fix: kms policy fixed (#55)

dverma-cd · web-flow · commit a95d8c8ce420 · 2023-09-15T13:55:00.000-04:00
* fix: kms policy fixed

* tflint error fixed
diff --git a/_example/complete/example.tf b/_example/complete/example.tf
@@ -2,7 +2,7 @@
 ## Provider block added, Use the Amazon Web Services (AWS) provider to interact with the many resources supported by AWS.
 ####----------------------------------------------------------------------------------
 provider "aws" {
-  region = "eu-west-1"
+  region = "us-west-1"
 }
 
 locals {
@@ -31,7 +31,7 @@ module "public_subnets" {
   name               = "public-subnet"
   environment        = local.environment
   label_order        = local.label_order
-  availability_zones = ["eu-west-1b", "eu-west-1c"]
+  availability_zones = ["us-west-1b", "us-west-1c"]
   vpc_id             = module.vpc.vpc_id
   cidr_block         = module.vpc.vpc_cidr_block
   type               = "public"
@@ -91,7 +91,7 @@ module "ec2" {
   ssh_allowed_ports = [22]
   #Instance
   instance_count = 1
-  ami            = "ami-08d658f84a6d84a80"
+  ami            = "ami-0f8e81a3da6e2510a"
   instance_type  = "t2.nano"
 
   #Keypair
diff --git a/main.tf b/main.tf
@@ -120,6 +120,8 @@ resource "aws_kms_key" "default" {
   tags                     = module.labels.tags
 }
 
+data "aws_caller_identity" "this" {}
+
 resource "aws_kms_alias" "default" {
   count         = var.enable && var.kms_key_enabled && var.kms_key_id == "" ? 1 : 0
   name          = coalesce(var.alias, format("alias/%v", module.labels.id))
@@ -133,12 +135,11 @@ data "aws_iam_policy_document" "kms" {
     effect = "Allow"
     principals {
       type        = "AWS"
-      identifiers = ["*"]
+      identifiers = [format("arn:aws:iam::%s:root", data.aws_caller_identity.this.account_id)]
     }
     actions   = ["kms:*"]
     resources = ["*"]
   }
-
 }
 
 ##----------------------------------------------------------------------------------
diff --git a/variables.tf b/variables.tf
@@ -234,7 +234,7 @@ variable "cpu_core_count" {
 
 variable "iam_instance_profile" {
   type        = string
-  default     = ""
+  default     = null
   description = "The IAM Instance Profile to launch the instance with. Specified as the name of the Instance Profile."
 }
 
@@ -495,12 +495,6 @@ variable "public_key" {
   sensitive   = true
 }
 
-variable "key_path" {
-  type        = string
-  default     = ""
-  description = "Name  (e.g. `~/.ssh/id_rsa.pub`)."
-}
-
 ###### spot
 variable "spot_instance_enabled" {
   type        = bool

Original file line number	Diff line number	Diff line change
`@@ -120,6 +120,8 @@ resource "aws_kms_key" "default" {`
`120`	`120`	`tags = module.labels.tags`
`121`	`121`	`}`
`122`	`122`
	`123`	`+data "aws_caller_identity" "this" {}`
	`124`	`+`
`123`	`125`	`resource "aws_kms_alias" "default" {`
`124`	`126`	`count = var.enable && var.kms_key_enabled && var.kms_key_id == "" ? 1 : 0`
`125`	`127`	`name = coalesce(var.alias, format("alias/%v", module.labels.id))`
`@@ -133,12 +135,11 @@ data "aws_iam_policy_document" "kms" {`
`133`	`135`	`effect = "Allow"`
`134`	`136`	`principals {`
`135`	`137`	`type = "AWS"`
`136`		`- identifiers = ["*"]`
	`138`	`+ identifiers = [format("arn:aws:iam::%s:root", data.aws_caller_identity.this.account_id)]`
`137`	`139`	`}`
`138`	`140`	`actions = ["kms:*"]`
`139`	`141`	`resources = ["*"]`
`140`	`142`	`}`
`141`		`-`
`142`	`143`	`}`
`143`	`144`
`144`	`145`	`##----------------------------------------------------------------------------------`