I was trying to provision an AWS KMS key using Terraform; the code I am using is added below. In this KMS resource I need to add an AWS Kinesis Firehose role to access the KMS key. For that, in the code I added the KMS key as hardcoded (after provisioning). To add this role as part of the `terraform apply` I tried the options below:

- Used `*` in the `Resource` field (`key/*`) and got the error "malformed policy document exception".
- Used `aws_kms_key.key.arn` and got "Configuration for aws_kms_key.key may not refer to itself".
```hcl
resource "aws_kms_key" "key" {
  description = var.description
  key_usage   = var.key_usage
  is_enabled  = true

  policy = jsonencode({
    Version = "2012-10-17",
    Id      = "key-default-1",
    Statement = [
      {
        Sid    = "Enable IAM User Permissions",
        Effect = "Allow",
        # "*" here matches every AWS principal, not only this account's.
        Principal = { AWS = "*" },
        Action = [
          "kms:Create*",
          # .............. (remaining admin actions elided in the post)
          "kms:CancelKeyDeletion",
        ],
        Resource = "*",
      },
      {
        Sid    = "Allow firehose role",
        Effect = "Allow",
        Principal = {
          AWS = "arn:aws:iam::${local.account_id}:role/${var.somerole}"
        },
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey",
        ],
        # Key id hardcoded after the first provisioning run
        Resource = "arn:aws:kms:eu-central-1:${local.account_id}:key/111-111-111"
      },
      # . . . (further statements elided in the post)
    ]
  })
}
```
If you want to use an implicit reference, I would probably go for this resource: registry.terraform.io/providers/hashicorp/aws/latest/docs/….
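Both errors in the question have the same root cause: a KMS key policy is evaluated against the key it is attached to, so it cannot know its own ARN at plan time, and a partial ARN such as `key/*` is not a valid key policy resource. The example below is added here and is not the asker's or the answerer's code. It shows the two ways out, assuming the variables `var.description`, `var.key_usage` and `var.somerole` from the question and a `hashicorp/aws` provider recent enough to include the `aws_kms_key_policy` resource (the account id comes from the `aws_caller_identity` data source rather than a local). Variant 1 keeps the policy inline and uses `Resource = "*"`, which in a key policy means "this key"; Variant 2 creates the key without a policy and attaches one afterwards, so the document can reference `aws_kms_key.key_v2.arn` without a self-reference. The admin statement is also narrowed from `AWS = "*"` to the account root, so key administration is delegated to IAM within this account only. Pick one variant per key; the two are shown side by side only for comparison.

```hcl
# Added example, not the asker's or answerer's configuration.
# Assumes var.description, var.key_usage and var.somerole exist as in
# the question, and a hashicorp/aws provider that has aws_kms_key_policy.

data "aws_caller_identity" "current" {}

locals {
  account_id = data.aws_caller_identity.current.account_id

  # Statements shared by both variants below.
  key_admin_statement = {
    Sid    = "Enable IAM User Permissions"
    Effect = "Allow"
    # Account root instead of "*": only IAM principals in this account
    # (as permitted by their IAM policies) can administer the key.
    Principal = { AWS = "arn:aws:iam::${local.account_id}:root" }
    Action    = "kms:*"
    Resource  = "*"
  }

  firehose_statement = {
    Sid       = "Allow firehose role"
    Effect    = "Allow"
    Principal = { AWS = "arn:aws:iam::${local.account_id}:role/${var.somerole}" }
    Action = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
    ]
    # In a key policy "*" means "this key"; no key/<id> ARN is needed,
    # and a partial ARN such as key/* is rejected as malformed.
    Resource = "*"
  }
}

# Variant 1: inline policy. No self-reference is needed because every
# statement uses Resource = "*".
resource "aws_kms_key" "key" {
  description = var.description
  key_usage   = var.key_usage
  is_enabled  = true

  policy = jsonencode({
    Version   = "2012-10-17"
    Id        = "key-default-1"
    Statement = [local.key_admin_statement, local.firehose_statement]
  })
}

# Variant 2: key without an inline policy; the policy is a separate
# resource, so it may reference the key's ARN explicitly.
resource "aws_kms_key" "key_v2" {
  description = var.description
  key_usage   = var.key_usage
  is_enabled  = true
}

resource "aws_kms_key_policy" "key_v2" {
  key_id = aws_kms_key.key_v2.key_id
  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "key-default-1"
    Statement = [
      local.key_admin_statement,
      # Explicit key ARN, resolved after the key exists.
      merge(local.firehose_statement, { Resource = aws_kms_key.key_v2.arn }),
    ]
  })
}
```

With Variant 2 the key is created first with the provider's default policy and then `aws_kms_key_policy` replaces it in the same apply, which removes the need to hardcode a key id after a first provisioning run.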