I was trying to provision AWS kms key using terraform, added the code which I am using. In this kms resource I need to add a AWS kinesis firehose role to access the kms key. For that in the code I added kms key as hardcorded (after provisioning). To add this role as part of the terraform apply I tried the below options
* in the Resource field key/* and got the error "malformed policy document exception"aws_kms_key.key.arn Configuration for aws_kms_key.key may not refer to itselfresource "aws_kms_key" "key" {
description = var.description
key_usage = var.key_usage
is_enabled = true
policy = jsonencode({
Version = "2012-10-17",
Id = "key-default-1",
Statement = [
{
Sid = "Enable IAM User Permissions",
Effect = "Allow",
Principal = { AWS = "*" },
Action = [
"kms:Create*",
..............
"kms:CancelKeyDeletion",
],
Resource = "*",
},
{
"Sid": "Allow firehose role",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${local.account_id}:role/${var.somerole}"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:eu-central-1:${local.account_id}:key/111-111-111"
},
.
.
.
}
As mentioned in my comment, I would prefer using a separate resource for the key instead of adding the policy to the resource used for key creation. Here is what the code would look like if you were to decide to use that approach:
resource "aws_kms_key" "kms" {
description = var.description
key_usage = var.key_usage
is_enabled = true
}
resource "aws_kms_key_policy" "kms_key" {
key_id = aws_kms_key.kms.key_id
policy = jsonencode({
Id = "kms-key-policy",
Version = "2012-10-17",
Statement = [
{
Sid = "Allow administration of the key",
Effect = "Allow",
Principal = {
"AWS" = "arn:aws:iam::<your account id>:root"
},
Action = [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDelEetion"
],
Resource = "*"
}
{
Sid = "Enable IAM User Permissions",
Effect = "Allow",
Principal = { AWS = "*" },
Action = [
"kms:Create*",
..............
"kms:CancelKeyDeletion",
],
Resource = "*",
},
Sid = "Allow firehose role",
Effect = "Allow",
Principal = {
AWS = "arn:aws:iam::${local.account_id}:role/${var.somerole}"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
Resource = [aws_kms_key.kms.arn]
}
]
})
}
Additionally, you could use the aws_iam_policy_document data source to avoid some of the pitfalls of creating the policy inline. That part could then be done like the following:
data "aws_iam_policy_document" "kms_key_policy" {
statement {
sid = "Allow administration of the key"
effect = "Allow"
principals {
type = "AWS"
identifiers = [
"arn:aws:iam::<your account id>:root"
]
}
actions = [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDelEetion"
]
resources = [
"*"
]
}
statement {
sid = "Enable IAM User Permissions"
effect = "Allow"
principals {
type = "AWS"
identifiers = ["*"]
}
actions = [
"kms:Create*",
"kms:CancelKeyDeletion",
# add whatever is missing from the actions
]
resources = ["*"]
}
statement {
sid = "Allow firehose role"
effect = "Allow"
principals {
type = "AWS"
identifiers = [
"arn:aws:iam::${local.account_id}:role/${var.somerole}"
]
}
actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
]
resources = [
aws_kms_key.kms_key.arn
]
}
}
resource "aws_kms_key" "kms" {
description = var.description
key_usage = var.key_usage
is_enabled = true
}
resource "aws_kms_key_policy" "kms_key" {
key_id = aws_kms_key.kms.key_id
policy = data.aws_iam_policy_document.kms_key_policy.json
}