data "aws_kms_key" "shared_ami_key" {
  key_id = "alias/shared_ami_key"
  provider = aws.common
}

resource "aws_iam_service_linked_role" "AWSServiceRoleForAutoScaling" {
  aws_service_name = "autoscaling.amazonaws.com"
}

resource "aws_kms_grant" "ASG_access_to_Shared_AMI" {
  name              = "ASG_access_to_Shared_AMI"
  key_id            = data.aws_kms_key.shared_ami_key.arn
  grantee_principal = aws_iam_service_linked_role.AWSServiceRoleForAutoScaling.arn
  operations        = [
    "Decrypt",
    "Encrypt",
    "GenerateDataKey",
    "GenerateDataKeyWithoutPlaintext",
    "ReEncryptFrom",
    "ReEncryptTo",
    "CreateGrant",
    "RetireGrant",
    "DescribeKey",
  ]

  depends_on = [ aws_iam_service_linked_role.AWSServiceRoleForAutoScaling ]
}