
Commit d9d274d

Always grant deployer access to KMS key
1 parent fa57eef commit d9d274d

1 file changed

+8
-1
lines changed

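--- a/cloudtrail.tf
+++ b/cloudtrail.tf
@@ -42,6 +42,12 @@ resource "aws_kms_alias" "cloudtrail" {
 target_key_id = "${aws_kms_key.cloudtrail.key_id}"
 }
 
+# KMS requires that the creator has access to the key so you don't lock yourself out
+locals {
+my_role_name = "${split("/", data.aws_caller_identity.master.arn)[1]}"
+my_role_arn = "arn:aws:iam::${data.aws_caller_identity.master.account_id}:role/${local.my_role_name}"
+}
+
 resource "aws_kms_key" "cloudtrail" {
 provider = aws.master
 
@@ -55,7 +61,8 @@ resource "aws_kms_key" "cloudtrail" {
 "Effect": "Allow",
 "Principal": {
 "AWS": [
-"arn:aws:iam::${data.aws_caller_identity.master.account_id}:role/${var.client_name}-role-console-breakglass"
+"arn:aws:iam::${data.aws_caller_identity.master.account_id}:role/${var.client_name}-role-console-breakglass",
+"${local.my_role_arn}"
 ]
 },
 "Action": [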
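Review bot: The `my_role_name` local in the first hunk takes element `[1]` of the caller ARN split on `/`, which only yields a role name when the deployer is an assumed role (`arn:aws:sts::ACCOUNT:assumed-role/NAME/SESSION`); for an IAM user ARN it yields the user name, and for a role created under a path the reconstructed `role/NAME` ARN drops the path, so in both cases the key policy references a principal that does not exist and the apply fails rather than preventing lockout. The second hunk then places whatever principal ran the last apply into the same `Allow` statement as the breakglass role, so the effective key policy changes with the operator instead of being fixed in code — worth noting in the comment, since the grant persists in the key policy after that session ends; the statement's `Action` list continues outside the hunk, so its breadth cannot be judged here. Consider taking the deployer role ARN as an explicit input variable (or pinning it to a known CI role) and documenting the assumption inline, e.g. `# NOTE: assumes the deployer is an assumed IAM role (arn:aws:sts::ACCOUNT:assumed-role/NAME/SESSION); IAM-user or role-with-path ARNs will not map to a valid role ARN here`.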
