fix: remove ViaService condition from KMS alias creation policy

johncblandii · claude · johncblandii · commit be815717eba0 · 2025-11-12T14:14:57.000-06:00
The ViaService condition restricting alias creation to EC2 would prevent Terraform from creating the KMS alias. Keeping only the CallerAccount condition allows principals in the account to create aliases while maintaining proper account scoping. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/src/kms.tf b/src/kms.tf
@@ -96,11 +96,6 @@ data "aws_iam_policy_document" "cloudtrail_kms_key_policy" {
       variable = "kms:CallerAccount"
       values   = [local.aws_account_id]
     }
-    condition {
-      test     = "StringEquals"
-      variable = "kms:ViaService"
-      values   = ["ec2.${var.region}.amazonaws.com"]
-    }
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -96,11 +96,6 @@ data "aws_iam_policy_document" "cloudtrail_kms_key_policy" {`
`96`	`96`	`variable = "kms:CallerAccount"`
`97`	`97`	`values = [local.aws_account_id]`
`98`	`98`	`}`
`99`		`- condition {`
`100`		`- test = "StringEquals"`
`101`		`- variable = "kms:ViaService"`
`102`		`- values = ["ec2.${var.region}.amazonaws.com"]`
`103`		`- }`
`104`	`99`	`}`
`105`	`100`	`}`
`106`	`101`