- locals {
- #account_arns = sort(
- # concat(
- # [ for account in concat(var.customer_account_list,local.account_list):
- # "arn:${var.aws_partition}:iam::${account}:root" if account != "*"
- # ],
- # [ for account in concat(var.customer_account_list,local.account_list):
- # "*" if account == "*"
- # ]
- #))
- # LCP AMI Key should allow anyone and everyone to use it. Rationale:
- # * The AMIs themselves only get shared with specific AWS accounts
- # * Only two IAM Actions are permitted by the policy defined in the
- # submodule: kms:ReEncryptFrom and kms:DescribeKey.
- # *Giving these limited rights to "anyone" should be fine, given the only way
- # to see the volumes encrypted using this key is by launching the AMI
- # which you have to be whitelisted to
- #
- # It is, however, incumbent on us to not use this particular KMS for any
- # other purpose other than the LCP AMI(s) EBS volume(s).
- account_arns = ["*"]
- terraformer_arns = sort([
- for account in local.account_list :
- "arn:${var.aws_partition}:iam::${account}:role/user/mdr_terraformer"
- ])
- all_keys = concat([module.shared_ami_key.key_arn])
- }
- output "other" {
- value = local.account_arns
- }
- module "shared_ami_key" {
- source = "../../submodules/kms/ami-key"
- name = "lcp_ami_key"
- alias = "alias/lcp_ami_key"
- description = "Key for encrypting the LCP AMIs to be shared with external clients."
- tags = merge(local.standard_tags, var.tags)
- key_admin_arns = []
- key_user_arns = []
- #key_attacher_arns = local.account_arns
- key_attacher_arns = local.terraformer_arns
- #key_attacher_arns = [ ]
- standard_tags = local.standard_tags
- aws_account_id = var.aws_account_id
- aws_partition = var.aws_partition
- remote_account_arns = local.account_arns
- }