From 02d93592c93fe6c69eef030e86a832080f268400 Mon Sep 17 00:00:00 2001 From: badra001 Date: Tue, 11 May 2021 13:55:55 -0400 Subject: [PATCH 1/8] v2.1.0: add kms policy and admin roles --- CHANGELOG.md | 3 +++ common/README.md | 7 +++++++ common/data.tf | 7 +++++++ common/resources.tf | 34 +++++++++++++++++++++++++++++++++- common/variables.tf | 12 ++++++++++++ common/version.tf | 2 +- 6 files changed, 63 insertions(+), 2 deletions(-) create mode 100644 common/data.tf diff --git a/CHANGELOG.md b/CHANGELOG.md index 38e21b5..4f42716 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -28,3 +28,6 @@ * v2.0.1 -- 20210325 - make bucket policies denying missing encryption header optional - add variable: `require_explicit_encryption` default = false + +* v2.1.0 -- 20210511 + - add kms_policy to be used for custom kms key policy and kms_admin_roles diff --git a/common/README.md b/common/README.md index 93e771d..3f9c08f 100644 --- a/common/README.md +++ b/common/README.md 
@@ -24,7 +24,12 @@ No modules. | [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | | [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | | [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs 
@@ -37,7 +42,9 @@ No modules. | [bucket\_folders](#input\_bucket\_folders) | List of folders (keys) to create after creation of bucket. They will have object metadata provided based on metadata\_tags and data\_safeguard labels. | `list(string)` | `[]` | no | | [bucket\_name](#input\_bucket\_name) | AWS Bucket Name. Standard prefix will be applied here, do not include here. | `string` | n/a | yes | | [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no | +| [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default. | `list(string)` | `[]` | no | | [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored. | `string` | `""` | no | +| [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no | | [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no | | [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | diff --git a/common/data.tf b/common/data.tf new file mode 100644 index 0000000..16506e6 --- /dev/null +++ b/common/data.tf 
@@ -0,0 +1,7 @@ +data "aws_caller_identity" "current" {} + +data "aws_arn" "current" { + arn = data.aws_caller_identity.current.arn +} + +data "aws_region" "current" {} diff --git a/common/resources.tf b/common/resources.tf index 6d5394a..7a9fc7f 100644 --- a/common/resources.tf +++ b/common/resources.tf @@ -1,3 +1,11 @@ +locals { + + account_id = data.aws_caller_identity.current.account_id + current_user_arn = data.aws_caller_identity.current.arn + partition = data.aws_arn.current.partition + region = data.aws_region.current.name +} + locals { name = replace(var.bucket_name, local._prefixes["s3"], "") bucket_name = format("%s%s", local._prefixes["s3"], local.name) @@ -6,6 +14,9 @@ locals { kms_key_arn = aws_kms_key.key.arn kms_key_name = format("%s%s", local._prefixes["kms"], local.name) + kms_admin_root = format("arn:%v:iam::%v:root", local.partition, local.account_id) + kms_admin_roles = compact(concat(local.kms_admin_root, var.kms_admin_roles)) + condition_allowed_cidr = { "test" : "NotIpAddress" "variable" : "aws:sourceIp" @@ -210,7 +221,7 @@ resource "aws_s3_bucket_object" "this_objects" { resource "aws_kms_key" "key" { description = "KMS CMK for S3 bucket ${local.name}" enable_key_rotation = true - # policy = data.aws_iam_policy_document.key.json + policy = data.aws_iam_policy_document.key_policy_combined.json tags = merge( local.base_tags, @@ -224,3 +235,24 @@ resource "aws_kms_alias" "key" { name = "alias/${local.kms_key_name}" target_key_id = aws_kms_key.key.key_id } + +# auto includes root +data "aws_iam_policy_document" "key_admin" { + statement { + sid = "KMSAdminRoles" + effect = "Allow" + actions = ["kms:*"] + resources = ["*"] + principals { + type = "AWS" + identifiers = local.kms_admin_roles + } + } +} + +data "aws_iam_policy_document" "key_policy_combined" { + source_policy_documents = [ + data.aws_iam_policy_document.key_admin.json, + var.kms_policy_document + ] +} 
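Review bot: The `key_admin` statement grants `kms:*` on `resources = ["*"]` to every ARN in `local.kms_admin_roles`, which is cryptographic use (Decrypt, Encrypt, GenerateDataKey) as well as administration, so a role listed only as a key administrator can read every object in the bucket. If the variable name reflects the intent, restrict `actions` to the management set AWS uses for key administrators (`kms:Create*`, `kms:Describe*`, `kms:Enable*`, `kms:List*`, `kms:Put*`, `kms:Update*`, `kms:Revoke*`, `kms:Disable*`, `kms:Get*`, `kms:Delete*`, `kms:TagResource`, `kms:UntagResource`, `kms:ScheduleKeyDeletion`, `kms:CancelKeyDeletion`) and leave usage grants to `kms_policy_document`; the account root principal should keep `kms:*` so IAM policies in the account can still delegate access and the key cannot lock itself out (`bypass_policy_lockout_safety_check` is left at its default, which is right). The `# auto includes root` comment would say more as `# Key policy: account root (lockout protection + IAM delegation) plus var.kms_admin_roles; both get full kms:* today.`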
diff --git a/common/variables.tf b/common/variables.tf index 1e97786..6b35a7c 100644 --- a/common/variables.tf +++ b/common/variables.tf @@ -15,6 +15,18 @@ variable "kms_key_id" { default = "" } +variable "kms_policy_document" { + description = "AWS KMS Key Policy Document JSON, merged with admin policy document" + type = string + default = "" +} + +variable "kms_admin_roles" { + description = "AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default." + type = list(string) + default = [] +} + variable "tags" { description = "AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data_safeguard field for such things." type = map(string) diff --git a/common/version.tf b/common/version.tf index 100daf2..55a44df 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "2.0.1" + _module_version = "2.1.0" } From 2298bdb3b37e144a39593bf9628273221c1e0318 Mon Sep 17 00:00:00 2001 From: badra001 Date: Tue, 11 May 2021 13:58:59 -0400 Subject: [PATCH 2/8] add data.tf --- standard/data.tf | 1 + title26/data.tf | 1 + 2 files changed, 2 insertions(+) create mode 120000 standard/data.tf create mode 120000 title26/data.tf diff --git a/standard/data.tf b/standard/data.tf new file mode 120000 index 0000000..995624d --- /dev/null +++ b/standard/data.tf @@ -0,0 +1 @@ +../common/data.tf \ No newline at end of file diff --git a/title26/data.tf b/title26/data.tf new file mode 120000 index 0000000..995624d --- /dev/null +++ b/title26/data.tf @@ -0,0 +1 @@ +../common/data.tf \ No newline at end of file From 7264f5d6bd5890a83563c61dcd4ba226b05d1ae2 Mon Sep 17 00:00:00 2001 From: badra001 Date: Tue, 11 May 2021 14:03:08 -0400 Subject: [PATCH 3/8] fix --- common/resources.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/resources.tf b/common/resources.tf index 7a9fc7f..5ef47d1 100644 --- a/common/resources.tf 
+++ b/common/resources.tf @@ -15,7 +15,7 @@ locals { kms_key_name = format("%s%s", local._prefixes["kms"], local.name) kms_admin_root = format("arn:%v:iam::%v:root", local.partition, local.account_id) - kms_admin_roles = compact(concat(local.kms_admin_root, var.kms_admin_roles)) + kms_admin_roles = compact(concat(tolist(local.kms_admin_root), var.kms_admin_roles)) condition_allowed_cidr = { "test" : "NotIpAddress" From cca497b11c40f81e25ed1a145aa0af76f8c0c325 Mon Sep 17 00:00:00 2001 From: badra001 Date: Tue, 11 May 2021 14:04:42 -0400 Subject: [PATCH 4/8] fix --- common/resources.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/common/resources.tf b/common/resources.tf index 5ef47d1..be47cd3 100644 --- a/common/resources.tf +++ b/common/resources.tf @@ -14,8 +14,8 @@ locals { kms_key_arn = aws_kms_key.key.arn kms_key_name = format("%s%s", local._prefixes["kms"], local.name) - kms_admin_root = format("arn:%v:iam::%v:root", local.partition, local.account_id) - kms_admin_roles = compact(concat(tolist(local.kms_admin_root), var.kms_admin_roles)) + kms_admin_root = [format("arn:%v:iam::%v:root", local.partition, local.account_id)] + kms_admin_roles = compact(concat(local.kms_admin_root, var.kms_admin_roles)) condition_allowed_cidr = { "test" : "NotIpAddress" From a49e74a386d6f03afe0d018a8c94ecee450c3283 Mon Sep 17 00:00:00 2001 From: badra001 Date: Tue, 11 May 2021 14:10:25 -0400 Subject: [PATCH 5/8] fix --- common/README.md | 1 + common/resources.tf | 11 +++++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/common/README.md b/common/README.md index 3f9c08f..392d60f 100644 --- a/common/README.md +++ b/common/README.md 
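Review bot: `kms_admin_roles` is `compact(concat(local.kms_admin_root, var.kms_admin_roles))`, so a caller who also lists the account root ARN, or the same role twice, in `var.kms_admin_roles` produces a duplicate principal in the `key_admin` statement; at best that is noise in the rendered key policy, and it makes the policy harder to diff in review. Wrapping it in `distinct()` removes the duplicates without changing the default: `kms_admin_roles = distinct(compact(concat(local.kms_admin_root, var.kms_admin_roles)))`. The enclosing `locals` block starts and ends outside the hunk.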
@@ -26,6 +26,7 @@ No modules. | [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | diff --git a/common/resources.tf b/common/resources.tf index be47cd3..b3aba4e 100644 --- a/common/resources.tf +++ b/common/resources.tf @@ -14,8 +14,9 @@ locals { kms_key_arn = aws_kms_key.key.arn kms_key_name = format("%s%s", local._prefixes["kms"], local.name) - kms_admin_root = [format("arn:%v:iam::%v:root", local.partition, local.account_id)] - kms_admin_roles = compact(concat(local.kms_admin_root, var.kms_admin_roles)) + kms_admin_root = [format("arn:%v:iam::%v:root", local.partition, local.account_id)] + kms_admin_roles = compact(concat(local.kms_admin_root, var.kms_admin_roles)) + kms_policy_document = length(var.kms_policy_document) > 0 ? var.kms_policy_document : data.aws_iam_policy_document.empty.json condition_allowed_cidr = { "test" : "NotIpAddress" 
@@ -239,7 +240,7 @@ resource "aws_kms_alias" "key" { # auto includes root data "aws_iam_policy_document" "key_admin" { statement { - sid = "KMSAdminRoles" + sid = "BuiltinKMSAdminRoles" effect = "Allow" actions = ["kms:*"] resources = ["*"] @@ -253,6 +254,8 @@ data "aws_iam_policy_document" "key_admin" { data "aws_iam_policy_document" "key_policy_combined" { source_policy_documents = [ data.aws_iam_policy_document.key_admin.json, - var.kms_policy_document + local.kms_policy_document ] } + +data "aws_iam_policy_document" "empty" {} From be82f0fa00ea5c54c6bdea3528c4b70eb7983ce5 Mon Sep 17 00:00:00 2001 From: badra001 Date: Tue, 11 May 2021 14:13:09 -0400 Subject: [PATCH 6/8] fix tag --- common/resources.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/common/resources.tf b/common/resources.tf index b3aba4e..55ccf14 100644 --- a/common/resources.tf +++ b/common/resources.tf @@ -7,6 +7,7 @@ locals { } locals { + base_name = var.bucket_name name = replace(var.bucket_name, local._prefixes["s3"], "") bucket_name = format("%s%s", local._prefixes["s3"], local.name) @@ -228,7 +229,7 @@ resource "aws_kms_key" "key" { local.base_tags, var.tags, local.enforced_tags, - map("Name", local.bucket_name) + map("Name", local.kms_key_name) ) } From 0dff47e2b80ab5013536caa18c8a0f768a75b58f Mon Sep 17 00:00:00 2001 From: badra001 Date: Tue, 11 May 2021 14:14:58 -0400 Subject: [PATCH 7/8] add placeholder for read, write arn --- common/variables.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/common/variables.tf b/common/variables.tf index 6b35a7c..79f4a84 100644 --- a/common/variables.tf +++ b/common/variables.tf @@ -74,3 +74,7 @@ variable "require_explicit_encryption" { type = bool default = false } + +# TBD +# variable "kms_policy_read_arns" { } +# variable "kms_policy_write_arns" { } From 3271d5f55a7a105667a58ee198e007a6a7ed483a Mon Sep 17 00:00:00 2001 
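Review bot: Renaming the sid to `BuiltinKMSAdminRoles` only lowers the odds of a collision with a statement in `var.kms_policy_document`; it does not define what happens on one. How the provider treats duplicate sids across `source_policy_documents` appears to depend on its version — older releases reject the merge with an error, newer ones let the later document's statement replace the earlier one — and in `key_policy_combined` the caller's document is listed after `key_admin`, so under the override model a caller could replace the built-in admin statement by reusing its sid. Either pin the contract in the variable description, `description = "AWS KMS Key Policy Document JSON, merged with the admin policy document. Do not reuse the Sid BuiltinKMSAdminRoles."`, or move `data.aws_iam_policy_document.key_admin.json` into `override_policy_documents` so the built-in statement always wins regardless of provider version. A comment on `data "aws_iam_policy_document" "empty" {}` should also say why it exists, e.g. `# stands in for var.kms_policy_document when it is "", since source_policy_documents needs valid JSON`.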
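Review bot: `base_name = var.bucket_name` is added to the `locals` block but nothing in this hunk reads it, and the commit subject mentions only the tag; if it is not consumed elsewhere in the module it is dead and should be dropped, otherwise a short comment stating its purpose, `# bucket name exactly as supplied by the caller, before the s3 prefix is normalized`, would keep it from being removed later as unused. The tag change itself is consistent with the alias (`alias/${local.kms_key_name}`), so the key's Name tag no longer carries the bucket name. The `locals` block and the `aws_kms_key.key` resource both start outside the hunk.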
From: badra001 Date: Tue, 11 May 2021 14:24:53 -0400 Subject: [PATCH 8/8] add more docs --- standard/README.md | 23 +++++++++++++++++++++++ standard/main.tf | 15 +++++++++++++++ title26/README.md | 23 +++++++++++++++++++++++ title26/main.tf | 15 +++++++++++++++ 4 files changed, 76 insertions(+) diff --git a/standard/README.md b/standard/README.md index 5536841..580a312 100644 --- a/standard/README.md +++ b/standard/README.md @@ -14,11 +14,26 @@ module "mybucket" { bucket_name = "mynormalbucket" access_log_bucket = "mylogbucket" + kms_admin_roles = [ aws_iam_role.cloud-admin.arn ] + + ## optional + # kms_policy_document = data.aws_iam_policy_document.mypolicy.json +} + +data "aws_iam_policy_document" "mypolicy" { + statement { } } ``` This automaticaly creates an AWS KMS key used just for this bucket. +It will set a key usage/management policy by default with the `root` account, along with any other +roles in the variable `kms_admin_roles` list. This is **full** access to the KMS key. + +If `kms_policy_document` is provided it needs to be a valid IAM policy as would apply to key usage, +such as read access (decrypt) or write access (encrypt, re-encrypt). A later enhancement may be +to provide variables granting read and write access to the key. + ## Requirements No requirements. 
@@ -45,7 +60,13 @@ No modules. | [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | | [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | | [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs 
@@ -60,7 +81,9 @@ No modules. | [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` | `[]` | no | | [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `false` | no | | [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no | +| [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default. | `list(string)` | `[]` | no | | [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored. | `string` | `""` | no | +| [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no | | [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no | | [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | diff --git a/standard/main.tf b/standard/main.tf index b7ea135..7892b35 100644 --- a/standard/main.tf +++ b/standard/main.tf 
@@ -15,10 +15,25 @@ * * bucket_name = "mynormalbucket" * access_log_bucket = "mylogbucket" +* kms_admin_roles = [ aws_iam_role.cloud-admin.arn ] +* +* ## optional +* # kms_policy_document = data.aws_iam_policy_document.mypolicy.json +* } +* +* data "aws_iam_policy_document" "mypolicy" { +* statement { } * } * ``` * * This automaticaly creates an AWS KMS key used just for this bucket. +* +* It will set a key usage/management policy by default with the `root` account, along with any other +* roles in the variable `kms_admin_roles` list. This is **full** access to the KMS key. +* +* If `kms_policy_document` is provided it needs to be a valid IAM policy as would apply to key usage, +* such as read access (decrypt) or write access (encrypt, re-encrypt). A later enhancement may be +* to provide variables granting read and write access to the key. */ locals { diff --git a/title26/README.md b/title26/README.md index fbc2a0c..8037d57 100644 --- a/title26/README.md +++ b/title26/README.md @@ -15,6 +15,14 @@ module "mybucket" { bucket_name = "myt26bucket" access_log_bucket = "mylogbucket" # enable_title26 = true + kms_admin_roles = [ aws_iam_role.cloud-admin.arn ] + + ## optional + # kms_policy_document = data.aws_iam_policy_document.mypolicy.json +} + +data "aws_iam_policy_document" "mypolicy" { + statement { } } ``` @@ -24,6 +32,13 @@ to make a comma separated list. This automaticaly creates an AWS KMS key used just for this bucket. +It will set a key usage/management policy by default with the `root` account, along with any other +roles in the variable `kms_admin_roles` list. This is **full** access to the KMS key. + +If `kms_policy_document` is provided it needs to be a valid IAM policy as would apply to key usage, +such as read access (decrypt) or write access (encrypt, re-encrypt). A later enhancement may be +to provide variables granting read and write access to the key. + ## Requirements No requirements. 
@@ -50,7 +65,13 @@ No modules. | [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | | [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | | [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs @@ -65,7 +86,9 @@ No modules. | [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` |
[
"title26"
]
| no | | [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `true` | no | | [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no | +| [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default. | `list(string)` | `[]` | no | | [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored. | `string` | `""` | no | +| [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no | | [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no | | [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | diff --git a/title26/main.tf b/title26/main.tf index aa2c325..e21add0 100644 --- a/title26/main.tf +++ b/title26/main.tf 
@@ -16,6 +16,14 @@ * bucket_name = "myt26bucket" * access_log_bucket = "mylogbucket" * # enable_title26 = true +* kms_admin_roles = [ aws_iam_role.cloud-admin.arn ] +* +* ## optional +* # kms_policy_document = data.aws_iam_policy_document.mypolicy.json +* } +* +* data "aws_iam_policy_document" "mypolicy" { +* statement { } * } * ``` * @@ -24,6 +32,13 @@ * to make a comma separated list. * * This automaticaly creates an AWS KMS key used just for this bucket. +* +* It will set a key usage/management policy by default with the `root` account, along with any other +* roles in the variable `kms_admin_roles` list. This is **full** access to the KMS key. +* +* If `kms_policy_document` is provided it needs to be a valid IAM policy as would apply to key usage, +* such as read access (decrypt) or write access (encrypt, re-encrypt). A later enhancement may be +* to provide variables granting read and write access to the key. */ locals {