr\_blocks) | Additional CIDR blocks for IP based API restrictions (default: none) | `list(string)` | `[]` | no |
| [ipr\_base\_cidr\_blocks](#input\_ipr\_base\_cidr\_blocks) | Base CIDR blocks for IP based API restrictions (default: census class B network, IPv6; public IPs only) | `list(string)` | [| no |
diff --git a/iam-general-policies/policy.cloudforms.tf b/iam-general-policies/policy.cloudforms.tf
index a5eab31..f31cca3 100644
--- a/iam-general-policies/policy.cloudforms.tf
+++ b/iam-general-policies/policy.cloudforms.tf
@@ -146,6 +146,12 @@ locals {
}
}
+locals {
+ _cfkeys1 = length(local.cloudforms_ami_kms_keys[data.aws_arn.current.partition]) > 0 ? local.cloudforms_ami_kms_keys[data.aws_arn.current.partition] : []
+ _cfkeys2 = var.cloudforms_kms_key_arns
+ cf_keys = distinct(compact(concat(local._cfkeys1, local._cfkeys2)))
+}
+
data "aws_iam_policy_document" "cloudforms_ami" {
# need this statement to be able to generate some policy document
statement {
@@ -162,7 +168,7 @@ data "aws_iam_policy_document" "cloudforms_ami" {
}
# for access to remote AMI key
dynamic "statement" {
- for_each = length(local.cloudforms_ami_kms_keys[data.aws_arn.current.partition]) > 0 ? { (data.aws_arn.current.partition) = local.cloudforms_ami_kms_keys[data.aws_arn.current.partition] } : {}
+ for_each = length(local.cf_keys) > 0 ? { "keys" = local.cf_keys } : {}
iterator = c
content {
sid = "AWSCloudformsAMIKeyAccess"
@@ -173,6 +179,7 @@ data "aws_iam_policy_document" "cloudforms_ami" {
"kms:ReEncrypt*",
"kms:CreateGrant",
"kms:Decrypt",
+ "kms:GenerateDataKey*",
]
}
}
diff --git a/iam-general-policies/variables.tf b/iam-general-policies/variables.tf
index 64e4eed..3a060ca 100644
--- a/iam-general-policies/variables.tf
+++ b/iam-general-policies/variables.tf
@@ -68,3 +68,9 @@ variable "regions" {
type = list(string)
default = []
}
+
+variable "cloudforms_kms_key_arns" {
+ description = "List of additional KMS Key ARNs for use by CloudForms policy (recommended to get alias/aws/ebs in each region)"
+ value = list(string)
+ default = []
+}
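Review bot: The conditional on `_cfkeys1` in the new locals block is a no-op: when `length(...)` is 0 the expression already evaluates to an empty list, and the `length()` call itself still fails if the current partition has no entry in `local.cloudforms_ami_kms_keys` (whose definition is outside the hunk; assuming it is a map keyed by partition), so `_cfkeys1 = lookup(local.cloudforms_ami_kms_keys, data.aws_arn.current.partition, [])` is both shorter and safer. The third hunk's `"kms:GenerateDataKey*"` widens the `AWSCloudformsAMIKeyAccess` statement for every key in `local.cf_keys`, including the pre-existing partition keys, yet the CHANGELOG entry only mentions the new variable; the permission change deserves its own line there. The locals would also benefit from a one-line comment such as `# union of the partition's built-in AMI keys and caller-supplied ARNs; feeds the AWSCloudformsAMIKeyAccess statement resources`. The `aws_iam_policy_document.cloudforms_ami` block continues outside the hunk.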
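Review bot: `value = list(string)` is not a valid argument for a Terraform `variable` block (the sibling `regions` variable in the context lines uses `type`), so `terraform validate` will reject this file; the line should read `type = list(string)`, and the README row showing the type as `list` rather than `list(string)` is the visible symptom of that. Because every entry of this list is spliced verbatim into the Resource element of the kms:Decrypt/CreateGrant/GenerateDataKey* statement, a `validation` block (if the module's required Terraform version allows it) should reject anything that is not a KMS key ARN, so that a stray `*` cannot widen the grant to every key in the account. The description recommends `alias/aws/ebs`, but the value to list is the key ARN behind that alias; an alias ARN in the Resource element does not match KMS key operations, which the same validation would catch.

```hcl
variable "cloudforms_kms_key_arns" {
  description = "List of additional KMS Key ARNs for use by CloudForms policy (recommended to get alias/aws/ebs in each region)"
  type        = list(string)
  default     = []

  # Entries land unmodified in the Resource element of the AWSCloudformsAMIKeyAccess
  # statement, so only accept key ARNs (not aliases, not wildcards).
  validation {
    condition     = alltrue([for a in var.cloudforms_kms_key_arns : can(regex("^arn:[^:]+:kms:[^:]+:[0-9]{12}:key/", a))])
    error_message = "Every entry of cloudforms_kms_key_arns must be a KMS key ARN (arn:<partition>:kms:<region>:<account>:key/<id>)."
  }
}
```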
"148.129.0.0/16",
"2610:20:2000::0/38"
]