Skip to content

Support configuring storage module for service principal access#997

Merged
laurencegoolsby merged 3 commits intomainfrom
lgoolsby/update-storage-module-kms-settings
Feb 12, 2026
Merged

Support configuring storage module for service principal access#997
laurencegoolsby merged 3 commits intomainfrom
lgoolsby/update-storage-module-kms-settings

Conversation

@laurencegoolsby
Copy link
Copy Markdown
Contributor

@laurencegoolsby laurencegoolsby commented Feb 10, 2026
edited
Loading

Ticket

Related to

Changes

  • Add explicit KMS key policy with root account admin access
  • Add optional service principal access via service_principals_with_access variable
  • Add checkov skips for CKV_AWS_109, CKV_AWS_111, CKV_AWS_356

Context for reviewers

A subset of AWS services (e.g., Bedrock Data Automation) need KMS key permissions to access S3 buckets.
Added the service_principals_with_access variable to the storage module to grant specific AWS services access to S3 objects via KMS.

Testing

Tested in navapbc/platform-test#254

@laurencegoolsby
Add KMS key policy with root account access and service principal sup…
1fd781d 
…port

- Add explicit KMS key policy with root account admin access
- Add optional service principal access via service_principals_with_access variable
- Add modules/storage/kms_key_arn output
- Add checkov skips for CKV_AWS_109, CKV_AWS_111, CKV_AWS_356
@laurencegoolsby laurencegoolsby requested a review from a team as a code owner February 10, 2026 01:54
doshitan
doshitan reviewed Feb 10, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@doshitan doshitan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly just need to tighten up comments and documentation, but biggest question I think is do we need the kms_key_arn output at the moment? If not we should drop it.

I feel like the title could be more better phrased as well, maybe more like "Support configuring storage module for service principal access"

@laurencegoolsby
Address PR feedback re: storage module KMS changes
3caf2d7 
- Remove kms_key_arn output (not needed)
- Improve variable description with usage context
- Update checkov skip comments for clarity
- Add context re: root account policy is AWS default
doshitan
doshitan reviewed Feb 11, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@doshitan doshitan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple things from previous review still unadressed:

  • Calling out the first statement of the key policy is the same as the default AWS generated policy
  • Updating the title to mention this change is related to the storage module

@doshitan
Copy link
Copy Markdown
Contributor

doshitan commented Feb 11, 2026
edited
Loading

Just connecting some work together for future record, related to #515 as well.

@laurencegoolsby laurencegoolsby changed the title Add KMS key policy with root account access and service principal support Support configuring storage module for service principal access Feb 11, 2026
@laurencegoolsby
Clarify KMS key policy uses AWS default
0a87c4b 
 - Add comment explicitly stating the root account statement matches AWS's default key policy for programmatically generated KMS keys.
doshitan
doshitan approved these changes Feb 12, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@doshitan doshitan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR description is inaccurate (there is no longer a kms_key_arn output), so update that before merging.

@laurencegoolsby
Copy link
Copy Markdown
Contributor Author

laurencegoolsby commented Feb 12, 2026

The PR description is inaccurate (there is no longer a kms_key_arn output), so update that before merging.

Done!

@laurencegoolsby laurencegoolsby merged commit 1bd73a7 into main Feb 12, 2026
9 checks passed
@laurencegoolsby laurencegoolsby deleted the lgoolsby/update-storage-module-kms-settings branch February 12, 2026 18:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@doshitan doshitan doshitan approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@laurencegoolsby @doshitan