# tflint-ignore: terraform_standard_module_structure
variable "enable_kms_glue" {
description = "Enable customer managed key that can be used to encrypt/decrypt AWS Glue"
type = bool
default = false
}
# tflint-ignore: terraform_standard_module_structure
variable "enable_key_rotation_glue" {
description = "Enable key rotation for AWS Glue CMK"
type = bool
default = true
}
# tflint-ignore: terraform_standard_module_structure
variable "enable_multi_region_glue" {
description = "Enable multi-region for AWS Glues CMK"
type = bool
default = false
}
# tflint-ignore: terraform_standard_module_structure
variable "override_policy_glue" {
description = "A valid KMS key policy JSON document. If not specified, a canonical key policy will be used."
type = string
default = null
}
data "aws_iam_policy_document" "glue" {
# checkov:skip=CKV_AWS_109: Not applicable, using condition
# checkov:skip=CKV_AWS_111: Not applicable, using condition
source_policy_documents = [data.aws_iam_policy_document.admin_kms_policy.json]
statement {
sid = "Allow access through Glue for all principals in the account that are authorized to use Glue"
principals {
type = "AWS"
identifiers = ["*"]
}
actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:CreateGrant",
"kms:DescribeKey"
]
resources = ["*"]
condition {
test = "StringEquals"
variable = "kms:ViaService"
values = [
"glue.${var.region}.amazonaws.com"
]
}
condition {
test = "StringEquals"
variable = "kms:CallerAccount"
values = local.allowed_accounts_via_service
}
}
# Is this access needed for cross-account? Owner account has *.* access
# dynamic "statement" {
# for_each = local.enable_cross_account_access
# content {
# sid = "Allow direct access to key metadata to the cross-accounts"
# principals {
# type = "AWS"
# identifiers = local.kms_cross_account_roots
# }
# actions = [
# "kms:Describe*",
# "kms:Get*",
# "kms:List*",
# "kms:RevokeGrant"
# ]
# resources = ["*"]
# }
# }
}