diff --git a/common/base_settings.tf b/common/base_settings.tf
index 4e852ac..7d17c3d 100644
--- a/common/base_settings.tf
+++ b/common/base_settings.tf
@@ -4,3 +4,20 @@ locals {
partition = data.aws_arn.current.partition
region = data.aws_region.current.name
}
+
+# enforced tags
+locals {
+ # strip spaces, convert to lowercase, make distinct, sort. Remove those not in the _defaults
+ add_safeguard_tags = local.enable_title26 ? ["title26"] : []
+ _default_safeguard_tags = { for d in local._defaults["data_safeguards"] : d => d }
+ safeguard_tags = sort(distinct(compact(concat([for t in var.data_safeguards : lookup(local._default_safeguard_tags, lower(replace(t, " ", "")), "")], local.add_safeguard_tags))))
+ add_tags = {
+ safeguard = {
+ "exists" = { "boc:safeguard" = join(",", local.safeguard_tags) }
+ "not_exists" = {}
+ }
+ }
+ enforced_tags = merge(
+ local.add_tags["safeguard"][length(local.safeguard_tags) > 0 ? "exists" : "not_exists"]
+ )
+}
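Review bot: On the `safeguard_tags` line, a `data_safeguards` entry that does not match a key in `_defaults["data_safeguards"]` is mapped to `""` by `lookup(...)` and then silently dropped by `compact()`, so a typo in a classification label (e.g. `"titel26"`) yields a bucket or key with no `boc:safeguard` tag and no plan-time error, which is a fail-open outcome for a control whose purpose is to enforce labeling. I would surface the unmatched entries, e.g. `unknown_safeguards = [for t in var.data_safeguards : t if lookup(local._default_safeguard_tags, lower(replace(t, " ", "")), "") == ""]`, and reject them with a `validation` block on the variable or a resource `precondition` (the latter needs Terraform ≥ 1.2; I cannot see the required version from here). Note also that the lookup normalizes the input with `lower()` and `replace(t, " ", "")` but the `_default_safeguard_tags` keys are taken verbatim from `_defaults`, so any default containing uppercase or spaces can never match — worth normalizing both sides or adding a comment stating that defaults must already be lowercase and space-free. Finally, the single-argument `merge()` on the `enforced_tags` line is a no-op; `enforced_tags = length(local.safeguard_tags) > 0 ? { "boc:safeguard" = join(",", local.safeguard_tags) } : {}` reads more directly, and since `local.enable_title26` is now referenced from this shared file, a comment noting that every module including `common/` must define that local would help the next maintainer.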
diff --git a/common/resources.tf b/common/resources.tf
index d1410ec..23caa0c 100644
--- a/common/resources.tf
+++ b/common/resources.tf
@@ -24,22 +24,6 @@ locals {
s3_bucket_conditions_list = list(local.condition_allowed_cidr, local.condition_allowed_endpoints)
s3_bucket_conditions = [for x in local.s3_bucket_conditions_list : x if length(x.values) > 0]
- # enforced_tags = {
- # "boc:safeguard" = "title26"
- # }
- # strip spaces, convert to lowercase, make distinct, sort. Remove those not in the _defaults
- add_safeguard_tags = local.enable_title26 ? ["title26"] : []
- _default_safeguard_tags = { for d in local._defaults["data_safeguards"] : d => d }
- safeguard_tags = sort(distinct(compact(concat([for t in var.data_safeguards : lookup(local._default_safeguard_tags, lower(replace(t, " ", "")), "")], local.add_safeguard_tags))))
- add_tags = {
- safeguard = {
- "exists" = { "boc:safeguard" = join(",", local.safeguard_tags) }
- "not_exists" = {}
- }
- }
- enforced_tags = merge(
- local.add_tags["safeguard"][length(local.safeguard_tags) > 0 ? "exists" : "not_exists"]
- )
metadata_tags = merge(
var.metadata_tags,
{ for k, v in local.enforced_tags : format("x-amzn-meta-%v", replace(k, "/\\W/", "_")) => v }
diff --git a/kms_key/README.md b/kms_key/README.md
index 3359374..6d323d1 100644
--- a/kms_key/README.md
+++ b/kms_key/README.md
@@ -37,7 +37,6 @@ No modules.
| [aws_kms_key.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_iam_policy_document.bucket_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
diff --git a/kms_key/main.tf b/kms_key/main.tf
index 6f47c84..60dd993 100644
--- a/kms_key/main.tf
+++ b/kms_key/main.tf
@@ -19,5 +19,6 @@
locals {
- name = var.key_name
+ name = var.key_name
+ enable_title26 = var.enable_title26 ? true : false
}
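Review bot: `var.enable_title26 ? true : false` is a redundant conditional if the variable is declared as `bool`, and it errors at plan time ("condition value is null") if the variable is nullable or a caller passes `null`; `enable_title26 = coalesce(var.enable_title26, false)` covers both cases in one expression (the same pattern appears in `standard/main.tf`, so I would change both for consistency). Since `common/base_settings.tf` now reads `local.enable_title26` to decide whether the `boc:safeguard` tag is applied, a short comment such as `# consumed by common/base_settings.tf to add the title26 safeguard tag` would make that cross-file dependency visible. I cannot see `kms_key/variables.tf` from here; if `enable_title26` is a new input to this module, the kms_key README's inputs table should be regenerated as well, since the README hunk in this commit only touches the resources table.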
diff --git a/standard/README.md b/standard/README.md
index c6739b3..0e39c1c 100644
--- a/standard/README.md
+++ b/standard/README.md
@@ -133,7 +133,8 @@ No modules.
| [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `false` | no |
| [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no |
| [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default. | `list(string)` | `[]` | no |
-| [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored. | `string` | `""` | no |
+| [kms\_key\_arn](#input\_kms\_key\_arn) | AWS KMS Key ARN, a key created external to this module call. | `string` | `null` | no |
+| [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored (and deprecated). | `string` | `null` | no |
| [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no |
| [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no |
| [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no |
diff --git a/standard/main.tf b/standard/main.tf
index d21c81b..ca24540 100644
--- a/standard/main.tf
+++ b/standard/main.tf
@@ -89,6 +89,3 @@ locals {
enable_title26 = var.enable_title26 ? true : false
versioning = false
}
-
-
-