From 5af33d3e9ccad2b63f646ba80e20f3d5e8281f16 Mon Sep 17 00:00:00 2001
From: Kit Ewbank
Date: Tue, 7 Dec 2021 10:13:25 -0500
Subject: [PATCH 1/4] r/aws_kms_key: Add acceptance test for policy with boolean condition.
---
 internal/service/kms/key_test.go | 65 ++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
diff --git a/internal/service/kms/key_test.go b/internal/service/kms/key_test.go
index 8e314ad653e..af6cd7dfeaa 100644
--- a/internal/service/kms/key_test.go
+++ b/internal/service/kms/key_test.go
@@ -315,6 +315,27 @@ func TestAccKMSKey_Policy_iamServiceLinkedRole(t *testing.T) {
 })
 }
+func TestAccKMSKey_Policy_booleanCondition(t *testing.T) {
+ var key kms.KeyMetadata
+ rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+ resourceName := "aws_kms_key.test"
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { acctest.PreCheck(t) },
+ ErrorCheck: acctest.ErrorCheck(t, kms.EndpointsID),
+ Providers: acctest.Providers,
+ CheckDestroy: testAccCheckKeyDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccKeyPolicyBooleanConditionConfig(rName),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckKeyExists(resourceName, &key),
+ ),
+ },
+ },
+ })
+}
+
 func TestAccKMSKey_isEnabled(t *testing.T) {
 var key1, key2, key3 kms.KeyMetadata
 rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
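Review bot: The step's only assertion is testAccCheckKeyExists, so the boolean condition the test is named for is never compared against anything explicitly; what actually exercises it is the framework's post-apply refresh-and-plan, which fails only if the policy read back from the API no longer matches the configuration, and nothing in the function says that this is the intent. A one-line comment above the function would make that durable, e.g. `// Regression test: a key policy whose Condition uses a JSON boolean (true, not "true") must apply without a perpetual diff.` — confirm the wording against whatever report motivated the test. If the file's other Policy tests carry an ImportState/ImportStateVerify step (not visible in this hunk), this one should as well, so the policy is also checked through the import read path.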
@@ -826,6 +847,50 @@ resource "aws_kms_key" "test" {
 `, rName)
 }
+func testAccKeyPolicyBooleanConditionConfig(rName string) string {
+ return fmt.Sprintf(`
+data "aws_caller_identity" "current" {}
+
+resource "aws_kms_key" "test" {
+ description = %[1]q
+ deletion_window_in_days = 7
+
+ policy = jsonencode({
+ Id = %[1]q
+ Statement = [
+ {
+ Sid = "Enable IAM User Permissions"
+ Effect = "Allow"
+ Principal = {
+ AWS = "*"
+ }
+ Action = "kms:*"
+ Resource = "*"
+ },
+ {
+ Action = [
+ "kms:CreateGrant",
+ "kms:ListGrants",
+ "kms:RevokeGrant"
+ ]
+ Effect = "Allow"
+ Principal = {
+ AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+ }
+ Condition = {
+ Bool = {
+ "kms:GrantIsForAWSResource" = true
+ }
+ }
+ Resource = "*"
+ Sid = "Allow attachment of persistent resources"
+ }]
+ Version = "2012-10-17"
+ })
+}
+`, rName)
+}
+
 func testAccKey_removedPolicy(rName string) string {
 return fmt.Sprintf(`
 resource "aws_kms_key" "test" {
From 22eda7eec662c94a1532c848b7648997a38b3090 Mon Sep 17 00:00:00 2001
From: Kit Ewbank
Date: Tue, 7 Dec 2021 10:26:29 -0500
Subject: [PATCH 2/4] Fix terrafmt errors.
---
 internal/service/kms/key_test.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/internal/service/kms/key_test.go b/internal/service/kms/key_test.go
index af6cd7dfeaa..d76658dd1fa 100644
--- a/internal/service/kms/key_test.go
+++ b/internal/service/kms/key_test.go
@@ -864,6 +864,7 @@ resource "aws_kms_key" "test" {
 Principal = {
 AWS = "*"
 }
+
 Action = "kms:*"
 Resource = "*"
 },
@@ -873,15 +874,19 @@ resource "aws_kms_key" "test" {
 "kms:ListGrants",
 "kms:RevokeGrant"
 ]
+
 Effect = "Allow"
+
 Principal = {
 AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
 }
+
 Condition = {
 Bool = {
 "kms:GrantIsForAWSResource" = true
 }
 }
+
 Resource = "*"
 Sid = "Allow attachment of persistent resources"
 }]
From 82c3e79ae92494d09773a70608f559765e141219 Mon Sep 17 00:00:00 2001
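Review bot: The first statement of the new fixture grants `kms:*` to `Principal = { AWS = "*" }` with no Condition, which in a KMS key policy means any AWS principal in any account that also holds a matching IAM permission can administer and use this key for as long as the test resource lives; the `kms:GrantIsForAWSResource` condition only narrows the second statement, not this one. The fixture already computes the account root ARN for the second statement, so the first can use the same principal expression instead of the wildcard without changing what the test exercises: `AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"` (patch 4/4 of this series switches that expression to a `data.aws_partition` lookup, so follow that form). Acceptance fixtures tend to be copied into real configurations, which is why the wildcard is worth removing even though `deletion_window_in_days = 7` bounds the exposure; if the file's other policy fixtures use the same wildcard, the change is better made consistently across them.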
From: Kit Ewbank
Date: Tue, 7 Dec 2021 10:35:09 -0500
Subject: [PATCH 3/4] Fix terrafmt errors.
---
 internal/service/kms/key_test.go | 57 ++++++++++++++++----------------
 1 file changed, 29 insertions(+), 28 deletions(-)
diff --git a/internal/service/kms/key_test.go b/internal/service/kms/key_test.go
index d76658dd1fa..4cb7b7e3e93 100644
--- a/internal/service/kms/key_test.go
+++ b/internal/service/kms/key_test.go
@@ -858,38 +858,39 @@ resource "aws_kms_key" "test" {
 policy = jsonencode({
 Id = %[1]q
 Statement = [
- {
- Sid = "Enable IAM User Permissions"
- Effect = "Allow"
- Principal = {
- AWS = "*"
- }
-
- Action = "kms:*"
- Resource = "*"
- },
- {
- Action = [
- "kms:CreateGrant",
- "kms:ListGrants",
- "kms:RevokeGrant"
- ]
+ {
+ Action = "kms:*"
+ Effect = "Allow"
+ Principal = {
+ AWS = "*"
+ }
- Effect = "Allow"
+ Resource = "*"
+ Sid = "Enable IAM User Permissions"
+ },
+ {
+ Action = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey",
+ ]
+ Effect = "Allow"
+ Principal = {
+ AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+ }
- Principal = {
- AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
- }
+ Resource = "*"
+ Sid = "Enable IAM User Permissions"
- Condition = {
- Bool = {
- "kms:GrantIsForAWSResource" = true
+ Condition = {
+ Bool = {
+ "kms:GrantIsForAWSResource" = true
+ }
 }
- }
-
- Resource = "*"
- Sid = "Allow attachment of persistent resources"
- }]
+ },
+ ]
 Version = "2012-10-17"
 })
 }
From 50499077f383f711ab8c64c38f4125336c2a0869 Mon Sep 17 00:00:00 2001
From: Kit Ewbank
Date: Tue, 7 Dec 2021 11:50:48 -0500
Subject: [PATCH 4/4] Fix providerlint error: 'AWSAT005: avoid hardcoded ARN AWS partitions, use aws_partition data source'.
---
 internal/service/kms/key_test.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/internal/service/kms/key_test.go b/internal/service/kms/key_test.go
index 4cb7b7e3e93..b0c22951bad 100644
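Review bot: After this rewrite both statements carry `Sid = "Enable IAM User Permissions"`, and the second statement's actions are now Encrypt/Decrypt/ReEncrypt*/GenerateDataKey*/DescribeKey while it still keeps the `kms:GrantIsForAWSResource` condition, a key that is documented for the grant operations (CreateGrant, ListGrants, RevokeGrant) the previous version of the fixture listed. On an Encrypt or Decrypt request that key is absent from the request context, so a `Bool` test against it evaluates to false and the second statement never matches; the test still passes only because the first statement allows everything, which leaves the fixture demonstrating a boolean condition that can never be satisfied. Restoring the grant actions and a distinct Sid keeps the fixture meaningful: `Sid = "Allow attachment of persistent resources"` with `Action = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]`. Whether KMS rejects a duplicate Sid or merely accepts it is not visible here, but either way two statements with the same Sid are harder to audit, and the trailing blank line before `Condition = {` suggests the reordering was mechanical rather than intended.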
--- a/internal/service/kms/key_test.go
+++ b/internal/service/kms/key_test.go
@@ -851,6 +851,8 @@ func testAccKeyPolicyBooleanConditionConfig(rName string) string {
 return fmt.Sprintf(`
 data "aws_caller_identity" "current" {}
+data "aws_partition" "current" {}
+
 resource "aws_kms_key" "test" {
 description = %[1]q
 deletion_window_in_days = 7
@@ -878,7 +880,7 @@ resource "aws_kms_key" "test" {
 ]
 Effect = "Allow"
 Principal = {
- AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+ AWS = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"
 }
 Resource = "*"