####
# KMS
####

locals {
  # Create a CMK only when the caller asks for one AND something would actually
  # be encrypted with it (the root device, or at least one extra volume).
  should_create_kms_key = var.volume_kms_key_create && (var.root_block_device_encrypted || var.extra_volume_count > 0)

  # The Auto Scaling service-linked role gets a grant when an ASG launches
  # instances with an encrypted root volume backed by a CMK, whether that CMK is
  # created here or supplied by the caller (volume_kms_key_external_exist).
  # NOTE(review): gated on root_block_device_encrypted only, while the key is
  # also created for extra_volume_count > 0 — confirm extra volumes never depend
  # on this grant when the root device is unencrypted.
  should_grant_asg_to_access_key = var.root_block_device_encrypted && var.use_autoscaling_group && (var.volume_kms_key_external_exist || local.should_create_kms_key)

  # ARN of the key volumes are encrypted with: the one created here, otherwise
  # the caller-supplied ARN.
  volume_kms_key_arn = local.should_create_kms_key ? aws_kms_key.this_volume[0].arn : var.volume_kms_key_arn
}

resource "aws_kms_key" "this_volume" {
  count = local.should_create_kms_key ? 1 : 0

  description              = "KMS key for ${format("%s%s", var.prefix, var.name)} instance(s) volume(s)."
  customer_master_key_spec = var.volume_kms_key_customer_master_key_spec

  # Key policy is passed through verbatim.
  # NOTE(review): if this is null the provider leaves AWS to attach its default
  # key policy — confirm that is intended for the callers of this module.
  policy = var.volume_kms_key_policy

  # NOTE(review): enable_key_rotation is not set, so the provider default (off)
  # applies; automatic rotation is only valid for symmetric specs, so gate it on
  # customer_master_key_spec if it is added.

  # Later maps win on key collision: module-local tags override caller tags,
  # which override the generated Name.
  tags = merge(
    {
      "Name" = format("%s%s", var.prefix, var.volume_kms_key_name)
    },
    var.tags,
    var.volume_kms_key_tags,
    local.tags,
  )
}

resource "aws_kms_alias" "this_volume" {
  count = local.should_create_kms_key ? 1 : 0

  name          = format("alias/%s%s", var.prefix, var.volume_kms_key_alias)
  target_key_id = aws_kms_key.this_volume[0].key_id
}

resource "aws_kms_grant" "this_volume" {
  count = local.should_grant_asg_to_access_key ? 1 : 0

  name   = "AllowASGToAccessKMS"
  key_id = local.volume_kms_key_arn

  # Grantee is the Auto Scaling service-linked role managed elsewhere in this
  # module; this assumes that resource has count >= 1 whenever the grant is
  # created — verify against its own count condition.
  grantee_principal = aws_iam_service_linked_role.asg[0].arn

  # No `constraints` block is set, so every operation below is unconditional
  # for the grantee; CreateGrant/RetireGrant let the role delegate further.
  operations = [
    "Encrypt",
    "Decrypt",
    "GenerateDataKey",
    "DescribeKey",
    "CreateGrant",
    "GenerateDataKeyWithoutPlaintext",
    "ReEncryptFrom",
    "ReEncryptTo",
    "RetireGrant",
  ]
}