# Control-plane (key-management) permissions for IAM administrators.
#
# Scope note for reviewers: every action below is granted on resources = ["*"],
# i.e. on every CMK in the account, and several of the action wildcards are
# broad — "kms:Put*" matches kms:PutKeyPolicy (rewriting a key's policy) and
# "kms:Create*" matches kms:CreateKey / kms:CreateGrant. Data-plane actions
# (Encrypt, Decrypt, GenerateDataKey, ReEncrypt) are not in the list.
data "aws_iam_policy_document" "iam_admin_kms" {
  # checkov:skip=CKV_AWS_109: see tfsec aws-iam-no-policy-wildcard ignore comment
  # checkov:skip=CKV_AWS_111: see tfsec aws-iam-no-policy-wildcard ignore comment
  # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
  statement {
    sid    = "AllowKMSthings"
    effect = "Allow"

    # TODO(lockdown): once baselined, narrow this to explicit key ARNs (or a
    # tag-based condition) so the wildcard ignores above can be removed.
    resources = ["*"]

    # Order is kept as-is: the rendered JSON follows list order, and reordering
    # would change the policy document text even though permissions are equal.
    actions = [
      # wildcard families (each expands to every kms:<Prefix>* API)
      "kms:Create*",
      "kms:Describe*",
      "kms:Enable*",
      "kms:List*",
      "kms:Put*",
      "kms:Update*",
      "kms:Revoke*",
      "kms:Disable*",
      "kms:Get*",
      "kms:Delete*",
      # explicitly named APIs
      "kms:TagResource",
      "kms:UntagResource",
      "kms:ScheduleKeyDeletion",
      "kms:CancelKeyDeletion"
    ]
  }
}

# Customer-managed policy wrapping the document above. The attachment to the
# IAM-admin principals is not part of this file's visible portion.
resource "aws_iam_policy" "iam_admin_kms" {
  name        = "iam_admin_kms"
  description = "KMS access for IAM admins"
  path        = "/user/"
  policy      = data.aws_iam_policy_document.iam_admin_kms.json
}