Conversation
| // Probably worth creating a KMS key module to use here instead | ||
| resource "aws_kms_key" "main" { | ||
| description = "Encryption key for ${var.log_group_name} logs" | ||
| enable_key_rotation = true | ||
| tags = var.tags | ||
| } |
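Review bot: the `aws_kms_key` resource on these lines sets no explicit `policy`, so it silently inherits the default key policy; set `policy` to a composed policy document (the default policy plus any extra statements, as the thread below suggests) so the intent is visible in code and the tfsec warning about a missing policy attribute goes away.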
I believe tfsec raises a warning if you define a key resource without an explicit policy attribute, even though that is perfectly valid Terraform that behaves the way you probably want (i.e. use the default KMS key policy). If/when a KMS key module is created, we should also make the default_kms_key_policy module (that simply exposes the default policy JSON) not just for cases where we want to compose additional policy details onto the key resource without replacing the default and locking ourselves out, but also reference it directly in the key module so that every key we make has an explicit policy attribute. Something like:
resource "aws_kms_key" "main" {
  # details elided
  policy = data.aws_iam_policy_document.key_policy.json
}

data "aws_iam_policy_document" "key_policy" {
  source_json   = module.default_kms_key_policy.json
  override_json = var.additional_key_policy_statements # JSON, default null
}
Oh, thanks for that pointer. Hmm...debating whether to go ahead and just make that KMS key module for this PR now or punt it down the road.
General purpose module for creating a CloudWatch log group encrypted with a KMS key.
It would probably be better to encapsulate the KMS key and alias creation within its own module, but I figured I would push up what I had now.