fix

iam-general-policies/custom_policies.tf

@@ -68,7 +68,8 @@ locals {
       path        = "/"
       description = "Policy for INF CSVD CloudForms Access shared AMIs"
       #      policy        = length(local.cloudforms_ami_kms_keys[data.aws_arn.current.partition]) > 0 ? data.aws_iam_policy_document.cloudforms_ami.json : data.aws_iam_policy_document.empty.json
-      policy        = length(local.cloudforms_ami_kms_keys[data.aws_arn.current.partition]) > 0 ? data.aws_iam_policy_document.cloudforms_ami.json : null
+      # policy        = length(local.cloudforms_ami_kms_keys[data.aws_arn.current.partition]) > 0 ? data.aws_iam_policy_document.cloudforms_ami.json : null
+      policy        = data.aws_iam_policy_document.cloudforms_ami.json
       create_policy = true
     }
 

iam-general-policies/main.tf

@@ -154,7 +154,7 @@ resource "aws_iam_policy" "general" {
   name        = format("%vinf-%v", lookup(local._prefixes, "policy", ""), each.value["name"])
   path        = lookup(each.value, "path", "/")
   description = lookup(each.value, "description", "${each.key} policy")
-  policy      = lookup(each.value, "policy", null)
+  policy      = lookup(each.value, "policy", data.aws_iam_policy_document.empty.json)
 
   tags = merge(
     var.tags,

iam-general-policies/policy.cloudforms.tf

@@ -147,6 +147,19 @@ locals {
 }
 
 data "aws_iam_policy_document" "cloudforms_ami" {
+  # need this statement to be able to generate some policy document
+  statement {
+    sid       = "KMSReadOnlyAccess"
+    effect    = "Allow"
+    resources = ["*"]
+
+    actions = [
+      "kms:ListKeys",
+      "kms:ListKeyPolicies",
+      "kms:ListAliases",
+      "kms:DescribeKey"
+    ]
+  }
   # for access to remote AMI key
   dynamic "statement" {
     for_each = length(local.cloudforms_ami_kms_keys[data.aws_arn.current.partition]) > 0 ? { (data.aws_arn.current.partition) = local.cloudforms_ami_kms_keys[data.aws_arn.current.partition] } : {}