
Provide canned policies #25

Open
alexjurkiewicz opened this issue Feb 25, 2021 · 3 comments

Comments

@alexjurkiewicz (Contributor)

This module currently creates KMS keys with a policy stating "any IAM user/role can do anything with this key".

If you want a more restrictive policy, you have to write it yourself.

I think it would be valuable for the module to offer some canned policies that can be used instead.

This is a proposal for giving module users more flexible tools for controlling the key policy.

If you like the design, we can discuss the details, and I am interested in implementing it.

Expected Behavior

var.policy takes precedence over the below. If it is set, the other proposed variables are ignored.

var.canned_policy has a few options, like:

  • aws-service-use (the key can only be attached to AWS resources, like RDS encryption)

var.extra_policy_statements lets you provide IAM policy statements that will be appended to the policy (it works with the default policy and with all canned policies). For example:

```hcl
extra_policy_statements = [
  {
    Sid    = "Allow encryption by userupload app"
    Effect = "Allow"
    Principal = {
      AWS = "arn:aws:iam...:role/userupload"
    }
    Action   = "kms:Encrypt"
    Resource = "*"
  },
  {
    Sid    = "Allow decryption by userdownload app"
    Effect = "Allow"
    Principal = {
      AWS = "arn:aws:iam...:role/userdownload"
    }
    Action   = "kms:Decrypt"
    Resource = "*"
  },
]
```
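The following is an added example of how the proposal above could be assembled into a key policy in Terraform. It is not the module's code and not code from the issue author; the variable names (`policy`, `canned_policy`, `extra_policy_statements`, `allowed_services`), the `default` canned option and the exact statement contents are assumptions chosen to illustrate the design. The `aws-service-use` policy restricts cryptographic operations to calls made through the listed AWS services from this account, using the `kms:ViaService` and `kms:CallerAccount` condition keys, while key administration stays with the account root principal.

```hcl
# Added example (not the module's own code). Variable names are assumptions.

variable "policy" {
  description = "Full key policy JSON. When set, every other policy variable is ignored."
  type        = string
  default     = null
}

variable "canned_policy" {
  description = "Which generated policy to start from when var.policy is not set."
  type        = string
  default     = "default"
  validation {
    condition     = contains(["default", "aws-service-use"], var.canned_policy)
    error_message = "canned_policy must be one of: default, aws-service-use."
  }
}

variable "extra_policy_statements" {
  # Typed as `any` so statements with and without a Condition block can be mixed.
  description = "Statements appended to the generated policy."
  type        = any
  default     = []
}

variable "allowed_services" {
  # kms:ViaService values, e.g. "rds.us-east-1.amazonaws.com" (assumed default).
  description = "AWS service endpoints allowed to use the key on a caller's behalf."
  type        = list(string)
  default     = ["rds.us-east-1.amazonaws.com"]
}

data "aws_caller_identity" "current" {}

locals {
  account_id  = data.aws_caller_identity.current.account_id
  account_arn = "arn:aws:iam::${local.account_id}:root"

  # "default": what KMS generates when no policy is supplied. The root principal
  # gets kms:*, which delegates all access decisions to IAM policies in the account.
  default_statements = [
    {
      Sid       = "Enable IAM User Permissions"
      Effect    = "Allow"
      Principal = { AWS = local.account_arn }
      Action    = "kms:*"
      Resource  = "*"
    },
  ]

  # "aws-service-use": administration stays with the account, but Encrypt/Decrypt
  # and friends are only allowed when an AWS service in this account makes the
  # call on the caller's behalf (kms:ViaService). Direct kms:Decrypt from a role
  # is denied because the ViaService key is absent in that request.
  service_use_statements = [
    {
      Sid       = "KeyAdministration"
      Effect    = "Allow"
      Principal = { AWS = local.account_arn }
      Action = [
        "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
        "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
        "kms:TagResource", "kms:UntagResource",
        "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
      ]
      Resource = "*"
    },
    {
      Sid       = "UseOnlyViaAwsServices"
      Effect    = "Allow"
      Principal = { AWS = "*" }
      Action = [
        "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
        "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant",
      ]
      Resource = "*"
      Condition = {
        StringEquals = {
          "kms:CallerAccount" = local.account_id
          "kms:ViaService"    = var.allowed_services
        }
      }
    },
  ]

  canned = {
    "default"         = local.default_statements
    "aws-service-use" = local.service_use_statements
  }

  generated_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = concat(local.canned[var.canned_policy], var.extra_policy_statements)
  })

  # var.policy takes precedence over everything generated above.
  key_policy = var.policy != null ? var.policy : local.generated_policy
}

resource "aws_kms_key" "this" {
  description = "example key (added example)"
  policy      = local.key_policy
}
```

Two caveats a reviewer would raise against any implementation of this shape: the `KeyAdministration` statement deliberately omits `kms:Encrypt`/`kms:Decrypt`, since an "admin" who can also read ciphertext defeats the point of the canned policy; and `Principal = { AWS = "*" }` is only safe because the `kms:CallerAccount` condition pins it to this account, so that condition must never be dropped when the statement is edited.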
@jamengual (Contributor)

This sounds good to me.
If you want, send a PR over and we will review it.

alexjurkiewicz added a commit to alexjurkiewicz/terraform-aws-kms-key that referenced this issue Mar 2, 2021
Instead of relying on KMS to generate a default policy, generate one
ourselves, and expose some new variables for users to easily modify it.

Now users can explicitly specify who (if anyone) should be key admins,
users and grantors. Additionally, they can add custom statements to the
default policy to simplify adding small grants.

Closes cloudposse#25.
alexjurkiewicz added a commit to alexjurkiewicz/terraform-aws-kms-key that referenced this issue Mar 4, 2021
(same commit message as the Mar 2 commit above)
@dstrates

@alexjurkiewicz This module is still in need of a simple policy system. Any chance of getting PR #26 merged?

@alexjurkiewicz (Contributor, Author)

alexjurkiewicz commented Oct 30, 2022 via email
