locals {
  # For the default EBS key, we allow the entire account access
  root_arn = "arn:${var.aws_partition}:iam::${var.aws_account_id}:root"
}

module "jira_key" {
  source = "../../../submodules/kms/ebs-key"

  name              = "${var.identifier}_key"
  alias             = "alias/${var.identifier}"
  description       = "encrypt and decrypt the ${var.identifier} RDS" # updated to match legacy
  tags              = merge(var.standard_tags, var.tags)
  key_admin_arns    = []
  key_user_arns     = concat([local.root_arn], var.extra_key_users)
  key_attacher_arns = concat([local.root_arn], var.extra_key_attachers)
  standard_tags     = var.standard_tags
  aws_account_id    = var.aws_account_id
  aws_partition     = var.aws_partition
  is_legacy         = var.is_legacy
}