xpk/terraform.examples
SHA256
1
0
Fork 0
Code Pull Requests Activity

feat: updated cmk policies with regards to key grants

Browse Source
This commit is contained in:
xpk
2026-02-25 13:23:14 +08:00
parent f6b38e9dbb
commit 89069b105b
1 changed files with 40 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
+40
View File
@@ -236,6 +236,26 @@ data "aws_iam_policy_document" "storage" {
] ]
resources = ["*"] resources = ["*"]
} }
statement {
sid = "AllowAttachmentOfPersistentResources"
effect = "Allow"
principals {
identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
type = "AWS"
}
actions = [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
]
resources = ["*"]
condition {
test = "Bool"
values = ["true"]
variable = "kms:GrantIsForAWSResource"
}
}
} }
data "aws_iam_policy_document" "rds" { data "aws_iam_policy_document" "rds" {
@@ -265,6 +285,26 @@ data "aws_iam_policy_document" "rds" {
variable = "kms:ViaService" variable = "kms:ViaService"
} }
} }
statement {
sid = "AllowAttachmentOfPersistentResources"
effect = "Allow"
principals {
identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
type = "AWS"
}
actions = [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
]
resources = ["*"]
condition {
test = "Bool"
values = ["true"]
variable = "kms:GrantIsForAWSResource"
}
}
} }
data "aws_iam_role" "asg-service-linked-role" { data "aws_iam_role" "asg-service-linked-role" {