Merge pull request #1590 from alphagov/fix_iam_kms

Fix aws_kms_key changes dependency
alphagov · May 20, 2022 · 05c66d0 · 05c66d0
2 parents 6ad3668 + 591c2a4
commit 05c66d0
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 32 deletions.
diff --git a/terraform/projects/infra-security/.terraform.lock.hcl b/terraform/projects/infra-security/.terraform.lock.hcl
diff --git a/terraform/projects/infra-security/README.md b/terraform/projects/infra-security/README.md
@@ -19,7 +19,7 @@ Infrastructure security settings:
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.74.2 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 3.25 |
 | <a name="provider_time"></a> [time](#provider\_time) | 0.7.2 |
 
 ## Modules

diff --git a/terraform/projects/infra-security/main.tf b/terraform/projects/infra-security/main.tf
@@ -442,7 +442,7 @@ data "aws_iam_policy_document" "kms_sops_policy" {
 
     principals {
       type        = "AWS"
-      identifiers = [for role, arn in module.gds_role_admin.roles_and_arns : arn]
+      identifiers = jsondecode(time_sleep.wait_30_seconds.triggers["gds_admin_roles_and_arns"])
     }
   }
 
@@ -461,7 +461,7 @@ data "aws_iam_policy_document" "kms_sops_policy" {
 
     principals {
       type        = "AWS"
-      identifiers = [for role, arn in module.gds_role_admin.roles_and_arns : arn]
+      identifiers = jsondecode(time_sleep.wait_30_seconds.triggers["gds_admin_roles_and_arns"])
     }
   }
 
@@ -478,7 +478,7 @@ data "aws_iam_policy_document" "kms_sops_policy" {
 
     principals {
       type        = "AWS"
-      identifiers = [for role, arn in module.gds_role_admin.roles_and_arns : arn]
+      identifiers = jsondecode(time_sleep.wait_30_seconds.triggers["gds_admin_roles_and_arns"])
     }
   }
 }
@@ -494,15 +494,16 @@ See issues:
 2. https://discuss.hashicorp.com/t/terraform-malformed-policy/11281/2
 */
 resource "time_sleep" "wait_30_seconds" {
-  depends_on = [module.gds_role_admin]
-
   create_duration = "30s"
+
+  triggers = {
+    gds_admin_roles_and_arns = jsonencode([for role, arn in module.gds_role_admin.roles_and_arns : arn])
+  }
 }
 
 resource "aws_kms_key" "sops" {
   description = "Encryption key for govuk-aws-data"
   policy      = data.aws_iam_policy_document.kms_sops_policy.json
-  depends_on  = [time_sleep.wait_30_seconds]
 }
 
 resource "aws_kms_alias" "sops" {
@@ -513,13 +514,11 @@ resource "aws_kms_alias" "sops" {
 resource "aws_kms_key" "licensify_documentdb" {
   description = "Encryption key for Licensify DocumentDB"
   policy      = data.aws_iam_policy_document.kms_sops_policy.json
-  depends_on  = [time_sleep.wait_30_seconds]
 }
 
 resource "aws_kms_key" "shared_documentdb" {
   description = "Encryption key for Shared DocumentDB"
   policy      = data.aws_iam_policy_document.kms_sops_policy.json
-  depends_on  = [time_sleep.wait_30_seconds]
 }
 
 # Outputs