
Allow users to extend AFT KMS key policy with additional statements #587

@petrosmelachrinos

Description


Versions
Terraform version: 1.12.2
AWS Provider version: 5.99.1
AFT Version: 1.15.1

Is your feature request related to a problem you are currently experiencing? If so, please describe.

Problem: When implementing S3 bucket replication for the AFT customizations pipeline bucket (aft-customizations-pipeline-<account-id>), we need to add KMS policy statements allowing the S3 service and replication role to use the key.

Currently, the AFT KMS key policy cannot be extended, forcing us to either:

  • Use the aws_kms_key_policy resource (causes policy drift between AFT's default policy and our custom policy on each run)
  • Use bash scripts or terragrunt after_hooks (not declarative, not in Terraform state)

Describe the outcome you'd like

Add a variable to allow users to inject additional policy statements into the AFT KMS key policy without replacing the default policy entirely. This refers to the key with alias "aft".

module "aft" {
  source = "github.com/aws-ia/terraform-aws-control_tower_account_factory"
  
  # ... other config ...
  
  aft_kms_key_additional_policy_statements = [
    {
      Sid    = "AllowS3Replication"
      Effect = "Allow"
      Principal = {
        Service = "s3.amazonaws.com"
      }
      Action = ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey*"]
      Resource = "*"
      Condition = { ... }
    }
  ]
}

Additional context
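One way the requested variable could be implemented, as an added example that is not AFT's own code: the module keeps its default key policy (with the account root as key administrator, so the key can never become unmanageable) and appends whatever the caller passes, so there is nothing for aws_kms_key_policy to drift against. The variable name is taken from the issue; the file layout, the two validation rules, the statement contents, the replication role aws_iam_role.replication and the bucket ARN pattern are assumptions for illustration.

```hcl
# Added example (not AFT's code). The variable name is the one proposed in
# the issue; everything else here is assumed for illustration.

# ---- modules/aft/kms.tf (module side) ----

variable "aft_kms_key_additional_policy_statements" {
  description = "Extra IAM statements appended to the AFT KMS key policy."
  type        = any # statements differ in shape, so list(object(...)) would not unify
  default     = []

  validation {
    condition     = alltrue([for s in var.aft_kms_key_additional_policy_statements : can(s.Sid) && can(s.Effect)])
    error_message = "Every additional statement needs a Sid and an Effect."
  }

  # Refuse an anonymous grant unless it is scoped by a Condition: an unscoped
  # wildcard principal on a key policy exposes everything the key protects.
  validation {
    condition = alltrue([
      for s in var.aft_kms_key_additional_policy_statements :
      !(try(s.Principal, null) == "*" || try(s.Principal.AWS, null) == "*") || can(s.Condition)
    ])
    error_message = "Statements with Principal \"*\" must carry a Condition."
  }
}

data "aws_caller_identity" "current" {}

# Default statement kept regardless of what callers append: the account root
# stays key administrator, so a bad extra statement cannot lock the key.
data "aws_iam_policy_document" "aft_kms_default" {
  statement {
    sid       = "EnableIAMUserPermissions"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
}

# Merge at the JSON level: default statements first, caller statements after.
locals {
  aft_kms_policy = jsonencode({
    Version = "2012-10-17"
    Statement = concat(
      jsondecode(data.aws_iam_policy_document.aft_kms_default.json).Statement,
      var.aft_kms_key_additional_policy_statements
    )
  })
}

resource "aws_kms_key" "aft" {
  description         = "AFT encryption key"
  enable_key_rotation = true
  policy              = local.aft_kms_policy
}

resource "aws_kms_alias" "aft" {
  name          = "alias/aft"
  target_key_id = aws_kms_key.aft.key_id
}

# ---- main.tf (caller side) ----
# The replication grant goes to the replication role (assumed to exist as
# aws_iam_role.replication), not to the bare S3 service principal, and only
# applies when S3 calls KMS on the role's behalf for the pipeline bucket.

data "aws_region" "current" {}

module "aft" {
  source = "github.com/aws-ia/terraform-aws-control_tower_account_factory"

  # ... other config ...

  aft_kms_key_additional_policy_statements = [
    {
      Sid       = "AllowS3Replication"
      Effect    = "Allow"
      Principal = { AWS = aws_iam_role.replication.arn }
      Action    = ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey*"]
      Resource  = "*"
      Condition = {
        StringEquals = { "kms:ViaService" = "s3.${data.aws_region.current.name}.amazonaws.com" }
        # S3 puts the object ARN in the encryption context for SSE-KMS calls.
        StringLike = { "kms:EncryptionContext:aws:s3:arn" = "arn:aws:s3:::aft-customizations-pipeline-*/*" }
      }
    }
  ]
}
```

The JSON-level merge is deliberate: rendering caller statements through dynamic "statement" blocks would force every principal and condition shape through aws_iam_policy_document's schema, while concat on the decoded Statement list accepts exactly the object shape shown in the feature request. The kms:ViaService and kms:EncryptionContext conditions are what keep the grant usable only from S3 and only for that bucket; a statement that grants the S3 service principal Decrypt on Resource "*" with no condition would let any S3 operation in the account use the key.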

Labels: enhancement (New feature or request)
Assignees: none
Milestone: none