chore: Updates from testing

bryantbiggs · bryantbiggs · commit 4d85ad84ab0e · 2025-07-05T11:18:13.000-05:00
diff --git a/README.md b/README.md
@@ -192,7 +192,7 @@ No modules.
 | <a name="input_enable_default_policy"></a> [enable\_default\_policy](#input\_enable\_default\_policy) | Specifies whether to enable the default key policy. Defaults to `true` | `bool` | `true` | no |
 | <a name="input_enable_key_rotation"></a> [enable\_key\_rotation](#input\_enable\_key\_rotation) | Specifies whether key rotation is enabled. Defaults to `true` | `bool` | `true` | no |
 | <a name="input_enable_route53_dnssec"></a> [enable\_route53\_dnssec](#input\_enable\_route53\_dnssec) | Determines whether the KMS policy used for Route53 DNSSEC signing is enabled | `bool` | `false` | no |
-| <a name="input_grants"></a> [grants](#input\_grants) | A map of grant definitions to create | <pre>map(object({<br/>    constraints = optional(object({<br/>      encryption_context_equals = optional(map(string))<br/>      encryption_context_subset = optional(map(string))<br/>    }))<br/>    grant_creation_tokens = optional(string)<br/>    grantee_principal     = string<br/>    name                  = optional(string) # Will fall back to use map key<br/>    operations            = list(string)<br/>    retire_on_delete      = optional(bool)<br/>    retiring_principal    = optional(string)<br/>  }))</pre> | `null` | no |
+| <a name="input_grants"></a> [grants](#input\_grants) | A map of grant definitions to create | <pre>map(object({<br/>    constraints = optional(list(object({<br/>      encryption_context_equals = optional(map(string))<br/>      encryption_context_subset = optional(map(string))<br/>    })))<br/>    grant_creation_tokens = optional(list(string))<br/>    grantee_principal     = string<br/>    name                  = optional(string) # Will fall back to use map key<br/>    operations            = list(string)<br/>    retire_on_delete      = optional(bool)<br/>    retiring_principal    = optional(string)<br/>  }))</pre> | `null` | no |
 | <a name="input_is_enabled"></a> [is\_enabled](#input\_is\_enabled) | Specifies whether the key is enabled. Defaults to `true` | `bool` | `null` | no |
 | <a name="input_key_administrators"></a> [key\_administrators](#input\_key\_administrators) | A list of IAM ARNs for [key administrators](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-administrators) | `list(string)` | `[]` | no |
 | <a name="input_key_asymmetric_public_encryption_users"></a> [key\_asymmetric\_public\_encryption\_users](#input\_key\_asymmetric\_public\_encryption\_users) | A list of IAM ARNs for [key asymmetric public encryption users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-users-crypto) | `list(string)` | `[]` | no |
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -5,12 +5,16 @@ provider "aws" {
 data "aws_caller_identity" "current" {}
 
 locals {
-  region = "us-east-1"
-  name   = "kms-ex-${basename(path.cwd)}"
+  region           = "us-east-1"
+  region_secondary = "eu-west-1"
+  name             = "kms-ex-${basename(path.cwd)}"
 
   account_id       = data.aws_caller_identity.current.account_id
   current_identity = data.aws_caller_identity.current.arn
 
+  # Removes noise from hh:mm:ss in the timestamp
+  valid_to = replace(timeadd(plantimestamp(), "4380h"), "/T.*/", "T00:00:00Z") # 6 months
+
   tags = {
     Name       = local.name
     Example    = "complete"
@@ -62,7 +66,7 @@ module "kms_complete" {
         }
       ]
 
-      conditions = [
+      condition = [
         {
           test     = "ArnLike"
           variable = "kms:EncryptionContext:aws:logs:arn"
@@ -93,11 +97,11 @@ module "kms_complete" {
     lambda = {
       grantee_principal = aws_iam_role.lambda.arn
       operations        = ["Encrypt", "Decrypt", "GenerateDataKey"]
-      constraints = {
+      constraints = [{
         encryption_context_equals = {
           Department = "Finance"
         }
-      }
+      }]
     }
   }
 
@@ -113,7 +117,7 @@ module "kms_external" {
   is_enabled              = true
   key_material_base64     = "Wblj06fduthWggmsT0cLVoIMOkeLbc2kVfMud77i/JY="
   multi_region            = false
-  valid_to                = "2023-11-21T23:20:50Z"
+  valid_to                = local.valid_to
 
   tags = local.tags
 }
@@ -171,17 +175,10 @@ module "kms_primary" {
   tags = local.tags
 }
 
-provider "aws" {
-  region = "eu-west-1"
-  alias  = "replica"
-}
-
 module "kms_replica" {
   source = "../.."
 
-  providers = {
-    aws = aws.replica
-  }
+  region = local.region_secondary
 
   deletion_window_in_days = 7
   description             = "Replica key example showing various configurations available"
@@ -211,11 +208,11 @@ module "kms_replica" {
     lambda = {
       grantee_principal = aws_iam_role.lambda.arn
       operations        = ["Encrypt", "Decrypt", "GenerateDataKey"]
-      constraints = {
+      constraints = [{
         encryption_context_equals = {
           Department = "Finance"
         }
-      }
+      }]
     }
   }
 
@@ -235,7 +232,7 @@ module "kms_primary_external" {
   create_external         = true
   key_material_base64     = "Wblj06fduthWggmsT0cLVoIMOkeLbc2kVfMud77i/JY="
   multi_region            = true
-  valid_to                = "2023-11-21T23:20:50Z"
+  valid_to                = local.valid_to
 
   aliases = ["primary-external"]
 
@@ -245,9 +242,7 @@ module "kms_primary_external" {
 module "kms_replica_external" {
   source = "../.."
 
-  providers = {
-    aws = aws.replica
-  }
+  region = local.region_secondary
 
   deletion_window_in_days = 7
   description             = "Replica external key example showing various configurations available"
@@ -256,7 +251,7 @@ module "kms_replica_external" {
   # key material must be the same as the primary's
   key_material_base64      = "Wblj06fduthWggmsT0cLVoIMOkeLbc2kVfMud77i/JY="
   primary_external_key_arn = module.kms_primary_external.key_arn
-  valid_to                 = "2023-11-21T23:20:50Z"
+  valid_to                 = local.valid_to
 
   aliases = ["replica-external"]
 
@@ -265,11 +260,11 @@ module "kms_replica_external" {
     lambda = {
       grantee_principal = aws_iam_role.lambda.arn
       operations        = ["Encrypt", "Decrypt", "GenerateDataKey"]
-      constraints = {
+      constraints = [{
         encryption_context_equals = {
           Department = "Finance"
         }
-      }
+      }]
     }
   }
 
diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
@@ -40,6 +40,7 @@ output "complete_aliases" {
 output "complete_grants" {
   description = "A map of grants created and their attributes"
   value       = module.kms_complete.grants
+  sensitive   = true
 }
 
 ################################################################################
@@ -84,6 +85,7 @@ output "external_aliases" {
 output "external_grants" {
   description = "A map of grants created and their attributes"
   value       = module.kms_external.grants
+  sensitive   = true
 }
 
 ################################################################################
@@ -128,9 +130,9 @@ output "default_aliases" {
 output "default_grants" {
   description = "A map of grants created and their attributes"
   value       = module.kms_default.grants
+  sensitive   = true
 }
 
-
 ################################################################################
 # Replica
 ################################################################################
@@ -173,9 +175,9 @@ output "replica_aliases" {
 output "replica_grants" {
   description = "A map of grants created and their attributes"
   value       = module.kms_replica.grants
+  sensitive   = true
 }
 
-
 ################################################################################
 # Replica External
 ################################################################################
@@ -218,4 +220,5 @@ output "replica_external_aliases" {
 output "replica_external_grants" {
   description = "A map of grants created and their attributes"
   value       = module.kms_replica_external.grants
+  sensitive   = true
 }
diff --git a/main.tf b/main.tf
@@ -438,7 +438,7 @@ data "aws_iam_policy_document" "this" {
       }
 
       dynamic "condition" {
-        for_each = statement.value.conditions != null ? statement.value.conditions : []
+        for_each = statement.value.condition != null ? statement.value.condition : []
 
         content {
           test     = condition.value.test
diff --git a/variables.tf b/variables.tf
@@ -280,11 +280,11 @@ variable "aliases_use_name_prefix" {
 variable "grants" {
   description = "A map of grant definitions to create"
   type = map(object({
-    constraints = optional(object({
+    constraints = optional(list(object({
       encryption_context_equals = optional(map(string))
       encryption_context_subset = optional(map(string))
-    }))
-    grant_creation_tokens = optional(string)
+    })))
+    grant_creation_tokens = optional(list(string))
     grantee_principal     = string
     name                  = optional(string) # Will fall back to use map key
     operations            = list(string)

Original file line number	Diff line number	Diff line change
`@@ -438,7 +438,7 @@ data "aws_iam_policy_document" "this" {`
`438`	`438`	`}`
`439`	`439`
`440`	`440`	`dynamic "condition" {`
`441`		`- for_each = statement.value.conditions != null ? statement.value.conditions : []`
	`441`	`+ for_each = statement.value.condition != null ? statement.value.condition : []`
`442`	`442`
`443`	`443`	`content {`
`444`	`444`	`test = condition.value.test`