locals {
  # Earlier variant, kept for reference: build the principal list from
  # var.customer_account_list plus local.account_list, emitting one account
  # root ARN per entry and a bare "*" wherever an entry is literally "*".
  #
  # account_arns = sort(concat(
  #   [for account in concat(var.customer_account_list, local.account_list) :
  #     "arn:${var.aws_partition}:iam::${account}:root" if account != "*"],
  #   [for account in concat(var.customer_account_list, local.account_list) :
  #     "*" if account == "*"],
  # ))
  #
  # The LCP AMI key is deliberately usable by any principal. Rationale:
  #   * The AMIs themselves are only shared with specific AWS accounts.
  #   * The policy defined in the submodule is expected to permit remote
  #     principals only two IAM actions: kms:ReEncryptFrom and kms:DescribeKey.
  #   * Granting those limited rights to "anyone" is acceptable because the
  #     only way to see a volume encrypted under this key is to launch the
  #     AMI, which requires being on the AMI's share list.
  #
  # Consequently this key must not be used for anything other than the LCP
  # AMI EBS volume(s): any other use would inherit the wildcard principal.
  # NOTE(review): the argument rests on the submodule actually limiting remote
  # principals to those two actions — confirm against ../../submodules/kms/ami-key.
  account_arns = ["*"]

  # One mdr_terraformer role ARN per managed account, sorted so the plan is
  # stable regardless of the input ordering.
  terraformer_arns = sort([
    for account in local.account_list :
    "arn:${var.aws_partition}:iam::${account}:role/user/mdr_terraformer"
  ])

  # Every KMS key ARN managed by this module (currently only the shared AMI key).
  all_keys = [module.shared_ami_key.key_arn]
}

# Exposes the remote-principal list applied to the shared AMI key.
output "other" {
  value = local.account_arns
}

# KMS key used exclusively to encrypt the LCP AMIs shared with external clients.
module "shared_ami_key" {
  source = "../../submodules/kms/ami-key"

  name        = "lcp_ami_key"
  alias       = "alias/lcp_ami_key"
  description = "Key for encrypting the LCP AMIs to be shared with external clients."
  tags        = merge(local.standard_tags, var.tags)

  aws_account_id = var.aws_account_id
  aws_partition  = var.aws_partition
  standard_tags  = local.standard_tags

  # No dedicated admins or users: the submodule's own policy governs access.
  key_admin_arns = []
  key_user_arns  = []

  # Attach rights are limited to the terraformer roles; previously tried
  # values were local.account_arns and an empty list.
  key_attacher_arns = local.terraformer_arns

  # Wildcard principal — see the rationale on local.account_arns above.
  remote_account_arns = local.account_arns
}