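locals {
  # Principals granted remote access to the LCP AMI key through the key policy
  # built by ../../submodules/kms/ami-key (passed below as remote_account_arns).
  #
  # This is deliberately a wildcard principal: "*" means every AWS principal in
  # every account, not just the accounts the AMIs are shared with.  Rationale
  # given by the original author:
  #   * The AMIs themselves are only shared with specific AWS accounts.
  #   * The policy defined in the submodule is stated to grant remote principals
  #     only kms:ReEncryptFrom and kms:DescribeKey.
  #   * With only those two actions, the only way to reach the encrypted
  #     volumes is to launch the AMI, which requires being whitelisted.
  #
  # Caveats for reviewers (none of this is enforced by this file):
  #   * The action restriction lives in the submodule, not here.  Any change to
  #     the submodule's remote-principal statement (e.g. adding kms:Decrypt or
  #     kms:CreateGrant) becomes world-reachable through this "*" without any
  #     diff in this file.  Re-check the submodule when touching either side.
  #   * A Principal of "*" with no Condition is reachable cross-account.  If the
  #     consumers are ever all within one AWS Organization, an
  #     aws:PrincipalOrgID condition in the submodule is a tighter alternative
  #     to a bare wildcard.  (TODO confirm whether that applies to these
  #     "external clients".)
  #   * Because of the wildcard, this key must NOT be reused for anything other
  #     than the LCP AMI EBS volume(s).
  #
  # An earlier alternative expanded var.customer_account_list + local.account_list
  # into "arn:<partition>:iam::<account>:root" ARNs (passing "*" through
  # unchanged); it was superseded by the wildcard and is left to version history.
  account_arns = ["*"]

  # mdr_terraformer role in each account in local.account_list.  sort() keeps
  # plan output stable regardless of the order local.account_list is written in.
  terraformer_arns = sort([
    for account in local.account_list :
    "arn:${var.aws_partition}:iam::${account}:role/user/mdr_terraformer"
  ])

  # Single-element list of key ARNs; concat() of one list was a no-op.
  all_keys = [module.shared_ami_key.key_arn]
}

output "other" {
  description = "Principal ARNs granted remote access to the shared LCP AMI key (currently the wildcard principal \"*\")."
  value       = local.account_arns
}

module "shared_ami_key" {
  source = "../../submodules/kms/ami-key"

  name        = "lcp_ami_key"
  alias       = "alias/lcp_ami_key"
  description = "Key for encrypting the LCP AMIs to be shared with external clients."
  tags        = merge(local.standard_tags, var.tags)

  # No explicit key admins or key users are configured in this file; how the
  # submodule handles empty lists is defined there, not here.
  key_admin_arns = []
  key_user_arns  = []

  # Only the per-account mdr_terraformer roles may attach the key.  Earlier
  # candidates were local.account_arns (the wildcard) and an empty list; the
  # wildcard is intentionally NOT used here.
  key_attacher_arns = local.terraformer_arns

  standard_tags       = local.standard_tags
  aws_account_id      = var.aws_account_id
  aws_partition       = var.aws_partition
  remote_account_arns = local.account_arns
}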