fix policy

kayman-mk · kayman-mk · commit b1e9515d137d · 2025-03-03T22:15:52.000+01:00
diff --git a/modules/terminate-agent-hook/iam.tf b/modules/terminate-agent-hook/iam.tf
@@ -32,19 +32,38 @@ resource "aws_iam_role" "lambda" {
   tags                  = var.tags
 }
 
+resource "aws_iam_role_policy_attachment" "lambda_kms" {
+  count = var.kms_key_id != "" ? 1 : 0
+
+  role       = aws_iam_role.lambda.name
+  policy_arn = aws_iam_policy.lambda_kms.arn
+}
+
+resource "aws_iam_policy" "lambda_kms" {
+  count = var.kms_key_id != "" ? 1 : 0
+
+  name   = "${var.name_iam_objects}-${var.name}-lambda-kms"
+  path   = "/"
+  policy = data.aws_iam_policy_document.kms_key.json
+
+  tags = var.tags
+}
+
+data "aws_iam_policy_document" "kms_key" {
+  count = var.kms_key_id != "" ? 1 : 0
 
-# This IAM policy is used by the Lambda function.
-data "aws_iam_policy_document" "lambda" {
   # checkov:skip=CKV_AWS_111:Write access is limited to the resources needed
   statement {
     sid = "AllowKmsAccess"
     actions = [
       "kms:Decrypt", # to decrypt the Lambda environment variables
     ]
     resources = [var.kms_key_id]
-    effect    = "Allow"
+    effect = "Allow"
   }
+}
 
+data "aws_iam_policy_document" "lambda" {
   # Permit the function to get a list of instances
   statement {
     sid = "GitLabRunnerLifecycleGetInstances"
diff --git a/modules/terminate-agent-hook/variables.tf b/modules/terminate-agent-hook/variables.tf
@@ -57,7 +57,7 @@ variable "name_docker_machine_runners" {
 }
 
 variable "kms_key_id" {
-  description = "KMS key id to encrypt the resources, e.g. logs, lambda environment variables, ..."
+  description = "(optional) KMS key id to encrypt the resources, e.g. logs, lambda environment variables, ..."
   type        = string
 }
 

Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ variable "name_docker_machine_runners" {`
`57`	`57`	`}`
`58`	`58`
`59`	`59`	`variable "kms_key_id" {`
`60`		`- description = "KMS key id to encrypt the resources, e.g. logs, lambda environment variables, ..."`
	`60`	`+ description = "(optional) KMS key id to encrypt the resources, e.g. logs, lambda environment variables, ..."`
`61`	`61`	`type = string`
`62`	`62`	`}`
`63`	`63`