stop prod key sharing (#1435)
LBHTKarki authored Sep 13, 2023
1 parent 58200b2 commit 40680d1
Showing 1 changed file with 0 additions and 36 deletions.
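--- a/terraform/modules/qlik-sense-server/10-aws-ec2.tf
+++ b/terraform/modules/qlik-sense-server/10-aws-ec2.tf
@@ -112,16 +112,6 @@ data "aws_secretsmanager_secret_version" "central_backup_role_arn" {
 secret_id = data.aws_secretsmanager_secret.central_backup_role_arn[0].id
 }
 
-data "aws_secretsmanager_secret" "pre_prod_deployment_role_arn" {
-count = var.is_production_environment ? 1 : 0
-name = "${var.identifier_prefix}-manually-managed-value-pre-prod-deployment-role-arn"
-}
-
-data "aws_secretsmanager_secret_version" "pre_prod_deployment_role_arn" {
-count = var.is_production_environment ? 1 : 0
-secret_id = data.aws_secretsmanager_secret.pre_prod_deployment_role_arn[0].id
-}
-
 data "aws_iam_policy_document" "key_policy" {
 statement {
 effect = "Allow"
@@ -164,32 +154,6 @@ data "aws_iam_policy_document" "key_policy" {
 ]
 }
 }
-
-dynamic "statement" {
-for_each = var.is_production_environment ? [1] : []
-
-content {
-sid = "AllowPreProdDeploymentRoleAccessToThisKey"
-effect = "Allow"
-
-principals {
-type = "AWS"
-identifiers = [data.aws_secretsmanager_secret_version.pre_prod_deployment_role_arn[0].secret_string]
-}
-
-actions = [
-"kms:Encrypt",
-"kms:Decrypt",
-"kms:ReEncrypt*",
-"kms:GenerateDataKey*",
-"kms:DescribeKey"
-]
-
-resources = [
-"*"
-]
-}
-}
 }
 
 resource "aws_kms_key" "key" {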
