Limit principal to account id (#76)

ftzimmer · web-flow · commit e5089d0b3b46 · 2022-06-13T18:37:20.000+02:00
diff --git a/modules/infrastructure/cloudtrail/kms.tf b/modules/infrastructure/cloudtrail/kms.tf
@@ -21,7 +21,7 @@ data "aws_iam_policy_document" "cloudtrail_kms" {
     effect = "Allow"
     principals {
       # identifiers = ["arn:aws:iam::${data.aws_caller_identity.me.account_id}:root"]
-      identifiers = ["*"]
+      identifiers = [data.aws_caller_identity.me.account_id]
       type        = "AWS"
     }
     actions   = ["kms:*"]

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ data "aws_iam_policy_document" "cloudtrail_kms" {`
`21`	`21`	`effect = "Allow"`
`22`	`22`	`principals {`
`23`	`23`	`# identifiers = ["arn:aws:iam::${data.aws_caller_identity.me.account_id}:root"]`
`24`		`- identifiers = ["*"]`
	`24`	`+ identifiers = [data.aws_caller_identity.me.account_id]`
`25`	`25`	`type = "AWS"`
`26`	`26`	`}`
`27`	`27`	`actions = ["kms:*"]`