feat: updates kms comp with embedded policy creation

[Gowiem]

what

• Updates the KMS module to support embedded policy creation

why

• This allows for easy wiring in of aws-team-role roles into the KMS policy, so we do something like "Admins in the dev account have access to use this Key"

references

• N/A

[bridgecrew]

Bridgecrew has found errors in this PR ⬇️

[nitrocode]

Let's use the data source here for govcloud

Suggested change

	account_principal = "arn:aws:iam::${local.account_id}:root"
	account_principal = "arn:${data.aws_partition.current.partition}:iam::${local.account_id}:root"

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition

[nitrocode]

Suggested change

	identifiers = local.administration_principals
	identifiers = [local.account_principal]

[nitrocode]

This local doesn't seem very useful

Suggested change

	administration_principals = [
	local.account_principal
	]

[nitrocode]

Suggested change

	data "aws_caller_identity" "current" {}
	data "aws_caller_identity" "current" {}
	data "aws_partition" "current" {}

[nitrocode]

If the description isn't set to the original value of Parameter Store KMS master key, won't that cause people's kms keys to be recreated?

[Gowiem]

I'm not sure honestly as it has been a long time, but updated regardless 😅

[nitrocode]

Should we add a validation rule here or is this already done by the upstream module?

[nitrocode]

Is this a breaking change or is this the normal default and we're just being explicit?

[Gowiem]

This is the downstream child module default. I believe all is good on this one, not a breaking change. I've added validation.

[nitrocode]

It would be good to allow overriding the resources here so users of this component can give granular permissions to kms. These would also allay warnings by bridgecrew shown above.

[Gowiem]

resources in this case is just the key that is being attached to, so I don't believe it is ever needed to be overwritten. If it is not supposed, AWS states that the policy will not work. In AWS docs, this is always * in their examples. See docs here.

[nitrocode]

Instead of hard coding this policy here, can we utilize this module and expose the inputs as variables so we can be as flexible as possible from the YAML?

https://github.com/cloudposse/terraform-aws-iam-policy

e.g.

components:
  terraform:
    kms:
      vars:
        policy:
          iam_policy_statements:
            KeyAdministration:
              effect: "Allow"
              actions:
              - "kms:*"
              resources:
              - "*"
              principals:
                type: "AWS"
                # This may be something we can contribute to the upstream module to dynamically fill these %s in
                # or it can be added by the HCL for this component
                identifiers:
                - "arn:%s:iam::%s:root"
            KeyUsage:
              effect: "Allow"
              actions:
              - "kms:Encrypt"
              - "kms:Decrypt"
              - "kms:ReEncrypt*"
              - "kms:GenerateDataKey*"
              - "kms:DescribeKey"
              resources:
              - "*"
              principals:
                type: "AWS"
                # Same here, these can be provided by the HCL unless this `identifiers` key is provided
                identifiers:
                - "..."

[Gowiem]

While this is totally valid, it's non-trivial and others haven't done this work / needed this yet, so to move this PR along I'm going to consider this out of scope. If we decide we need this to merge, I can make the changes necessary 👍

[Gowiem]

@nitrocode thanks for the review! Sorry it took me so long to circle back to it 😄

I couldn't complete this PR since I can't push to the branch I started here due to lack of permissions to push to origin. I've opened #1136 as a result. Closing this and we'll continue in the newer PR.

cc @goruha