locals {
  # For the default EBS key, we allow the entire account access
  root_arn = "arn:${var.aws_partition}:iam::${var.aws_account_id}:root"
}

module "rhsso_key" {
  source = "../../submodules/kms/ebs-key"

  name = "rhsso_key"
  alias = "alias/rhsso"
  description = "encrypt and decrypt the rhsso RDS" 
  tags = merge(var.standard_tags, var.tags)
  key_admin_arns = [ ]
  key_user_arns = concat([ local.root_arn ], var.extra_key_users)
  key_attacher_arns = concat([ local.root_arn ], var.extra_key_attachers)
  standard_tags = var.standard_tags
  aws_account_id = var.aws_account_id
  aws_partition = var.aws_partition
}