Provide canned policies
This module currently creates KMS keys with a policy stating "any IAM user/role can do anything with this key".
If you want a more restrictive policy, you have to write it yourself.
I think it would be valuable for the module to offer some canned policies that can be used instead.
This is a proposal for giving module users more flexible tools for controlling the key policy.
If you like the design, we can discuss the details, and I am interested in implementing it.
Expected Behavior
var.policy takes precedence over the below. If it is set, the other proposed variables are ignored.
var.canned_policy has a few options, like:
aws-service-use (the key can only be attached to AWS resources, such as RDS encryption)
var.extra_policy_statements lets you provide IAM policy statements that will be appended to the policy. (It works with the default policy and with all canned policies.) For example:
extra_policy_statements = [
  {
    Sid       = "Allow encryption by userupload app"
    Effect    = "Allow"   # every KMS key policy statement needs an Effect
    Principal = {
      AWS = "arn:aws:iam...:role/userupload"
    }
    Action    = "kms:Encrypt"
    Resource  = "*"
  },
  {
    Sid       = "Allow decryption by userdownload app"
    Effect    = "Allow"
    Principal = {
      AWS = "arn:aws:iam...:role/userdownload"
    }
    Action    = "kms:Decrypt"
    Resource  = "*"
  },
]
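A sketch of how the module could compose the key policy from these three variables, added here as an illustration and not the module's own code. The kms:ViaService / kms:CallerAccount implementation of aws-service-use, the root-account admin statement kept in every canned policy, and the variable types and defaults are assumptions.

```hcl
variable "policy" {
  type    = string
  default = null # full key policy JSON; when set, the variables below are ignored
}
variable "canned_policy" {
  type    = string
  default = "default" # or "aws-service-use"
}
variable "extra_policy_statements" {
  type    = any # list of statement objects appended to the chosen policy
  default = []
}
data "aws_caller_identity" "current" {}

locals {
  # Keep the account root as key administrator so the key can never become unmanageable.
  admin_statement = {
    Sid       = "Enable IAM User Permissions"
    Effect    = "Allow"
    Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
    Action    = "kms:*"
    Resource  = "*"
  }
  # aws-service-use (assumed implementation): principals in this account may use the key
  # only when the request arrives through an AWS service, e.g. RDS storage encryption.
  service_use_statement = {
    Sid       = "AllowUseOnlyViaAwsServices"
    Effect    = "Allow"
    Principal = { AWS = "*" }
    Action    = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant"]
    Resource  = "*"
    Condition = {
      StringEquals = { "kms:CallerAccount" = data.aws_caller_identity.current.account_id }
      StringLike   = { "kms:ViaService" = "*.amazonaws.com" }
    }
  }
  canned_statements = {
    "default"         = [local.admin_statement]
    "aws-service-use" = [local.admin_statement, local.service_use_statement]
  }
  # Extra statements are appended to whichever base policy was selected.
  generated_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = concat(local.canned_statements[var.canned_policy], var.extra_policy_statements)
  })
}

resource "aws_kms_key" "this" {
  policy = var.policy != null ? var.policy : local.generated_policy
}
```

Indexing local.canned_statements with an unknown var.canned_policy fails at plan time, which doubles as validation of the option name.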
This sounds good to me. If you want, send a PR over and we will review it.
@alexjurkiewicz This module is still in need of a simple policy system. Any chance of getting PR #26 merged?
Sorry, I won't work on this further.
On Sun, 30 Oct 2022 at 18:49, dstrates wrote:
> @alexjurkiewicz This module is still in need of a simple policy system. Any chance of getting PR #26 merged?