
LCP AMI module was lost, I had to remake it

Duane Waddle 4 年之前
父節點
當前提交
8c58383fce
共有 3 個文件被更改,包括 70 次插入0 次删除
  1. 53 0
      base/lcp_ami_key/main.tf
  2. 3 0
      base/lcp_ami_key/outputs.tf
  3. 14 0
      base/lcp_ami_key/vars.tf

+ 53 - 0
base/lcp_ami_key/main.tf

@@ -0,0 +1,53 @@
+locals {
+
+  #account_arns = sort(
+  #  concat(
+  #   [ for account in concat(var.customer_account_list,var.account_list):
+  #     "arn:${var.aws_partition}:iam::${account}:root" if account != "*"
+  #   ],
+  #   [ for account in concat(var.customer_account_list,var.account_list):
+  #     "*" if account == "*" 
+  #   ]
+  #))
+
+  # LCP AMI Key should allow anyone and everyone to use it.  Rationale:
+  #     * The AMIs themselves only get shared with specific AWS accounts
+  #     * Only two IAM Actions are permitted by the policy defined in the
+  #       submodule:  kms:ReEncryptFrom and kms:DescribeKey.  
+  #     *Giving these limited rights to "anyone" should be fine, given the only way
+  #       to see the volumes encrypted using this key is by launching the AMI
+  #       which you have to be whitelisted to
+  #
+  # It is, however, incumbent on us to not use this particular KMS for any
+  # other purpose other than the LCP AMI(s) EBS volume(s).
+  account_arns = [ "*" ]
+
+  terraformer_arns = sort([
+    for account in var.account_list:
+      "arn:${var.aws_partition}:iam::${account}:role/user/mdr_terraformer"
+  ])
+
+  all_keys = concat([ module.shared_ami_key.key_arn ])
+}
+
+output other {
+  value = local.account_arns
+}
+
+module "shared_ami_key" {
+  source = "../../submodules/kms/ami-key"
+
+  name = "lcp_ami_key"
+  alias = "alias/lcp_ami_key"
+  description = "Key for encrypting the LCP AMIs to be shared with external clients."
+  tags = merge(var.standard_tags, var.tags)
+  key_admin_arns = [ ]
+  key_user_arns = [ ]
+  #key_attacher_arns = local.account_arns
+  key_attacher_arns = local.terraformer_arns
+  #key_attacher_arns = [ ]
+  standard_tags = var.standard_tags
+  aws_account_id = var.aws_account_id
+  aws_partition = var.aws_partition
+  remote_account_arns = local.account_arns
+}
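Review bot: `remote_account_arns = local.account_arns` hands the wildcard principal `"*"` to the key policy, and the safety argument in the comment above it rests entirely on the submodule at `../../submodules/kms/ami-key` granting only the two actions named there, which this hunk cannot show; a comment on that line, `# "*" principal — acceptable only while the submodule grants just kms:ReEncryptFrom/kms:DescribeKey; re-check whenever that submodule changes`, keeps the coupling visible to the next maintainer. The commented-out `account_arns` expression at the top of `locals` and the two commented `key_attacher_arns` alternatives read as leftovers from the remake; either drop them or reduce them to a one-line note, since the per-account expression is what a reader would expect to be live. `output other` exposes `local.account_arns` from main.tf while the module's outputs live in outputs.tf; if it was for debugging, remove it, otherwise move it there under a descriptive name. `all_keys` is assigned but not referenced in any of the three files in this commit.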

+ 3 - 0
base/lcp_ami_key/outputs.tf

@@ -0,0 +1,3 @@
+output key_arn { 
+  value = module.shared_ami_key.key_arn
+}

+ 14 - 0
base/lcp_ami_key/vars.tf

@@ -0,0 +1,14 @@
+# variables from terragrunt.hcl
+variable tags { type = map }
+
+
+# inherited variables
+variable standard_tags { type = map }
+variable aws_account_id { type = string }
+variable aws_partition { type = string }
+
+variable customer_account_list { 
+  type = list 
+  default = []
+}
+variable account_list { type = list }
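Review bot: `customer_account_list` is declared here with a default, but its only use in main.tf is inside the commented-out `account_arns` expression, so it is an unused input that still shows up in the module's interface. The bare `type = map` and `type = list` declarations are the legacy element-less forms; `list(string)` for the two account lists (they are interpolated into an `arn:` string in main.tf) and `map(string)` for the tag maps would state the intent and reject malformed values at plan time.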