Merged the 2 options together with updating the resource as well. For our specific case, it still failed until I added the standard role for admin on it and then access to all the S3 buckets as well.
Thanks for the help!
Hello, I agree that it is probably because KMS does not exist. The problem here is within Terraform, because when I did a proper configuration I got the following error: Error: Cycle: aws_kms_key.cloudtrail, data.aws_iam_policy_document.kmspolicy
It gets a Cycle error as the resources are referencing each other.
So what I suggest you do is that if you want these resources to reference each other (policy and KMS resource), you need to create them separately. If you want to do it in an automated way you can create the KMS resource in one module and then reference it in another. The policy cannot be deployed on its own as it needs a resource to reference.
There is nothing wrong with the AWS documentation; however, in this case it is not as easy when dealing with IaC tools like Terraform.
Here is what I tried to deploy when getting the Cycle Error:
resource "aws_kms_key" "cloudtrail" {
  description             = "KMS for cloudtrail"
  deletion_window_in_days = 7
  is_enabled              = true
  enable_key_rotation     = true
  policy                  = data.aws_iam_policy_document.kmspolicy.json
}

data "aws_iam_policy_document" "kmspolicy" {
  statement {
    sid    = "Enable CloudTrail Encrypt Permissions"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    actions   = ["kms:GenerateDataKey*"]
    resources = ["${aws_kms_key.cloudtrail.arn}"]
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = ["arn:aws:cloudtrail:eu-west-2:xxx:trail/organization_trail"]
    }
  }
}
Hey, I'm getting the cycle error with this
│ Error: Cycle: data.aws_iam_policy_document.cloudtrailkms, aws_kms_key.cloudtrail
Hello,
Try setting the following on the line that fails: "Resource": "*"
Since this is (presumably) a KMS key policy and refers only to the key that the policy is associated with, it is standard practice to use a wildcard for the resource field. You can see here that the CloudTrail documentation uses a wildcard in their KMS key policy too: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html#create-kms-key-policy-for-cloudtrail-encrypt
You'll also want to update the policy resource statement to be an "aws_kms_key_policy" resource as per this documentation:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key_policy
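The cycle-free layout this answer describes, as an added example rather than code from the thread: the key carries no inline policy, the policy document uses the wildcard resource that is standard for key policies, and aws_kms_key_policy attaches it afterwards. The trail name organization_trail comes from the thread; the root-account administration statement and the data.aws_caller_identity / data.aws_region lookups are my assumptions.

```hcl
# Added example: key, policy document and policy attachment as three separate objects.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
resource "aws_kms_key" "cloudtrail" {
  description             = "KMS for cloudtrail"
  deletion_window_in_days = 7
  is_enabled              = true
  enable_key_rotation     = true
  # No "policy" argument here, so nothing refers back to the policy document.
}

data "aws_iam_policy_document" "cloudtrailkms" {
  # Key administration scoped to the account root (assumption), never to Principal "*".
  statement {
    sid    = "Enable IAM User Permissions"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
    actions   = ["kms:*"]
    resources = ["*"]
  }

  # CloudTrail may generate data keys only on behalf of the named trail.
  statement {
    sid    = "Enable CloudTrail Encrypt Permissions"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    actions   = ["kms:GenerateDataKey*"]
    resources = ["*"] # in a key policy "*" means "this key", so no self-reference is needed
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = ["arn:aws:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/organization_trail"]
    }
  }
}

resource "aws_kms_key_policy" "cloudtrail" {
  key_id = aws_kms_key.cloudtrail.id
  policy = data.aws_iam_policy_document.cloudtrailkms.json
}
```

Dependencies now flow one way (key, then document, then attachment), which is why the Cycle error disappears.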
Could you try the following in your code:
"Resource": "*"
Keep in mind the note in the key policy overview (https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-overview.html): "Do not set the Principal to an asterisk (*) in any key policy statement that allows permissions unless you use conditions to limit the key policy. An asterisk gives every identity in every AWS account permission to use the KMS key, unless another policy statement explicitly denies it. Users in other AWS accounts just need corresponding IAM permissions in their own accounts to use the KMS key."