fix: Modify key_service_principals to be generic to support conditions for confused deputy problem (#7)

Co-authored-by: Anton Babenko <[email protected]>

Author: bryantbiggs

README.md

@@ -195,8 +195,8 @@ No modules.
 | <a name="input_key_hmac_users"></a> [key\_hmac\_users](#input\_key\_hmac\_users) | A list of IAM ARNs for [key HMAC users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-users-crypto) | `list(string)` | `[]` | no |
 | <a name="input_key_material_base64"></a> [key\_material\_base64](#input\_key\_material\_base64) | Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. External key only | `string` | `null` | no |
 | <a name="input_key_owners"></a> [key\_owners](#input\_key\_owners) | A list of IAM ARNs for those who will have full key permissions (`kms:*`) | `list(string)` | `[]` | no |
-| <a name="input_key_service_principals"></a> [key\_service\_principals](#input\_key\_service\_principals) | A map of IAM Services for [key principals](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-services.html) | `map(any)` | `{}` | no |
 | <a name="input_key_service_users"></a> [key\_service\_users](#input\_key\_service\_users) | A list of IAM ARNs for [key service users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-service-integration) | `list(string)` | `[]` | no |
+| <a name="input_key_statements"></a> [key\_statements](#input\_key\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage | `any` | `{}` | no |
 | <a name="input_key_symmetric_encryption_users"></a> [key\_symmetric\_encryption\_users](#input\_key\_symmetric\_encryption\_users) | A list of IAM ARNs for [key symmetric encryption users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-users-crypto) | `list(string)` | `[]` | no |
 | <a name="input_key_usage"></a> [key\_usage](#input\_key\_usage) | Specifies the intended use of the key. Valid values: `ENCRYPT_DECRYPT` or `SIGN_VERIFY`. Defaults to `ENCRYPT_DECRYPT` | `string` | `null` | no |
 | <a name="input_key_users"></a> [key\_users](#input\_key\_users) | A list of IAM ARNs for [key users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-users) | `list(string)` | `[]` | no |

examples/complete/main.tf

@@ -15,7 +15,6 @@ locals {
 }
 
 data "aws_caller_identity" "current" {}
-
 data "aws_region" "current" {}
 
 ################################################################################
@@ -42,20 +41,36 @@ module "kms_complete" {
   key_hmac_users                         = [local.current_identity]
   key_asymmetric_public_encryption_users = [local.current_identity]
   key_asymmetric_sign_verify_users       = [local.current_identity]
-  key_service_principals = {
-    "aws-logs" = {
-      sid = "aws-logs"
+  key_statements = [
+    {
+      sid = "CloudWatchLogs"
       actions = [
         "kms:Encrypt*",
         "kms:Decrypt*",
         "kms:ReEncrypt*",
         "kms:GenerateDataKey*",
         "kms:Describe*"
       ]
-      resources  = ["*"]
-      principals = ["logs.${data.aws_region.current.name}.amazonaws.com"]
+      resources = ["*"]
+
+      principals = [
+        {
+          type        = "Service"
+          identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
+        }
+      ]
+
+      conditions = [
+        {
+          test     = "ArnLike"
+          variable = "kms:EncryptionContext:aws:logs:arn"
+          values = [
+            "arn:aws:logs:${local.region}:${data.aws_caller_identity.current.account_id}:log-group:*",
+          ]
+        }
+      ]
     }
-  }
+  ]
 
   # Aliases
   aliases = ["one", "foo/bar"]

main.tf

@@ -244,16 +244,42 @@ data "aws_iam_policy_document" "this" {
   }
 
   dynamic "statement" {
-    for_each = var.key_service_principals
+    for_each = var.key_statements
 
     content {
-      sid       = statement.value.sid
-      actions   = statement.value.actions
-      resources = statement.value.resources
+      sid           = try(statement.value.sid, null)
+      actions       = try(statement.value.actions, null)
+      not_actions   = try(statement.value.not_actions, null)
+      effect        = try(statement.value.effect, null)
+      resources     = try(statement.value.resources, null)
+      not_resources = try(statement.value.not_resources, null)
+
+      dynamic "principals" {
+        for_each = try(statement.value.principals, [])
+
+        content {
+          type        = principals.value.type
+          identifiers = principals.value.identifiers
+        }
+      }
 
-      principals {
-        type        = "Service"
-        identifiers = statement.value.principals
+      dynamic "not_principals" {
+        for_each = try(statement.value.not_principals, [])
+
+        content {
+          type        = not_principals.value.type
+          identifiers = not_principals.value.identifiers
+        }
+      }
+
+      dynamic "condition" {
+        for_each = try(statement.value.conditions, [])
+
+        content {
+          test     = condition.value.test
+          values   = condition.value.values
+          variable = condition.value.variable
+        }
       }
     }
   }

variables.tf

@@ -110,12 +110,6 @@ variable "key_users" {
   default     = []
 }
 
-variable "key_service_principals" {
-  description = "A map of IAM Services for [key principals](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-services.html)"
-  type        = map(any)
-  default     = {}
-}
-
 variable "key_service_users" {
   description = "A list of IAM ARNs for [key service users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-service-integration)"
   type        = list(string)
@@ -146,6 +140,12 @@ variable "key_asymmetric_sign_verify_users" {
   default     = []
 }
 
+variable "key_statements" {
+  description = "A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage"
+  type        = any
+  default     = {}
+}
+
 variable "source_policy_documents" {
   description = "List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s"
   type        = list(string)
@@ -158,6 +158,7 @@ variable "override_policy_documents" {
   default     = []
 }
 
+
 ################################################################################
 # Alias
 ################################################################################