diff --git a/modules/credstash-grant-reader/main.tf b/modules/credstash-grant-reader/main.tf
index 65af8ce9..c5c508d2 100644
--- a/modules/credstash-grant-reader/main.tf
+++ b/modules/credstash-grant-reader/main.tf
@@ -24,16 +24,10 @@ variable "reader_policy_arn" {
 type = string
 }
-variable "context_keys" {
- default = []
- description = "list of keys to be zipped with the context_values to set an 'encryption context' for additional granularity that clients are required to provide to read encrypted values. Eg. for env=dev svc=db, this would be [env, svc]. All readers get this context map."
- type = list(string)
-}
-
-variable "context_values" {
- default = []
- description = "list of values to be zipped with the context_keys to set an 'encryption context' for additional granularity that clients are required to provide to read encrypted values. Eg. for env=dev svc=db, this would be [dev, db]. All readers get this context map."
- type = list(string)
+variable "context" {
+ default = {}
+ description = "Context for additional granularity that clients are required to provide to read encrypted values."
+ type = map(string)
 }
 resource "aws_iam_role_policy_attachment" "credstash-reader-policy-attachment" {
@@ -48,11 +42,6 @@ resource "aws_kms_grant" "credstash-reader" {
 grantee_principal = var.role_arns[count.index]
 key_id = var.kms_key_arn
 operations = ["Decrypt"]
-
- constraints {
- encryption_context_equals = {
- element(var.context_keys, count.index) = element(var.context_values, count.index)
- }
- }
+ constraints { encryption_context_equals = var.context }
 }
diff --git a/modules/credstash-grant-writer/main.tf b/modules/credstash-grant-writer/main.tf
index 6d38f148..05f4fef3 100644
--- a/modules/credstash-grant-writer/main.tf
+++ b/modules/credstash-grant-writer/main.tf
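Review bot: `default = {}` on the new `context` variable makes the encryption context optional, whereas the removed `element()` lookups errored on an empty list, so a caller who forgets it now gets a plan that applies; the grant in the second hunk is then built from an empty map, which as far as I can tell produces a Decrypt grant with no encryption-context constraint at all, letting every role in `role_arns` decrypt any ciphertext under `kms_key_arn`. Since the only reason this module exists is per-env/per-service granularity, I would drop the default so Terraform refuses to plan without it (`variable "context" { type = map(string) description = "..." }`), or at minimum document that an empty map disables the constraint. The new description also lost the worked example and the statement that every reader shares one map; suggest `description = "Encryption context (e.g. { env = \"dev\", svc = \"db\" }) that clients must supply to decrypt; the same map is applied to every role in role_arns."`.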
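Review bot: The added `constraints { encryption_context_equals = var.context }` squeezes a nested block onto one line, which `terraform fmt` will rewrite; expand it to `constraints {` / `encryption_context_equals = var.context` / `}` to match the rest of the resource. Worth a comment above the block, because the semantics changed from one key/value pair per role to one shared map and `encryption_context_equals` is an exact match — a credstash `get` that omits a key or adds an extra pair is denied: `# Every grantee gets the same exact-match context; use encryption_context_subset if clients may send a superset.` If `var.context` can be empty the block is emitted with an empty map, which presumably removes the constraint rather than denying everything, so that case deserves either a guard or an explicit mention in the same comment.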
@@ -24,16 +24,10 @@ variable "writer_policy_arn" {
 type = string
 }
-variable "context_keys" {
- default = []
- description = "list of keys to be zipped with the context_values to set an 'encryption context' for additional granularity that clients are required to provide to read encrypted values. Eg. for env=dev svc=db, this would be [env, svc]. All writers get this context map."
- type = list(string)
-}
-
-variable "context_values" {
- default = []
- description = "list of values to be zipped with the context_keys to set an 'encryption context' for additional granularity that clients are required to provide to read encrypted values. Eg. for env=dev svc=db, this would be [dev, db]. All writers get this context map."
- type = list(string)
+variable "context" {
+ default = {}
+ description = "Context for additional granularity that clients are required to provide to write values to encrypt."
+ type = map(string)
 }
 resource "aws_iam_role_policy_attachment" "credstash-writer-policy-attachment" {
@@ -48,11 +42,6 @@ resource "aws_kms_grant" "credstash-writer" {
 grantee_principal = var.role_arns[count.index]
 key_id = var.kms_key_arn
 operations = ["GenerateDataKey"]
-
- constraints {
- encryption_context_equals = {
- element(var.context_keys, count.index) = element(var.context_values, count.index)
- }
- }
+ constraints { encryption_context_equals = var.context }
 }
diff --git a/modules/credstash-grant/README.md b/modules/credstash-grant/README.md
index a484729a..9b22a502 100644
--- a/modules/credstash-grant/README.md
+++ b/modules/credstash-grant/README.md
@@ -9,3 +9,6 @@ See [this RFC](https://docs.google.com/document/d/15nEcV7fxskDgYrXoNMl6RYIo10PCi
 and [this ticket](https://github.com/hashicorp/terraform/issues/386) for more details on that.
+## Deprecated
+
+With `aws_kms_grant` resource introduced, and in the case that host running the module does not have AWSCLI, this module is deprecated. Please use `credstash-grant-reader`, `credstash-grant-writer`.
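Review bot: As with the reader module, `default = {}` turns the encryption context into an opt-in for writers; with the old code an empty `context_keys` list made `element()` fail at plan time, but now an omitted context silently produces a GenerateDataKey grant whose constraint map is empty, which I believe means writer roles can mint data keys under `kms_key_arn` with any (or no) context. I would remove the default so the variable is required, keeping the two modules consistent on this point. The new description is also thinner than the one it replaces — it dropped the `env=dev svc=db` example and the note that all writers share the map; suggest `description = "Encryption context (e.g. { env = \"dev\", svc = \"db\" }) that clients must supply when encrypting; the same map is applied to every role in role_arns."`.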
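Review bot: `constraints { encryption_context_equals = var.context }` is written as a one-liner, which `terraform fmt` will expand; format it as the three-line block the removed code used (`constraints {` / `encryption_context_equals = var.context` / `}`). Because the operation here is `GenerateDataKey`, this constraint pins the context stored alongside every secret a writer creates, and readers granted under the sibling module can only decrypt it if their `context` map is byte-for-byte identical — a short comment makes that coupling visible: `# Must match the reader module's context exactly; GenerateDataKey binds this context to every data key it returns.` The empty-map case (no constraint, presumably) applies here too and should be called out or guarded.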