Merge pull request #6 from westonplatter/master
Gowiem authored Dec 14, 2020
2 parents d7935b4 + c0536c1 commit b1057ea
Showing 3 changed files with 10 additions and 2 deletions.
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -99,7 +99,8 @@ Use [the awesome `gossm` project](https://github.com/gjbae1212/gossm).
| session\_logging\_enabled | To enable CloudWatch and S3 session logging or not. Note this does not apply to SSH sessions as AWS cannot log those sessions. | `bool` | `true` | no |
| session\_logging\_encryption\_enabled | To enable CloudWatch and S3 session logging encryption or not. | `bool` | `true` | no |
| session\_logging\_kms\_key\_arn | BYO KMS Key instead of using the created KMS Key. The session\_logging\_encryption\_enabled variable must still be `true` for this to be applied. | `string` | `""` | no |
| stage | The environment that this infrastrcuture is being deployed to e.g. dev, stage, or prod | `string` | `""` | no |
| session\_logging\_kms\_key\_alias | "Alias name for `session_logging` KMS Key. This is only applied if 2 conditions are met: (1) `session_logging_kms_key_arn` is unset, (2) `session_logging_encryption_enabled` = true." | `string` | `"alias/session_logging"` | no |
| stage | The environment that this infrastructure is being deployed to e.g. dev, stage, or prod | `string` | `""` | no |
| subnet\_ids | The Subnet IDs which the SSM Agent will run in. These *should* be private subnets. | `list(string)` | n/a | yes |
| tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
| user\_data | The user\_data to use for the SSM Agent EC2 instance. You can use this to automate installation of psql or other required command line tools. | `string` | `"#!/bin/bash\n# NOTE: Since we're using a latest Amazon Linux AMI, we shouldn't need this,\n# but we'll update it to be sure.\ncd /tmp\nsudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpmnsudo systemctl enable amazon-ssm-agent\nsudo systemctl start amazon-ssm-agent\n"` | no |
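
Review bot: In the added `session_logging_kms_key_alias` row, the description cell is wrapped in literal double quotes (`"Alias name for ... = true."`), which none of the neighbouring rows have, so the quotes from the HCL string will render in the README; drop them. The row is also placed after `session_logging_kms_key_arn`, while the surrounding rows are in alphabetical order, so it belongs one row higher.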
2 changes: 1 addition & 1 deletion main.tf
Expand Up @@ -171,7 +171,7 @@ module "kms_key" {
description = "KMS key for encrypting Session Logs in S3 and CloudWatch."
deletion_window_in_days = 10
enable_key_rotation = true
alias = "alias/session_logging_key"
alias = var.session_logging_kms_key_alias

policy = <<DOC
{
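
Review bot: On the `alias = var.session_logging_kms_key_alias` line, the alias changes for existing deployments without any opt-in, because the removed literal was `alias/session_logging_key` while the new variable defaults to `alias/session_logging`. Anyone who upgrades without setting the variable gets a plan that changes the KMS alias, and anything that refers to the key by the old alias name has to be updated with it. Default the variable to `alias/session_logging_key` so the upgrade is a no-op, or call the rename out in the release notes.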
7 changes: 7 additions & 0 deletions variables.tf
Expand Up @@ -125,6 +125,13 @@ variable "session_logging_kms_key_arn" {
description = "BYO KMS Key instead of using the created KMS Key. The session_logging_encryption_enabled variable must still be `true` for this to be applied."
}

variable "session_logging_kms_key_alias" {
default = "alias/session_logging"
type = string
description = "Alias name for `session_logging` KMS Key. This is only applied if 2 conditions are met: (1) `session_logging_kms_key_arn` is unset, (2) `session_logging_encryption_enabled` = true."
}


variable "session_logging_bucket_name" {
default = ""
type = string
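
Review bot: The new `session_logging_kms_key_alias` variable accepts any string, but KMS alias names must begin with `alias/`, so a caller who passes a bare name only finds out at apply time. A `validation` block with a condition such as `can(regex("^alias/", var.session_logging_kms_key_alias))` would reject it at plan time, provided the module's minimum Terraform version supports variable validation. As a style point, the block is followed by two blank lines where the preceding variable block is followed by one.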