Please consider implementing an aws_kms_key_policy_attachment #464
Comments
This is a tad more important now considering the upcoming changes enforcing service role utilisation on March 26th; especially where external CMKs are in use. Attaching a policy to a key that exists outside of Terraform's state will become less of an edge case.
I'd be more than happy to take this on, should have a free Sunday afternoon.
Any word on this, or potential workarounds? We're trying to create a key policy that allows access to our Kinesis resources. Unfortunately the Kinesis resources need the ARN of the KMS key, and the KMS key policy now needs the ARNs of the Kinesis resources, and Terraform errors out with a cycle detection issue.
Anyone have a workaround for assigning a policy which allows a service to use this KMS key? Current:

```json
{
  "Id": "key-consolepolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow GuardDuty to use the key",
      "Effect": "Allow",
      "Principal": {"Service": "guardduty.amazonaws.com"},
      "Action": "kms:GenerateDataKey",
      "Resource": "arn:aws:kms:[region]:111122223333:key/[KMSKeyId]"
    }
  ]
}
```
@guitarrapc you can use an UPDATE: Ah, just realized everyone is talking about updating the key policy after the key has been created. Does updating the
This is an important feature for e.g. CloudWatch log groups.
Agreed with all the above. I was trying to follow the policy recommendations for setting up a secure bucket for CloudTrail logging, but they want the key_id for some of the rules. So I can't create the policy doc without the key or the key without the policy doc.
I have another use-case that requires this. Some keys must have custom policies due to the way some AWS services work (notably CloudWatch Logs and AWS AutoScaling). If your TF code is structured something like this: a) Create KMS keys. then you'd naturally want to have the following continuation: y) Create KMS custom key policies that reference IAM principals from x). As the feature is missing, you have a problem: you are tied to creating KMS keys together with their policies in a). From here you have 2 options:
For the time being I implemented a workaround using the
I am encountering the same circular dependency issue explained within this thread: the KMS policy requires entries from another resource, while the latter needs the KMS ARN to be created. Being able to leverage the PutKeyPolicy endpoint of AWS KMS API would be great to break the circle, something like:
Wonder how we can raise the attention on this issue to the right owners: from this document, AWS seems to have a dedicated channel to escalate issues and prioritize them.
Hi everyone, was just looking at this and wanted to share my initial thoughts. Unlike other resources, like S3 buckets, where a bucket policy does not exist for a bucket unless you define one, KMS keys will automatically generate and assign a default policy, even if you do not specify one during creation. Creating a resource such as It's also worth noting that the CloudFormation implementation of this is the same as Terraform today. I was puzzled as to why I myself haven't run into this issue in the past, and it seems like I have been creating KMS key policies as templates and filling them in with the
I'm wondering what the community's thoughts are on the problem statement above and the proposed solution.
Good point, on top of that, if A possible solution could be using By doing so, we will break the circular dependency and cover an additional provisioning scenario through Terraform as well.
This functionality has been released in v4.59.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
This issue was originally opened by @kojiromike as hashicorp/terraform#11137. It was migrated here as part of the provider split. The original body of the issue is below.
Terraform Version
0.8.3
Affected Resource(s)
Terraform Configuration Files
Perhaps something like
Important Factoids
The AWS API supports modifying the policy for a key after it's created. Sometimes it's important to do this to get ordering right in Terraform, particularly if the key itself is unmanaged or in a migration.
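As an added example (not code from the thread or the provider), the GuardDuty key policy posted above expressed with the separate `aws_kms_key_policy` resource released in v4.59.0, so the policy can name the key's own ARN without a self-reference; the resource names and the use of the `aws_caller_identity` data source are assumptions:

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.59.0" # aws_kms_key_policy was added in this release
    }
  }
}

data "aws_caller_identity" "current" {}

# Key created without an inline policy: AWS attaches its default key policy
# (account root gets kms:*), so the key is usable and never locked out.
resource "aws_kms_key" "guardduty" {
  description         = "CMK for GuardDuty (assumed name)"
  enable_key_rotation = true
}

# The GuardDuty statement needs the key's own ARN in its Resource element.
# Inside the key's own `policy` argument that is a self-reference Terraform
# rejects; as a separate resource it is an ordinary edge: key -> key policy.
data "aws_iam_policy_document" "guardduty_key" {
  statement {
    sid       = "Enable IAM User Permissions"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
  statement {
    sid       = "Allow GuardDuty to use the key"
    effect    = "Allow"
    actions   = ["kms:GenerateDataKey"]
    resources = [aws_kms_key.guardduty.arn]
    principals {
      type        = "Service"
      identifiers = ["guardduty.amazonaws.com"]
    }
  }
}

# Replaces the default policy after creation (PutKeyPolicy under the hood).
resource "aws_kms_key_policy" "guardduty" {
  key_id = aws_kms_key.guardduty.id
  policy = data.aws_iam_policy_document.guardduty_key.json
}
```

Keeping the root statement is what lets the provider's policy lockout safety check pass; the same pattern applies to policies that must reference another resource's ARN (a log group or stream created from the key ARN), since that resource can now sit between the key and its policy in the dependency graph.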