From c822507e91aee3d8722571912d57264639374a38 Mon Sep 17 00:00:00 2001
From: westonplatter
Date: Sat, 5 Dec 2020 14:31:57 -0700
Subject: [PATCH 1/3] feat: enable users to set KMS session logging alias.

---
 main.tf | 8 +++++---
 variables.tf | 7 +++++++
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/main.tf b/main.tf
index 35b3782..9e0f4e7 100644
--- a/main.tf
+++ b/main.tf
@@ -39,8 +39,10 @@ data "aws_region" "current" {}
 data "aws_caller_identity" "current" {}
 
 locals {
- region = coalesce(var.region, data.aws_region.current.name)
- account_id = data.aws_caller_identity.current.account_id
+ region = coalesce(var.region, data.aws_region.current.name)
+ account_id = data.aws_caller_identity.current.account_id
+ session_logging_kms_key_alias = var.session_logging_kms_key_alias
+
 }
 
 #####################
@@ -171,7 +173,7 @@ module "kms_key" {
 description = "KMS key for encrypting Session Logs in S3 and CloudWatch."
 deletion_window_in_days = 10
 enable_key_rotation = true
- alias = "alias/session_logging_key"
+ alias = local.session_logging_kms_key_alias
 policy = <
Date: Sat, 5 Dec 2020 14:38:51 -0700
Subject: [PATCH 2/3] readme. add session_logging_kms_key_alias var to readme.

---
 README.md | 3 ++-
 variables.tf | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 07b5339..05addc8 100644
--- a/README.md
+++ b/README.md
@@ -99,7 +99,8 @@ Use [the awesome `gossm` project](https://github.com/gjbae1212/gossm).
 | session\_logging\_enabled | To enable CloudWatch and S3 session logging or not. Note this does not apply to SSH sessions as AWS cannot log those sessions. | `bool` | `true` | no |
 | session\_logging\_encryption\_enabled | To enable CloudWatch and S3 session logging encryption or not. | `bool` | `true` | no |
 | session\_logging\_kms\_key\_arn | BYO KMS Key instead of using the created KMS Key. The session\_logging\_encryption\_enabled variable must still be `true` for this to be applied. | `string` | `""` | no |
-| stage | The environment that this infrastrcuture is being deployed to e.g. dev, stage, or prod | `string` | `""` | no |
+| session\_logging\_kms\_key\_alias | "Alias name for `session_logging` KMS Key. This is only applied if 2 conditions are met: (1) `session_logging_kms_key_arn` is unset, (2) `session_logging_encryption_enabled` = true." | `string` | `"alias/session_logging"` | no |
+| stage | The environment that this infrastructure is being deployed to e.g. dev, stage, or prod | `string` | `""` | no |
 | subnet\_ids | The Subnet IDs which the SSM Agent will run in. These *should* be private subnets. | `list(string)` | n/a | yes |
 | tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
 | user\_data | The user\_data to use for the SSM Agent EC2 instance. You can use this to automate installation of psql or other required command line tools. | `string` | `"#!/bin/bash\n# NOTE: Since we're using a latest Amazon Linux AMI, we shouldn't need this,\n# but we'll update it to be sure.\ncd /tmp\nsudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpmnsudo systemctl enable amazon-ssm-agent\nsudo systemctl start amazon-ssm-agent\n"` | no |
diff --git a/variables.tf b/variables.tf
index 97e2864..21f4b46 100644
--- a/variables.tf
+++ b/variables.tf
@@ -128,7 +128,7 @@ variable "session_logging_kms_key_arn" {
 variable "session_logging_kms_key_alias" {
 default = "alias/session_logging"
 type = string
- description = "Alias name for `session_logging` KMS Key. The session_logging_encryption_enabled variable must still be `true` for this to be applied."
+ description = "Alias name for `session_logging` KMS Key. This is only applied if 2 conditions are met: (1) `session_logging_kms_key_arn` is unset, (2) `session_logging_encryption_enabled` = true."
 }

From c0536c15fbf32bdf700dec5b20e8d59b6dd5a6f2 Mon Sep 17 00:00:00 2001
From: westonplatter
Date: Fri, 11 Dec 2020 13:34:15 -0700
Subject: [PATCH 3/3] pull alias name from var.

---
 main.tf | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/main.tf b/main.tf
index 9e0f4e7..1b644d4 100644
--- a/main.tf
+++ b/main.tf
@@ -39,10 +39,8 @@ data "aws_region" "current" {}
 data "aws_caller_identity" "current" {}
 
 locals {
- region = coalesce(var.region, data.aws_region.current.name)
- account_id = data.aws_caller_identity.current.account_id
- session_logging_kms_key_alias = var.session_logging_kms_key_alias
-
+ region = coalesce(var.region, data.aws_region.current.name)
+ account_id = data.aws_caller_identity.current.account_id
 }
 
 #####################
@@ -173,7 +171,7 @@ module "kms_key" {
 description = "KMS key for encrypting Session Logs in S3 and CloudWatch."
 deletion_window_in_days = 10
 enable_key_rotation = true
- alias = local.session_logging_kms_key_alias
+ alias = var.session_logging_kms_key_alias
 policy = <
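Review bot: The default `"alias/session_logging"` in this variable block is not the alias the module created before this series (`"alias/session_logging_key"`, the removed line in the patch-1 main.tf hunk), so an existing deployment that upgrades will have its KMS alias replaced and any IAM policy, CLI invocation or log reader that addresses the key by the old alias name stops resolving. Either keep `default = "alias/session_logging_key"` for backward compatibility or call the rename out as a breaking change in the README and changelog. The block also accepts any string, while KMS only accepts alias names that begin with `alias/` and reserves the `alias/aws/` prefix, so a bad value is rejected only at apply time; if the module's required Terraform version is 0.13 or newer, a `validation` block surfaces that at plan time. The variable block is complete in the hunk; the patch-3 main.tf hunk (`alias = var.session_logging_kms_key_alias`) is the consumer of this value.
```hcl
variable "session_logging_kms_key_alias" {
  # … unchanged: default, type, description …

  validation {
    condition     = can(regex("^alias/", var.session_logging_kms_key_alias)) && !can(regex("^alias/aws/", var.session_logging_kms_key_alias))
    error_message = "The session_logging_kms_key_alias value must start with \"alias/\" and must not use the reserved \"alias/aws/\" prefix."
  }
}
```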