From ce6c05131ace02b8e77c0ce9b8a1014136340c13 Mon Sep 17 00:00:00 2001
From: Don Badrak
Date: Fri, 12 Apr 2019 11:01:25 -0400
Subject: [PATCH] enable secret key, update comments

---
 README.md | 2 +-
 main.tf | 13 ++++++-------
 outputs.tf | 10 ++++++----
 variables.tf | 3 ++-
 4 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index c2b63d8..d7f40cd 100644
--- a/README.md
+++ b/README.md
@@ -7,7 +7,7 @@ module "scanner" {
 group = "g-audit-group"
 users = [ "s-ois-scan" ]
 create_access_keys = true
- pgp_key = ""
+ pgp_key = "${file("gpg-key.b64)}"
 }
 ```
diff --git a/main.tf b/main.tf
index dadbd00..7de8d62 100644
--- a/main.tf
+++ b/main.tf
@@ -7,7 +7,7 @@
 * group = "g-audit-group"
 * users = [ "s-ois-scan" ]
 * create_access_keys = true
-* pgp_key = ""
+* pgp_key = "${file(filename.b64)}"
 * }
 */
@@ -71,8 +71,8 @@ data "aws_iam_policy" "aws-managed-security-audit" {
 }
 locals {
-# security-audit-policies = ["${data.aws_iam_policy.aws-managed-security-audit.arn}", "$(aws_iam_policy.audit.arn}"]
- enable_access_keys = "${var.create_access_keys ? length(var.users) : 0 }"
+ # security-audit-policies = ["${data.aws_iam_policy.aws-managed-security-audit.arn}", "$(aws_iam_policy.audit.arn}"]
+ enable_access_keys = "${var.create_access_keys ? length(var.users) : 0 }"
 }
 #resource "aws_iam_group_policy_attachment" "audit" {
@@ -96,8 +96,7 @@ resource "aws_iam_group_policy_attachment" "audit-1" {
 #---
 resource "aws_iam_access_key" "audit" {
 # count = "${length(var.users)}"
- count = "${local.enable_access_keys}"
- user = "${aws_iam_user.audit.*.name[count.index]}"
-
- # pgp_key = "${file("setup/terraform.gpg.b64")}"
+ count = "${local.enable_access_keys}"
+ user = "${aws_iam_user.audit.*.name[count.index]}"
+ pgp_key = "${var.pgp_key}"
 }
diff --git a/outputs.tf b/outputs.tf
index 4550e68..bc5f828 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -9,10 +9,12 @@ output "aws_access_key_id" {
 }
 locals {
-# encrypted_secret = "${join(",",aws_iam_access_key.audit.*.encrypted_secret)}"
- encrypted_secret = "${join(",",aws_iam_access_key.audit.*.secret)}"
- notencrypted_secret = "${join(",",aws_iam_access_key.audit.*.secret)}"
- secret = "${var.pgp_key == "" ? local.notencrypted_secret : local.encrypted_secret}"
+ encrypted_secret = "${join(",",aws_iam_access_key.audit.*.encrypted_secret)}"
+
+ # encrypted_secret = "${join(",",aws_iam_access_key.audit.*.secret)}"
+ # notencrypted_secret = "${join(",",aws_iam_access_key.audit.*.secret)}"
+ # secret = "${var.pgp_key == "" ? local.notencrypted_secret : local.encrypted_secret}"
+ secret = "${local.encrypted_secret}"
 }
 output "aws_secret_access_key" {
diff --git a/variables.tf b/variables.tf
index e3588b0..7794a18 100644
--- a/variables.tf
+++ b/variables.tf
@@ -24,5 +24,6 @@ variable "create_access_keys" {
 // Typical use to use "${file("filename.b64")}"
 variable "pgp_key" {
 description = "PGP key used to encrypt access key"
- default = ""
+
+ # default = ""
 }
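Review bot: The usage example in the main.tf header comment, `* pgp_key = "${file(filename.b64)}"`, is missing the quotes around the filename that a `file()` argument needs, so anyone copying it gets a parse error; the variables.tf comment in this same patch writes it correctly as `"${file("filename.b64")}"`, while the README hunk has the mirror-image problem of a dropped closing quote in `"${file("gpg-key.b64)}"`. Suggest `* pgp_key = "${file("filename.b64")}"` here and `pgp_key = "${file("gpg-key.b64")}"` in the README so the three examples agree and parse. The comment block this line sits in starts outside the hunk.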
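Review bot: In the `aws_iam_access_key.audit` hunk the stale `# count = "${length(var.users)}"` comment now contradicts the `count` line below it, which is gated by `local.enable_access_keys` and is zero when `create_access_keys` is false; it should be replaced rather than kept as dead code. Suggest a comment that states the actual contract, e.g. `# one key per user, only when create_access_keys is set; the secret is PGP-encrypted with var.pgp_key, so only encrypted_secret is populated`. It is also worth noting in that comment that if a caller still passes an empty `pgp_key` the provider will presumably create the key without encryption and the plaintext secret ends up in state, which is the situation the removed `# pgp_key = ...` line and the old default were quietly allowing.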
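Review bot: The new `secret = "${local.encrypted_secret}"` yields an empty value, with no error, whenever the access keys were created without encryption, since `encrypted_secret` is presumably only populated by the provider when `pgp_key` is set; the ternary that was removed at least selected the right attribute for that case, and now the only signal is an empty `aws_secret_access_key` output. The three `# ...` lines added above it are dead code and should be dropped in favour of a comment stating the contract, e.g. `# comma-joined, base64 PGP-encrypted secrets, one per user; empty if the keys were created without a pgp_key`. The `output "aws_secret_access_key"` block begins on the hunk's last line and continues outside it.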
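Review bot: Removing `default = ""` makes `pgp_key` a required input, which is the right outcome (a plan now fails instead of creating keys whose secret lands unencrypted in state), but the replacement `# default = ""` line does not say that this is intentional, and the description still reads as if the key were optional. Suggest `# no default on purpose: a key must be supplied so generated secrets are never stored unencrypted` in place of the commented-out line, and `description = "Base64-encoded PGP public key used to encrypt the generated access key secret (required)"`, the encoding being what the .b64 examples in this patch imply. The context line `// Typical use to use "${file("filename.b64")}"` reads better as `// Typical use is to use ...`.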