This module implements a KMS key usable for most scenarios. Use `aws_kms_grant` to grant least-privilege access to this key.

This key contains a lot of open policy statements by default. This is due to a limitation in the Terraform `aws_kms_grant` resource. See this issue as to why.

Generally you only define `var.name`, and only use `var.resource_policy_additions` when you use a service or resource that is not able to access the key using grants. It is generally not recommended to use `var.resource_policy_additions`. For general AWS services we include these services by default in this module until this can be solved using `aws_kms_grant` as well. Please UPVOTE this issue.

Check the example for how to implement KMS:

- with_extra_iam_user_additions, if you want to give users explicit access
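As an added example (not the module's own example code), this wires the module to a workload role through `aws_kms_grant` instead of widening the key policy with `var.resource_policy_additions`; the module `source` path and the `app-worker` role name are placeholders.

```hcl
# Added example, not part of the module. The source path and the role
# name "app-worker" are placeholders for your own values.

module "kms" {
  source = "../../modules/kms" # placeholder path

  name = "app-data"

  # Keep the guarded devops_administrator access (the module default) and
  # leave resource_policy_additions unset; workload access comes from grants.
  guarded_role_access = true
}

# Existing IAM role that needs to use the key (placeholder name).
data "aws_iam_role" "app_worker" {
  name = "app-worker"
}

# Least privilege: a grant scoped to exactly the operations the workload
# needs, bound to one principal, instead of an open key policy statement.
resource "aws_kms_grant" "app_worker" {
  name              = "app-worker-data-key"
  key_id            = module.kms.kms_key_arn
  grantee_principal = data.aws_iam_role.app_worker.arn

  operations = [
    "Encrypt",
    "Decrypt",
    "GenerateDataKey",
    "DescribeKey",
  ]

  # Optional: the grant only applies when the request carries this
  # encryption context, so the key cannot be reused for other data.
  constraints {
    encryption_context_equals = {
      app = "app-worker"
    }
  }
}
```

Grants take effect without a key policy change, so each consumer of the key shows up as an explicit, revocable `aws_kms_grant` resource in state rather than as a widened policy statement.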
| Name | Version |
|---|---|
| aws | >=4.8.0 |
No modules.
| Name | Type |
|---|---|
| aws_kms_alias.this | resource |
| aws_kms_key.this | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.access_role | data source |
| aws_iam_policy_document.guarded_roles | data source |
| aws_iam_policy_document.kms_policy | data source |
| aws_iam_policy_document.kms_standard_policy | data source |
| aws_iam_role.kms_access_role | data source |
| aws_partition.current | data source |
| aws_region.current | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| guarded_role_access | Defaults to TRUE. This creates a policy statement that allows all access based on the principal tag `landing_zone_usertype` with value `devops_administrator`. Setting tags starting with `landing_zone_` is a guarded feature in our landing zone and can only be done from the management account. This setting extends the KMS key policy so that these compliant roles are always able to access any KMS keys. | bool | true | no |
| name | Unique name for the KMS key and alias. | string | n/a | yes |
| resource_policy_additions | Additional IAM policy statements in Terraform object notation. | any | null | no |
| role_access | Access for regular roles. Explicitly defined to keep compatibility with the move to var.guarded_role_access. Set the role name. | list(string) | [ | no |
| Name | Description |
|---|---|
| kms_key_arn | n/a |