fix: add KMS policy statement only if key given (#1258)

kayman-mk · web-flow · commit 7635c219fd1c · 2025-03-03T22:28:02.000+01:00
## Description As we assumed that the KMS key is always present (why isn't it?), the policy is created without any resource in case we don't have any key. This PR introduces a separate policy created only if the key is present. Closes #1257
diff --git a/modules/terminate-agent-hook/iam.tf b/modules/terminate-agent-hook/iam.tf
@@ -32,9 +32,26 @@ resource "aws_iam_role" "lambda" {
   tags                  = var.tags
 }
 
+resource "aws_iam_role_policy_attachment" "lambda_kms" {
+  count = var.kms_key_id != "" ? 1 : 0
+
+  role       = aws_iam_role.lambda.name
+  policy_arn = aws_iam_policy.lambda_kms[0].arn
+}
+
+resource "aws_iam_policy" "lambda_kms" {
+  count = var.kms_key_id != "" ? 1 : 0
+
+  name   = "${var.name_iam_objects}-${var.name}-lambda-kms"
+  path   = "/"
+  policy = data.aws_iam_policy_document.kms_key[0].json
+
+  tags = var.tags
+}
+
+data "aws_iam_policy_document" "kms_key" {
+  count = var.kms_key_id != "" ? 1 : 0
 
-# This IAM policy is used by the Lambda function.
-data "aws_iam_policy_document" "lambda" {
   # checkov:skip=CKV_AWS_111:Write access is limited to the resources needed
   statement {
     sid = "AllowKmsAccess"
@@ -44,7 +61,9 @@ data "aws_iam_policy_document" "lambda" {
     resources = [var.kms_key_id]
     effect    = "Allow"
   }
+}
 
+data "aws_iam_policy_document" "lambda" {
   # Permit the function to get a list of instances
   statement {
     sid = "GitLabRunnerLifecycleGetInstances"
diff --git a/modules/terminate-agent-hook/variables.tf b/modules/terminate-agent-hook/variables.tf
@@ -57,7 +57,7 @@ variable "name_docker_machine_runners" {
 }
 
 variable "kms_key_id" {
-  description = "KMS key id to encrypt the resources, e.g. logs, lambda environment variables, ..."
+  description = "(optional) KMS key id to encrypt the resources, e.g. logs, lambda environment variables, ..."
   type        = string
 }
 

Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ variable "name_docker_machine_runners" {`
`57`	`57`	`}`
`58`	`58`
`59`	`59`	`variable "kms_key_id" {`
`60`		`- description = "KMS key id to encrypt the resources, e.g. logs, lambda environment variables, ..."`
	`60`	`+ description = "(optional) KMS key id to encrypt the resources, e.g. logs, lambda environment variables, ..."`
`61`	`61`	`type = string`
`62`	`62`	`}`
`63`	`63`