aws_kms enhancements (#31960)

* Allow creation and deletion of keys (deletion just schedules for deletion, recreating an old key is just cancelling its deletion) * Allow grants to be set, thus enabling encryption contexts to be used with keys * Allow tags to be added and modified * Add testing for KMS module * Tidy up aws_kms module to latest standards
2025-07-24 22:00:22 -07:00 · 2019-02-13 13:06:58 +10:00 · 2019-02-13 13:06:58 +10:00 · 46fbcf08bc
commit 46fbcf08bc
parent 1f3a74c0c8
7 changed files with 1136 additions and 54 deletions
--- a/hacking/aws_config/testing_policies/kms-policy.json
+++ b/hacking/aws_config/testing_policies/kms-policy.json
@ -0,0 +1,54 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "AllowAccessToUnspecifiedKMSResources",
+            "Effect": "Allow",
+            "Action": [
+                "iam:ListRoles",
+                "kms:CancelKeyDeletion",
+                "kms:CreateAlias",
+                "kms:CreateGrant",
+                "kms:CreateKey",
+                "kms:DeleteAlias",
+                "kms:Describe*",
+                "kms:DisableKey",
+                "kms:EnableKey",
+                "kms:GenerateRandom",
+                "kms:Get*",
+                "kms:List*",
+                "kms:RetireGrant",
+                "kms:ScheduleKeyDeletion",
+                "kms:TagResource",
+                "kms:UntagResource",
+                "kms:UpdateGrant",
+                "kms:UpdateKeyDescription"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "AllowAccessToSpecifiedIAMResources",
+            "Effect": "Allow",
+            "Action": [
+                "iam:CreateRole",
+                "iam:DeleteRole",
+                "iam:GetRole",
+                "iam:ListAttachedRolePolicies",
+                "iam:ListInstanceProfilesForRole",
+                "iam:PassRole",
+                "iam:UpdateAssumeRolePolicy"
+            ],
+            "Resource": "arn:aws:iam::{{aws_account}}:role/ansible-test-*"
+        },
+        {
+            "Sid": "AllowInstanceProfileCreation",
+            "Effect": "Allow",
+            "Action": [
+                "iam:AddRoleToInstanceProfile",
+                "iam:CreateInstanceProfile",
+                "iam:RemoveRoleFromInstanceProfile"
+            ],
+            "Resource": "arn:aws:iam::{{aws_account}}:instance-profile/ansible-test-*"
+        }
+    ]
+}