From 6b5fe4149114b72bded6e2a1d73964bc02add261 Mon Sep 17 00:00:00 2001
From: Magicloud <1886157+Magicloud@users.noreply.github.com>
Date: Fri, 11 Oct 2019 20:30:59 +0800
Subject: [PATCH 1/3] Deprecate: module/credstash-grant
---
 modules/credstash-grant/README.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/modules/credstash-grant/README.md b/modules/credstash-grant/README.md
index a484729a..9b22a502 100644
--- a/modules/credstash-grant/README.md
+++ b/modules/credstash-grant/README.md
@@ -9,3 +9,6 @@ See [this RFC](https://docs.google.com/document/d/15nEcV7fxskDgYrXoNMl6RYIo10PCi
 and [this ticket](https://github.com/hashicorp/terraform/issues/386) for more details on that.
+## Deprecated
+
+With `aws_kms_grant` resource introduced, and in the case that host running the module does not have AWSCLI, this module is deprecated. Please use `credstash-grant-reader`, `credstash-grant-writer`.
From cbc272a37b6f67050a09057ad73aafd6b88fd5c8 Mon Sep 17 00:00:00 2001
From: Magicloud <1886157+Magicloud@users.noreply.github.com>
Date: Fri, 11 Oct 2019 22:12:18 +0800
Subject: [PATCH 2/3] module/credstash-grant-reader: Replace the implemention of kms_grant context with `map`. The original way of creating map at runtime from two lists are easy to go wrong, and acturally wrong. It went through the lists by role count, which does not make sense.
---
 modules/credstash-grant-reader/main.tf | 21 +++++----------------
 1 file changed, 5 insertions(+), 16 deletions(-)
diff --git a/modules/credstash-grant-reader/main.tf b/modules/credstash-grant-reader/main.tf
index 65af8ce9..c5c508d2 100644
--- a/modules/credstash-grant-reader/main.tf
+++ b/modules/credstash-grant-reader/main.tf
@@ -24,16 +24,10 @@ variable "reader_policy_arn" {
 type = string
 }
-variable "context_keys" {
- default = []
- description = "list of keys to be zipped with the context_values to set an 'encryption context' for additional granularity that clients are required to provide to read encrypted values. Eg. for env=dev svc=db, this would be [env, svc]. All readers get this context map."
- type = list(string)
-}
-
-variable "context_values" {
- default = []
- description = "list of values to be zipped with the context_keys to set an 'encryption context' for additional granularity that clients are required to provide to read encrypted values. Eg. for env=dev svc=db, this would be [dev, db]. All readers get this context map."
- type = list(string)
+variable "context" {
+ default = {}
+ description = "Context for additional granularity that clients are required to provide to read encrypted values."
+ type = map(string)
 }
 resource "aws_iam_role_policy_attachment" "credstash-reader-policy-attachment" {
@@ -48,11 +42,6 @@ resource "aws_kms_grant" "credstash-reader" {
 grantee_principal = var.role_arns[count.index]
 key_id = var.kms_key_arn
 operations = ["Decrypt"]
-
- constraints {
- encryption_context_equals = {
- element(var.context_keys, count.index) = element(var.context_values, count.index)
- }
- }
+ constraints { encryption_context_equals = var.context }
 }
From 860c2784349be21d7afc68eaafea8af7f00f6100 Mon Sep 17 00:00:00 2001
From: Magicloud <1886157+Magicloud@users.noreply.github.com>
Date: Fri, 11 Oct 2019 22:25:21 +0800
Subject: [PATCH 3/3] module/credstash-grant-writer: Replace the implemention of kms_grant context with `map`. The original way of creating map at runtime from two lists are easy to go wrong, and acturally wrong. It went through the lists by role count, which does not make sense.
---
 modules/credstash-grant-writer/main.tf | 21 +++++----------------
 1 file changed, 5 insertions(+), 16 deletions(-)
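Review bot: The new `context` description on the `+ description = ...` line drops two things the removed `context_keys`/`context_values` descriptions carried: the worked example (env=dev svc=db) and the statement that every reader gets the same map, which matters more now that a single `var.context` is attached to every `role_arns` entry. I would write it as `description = "Encryption context every role in role_arns must supply with Decrypt, e.g. { env = \"dev\", svc = \"db\" }. The same map is applied to every reader grant."`. Replacing the two list inputs with `context` also changes the module's input interface, so existing callers that pass `context_keys`/`context_values` will presumably fail at plan time with an undeclared-variable error; that is worth a line in the module README, which this series does not touch. The same points apply to the matching `context` variable hunk in `modules/credstash-grant-writer/main.tf`.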
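Review bot: `constraints { encryption_context_equals = var.context }` is now fed by a variable whose default is `{}`, so a caller who omits `context` gets a grant whose constraint map is empty; as far as I can tell the provider then creates a grant with no encryption-context restriction, meaning every role in `role_arns` may Decrypt any ciphertext under `kms_key_arn`. The removed `element(var.context_keys, count.index)` expression would have failed on the old empty-list defaults, so the module previously could not be applied without a context, and this hunk quietly removes that safety property. Either drop `default = {}` so `context` must be passed, or make the block conditional as below so an empty map emits no `constraints` block at all and the variable description says that this leaves the grant unconstrained. The same applies to the `credstash-writer` grant hunk in `modules/credstash-grant-writer/main.tf`.
```hcl
  operations = ["Decrypt"]
  # Emit the constraint only when a context was supplied; an empty
  # map would otherwise silently produce an unconstrained grant.
  dynamic "constraints" {
    for_each = length(var.context) > 0 ? [var.context] : []
    content {
      encryption_context_equals = constraints.value
    }
  }
}
```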
diff --git a/modules/credstash-grant-writer/main.tf b/modules/credstash-grant-writer/main.tf
index 6d38f148..05f4fef3 100644
--- a/modules/credstash-grant-writer/main.tf
+++ b/modules/credstash-grant-writer/main.tf
@@ -24,16 +24,10 @@ variable "writer_policy_arn" {
 type = string
 }
-variable "context_keys" {
- default = []
- description = "list of keys to be zipped with the context_values to set an 'encryption context' for additional granularity that clients are required to provide to read encrypted values. Eg. for env=dev svc=db, this would be [env, svc]. All writers get this context map."
- type = list(string)
-}
-
-variable "context_values" {
- default = []
- description = "list of values to be zipped with the context_keys to set an 'encryption context' for additional granularity that clients are required to provide to read encrypted values. Eg. for env=dev svc=db, this would be [dev, db]. All writers get this context map."
- type = list(string)
+variable "context" {
+ default = {}
+ description = "Context for additional granularity that clients are required to provide to write values to encrypt."
+ type = map(string)
 }
 resource "aws_iam_role_policy_attachment" "credstash-writer-policy-attachment" {
@@ -48,11 +42,6 @@ resource "aws_kms_grant" "credstash-writer" {
 grantee_principal = var.role_arns[count.index]
 key_id = var.kms_key_arn
 operations = ["GenerateDataKey"]
-
- constraints {
- encryption_context_equals = {
- element(var.context_keys, count.index) = element(var.context_values, count.index)
- }
- }
+ constraints { encryption_context_equals = var.context }
 }