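# Customer-managed KMS key whose access is defined entirely by the key policy
# built below. The account root is intentionally absent from that policy, so
# IAM identity policies in this account cannot grant use of the key on their
# own: a principal must be listed in one of the statements (or receive a grant).

locals {
  # Role that always keeps full administrative and usage rights on the key,
  # independent of whatever the caller passes in the *_arns variables.
  terraformer_arn = "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer"
}

resource "aws_kms_key" "key" {
  description         = var.description
  enable_key_rotation = true # automatic rotation of the backing key material
  policy              = data.aws_iam_policy_document.kms_policy.json

  # merge() lets later maps win on duplicate keys, so var.tags may override Name.
  tags = merge(
    var.standard_tags,
    { "Name" = var.name },
    var.tags
  )
}

resource "aws_kms_alias" "alias" {
  name          = var.alias # KMS expects the "alias/" prefix; not validated here
  target_key_id = aws_kms_key.key.key_id
}

data "aws_iam_policy_document" "kms_policy" {
  policy_id = "${var.name}-policy"

  # Full control (kms:*). The account root is deliberately not listed; see the
  # header comment. Trade-off: if MDRAdmin or the terraformer role is deleted
  # and recreated, KMS keeps only the old principal's unique ID in the policy,
  # so the key could become unmanageable without AWS support. Applies must
  # also run as one of these principals, otherwise the KMS policy-lockout
  # safety check is expected to reject the PutKeyPolicy call.
  statement {
    sid    = "Enable IAM User Permissions"
    effect = "Allow"
    principals {
      type = "AWS"
      identifiers = [
        # The 'root' account is the entire account, we don't want that
        #"arn:${var.aws_partition}:iam::${var.aws_account_id}:root"
        "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin", # MDRAdmin as a break glass
        local.terraformer_arn,                                                 # Terraformer always gets full access
      ]
    }
    actions   = ["kms:*"]
    resources = ["*"]
  }

  # Key administration without data-plane use: no Encrypt/Decrypt/GenerateDataKey
  # here. Note that kms:Put* covers PutKeyPolicy, so anyone in key_admin_arns can
  # rewrite this policy and is effectively a full-control principal.
  statement {
    sid    = "Allow access for Key Administrators"
    effect = "Allow"
    principals {
      type = "AWS"
      # distinct() avoids a duplicate entry when the caller already listed the terraformer role
      identifiers = distinct(concat(var.key_admin_arns, [local.terraformer_arn]))
    }
    actions = [
      "kms:Create*",
      "kms:Describe*",
      "kms:Enable*",
      "kms:List*",
      "kms:Put*",
      "kms:Update*",
      "kms:Revoke*",
      "kms:Disable*",
      "kms:Get*",
      "kms:Delete*",
      "kms:TagResource",
      "kms:UntagResource",
      "kms:ScheduleKeyDeletion",
      "kms:CancelKeyDeletion"
    ]
    resources = ["*"]
  }

  # Data-plane use of the key (the standard "key user" action set).
  statement {
    sid    = "Allow use of the key"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = distinct(concat(var.key_user_arns, [local.terraformer_arn]))
    }
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey"
    ]
    resources = ["*"]
  }

  # Grant management. Without the kms:GrantIsForAWSResource condition below, an
  # attacher can create grants for arbitrary principals, i.e. delegate key use
  # beyond what this policy lists. The condition stays disabled because the
  # terraformer needs to grant to the ASG service; CreateGrant calls on this key
  # are therefore worth watching in CloudTrail, and ListGrants/RevokeGrant are
  # included so stale grants can be audited and removed.
  statement {
    sid    = "Allow attachment of persistent resources"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = distinct(concat(var.key_attacher_arns, [local.terraformer_arn]))
    }
    actions = [
      "kms:CreateGrant",
      "kms:ListGrants",
      "kms:RevokeGrant"
    ]
    resources = ["*"]

    # This condition is great, but means terraformer can't grant to the asg service
    #    condition {
    #  test = "Bool"
    #  variable =  "kms:GrantIsForAWSResource"
    #  values = [ "true" ]
    #}
  }

  # Disabled: would hand kms:* to the vmimport service role. Kept for history.
  #statement {
  # sid = "Allow vmimport to decrypt SSE-KMS key"
  # effect = "Allow"
  # principals {
  #   type = "AWS"
  #   identifiers = [ "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/vmimport" ]
  # }
  # actions = [ "kms:*" ]
  # resources = [ "*" ]
  #}

  # Cross-account access limited to ReEncryptFrom (re-encrypting data that is
  # currently under this key, typically onto a key of the remote account's
  # own) and DescribeKey; no Decrypt or Encrypt. If the ARNs passed in are
  # account-root ARNs, the remote account's own IAM policies then decide which
  # of its principals may use this access. The statement is only emitted when
  # remote ARNs are supplied, so an empty list does not produce a principals
  # block with no identifiers in the policy document.
  dynamic "statement" {
    for_each = length(var.remote_account_arns) > 0 ? [1] : []
    content {
      sid    = "Allow use of the key by external accounts"
      effect = "Allow"
      principals {
        type        = "AWS"
        identifiers = var.remote_account_arns
      }
      actions = [
        "kms:ReEncryptFrom",
        "kms:DescribeKey"
      ]
      resources = ["*"]
    }
  }
}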