enable secret key, update comments

terraform-modules · Apr 12, 2019 · ce6c051 · ce6c051
1 parent 2b607be
commit ce6c051
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -7,7 +7,7 @@ module "scanner" {
   group = "g-audit-group"
   users = [ "s-ois-scan" ]
   create_access_keys = true
-  pgp_key = ""
+  pgp_key = "${file("gpg-key.b64)}"
 }
 ```
 

diff --git a/main.tf b/main.tf
@@ -7,7 +7,7 @@
 *   group = "g-audit-group"
 *   users = [ "s-ois-scan" ]
 *   create_access_keys = true
-*   pgp_key = ""
+*   pgp_key = "${file(filename.b64)}"
 * }
 */
 
@@ -71,8 +71,8 @@ data "aws_iam_policy" "aws-managed-security-audit" {
 }
 
 locals {
-#  security-audit-policies = ["${data.aws_iam_policy.aws-managed-security-audit.arn}", "$(aws_iam_policy.audit.arn}"]
-  enable_access_keys      = "${var.create_access_keys ? length(var.users) : 0 }"
+  #  security-audit-policies = ["${data.aws_iam_policy.aws-managed-security-audit.arn}", "$(aws_iam_policy.audit.arn}"]
+  enable_access_keys = "${var.create_access_keys ? length(var.users) : 0 }"
 }
 
 #resource "aws_iam_group_policy_attachment" "audit" {
@@ -96,8 +96,7 @@ resource "aws_iam_group_policy_attachment" "audit-1" {
 #---
 resource "aws_iam_access_key" "audit" {
   #  count = "${length(var.users)}"
-  count = "${local.enable_access_keys}"
-  user  = "${aws_iam_user.audit.*.name[count.index]}"
-
-  #  pgp_key = "${file("setup/terraform.gpg.b64")}"
+  count   = "${local.enable_access_keys}"
+  user    = "${aws_iam_user.audit.*.name[count.index]}"
+  pgp_key = "${var.pgp_key}"
 }
diff --git a/outputs.tf b/outputs.tf
@@ -9,10 +9,12 @@ output "aws_access_key_id" {
 }
 
 locals {
-#  encrypted_secret    = "${join(",",aws_iam_access_key.audit.*.encrypted_secret)}"
-  encrypted_secret = "${join(",",aws_iam_access_key.audit.*.secret)}"
-  notencrypted_secret = "${join(",",aws_iam_access_key.audit.*.secret)}"
-  secret              = "${var.pgp_key == "" ? local.notencrypted_secret : local.encrypted_secret}"
+  encrypted_secret = "${join(",",aws_iam_access_key.audit.*.encrypted_secret)}"
+
+  #  encrypted_secret = "${join(",",aws_iam_access_key.audit.*.secret)}"
+  #  notencrypted_secret = "${join(",",aws_iam_access_key.audit.*.secret)}"
+  #  secret              = "${var.pgp_key == "" ? local.notencrypted_secret : local.encrypted_secret}"
+  secret = "${local.encrypted_secret}"
 }
 
 output "aws_secret_access_key" {

diff --git a/variables.tf b/variables.tf
@@ -24,5 +24,6 @@ variable "create_access_keys" {
 // Typical use to use "${file("filename.b64")}"
 variable "pgp_key" {
   description = "PGP key used to encrypt access key"
-  default     = ""
+
+  #  default     = ""
 }