Update module to support conditions and modernize frameworks

ben-vaughan-nttd · ben-vaughan-nttd · commit 6d8b558198fa · 2025-11-25T10:27:15.000-06:00
- update policy object to support condition statements
- update tests to validate condition application
- update github workflows to latest versions
- update go modules
- update pre-commit configuration
diff --git a/.github/workflows/pull-request-label.yml b/.github/workflows/pull-request-label.yml
@@ -11,5 +11,5 @@ jobs:
       contents: read
       issues: write
       pull-requests: write
-    uses: launchbynttdata/launch-workflows/.github/workflows/reusable-pr-label-by-branch.yml@0.8.0
+    uses: launchbynttdata/launch-workflows/.github/workflows/reusable-pr-label-by-branch.yml@0.11.0
     secrets: inherit # pragma: allowlist secret
diff --git a/.github/workflows/pull-request-terraform-check.yml b/.github/workflows/pull-request-terraform-check.yml
@@ -15,7 +15,7 @@ jobs:
     permissions:
       contents: read
       id-token: write
-    uses: launchbynttdata/launch-workflows/.github/workflows/reusable-terraform-check-aws.yml@0.8.0
+    uses: launchbynttdata/launch-workflows/.github/workflows/reusable-terraform-check-aws.yml@0.11.0
     with:
       assume_role_arn: ${{ vars.TERRAFORM_CHECK_AWS_ASSUME_ROLE_ARN }}
       region: ${{ vars.TERRAFORM_CHECK_AWS_REGION }}
diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
@@ -14,5 +14,5 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
-    uses: launchbynttdata/launch-workflows/.github/workflows/reusable-release-on-merge.yml@0.8.0
+    uses: launchbynttdata/launch-workflows/.github/workflows/reusable-release-on-merge.yml@0.11.0
     secrets: inherit # pragma: allowlist secret
diff --git a/.gitignore b/.gitignore
@@ -2,8 +2,6 @@ terraform.*
 .repo/
 components/
 .semverbot.toml
-.tflint.hcl
-.golangci.yaml
 
 .idea
 !examples/*.tfvars
@@ -59,10 +57,7 @@ terraform.rc
 # Files from common modules
 azure_env.sh
 .releaserc.json
-.tflint.hcl
 
-# Pre-commit hook
-.pre-commit-config.yaml
 
 # VS Code
 .vscode/
@@ -75,3 +70,7 @@ azure_env.sh
 **/*.egg-info
 
 vendor/
+
+.envrc
+.env.local
+.env
diff --git a/.golangci.yaml b/.golangci.yaml
@@ -0,0 +1,5 @@
+version: "2"
+run:
+  # Timeout for analysis, e.g. 30s, 5m.
+  timeout: 5m
+  allow-parallel-runners: true
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,61 @@
+# .pre-commit-config.yaml
+repos:
+  - repo: local
+    hooks:
+      - id: forbidden-files
+        name: forbidden files
+        entry:
+          found Copier update rejection files; review and remove them before
+          merging.
+        language: fail
+        files: "\\.rej$"
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0
+    hooks:
+      - id: trailing-whitespace
+      - id: check-case-conflict
+      - id: check-executables-have-shebangs
+      - id: check-json
+      - id: check-merge-conflict
+        args: [--assume-in-merge]
+      - id: check-shebang-scripts-are-executable
+      - id: check-yaml
+        args:
+          - --allow-multiple-documents
+      - id: end-of-file-fixer
+      - id: mixed-line-ending
+        args:
+          - --fix=auto
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.99.0
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_validate
+      - id: terraform_docs
+        args:
+          - --hook-config=--path-to-file=README.md
+          - --hook-config=--add-to-existing-file=true
+          - --hook-config=--create-file-if-not-exist=true
+          - --args=--sort=false
+  - repo: https://github.com/golangci/golangci-lint
+    rev: v2.6.2
+    hooks:
+      - id: golangci-lint
+        name: golangci-lint
+        description: Fast linters runner for Go.
+        entry: golangci-lint run --fix
+        types: [go]
+        language: golang
+        pass_filenames: false
+  - repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
+    rev: v9.22.0
+    hooks:
+      - id: commitlint
+        stages: [commit-msg]
+        additional_dependencies: ["@commitlint/config-conventional"]
+  - repo: https://github.com/Yelp/detect-secrets
+    rev: v1.5.0
+    hooks:
+      - id: detect-secrets
+        args: ["--baseline", ".secrets.baseline"]
+        exclude: package.lock.json
diff --git a/.tflint.hcl b/.tflint.hcl
@@ -0,0 +1,4 @@
+plugin "terraform" {
+  enabled = true
+  preset  = "recommended"
+}
diff --git a/.tool-versions b/.tool-versions
@@ -1,5 +1,5 @@
 conftest 0.56.0
-golang 1.24.2
+golang 1.24.10
 golangci-lint 2.2.1
 pre-commit 4.2.0
 regula 3.2.1 # https://github.com/launchbynttdata/asdf-regula
diff --git a/README.md b/README.md
@@ -30,7 +30,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_key_id"></a> [key\_id](#input\_key\_id) | (Required) The ID of the KMS Key to attach the policy. | `string` | n/a | yes |
-| <a name="input_policy"></a> [policy](#input\_policy) | A JSON-formatted string that represents the key policy to attach to the KMS key. | <pre>map(object({<br/>    sid        = string<br/>    effect     = string<br/>    principals = map(list(string))<br/>    actions    = list(string)<br/>    resources  = list(string)<br/>  }))</pre> | `null` | no |
+| <a name="input_policy"></a> [policy](#input\_policy) | A JSON-formatted string that represents the key policy to attach to the KMS key. | <pre>map(object({<br/>    sid        = string<br/>    effect     = string<br/>    principals = map(list(string))<br/>    actions    = list(string)<br/>    resources  = list(string)<br/>    condition = optional(list(object({<br/>      test     = string<br/>      variable = string<br/>      values   = list(string)<br/>    })))<br/>  }))</pre> | n/a | yes |
 | <a name="input_bypass_policy_lockout_safety_check"></a> [bypass\_policy\_lockout\_safety\_check](#input\_bypass\_policy\_lockout\_safety\_check) | (Optional) A boolean flag to indicate whether to bypass the KMS key policy lockout safety check. Defaults to false. | `bool` | `false` | no |
 
 ## Outputs
diff --git a/examples/simple/README.md b/examples/simple/README.md
@@ -18,14 +18,16 @@
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_kms_key"></a> [kms\_key](#module\_kms\_key) | terraform.registry.launch.nttdata.com/module_primitive/kms_key/aws | ~> 0.1 |
 | <a name="module_kms_key_policy"></a> [kms\_key\_policy](#module\_kms\_key\_policy) | ../../ | n/a |
 
 ## Resources
 
 | Name | Type |
 |------|------|
-| [aws_kms_key.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_roles.administrator_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 
@@ -38,4 +40,7 @@
 | Name | Description |
 |------|-------------|
 | <a name="output_policy_id"></a> [policy\_id](#output\_policy\_id) | The ID of the KMS Key Policy resource. |
+| <a name="output_kms_key_region"></a> [kms\_key\_region](#output\_kms\_key\_region) | Region where the KMS key and policy are managed. |
+| <a name="output_key_id"></a> [key\_id](#output\_key\_id) | The ID of the KMS Key associated with the policy. |
+| <a name="output_key_arn"></a> [key\_arn](#output\_key\_arn) | The ARN of the KMS Key associated with the policy. |
 <!-- END_TF_DOCS -->
diff --git a/examples/simple/main.tf b/examples/simple/main.tf
@@ -1,5 +1,12 @@
 data "aws_caller_identity" "current" {}
 
+data "aws_region" "current" {}
+
+data "aws_iam_roles" "administrator_access" {
+  path_prefix = "/aws-reserved/sso.amazonaws.com/"
+  name_regex  = "^AWSReservedSSO_AdministratorAccess_.*$"
+}
+
 locals {
   ## Construct the policy to include the current account root as a principal. Useful for testing. Not useful in production.
   policy = {
@@ -14,16 +21,30 @@ locals {
         "AWS" = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
       }
     }
+    "AllowAccountKeyManagement" = {
+      sid    = "AllowAccountKeyManagement"
+      effect = "Allow"
+      actions = [
+        "kms:*"
+      ]
+      resources = ["arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/*"]
+      principals = {
+        "AWS" = tolist(data.aws_iam_roles.administrator_access.arns)
+      }
+    }
   }
 }
 
-resource "aws_kms_key" "example" {
+module "kms_key" {
+  # checkov:skip=CKV_TF_1: trusted registry source
+  source                  = "terraform.registry.launch.nttdata.com/module_primitive/kms_key/aws"
+  version                 = "~> 0.1"
   description             = "Terratest KMS Key"
   key_usage               = "ENCRYPT_DECRYPT"
-  policy                  = ""
   enable_key_rotation     = true
   rotation_period_in_days = 365
   multi_region            = false
+  deletion_window_in_days = 7
   tags = {
     "Environment" = "Test"
   }
@@ -32,7 +53,7 @@ resource "aws_kms_key" "example" {
 module "kms_key_policy" {
   source = "../../"
 
-  key_id                             = aws_kms_key.example.key_id
+  key_id                             = module.kms_key.key_id
   policy                             = local.policy
   bypass_policy_lockout_safety_check = var.bypass_policy_lockout_safety_check
 
diff --git a/examples/simple/outputs.tf b/examples/simple/outputs.tf
@@ -2,3 +2,18 @@ output "policy_id" {
   description = "The ID of the KMS Key Policy resource."
   value       = module.kms_key_policy.id
 }
+
+output "kms_key_region" {
+  description = "Region where the KMS key and policy are managed."
+  value       = data.aws_region.current.name
+}
+
+output "key_id" {
+  description = "The ID of the KMS Key associated with the policy."
+  value       = module.kms_key.key_id
+}
+
+output "key_arn" {
+  description = "The ARN of the KMS Key associated with the policy."
+  value       = module.kms_key.arn
+}
diff --git a/examples/with_condition/README.md b/examples/with_condition/README.md
@@ -0,0 +1,46 @@
+# simple
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.100.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_kms_key"></a> [kms\_key](#module\_kms\_key) | terraform.registry.launch.nttdata.com/module_primitive/kms_key/aws | ~> 0.1 |
+| <a name="module_kms_key_policy"></a> [kms\_key\_policy](#module\_kms\_key\_policy) | ../../ | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_roles.administrator_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_bypass_policy_lockout_safety_check"></a> [bypass\_policy\_lockout\_safety\_check](#input\_bypass\_policy\_lockout\_safety\_check) | (Optional) A boolean flag to indicate whether to bypass the KMS key policy lockout safety check. Defaults to false. | `bool` | `false` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_policy_id"></a> [policy\_id](#output\_policy\_id) | The ID of the KMS Key Policy resource. |
+| <a name="output_kms_key_region"></a> [kms\_key\_region](#output\_kms\_key\_region) | Region where the KMS key and policy are managed. |
+| <a name="output_key_id"></a> [key\_id](#output\_key\_id) | The ID of the KMS Key associated with the policy. |
+| <a name="output_key_arn"></a> [key\_arn](#output\_key\_arn) | The ARN of the KMS Key associated with the policy. |
+<!-- END_TF_DOCS -->
diff --git a/examples/with_condition/main.tf b/examples/with_condition/main.tf
@@ -0,0 +1,79 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}
+
+data "aws_iam_roles" "administrator_access" {
+  path_prefix = "/aws-reserved/sso.amazonaws.com/"
+  name_regex  = "^AWSReservedSSO_AdministratorAccess_.*$"
+}
+
+locals {
+  ## Construct the policy to include the current account root as a principal. Useful for testing. Not useful in production.
+  policy = {
+    "EnableIAMUserPermissions" = {
+      sid    = "EnableIAMUserPermissions"
+      effect = "Allow"
+      actions = [
+        "kms:*"
+      ]
+      resources = ["*"]
+      principals = {
+        "AWS" = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+      }
+      condition = [
+        {
+          test     = "ArnEquals"
+          variable = "aws:PrincipalArn"
+          values   = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+        }
+      ]
+    }
+    "AllowAccountKeyManagement" = {
+      sid    = "AllowAccountKeyManagement"
+      effect = "Allow"
+      actions = [
+        "kms:*"
+      ]
+      resources = ["arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/*"]
+      principals = {
+        "AWS" = tolist(data.aws_iam_roles.administrator_access.arns)
+      }
+      condition = [
+        {
+          test     = "StringEquals"
+          variable = "aws:PrincipalAccount"
+          values   = [data.aws_caller_identity.current.account_id]
+        },
+        {
+          test     = "ArnEquals"
+          variable = "aws:PrincipalArn"
+          values   = tolist(data.aws_iam_roles.administrator_access.arns)
+        }
+      ]
+    }
+  }
+}
+
+module "kms_key" {
+  # checkov:skip=CKV_TF_1: trusted registry source
+  source                  = "terraform.registry.launch.nttdata.com/module_primitive/kms_key/aws"
+  version                 = "~> 0.1"
+  description             = "Terratest KMS Key"
+  key_usage               = "ENCRYPT_DECRYPT"
+  enable_key_rotation     = true
+  rotation_period_in_days = 365
+  multi_region            = true
+  deletion_window_in_days = 7
+  tags = {
+    "Environment" = "Test"
+  }
+}
+
+module "kms_key_policy" {
+  source = "../../"
+
+  key_id                             = module.kms_key.key_id
+  policy                             = local.policy
+  bypass_policy_lockout_safety_check = var.bypass_policy_lockout_safety_check
+
+}
diff --git a/examples/with_condition/outputs.tf b/examples/with_condition/outputs.tf
@@ -0,0 +1,19 @@
+output "policy_id" {
+  description = "The ID of the KMS Key Policy resource."
+  value       = module.kms_key_policy.id
+}
+
+output "kms_key_region" {
+  description = "Region where the KMS key and policy are managed."
+  value       = data.aws_region.current.name
+}
+
+output "key_id" {
+  description = "The ID of the KMS Key associated with the policy."
+  value       = module.kms_key.key_id
+}
+
+output "key_arn" {
+  description = "The ARN of the KMS Key associated with the policy."
+  value       = module.kms_key.arn
+}
diff --git a/examples/with_condition/test.tfvars b/examples/with_condition/test.tfvars
@@ -0,0 +1 @@
+bypass_policy_lockout_safety_check = false
diff --git a/examples/with_condition/variables.tf b/examples/with_condition/variables.tf
@@ -0,0 +1,5 @@
+variable "bypass_policy_lockout_safety_check" {
+  description = "(Optional) A boolean flag to indicate whether to bypass the KMS key policy lockout safety check. Defaults to false."
+  type        = bool
+  default     = false
+}
diff --git a/examples/with_condition/versions.tf b/examples/with_condition/versions.tf
diff --git a/go.mod b/go.mod
diff --git a/go.sum b/go.sum
diff --git a/main.tf b/main.tf
diff --git a/tests/testimpl/test_impl.go b/tests/testimpl/test_impl.go
diff --git a/variables.tf b/variables.tf
