File tree Expand file tree Collapse file tree
infrastructure/modules/kms/tests Expand file tree Collapse file tree Original file line number Diff line number Diff line change @@ -3,7 +3,41 @@ mock_provider "aws" {}
33override_data {
44 target = data. aws_iam_policy_document . key_policy
55 values = {
6- json = " {\" Statement\" :[{\" Sid\" :\" EnableIAMUserPermissions\" },{\" Sid\" :\" AllowCloudWatchLogs\" }]}"
6+ json = << EOF
7+ {
8+ "Statement": [
9+ {
10+ "Sid": "EnableIAMUserPermissions",
11+ "Effect": "Allow",
12+ "Principal": {
13+ "AWS": "arn:aws:iam::123456789012:root"
14+ },
15+ "Action": "kms:*",
16+ "Resource": "*"
17+ },
18+ {
19+ "Sid": "AllowCloudWatchLogs",
20+ "Effect": "Allow",
21+ "Principal": {
22+ "Service": "logs.us-east-1.amazonaws.com"
23+ },
24+ "Action": [
25+ "kms:Decrypt",
26+ "kms:Describe*",
27+ "kms:Encrypt",
28+ "kms:GenerateDataKey*",
29+ "kms:ReEncrypt*"
30+ ],
31+ "Resource": "*",
32+ "Condition": {
33+ "ArnLike": {
34+ "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:us-east-1:123456789012:log-group:*"
35+ }
36+ }
37+ }
38+ ]
39+ }
40+ EOF
741 }
842}
943
@@ -30,6 +64,14 @@ run "test_cloudwatch_logs_policy_statement_exists" {
3064 condition = can (regex (" AllowCloudWatchLogs" , data. aws_iam_policy_document . key_policy . json ))
3165 error_message = " Key policy must include CloudWatch Logs permissions."
3266 }
67+
68+ assert {
69+ condition = (
70+ can (regex (" arn:aws:logs:[a-z0-9-]+:\\ d{12}:log-group:\\ *" , data. aws_iam_policy_document . key_policy . json )) &&
71+ can (regex (" logs\\ .[a-z0-9-]+\\ .amazonaws\\ .com" , data. aws_iam_policy_document . key_policy . json ))
72+ )
73+ error_message = " CloudWatch Logs KMS policy must use the current AWS region in the encryption context and principal."
74+ }
3375}
3476
3577run "test_deletion_window" {
You can’t perform that action at this time.
0 commit comments