
terraform-aws-kms-key's Issues

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

terraform
main.tf
versions.tf
  • aws >= 3.64.0
  • hashicorp/terraform >= 0.13

  • Check this box to trigger a request for Renovate to run again on this repository

Enable key replication across regions when 'multi_region' option is selected

Have a question? Please check out our Slack Community or visit our Slack Archive.

Slack Community

Describe the Feature

A clear and concise description of what the bug is.

Expected Behavior

Enable key replication across regions when 'multi_region' option is selected

Use Case

KMS supports key replication. It is logical to support it from this module as it already supports creation of multi-region keys.

Describe Ideal Solution

This module should use the Terraform resource below and create the replication: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_replica_key

Alternatives Considered

If I have to use 'multi-region' now, I have to implement it on top myself using https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_replica_key

Action Required: Fix Renovate Configuration

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: undefined. Note: this is a nested preset so please contact the preset author if you are unable to fix it yourself.

Add Example Usage

what

  • Add example invocation

why

  • We need this so we can soon enable automated continuous integration testing of module

Running with Complete Example results in Error

Found a bug? Maybe our Slack Community can help.

Slack Community

Describe the Bug

I started with this - https://github.com/cloudposse/terraform-aws-kms-key/tree/0.12.1/examples/complete

Expected Behavior

I expected the KMS Key to be generated

Steps to Reproduce

Steps to reproduce the behavior:

  1. Download - https://github.com/cloudposse/terraform-aws-kms-key/tree/0.12.1/examples/complete
  2. Terraform init
  3. Terraform plan
  4. See error

Admin:~/environment/ModuleTemplate/LearnModules/modules/kms-key (aws-s3-bucket2) $ terraform plan
var.region
Enter a value: us-east-1


│ Error: "name" must begin with 'alias/' and be comprised of only [a-zA-Z0-9/_-]

│ with module.kms_key.aws_kms_alias.default[0],
│ on .terraform/modules/kms_key/main.tf line 15, in resource "aws_kms_alias" "default":
│ 15: name = coalesce(var.alias, format("alias/%v", module.this.id))

When I hard-coded the value on line 15 to be alias/123 it worked!

Also running the simplified example works as well....

Screenshots

If applicable, add screenshots or logs to help explain your problem.

Environment (please complete the following information):

Anything that will help us triage the bug will help. Here are some ideas:

  • OS: AWS Linux ec2 box
  • Version [e.g. 10.15]

Additional Context

Add any other context about the problem here.

Provide canned policies

This module currently creates KMS keys with a policy stating "any IAM user/role can do anything with this key".

If you want a more restrictive policy, you have to write it yourself.

I think it would be valuable for the module to offer some canned policies that can be used instead.

This is a proposal for giving module users more flexible tools for controlling the key policy.

If you like the design, we can discuss the details, and I am interested in implementing it.

Expected Behavior

var.policy takes precedence over the below. If it is set, the other proposed variables are ignored.

var.canned_policy has a few options, like:

  • aws-service-use (the key can only be attached to AWS resources, like RDS encryption)

var.extra_policy_statements lets you provide IAM Policy statements that will be appended to the policy. (It works with the default policy, and with all canned policies). For example:

extra_policy_statements = [
    {
        Sid = "Allow encryption by userupload app"
        Principal = {
            AWS = "arn:aws:iam...:role/userupload"
        }
        Action = "kms:Encrypt"
        Resource = "*"
    },
    {
        Sid = "Allow decryption by userdownload app"
        Principal = {
            AWS = "arn:aws:iam...:role/userdownload"
        }
        Action = "kms:Decrypt"
        Resource = "*"
    },
]
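
One way the precedence described in this proposal could be wired up in Terraform, added here as an example; it is not the module's code or the issue author's. The variable names follow the proposal; the `default` option name, the statement contents of `aws-service-use`, the `aws` partition and the defaulting of `Effect` are assumptions.

```hcl
# Added example. Variable names come from the proposal above; everything else is assumed.
variable "policy" {
  type    = string
  default = ""
}
variable "canned_policy" {
  type    = string
  default = "default" # assumed name for today's permissive policy
  validation {
    condition     = contains(["default", "aws-service-use"], var.canned_policy)
    error_message = "The canned_policy value must be \"default\" or \"aws-service-use\"."
  }
}
variable "extra_policy_statements" {
  type    = any
  default = []
}

data "aws_caller_identity" "current" {}

locals {
  # Assumes the standard "aws" partition.
  root = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }

  canned = {
    "default" = [
      { Sid = "Enable IAM User Permissions", Effect = "Allow", Principal = local.root, Action = "kms:*", Resource = "*" },
    ]
    # Assumed contents: key administration stays possible, but use of the key
    # is only reachable through grants created for AWS resources (RDS, EBS, ...).
    "aws-service-use" = [
      { Sid = "Allow key administration", Effect = "Allow", Principal = local.root, Resource = "*",
        Action = ["kms:Describe*", "kms:Get*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Enable*", "kms:Disable*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"] },
      { Sid = "Allow attachment to AWS resources", Effect = "Allow", Principal = local.root, Resource = "*",
        Action    = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
        Condition = { Bool = { "kms:GrantIsForAWSResource" = "true" } } },
    ]
  }

  # The statements shown in the proposal carry no Effect; default it to "Allow" (assumption).
  extra = [for s in var.extra_policy_statements : merge({ Effect = "Allow" }, s)]

  # var.policy wins outright; otherwise canned statements plus the extras.
  policy = var.policy != "" ? var.policy : jsonencode({
    Version   = "2012-10-17"
    Statement = concat(local.canned[var.canned_policy], local.extra)
  })
}

resource "aws_kms_key" "default" {
  policy = local.policy
}
```

The `aws-service-use` statements here have not been checked against every service that encrypts with KMS; some callers also need `kms:DescribeKey` or data-key permissions, which can be supplied through `extra_policy_statements`.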
