Modify IAM permissions block to allow for KMS GenerateRandom. (#64)

* Modify IAM permissions block to allow for KMS GenerateRandom. Signed-off-by: Dipack <dipack@transcend.io> * Modify IAM permissions block to allow for KMS GenerateRandom. Signed-off-by: Dipack <dipack@transcend.io> --------- Signed-off-by: Dipack <dipack@transcend.io>
transcend-io · Jun 6, 2024 · 0c435dc · 0c435dc
1 parent 2d79deb
commit 0c435dc
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 6 deletions.
diff --git a/main.tf b/main.tf
@@ -139,7 +139,7 @@ locals {
 module "service" {
   source  = "transcend-io/fargate-service/aws"
   version = "0.9.0"
-  
+
   name         = "${var.deploy_env}-${var.project_id}-sombra-service"
   cpu          = var.cpu
   memory       = var.memory
@@ -231,6 +231,14 @@ data "aws_iam_policy_document" "kms_policy_doc" {
     actions   = ["kms:*"]
     resources = var.use_local_kms ? ["*"] : [aws_kms_key.key.0.arn]
   }
+
+  statement {
+    sid     = "AllowGeneratingRandom"
+    effect  = "Allow"
+    actions = ["kms:GenerateRandom"]
+    # This has to be a `*` since `kms:GenerateRandom` does not allow for specific resources.
+    resources = ["*"]
+  }
 }
 
 resource "aws_iam_policy" "kms_policy" {

diff --git a/variables.tf b/variables.tf
@@ -397,21 +397,21 @@ variable "extra_secret_envs" {
   default     = {}
 }
 
-variable use_network_load_balancer {
+variable "use_network_load_balancer" {
   type        = bool
   description = <<EOF
   If true, the internal load balancer will use a Network Load Balancer instead of an Application Load Balancer.
 
   Use this if you plan to terminate SSL on the sombra itself, and not on the load balancer. This should always be
   used with `tls_config`.
   EOF
-  default = false
+  default     = false
 }
 
-variable network_load_balancer_ingress_cidr_blocks {
+variable "network_load_balancer_ingress_cidr_blocks" {
   type        = list(string)
   description = "CIDR blocks that can talk to sombra when using an NLB"
-  default = ["0.0.0.0/0"]
+  default     = ["0.0.0.0/0"]
 }
 
 variable "tags" {

diff --git a/versions.tf b/versions.tf
@@ -6,7 +6,7 @@ terraform {
     # We cannot use versions 3.16.0 or higher due to this regression:
     # https://github.com/hashicorp/terraform-provider-vault/issues/1907
     vault = {
-      source = "hashicorp/vault"
+      source  = "hashicorp/vault"
       version = "< 3.16.0"
     }
   }