From b74123706e08682df3ee1674be677ce5487ec201 Mon Sep 17 00:00:00 2001
From: patoarvizu
Date: Tue, 7 May 2019 19:23:09 -0500
Subject: [PATCH 1/3] Add variable to allow extending permissions to additional accounts
---
 modules/kms_key/data.tf | 18 ++++++++++++++++++
 modules/kms_key/locals.tf | 3 +++
 modules/kms_key/main.tf | 4 +++-
 modules/kms_key/variables.tf | 6 ++++++
 4 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 modules/kms_key/data.tf
 create mode 100644 modules/kms_key/locals.tf
diff --git a/modules/kms_key/data.tf b/modules/kms_key/data.tf
new file mode 100644
index 0000000..a7bd0bb
--- /dev/null
+++ b/modules/kms_key/data.tf
@@ -0,0 +1,18 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_iam_policy_document" "policy" {
+ policy_id = "key-default-1"
+ version = "2012-10-17"
+
+ statement {
+ sid = "Enable IAM User Permissions"
+ effect = "Allow"
+ actions = ["kms:*"]
+ resources = ["*"]
+
+ principals {
+ type = "AWS"
+ identifiers = ["${formatlist("arn:aws:iam::%s:root", local.accounts_with_permissions)}"]
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/kms_key/locals.tf b/modules/kms_key/locals.tf
new file mode 100644
index 0000000..33754d1
--- /dev/null
+++ b/modules/kms_key/locals.tf
@@ -0,0 +1,3 @@
+locals {
+ accounts_with_permissions = ["${concat(list(data.aws_caller_identity.current.account_id), var.additional_account_ids)}"]
+}
diff --git a/modules/kms_key/main.tf b/modules/kms_key/main.tf
index 9dbb155..d5c3167 100644
--- a/modules/kms_key/main.tf
+++ b/modules/kms_key/main.tf
@@ -1,4 +1,6 @@
-resource "aws_kms_key" "key" {}
+resource "aws_kms_key" "key" {
+ policy = "${data.aws_iam_policy_document.policy.json}"
+}
 resource "aws_kms_alias" "alias" {
 name = "alias/${var.alias_name}"
diff --git a/modules/kms_key/variables.tf b/modules/kms_key/variables.tf
index 65501ad..7e1ae11 100644
--- a/modules/kms_key/variables.tf
+++ b/modules/kms_key/variables.tf
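Review bot: The only statement in `data.aws_iam_policy_document.policy` grants `kms:*` on the key to the `:root` principal of every entry in `local.accounts_with_permissions`, so each id in `var.additional_account_ids` receives full administrative control of the key (policy changes, grants, scheduled deletion), not merely the ability to use it; the `additional_account_ids` description in the variables.tf hunk ("permissions to use the key") understates this and should say what is actually granted. Keep `kms:*` for `data.aws_caller_identity.current.account_id` alone and put the additional accounts in a second statement limited to the data-plane actions (`kms:Encrypt`, `kms:Decrypt`, `kms:ReEncrypt*`, `kms:GenerateDataKey*`, `kms:DescribeKey`), as sketched below. With the `default = []` an empty `identifiers` list in that second statement will, I believe, produce a policy document KMS rejects, so the extra statement needs to be guarded when the variable is empty — worth verifying with a plan that uses the default. Granting to `:root` also leaves it to the other account's own IAM policies to decide which of its principals may use the key; that is the normal cross-account KMS pattern, but it belongs in the variable description.
```hcl
  statement {
    sid       = "Enable IAM User Permissions"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  statement {
    sid       = "Allow use of the key by additional accounts"
    effect    = "Allow"
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["${formatlist("arn:aws:iam::%s:root", var.additional_account_ids)}"]
    }
  }
```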
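Review bot: `aws_kms_key.key` now carries an explicit `policy` but automatic rotation stays at the provider default, which is off; add `enable_key_rotation = true` next to `policy` so the key material rotates automatically while the key id and alias stay stable. A `description` on the same resource would also make the key identifiable in the console and in CloudTrail events. The `aws_kms_alias` block continues past the end of the hunk.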
@@ -1,4 +1,10 @@
 variable "alias_name" {
 type = "string"
 description = "The alias for the main key"
+}
+
+variable "additional_account_ids" {
+ type = "list"
+ description = "List of additional account ids with permissions to use the key"
+ default = []
 }
\ No newline at end of file
From 553468c46009bfc3b5e550073c472afea614cda8 Mon Sep 17 00:00:00 2001
From: patoarvizu
Date: Tue, 7 May 2019 21:48:24 -0500
Subject: [PATCH 2/3] Update README with modules' inputs and outputs
---
 README.md | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 51 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 99d16f7..2d33bfc 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,51 @@
-# terraform-kms-encryption
\ No newline at end of file
+# terraform-kms-encryption
+
+## Modules
+
+### KMS Key
+
+Path: `modules/kms_key`
+
+#### Inputs
+
+Variable name | Default value
+------------- | -------------
+alias_name |
+additional_account_ids | []
+
+#### Outputs
+
+* `key_id`
+* `key_arn`
+
+### Secret decryption
+
+Path: `modules/secret_decryption`
+
+#### Inputs
+
+Variable name | Default value
+------------- | -------------
+encrypted_secret |
+secret_context | {}
+
+#### Outputs
+
+* `decrypted_secret`
+
+### Secret encryption
+
+Path: `modules/secret_encryption`
+
+#### Inputs
+
+Variable name | Default value
+------------- | -------------
+alias_name |
+text_to_encrypt |
+secret_context | {}
+
+#### Outputs
+
+* `encrypted_secret`
+
From b29d0c7fc420aea0127f1bef3b6c41bf4524afea Mon Sep 17 00:00:00 2001
From: patoarvizu
Date: Tue, 7 May 2019 21:50:26 -0500
Subject: [PATCH 3/3] Run 'terraform fmt'
---
 modules/kms_key/data.tf | 2 +-
 modules/kms_key/main.tf | 4 ++--
 modules/kms_key/outputs.tf | 2 +-
 modules/kms_key/variables.tf | 8 ++++----
 modules/secret_decryption/main.tf | 4 ++--
 modules/secret_decryption/outputs.tf | 2 +-
 modules/secret_decryption/variables.tf | 8 ++++----
 modules/secret_encryption/data.tf | 2 +-
 modules/secret_encryption/main.tf | 6 +++---
 modules/secret_encryption/outputs.tf | 2 +-
 modules/secret_encryption/variables.tf | 10 +++++-----
 11 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/modules/kms_key/data.tf b/modules/kms_key/data.tf
index a7bd0bb..4859546 100644
--- a/modules/kms_key/data.tf
+++ b/modules/kms_key/data.tf
@@ -15,4 +15,4 @@ data "aws_iam_policy_document" "policy" {
 identifiers = ["${formatlist("arn:aws:iam::%s:root", local.accounts_with_permissions)}"]
 }
 }
-}
\ No newline at end of file
+}
diff --git a/modules/kms_key/main.tf b/modules/kms_key/main.tf
index d5c3167..e50552e 100644
--- a/modules/kms_key/main.tf
+++ b/modules/kms_key/main.tf
@@ -3,6 +3,6 @@ resource "aws_kms_key" "key" {
 }
 resource "aws_kms_alias" "alias" {
- name = "alias/${var.alias_name}"
+ name = "alias/${var.alias_name}"
 target_key_id = "${aws_kms_key.key.key_id}"
-}
\ No newline at end of file
+}
diff --git a/modules/kms_key/outputs.tf b/modules/kms_key/outputs.tf
index 9a8179b..4d61a1a 100644
--- a/modules/kms_key/outputs.tf
+++ b/modules/kms_key/outputs.tf
@@ -4,4 +4,4 @@ output "key_id" {
 output "key_arn" {
 value = "${aws_kms_key.key.arn}"
-}
\ No newline at end of file
+}
diff --git a/modules/kms_key/variables.tf b/modules/kms_key/variables.tf
index 7e1ae11..1f3cd57 100644
--- a/modules/kms_key/variables.tf
+++ b/modules/kms_key/variables.tf
@@ -1,10 +1,10 @@
 variable "alias_name" {
- type = "string"
+ type = "string"
 description = "The alias for the main key"
 }
 variable "additional_account_ids" {
- type = "list"
+ type = "list"
 description = "List of additional account ids with permissions to use the key"
- default = []
-}
\ No newline at end of file
+ default = []
+}
diff --git a/modules/secret_decryption/main.tf b/modules/secret_decryption/main.tf
index c9655b0..6e73a69 100644
--- a/modules/secret_decryption/main.tf
+++ b/modules/secret_decryption/main.tf
@@ -1,7 +1,7 @@
 data "aws_kms_secrets" "secret" {
 secret {
- name = "decrypted_secret"
+ name = "decrypted_secret"
 payload = "${var.encrypted_secret}"
 context = "${var.secret_context}"
 }
-}
\ No newline at end of file
+}
diff --git a/modules/secret_decryption/outputs.tf b/modules/secret_decryption/outputs.tf
index ee95ac7..4b30927 100644
--- a/modules/secret_decryption/outputs.tf
+++ b/modules/secret_decryption/outputs.tf
@@ -1,3 +1,3 @@
 output "decrypted_secret" {
 value = "${data.aws_kms_secrets.secret.plaintext.decrypted_secret}"
-}
\ No newline at end of file
+}
diff --git a/modules/secret_decryption/variables.tf b/modules/secret_decryption/variables.tf
index 742b111..3c789b1 100644
--- a/modules/secret_decryption/variables.tf
+++ b/modules/secret_decryption/variables.tf
@@ -1,10 +1,10 @@
 variable "encrypted_secret" {
- type = "string"
+ type = "string"
 description = "KMS-encrypted secret to be decrypted"
 }
 variable "secret_context" {
- type = "map"
+ type = "map"
 description = "Encryption context associated with the secret"
- default = {}
-}
\ No newline at end of file
+ default = {}
+}
diff --git a/modules/secret_encryption/data.tf b/modules/secret_encryption/data.tf
index 4587272..cdd9bd0 100644
--- a/modules/secret_encryption/data.tf
+++ b/modules/secret_encryption/data.tf
@@ -1,3 +1,3 @@
 data "aws_kms_alias" "alias" {
 name = "alias/${var.alias_name}"
-}
\ No newline at end of file
+}
diff --git a/modules/secret_encryption/main.tf b/modules/secret_encryption/main.tf
index c145fe9..928a1d7 100644
--- a/modules/secret_encryption/main.tf
+++ b/modules/secret_encryption/main.tf
@@ -1,5 +1,5 @@
 data "aws_kms_ciphertext" "secret" {
- key_id = "${data.aws_kms_alias.alias.target_key_id}"
+ key_id = "${data.aws_kms_alias.alias.target_key_id}"
 plaintext = "${var.text_to_encrypt}"
- context = "${var.secret_context}"
-}
\ No newline at end of file
+ context = "${var.secret_context}"
+}
diff --git a/modules/secret_encryption/outputs.tf b/modules/secret_encryption/outputs.tf
index 850d3b7..105c008 100644
--- a/modules/secret_encryption/outputs.tf
+++ b/modules/secret_encryption/outputs.tf
@@ -1,3 +1,3 @@
 output "encrypted_secret" {
 value = "${data.aws_kms_ciphertext.secret.ciphertext_blob}"
-}
\ No newline at end of file
+}
diff --git a/modules/secret_encryption/variables.tf b/modules/secret_encryption/variables.tf
index 9230fb2..f847a7d 100644
--- a/modules/secret_encryption/variables.tf
+++ b/modules/secret_encryption/variables.tf
@@ -1,15 +1,15 @@
 variable "alias_name" {
- type = "string"
+ type = "string"
 description = "Alias of the KMS key to be used for encryption"
 }
 variable "text_to_encrypt" {
- type = "string"
+ type = "string"
 description = "Plain text string to be encrypted"
 }
 variable "secret_context" {
- type = "map"
+ type = "map"
 description = "Context to be associated with the encrypted secret"
- default = {}
-}
\ No newline at end of file
+ default = {}
+}