Open alexjurkiewicz opened 3 years ago
This sounds soon to me. If you want, send a PR over and we will review it.
@alexjurkiewicz This module is still in need of a simple policy system. Any chance of getting PR #26 merged?
Sorry, I won't work on this further.
On Sun, 30 Oct 2022 at 18:49, dstrates @.***> wrote:
@alexjurkiewicz https://github.com/alexjurkiewicz This module is still in need of a simple policy system. Any chance of getting PR #26 https://github.com/cloudposse/terraform-aws-kms-key/pull/26 merged?
This module currently creates KMS keys with a policy stating "any IAM user/role can do anything with this key".
If you want a more restrictive policy, you have to write it yourself.
I think it would be valuable for the module to offer some canned policies that can be used instead.
This is a proposal for giving module users more flexible tools for controlling the key policy.
If you like the design, we can discuss the details, and I am interested in implementing it.
Expected Behavior
- var.policy takes precedence over the below. If it is set, the other proposed variables are ignored.
- var.canned_policy has a few options, like:
  - aws-service-use (the key can only be attached to AWS resources, like RDS encryption)
- var.extra_policy_statements lets you provide IAM policy statements that will be appended to the policy. (It works with the default policy, and with all canned policies.) For example:
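The sketch below shows one way the three proposed variables could fit together inside the module. It is an added example written for this thread, not code from the cloudposse/terraform-aws-kms-key module or from the proposal's author, and it assumes: the default policy is the current "account root may do anything" statement; the canned aws-service-use policy is implemented by keeping administration with the account root while allowing cryptographic use only when the call arrives through an AWS service in this account (kms:ViaService plus kms:CallerAccount); and var.extra_policy_statements is a list of JSON-encoded statement objects. The resource and variable names are placeholders.

```hcl
variable "policy" {
  description = "Complete key policy JSON. When set, canned_policy and extra_policy_statements are ignored."
  type        = string
  default     = null
}

variable "canned_policy" {
  description = "Which built-in policy to start from (assumed names: default, aws-service-use)."
  type        = string
  default     = "default"
  validation {
    condition     = contains(["default", "aws-service-use"], var.canned_policy)
    error_message = "canned_policy must be one of: default, aws-service-use."
  }
}

variable "extra_policy_statements" {
  description = "JSON-encoded IAM statements appended to the default or canned policy (each needs a unique Sid)."
  type        = list(string)
  default     = []
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  account_root = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
}

# Default policy: matches the module's current behaviour (account principals can do anything).
data "aws_iam_policy_document" "default" {
  statement {
    sid       = "EnableRootAccess"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [local.account_root]
    }
  }
}

# Canned aws-service-use (assumed semantics): the account root keeps key administration,
# but Encrypt/Decrypt-style use is only allowed when an AWS service in this region calls
# KMS on behalf of a principal in this account (e.g. RDS storage encryption).
data "aws_iam_policy_document" "aws_service_use" {
  statement {
    sid       = "KeyAdministration"
    effect    = "Allow"
    actions   = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [local.account_root]
    }
  }
  statement {
    sid       = "UseOnlyViaAwsServices"
    effect    = "Allow"
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "StringEquals"
      variable = "kms:CallerAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
    condition {
      test     = "StringLike"
      variable = "kms:ViaService"
      values   = ["*.${data.aws_region.current.name}.amazonaws.com"]
    }
  }
}

# Merge the chosen base policy with any extra statements. Each extra statement is wrapped
# in its own policy document so the provider can merge it by Sid.
data "aws_iam_policy_document" "merged" {
  source_policy_documents = concat(
    [var.canned_policy == "aws-service-use" ? data.aws_iam_policy_document.aws_service_use.json : data.aws_iam_policy_document.default.json],
    [for s in var.extra_policy_statements : jsonencode({ Version = "2012-10-17", Statement = [jsondecode(s)] })],
  )
}

locals {
  # Precedence from the proposal: an explicit var.policy wins and everything else is ignored.
  key_policy = var.policy != null ? var.policy : data.aws_iam_policy_document.merged.json
}

resource "aws_kms_key" "this" {
  description = "Example key; name is a placeholder"
  policy      = local.key_policy
}
```

Two practical checks when adopting something like this: keep an administration statement in every canned policy so the key does not become unmanageable after the module's default is swapped out, and give each extra statement a unique Sid, since the provider's document merge rejects duplicate Sids.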