diff --git a/modules/kms/README.md b/modules/kms/README.md
index a2662f33a..21f694084 100644
--- a/modules/kms/README.md
+++ b/modules/kms/README.md
@@ -33,21 +33,21 @@ components:
| Name | Version |
| ------------------------------------------------------------------------ | -------- |
| [terraform](#requirement_terraform) | >= 1.0.0 |
-| [aws](#requirement_aws) | ~> 4.0 |
+| [aws](#requirement_aws) | >= 4.0 |
## Providers
| Name | Version |
| ------------------------------------------------ | ------- |
-| [aws](#provider_aws) | ~> 4.0 |
+| [aws](#provider_aws) | >= 4.0 |
## Modules
| Name | Source | Version |
| ----------------------------------------------------------------------------------- | ------------------------------------------ | ------- |
-| [allowed_role_map](#module_allowed_role_map) | ../account-map/modules/roles-to-principals | |
-| [iam_roles](#module_iam_roles) | ../account-map/modules/iam-roles | |
-| [kms_key](#module_kms_key) | cloudposse/kms-key/aws | 0.12.1 |
+| [allowed_role_map](#module_allowed_role_map) | ../account-map/modules/roles-to-principals | n/a |
+| [iam_roles](#module_iam_roles) | ../account-map/modules/iam-roles | n/a |
+| [kms_key](#module_kms_key) | cloudposse/kms-key/aws | 0.12.2 |
| [this](#module_this) | cloudposse/label/null | 0.25.0 |
## Resources
@@ -56,6 +56,7 @@ components:
| ---------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.key_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
## Inputs
@@ -70,14 +71,12 @@ components:
| [customer_master_key_spec](#input_customer_master_key_spec) | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: `SYMMETRIC_DEFAULT`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, or `ECC_SECG_P256K1`. | `string` | `"SYMMETRIC_DEFAULT"` | no |
| [deletion_window_in_days](#input_deletion_window_in_days) | Duration in days after which the key is deleted after destruction of the resource | `number` | `10` | no |
| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
-| [description](#input_description) | The description for the KMS Key. | `string` | `null` | no |
+| [description](#input_description) | The description for the KMS Key. | `string` | `"Parameter Store KMS master key"` | no |
| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
| [enable_key_rotation](#input_enable_key_rotation) | Specifies whether key rotation is enabled | `bool` | `true` | no |
| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no |
-| [import_profile_name](#input_import_profile_name) | AWS Profile name to use when importing a resource | `string` | `null` | no |
-| [import_role_arn](#input_import_role_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no |
| [key_usage](#input_key_usage) | Specifies the intended use of the key. Valid values: `ENCRYPT_DECRYPT` or `SIGN_VERIFY`. | `string` | `"ENCRYPT_DECRYPT"` | no |
| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no |
| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
diff --git a/modules/kms/main.tf b/modules/kms/main.tf
index 3cb0c5d98..1429c591b 100644
--- a/modules/kms/main.tf
+++ b/modules/kms/main.tf
@@ -1,10 +1,6 @@
locals {
account_id = data.aws_caller_identity.current.account_id
- account_principal = "arn:aws:iam::${local.account_id}:root"
-
- administration_principals = [
- local.account_principal
- ]
+ account_principal = "arn:${data.aws_partition.current.partition}:iam::${local.account_id}:root"
principals = sort(distinct(concat(
var.allowed_principal_arns,
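Review bot: The new `account_principal` line carries no comment saying why the partition lookup replaced the hard-coded `arn:aws:` prefix, so the next maintainer can easily "simplify" it back and break the key policy in non-default partitions. A one-line note would pin the intent: `# Partition-aware so the account root principal is valid in every partition (e.g. aws-us-gov, aws-cn), not only "aws"`. The `locals` block continues past the end of this hunk.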
@@ -14,6 +10,8 @@ locals {
data "aws_caller_identity" "current" {}
+data "aws_partition" "current" {}
+
module "allowed_role_map" {
source = "../account-map/modules/roles-to-principals"
@@ -25,7 +23,7 @@ module "allowed_role_map" {
module "kms_key" {
source = "cloudposse/kms-key/aws"
- version = "0.12.1"
+ version = "0.12.2"
alias = var.alias == null ? "alias/${module.this.id}" : var.alias
description = var.description == null ? "${module.this.id} KMS Key. Managed by Terraform." : var.description
@@ -54,7 +52,7 @@ data "aws_iam_policy_document" "key_policy" {
principals {
type = "AWS"
- identifiers = local.administration_principals
+ identifiers = [local.account_principal]
}
}
diff --git a/modules/kms/variables.tf b/modules/kms/variables.tf
index b2c6cfd9d..71f320dac 100644
--- a/modules/kms/variables.tf
+++ b/modules/kms/variables.tf
@@ -11,8 +11,8 @@ variable "alias" {
variable "description" {
type = string
+ default = "Parameter Store KMS master key"
description = "The description for the KMS Key."
- default = null
}
variable "deletion_window_in_days" {
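Review bot: Changing `default` from `null` to `"Parameter Store KMS master key"` makes the fallback in main.tf, `var.description == null ? "${module.this.id} KMS Key. Managed by Terraform." : var.description`, unreachable, so every key created by this generic `kms` component without an explicit `description` will now be labelled as a Parameter Store key regardless of what it protects. If the intent is to keep the id-based description, the line should stay `default = null`; if the new default is intended, the dead fallback in main.tf should be removed and the README table entry (changed in this commit) should say the default is a placeholder to override. The same wording question applies to the README hunk that mirrors this default.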
@@ -31,6 +31,11 @@ variable "key_usage" {
type = string
default = "ENCRYPT_DECRYPT"
description = "Specifies the intended use of the key. Valid values: `ENCRYPT_DECRYPT` or `SIGN_VERIFY`."
+
+ validation {
+ condition = contains(["ENCRYPT_DECRYPT", "SIGN_VERIFY"], var.key_usage)
+ error_message = "Invalid key_usage. Valid values are `ENCRYPT_DECRYPT` or `SIGN_VERIFY`."
+ }
}
variable "multi_region" {
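Review bot: The new `validation` block (and the `customer_master_key_spec` one in the next hunk) checks each variable in isolation, so combinations AWS KMS rejects — `key_usage = "SIGN_VERIFY"` with the default `customer_master_key_spec = "SYMMETRIC_DEFAULT"`, or `ENCRYPT_DECRYPT` with one of the `ECC_*` specs — still pass `terraform validate` and only fail at apply time. On the Terraform versions this module accepts (>= 1.0.0) a variable `validation` condition may only reference its own variable, so the cross-check has to live elsewhere, e.g. as a `precondition` on a resource or data source in main.tf with `condition = var.key_usage == "ENCRYPT_DECRYPT" ? var.customer_master_key_spec != "SYMMETRIC_DEFAULT" || true : var.customer_master_key_spec != "SYMMETRIC_DEFAULT"` simplified to the two rules "symmetric keys are ENCRYPT_DECRYPT only" and "ECC specs are SIGN_VERIFY only"; that in turn needs the required Terraform version raised to one that supports preconditions, which the README does not yet state. The valid-value list is now repeated three times (description, condition, error_message) in each variable; keeping the `error_message` to "must be one of the values listed in the description" would avoid the lists drifting apart.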
@@ -43,6 +48,11 @@ variable "customer_master_key_spec" {
type = string
default = "SYMMETRIC_DEFAULT"
description = "Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: `SYMMETRIC_DEFAULT`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, or `ECC_SECG_P256K1`."
+
+ validation {
+ condition = contains(["SYMMETRIC_DEFAULT", "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1"], var.customer_master_key_spec)
+ error_message = "Invalid customer_master_key_spec. Valid values are `SYMMETRIC_DEFAULT`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, or `ECC_SECG_P256K1`."
+ }
}
variable "policy" {