Refactor KMS key policy to format principals and conditions for better readability

ben-vaughan-nttd · ben-vaughan-nttd · commit aff67f1d393b · 2025-11-25T11:34:49.000-06:00
diff --git a/examples/simple/main.tf b/examples/simple/main.tf
@@ -29,7 +29,10 @@ locals {
       ]
       resources = ["arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/*"]
       principals = {
-        "AWS" = concat(tolist(data.aws_iam_roles.administrator_access.arns), ["arn:aws:iam::020127659860:role/github-actions-deploy-role-terraform"])
+        "AWS" = concat(
+          tolist(data.aws_iam_roles.administrator_access.arns),
+          ["arn:aws:iam::020127659860:role/github-actions-deploy-role-terraform"],
+        )
       }
     }
   }
diff --git a/examples/with_condition/main.tf b/examples/with_condition/main.tf
@@ -36,7 +36,10 @@ locals {
       ]
       resources = ["arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/*"]
       principals = {
-        "AWS" = concat(tolist(data.aws_iam_roles.administrator_access.arns), ["arn:aws:iam::020127659860:role/github-actions-deploy-role-terraform"])
+        "AWS" = concat(
+          tolist(data.aws_iam_roles.administrator_access.arns),
+          ["arn:aws:iam::020127659860:role/github-actions-deploy-role-terraform"],
+        )
       }
       condition = [
         {
@@ -47,7 +50,10 @@ locals {
         {
           test     = "ArnEquals"
           variable = "aws:PrincipalArn"
-          values   = tolist(data.aws_iam_roles.administrator_access.arns)
+          values = concat(
+            tolist(data.aws_iam_roles.administrator_access.arns),
+            ["arn:aws:iam::020127659860:role/github-actions-deploy-role-terraform"],
+          )
         }
       ]
     }

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,10 @@ locals {`
`29`	`29`	`]`
`30`	`30`	`resources = ["arn:aws:kms::${data.aws_caller_identity.current.account_id}:key/"]`
`31`	`31`	`principals = {`
`32`		`- "AWS" = concat(tolist(data.aws_iam_roles.administrator_access.arns), ["arn:aws:iam::020127659860:role/github-actions-deploy-role-terraform"])`
	`32`	`+ "AWS" = concat(`
	`33`	`+ tolist(data.aws_iam_roles.administrator_access.arns),`
	`34`	`+ ["arn:aws:iam::020127659860:role/github-actions-deploy-role-terraform"],`
	`35`	`+ )`
`33`	`36`	`}`
`34`	`37`	`}`
`35`	`38`	`}`
Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,10 @@ locals {`
`36`	`36`	`]`
`37`	`37`	`resources = ["arn:aws:kms::${data.aws_caller_identity.current.account_id}:key/"]`
`38`	`38`	`principals = {`
`39`		`- "AWS" = concat(tolist(data.aws_iam_roles.administrator_access.arns), ["arn:aws:iam::020127659860:role/github-actions-deploy-role-terraform"])`
	`39`	`+ "AWS" = concat(`
	`40`	`+ tolist(data.aws_iam_roles.administrator_access.arns),`
	`41`	`+ ["arn:aws:iam::020127659860:role/github-actions-deploy-role-terraform"],`
	`42`	`+ )`
`40`	`43`	`}`
`41`	`44`	`condition = [`
`42`	`45`	`{`
`@@ -47,7 +50,10 @@ locals {`
`47`	`50`	`{`
`48`	`51`	`test = "ArnEquals"`
`49`	`52`	`variable = "aws:PrincipalArn"`
`50`		`- values = tolist(data.aws_iam_roles.administrator_access.arns)`
	`53`	`+ values = concat(`
	`54`	`+ tolist(data.aws_iam_roles.administrator_access.arns),`
	`55`	`+ ["arn:aws:iam::020127659860:role/github-actions-deploy-role-terraform"],`
	`56`	`+ )`
`51`	`57`	`}`
`52`	`58`	`]`
`53`	`59`	`}`