fix

public/kms.tf

@@ -0,0 +1,65 @@
+# data "aws_kms_key" "incoming_key" {
+#   count = var.kms_key_arn != null ? 1 : 0
+#   key_id = var.kms_key_arn
+# }
+# 
+locals {
+  kms_key_arn  = var.kms_key_arn == null ? try(aws_kms_key.key[0].arn, "") : var.kms_key_arn
+  kms_key_name = format("%s%s", local.__prefixes["kms"], local.name)
+
+  kms_admin_root      = [format("arn:%v:iam::%v:root", local.partition, local.account_id)]
+  kms_admin_roles     = compact(concat(local.kms_admin_root, var.kms_admin_roles))
+  kms_policy_document = length(var.kms_policy_document) > 0 ? var.kms_policy_document : data.aws_iam_policy_document.empty.json
+}
+
+#---
+# create a key and alias if not specified
+#---
+resource "aws_kms_key" "key" {
+  count               = local.use_kms_encryption && var.kms_key_arn == null ? 1 : 0
+  description         = "KMS CMK for S3 bucket ${local.name}"
+  enable_key_rotation = true
+  policy              = data.aws_iam_policy_document.key_policy_combined.json
+  multi_region        = var.multi_region
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    local.enforced_tags,
+    { "Name" = local.kms_key_name }
+  )
+}
+
+resource "aws_kms_alias" "key" {
+  count         = local.use_kms_encryption && var.kms_key_arn == null ? 1 : 0
+  name          = "alias/${local.kms_key_name}"
+  target_key_id = var.kms_key_arn == null ? aws_kms_key.key[0].key_id : null
+}
+
+# auto includes root
+data "aws_iam_policy_document" "key_admin" {
+  statement {
+    sid       = "BuiltinKMSAdminRoles"
+    effect    = "Allow"
+    actions   = ["kms:*"]
+    resources = ["*"]
+    principals {
+      type        = "AWS"
+      identifiers = local.kms_admin_roles
+    }
+  }
+}
+
+data "aws_iam_policy_document" "key_policy_combined" {
+  source_policy_documents = [
+    data.aws_iam_policy_document.key_admin.json,
+    local.kms_policy_document
+  ]
+}
+
+data "aws_iam_policy_document" "empty" {}
+
+data "aws_kms_key" "incoming_key" {
+  count  = 0
+  key_id = var.kms_key_arn
+}