fix: Ensure KMS key policy includes IAM role path (#979)

mkkatica · bryantbiggs · web-flow · commit 8fa9a62d6e08 · 2022-10-28T21:05:08.000-04:00
Co-authored-by: Bryant Biggs &lt;bryantbiggs@gmail.com&gt;
diff --git a/data.tf b/data.tf
@@ -1,7 +1,5 @@
 data "aws_partition" "current" {}
-
 data "aws_caller_identity" "current" {}
-
 data "aws_region" "current" {}
 
 data "aws_eks_cluster" "cluster" {
@@ -106,7 +104,7 @@ data "aws_iam_policy_document" "eks_key" {
     principals {
       type = "AWS"
       identifiers = [
-        local.cluster_iam_role_arn
+        local.cluster_iam_role_pathed_arn
       ]
     }
   }
@@ -126,7 +124,7 @@ data "aws_iam_policy_document" "eks_key" {
     principals {
       type = "AWS"
       identifiers = [
-        local.cluster_iam_role_arn
+        local.cluster_iam_role_pathed_arn
       ]
     }
 
diff --git a/locals.tf b/locals.tf
@@ -142,6 +142,7 @@ locals {
     }
   ] : []
 
-  cluster_iam_role_name = var.iam_role_name == null ? "${var.cluster_name}-cluster-role" : var.iam_role_name
-  cluster_iam_role_arn  = var.create_iam_role ? "arn:${local.context.aws_partition_id}:iam::${local.context.aws_caller_identity_account_id}:role/${local.cluster_iam_role_name}" : var.iam_role_arn
+  cluster_iam_role_name        = var.iam_role_name == null ? "${var.cluster_name}-cluster-role" : var.iam_role_name
+  cluster_iam_role_pathed_name = var.iam_role_path == null ? local.cluster_iam_role_name : "${trimprefix(var.iam_role_path, "/")}${local.cluster_iam_role_name}"
+  cluster_iam_role_pathed_arn  = var.create_iam_role ? "arn:${local.context.aws_partition_id}:iam::${local.context.aws_caller_identity_account_id}:role/${local.cluster_iam_role_pathed_name}" : var.iam_role_arn
 }

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,5 @@`
`1`	`1`	`data "aws_partition" "current" {}`
`2`		`-`
`3`	`2`	`data "aws_caller_identity" "current" {}`
`4`		`-`
`5`	`3`	`data "aws_region" "current" {}`
`6`	`4`
`7`	`5`	`data "aws_eks_cluster" "cluster" {`
`@@ -106,7 +104,7 @@ data "aws_iam_policy_document" "eks_key" {`
`106`	`104`	`principals {`
`107`	`105`	`type = "AWS"`
`108`	`106`	`identifiers = [`
`109`		`- local.cluster_iam_role_arn`
	`107`	`+ local.cluster_iam_role_pathed_arn`
`110`	`108`	`]`
`111`	`109`	`}`
`112`	`110`	`}`
`@@ -126,7 +124,7 @@ data "aws_iam_policy_document" "eks_key" {`
`126`	`124`	`principals {`
`127`	`125`	`type = "AWS"`
`128`	`126`	`identifiers = [`
`129`		`- local.cluster_iam_role_arn`
	`127`	`+ local.cluster_iam_role_pathed_arn`
`130`	`128`	`]`
`131`	`129`	`}`
`132`	`130`
Original file line number	Diff line number	Diff line change
`@@ -142,6 +142,7 @@ locals {`
`142`	`142`	`}`
`143`	`143`	`] : []`
`144`	`144`
`145`		`- cluster_iam_role_name = var.iam_role_name == null ? "${var.cluster_name}-cluster-role" : var.iam_role_name`
`146`		`- cluster_iam_role_arn = var.create_iam_role ? "arn:${local.context.aws_partition_id}:iam::${local.context.aws_caller_identity_account_id}:role/${local.cluster_iam_role_name}" : var.iam_role_arn`
	`145`	`+ cluster_iam_role_name = var.iam_role_name == null ? "${var.cluster_name}-cluster-role" : var.iam_role_name`
	`146`	`+ cluster_iam_role_pathed_name = var.iam_role_path == null ? local.cluster_iam_role_name : "${trimprefix(var.iam_role_path, "/")}${local.cluster_iam_role_name}"`
	`147`	`+ cluster_iam_role_pathed_arn = var.create_iam_role ? "arn:${local.context.aws_partition_id}:iam::${local.context.aws_caller_identity_account_id}:role/${local.cluster_iam_role_pathed_name}" : var.iam_role_arn`
`147`	`148`	`}`