change IAM permissions

Ontotext-AD · Jun 28, 2024 · b8bc7d5 · b8bc7d5
1 parent abb2dfe
commit b8bc7d5
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 55 deletions.
diff --git a/modules/backup/iam.tf b/modules/backup/iam.tf
@@ -54,20 +54,7 @@ data "aws_iam_policy_document" "graphdb_s3_key_admin_role_permissions" {
       "kms:EnableKeyRotation",
       "kms:ListResourceTags",
       "kms:ScheduleKeyDeletion",
-      "kms:DisableKeyRotation"
-    ]
-
-    resources = [
-      "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/*",
-      "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:alias/*"
-    ]
-  }
-
-  statement {
-    effect = "Allow"
-
-    actions = [
-      "kms:ListAliases",
+      "kms:DisableKeyRotation",
       "tag:GetResources"
     ]
 

diff --git a/modules/graphdb/iam.tf b/modules/graphdb/iam.tf
@@ -395,20 +395,6 @@ data "aws_iam_policy_document" "graphdb_ebs_key_admin_role_permissions" {
       "tag:GetResources"
     ]
 
-    resources = [
-      "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/*",
-      "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:alias/*"
-    ]
-  }
-
-  statement {
-    effect = "Allow"
-
-    actions = [
-      "kms:ListAliases",
-      "tag:GetResources"
-    ]
-
     resources = [
       "*"
     ]
@@ -484,20 +470,7 @@ data "aws_iam_policy_document" "graphdb_param_store_key_admin_role_permissions"
       "kms:EnableKeyRotation",
       "kms:ListResourceTags",
       "kms:ScheduleKeyDeletion",
-      "kms:DisableKeyRotation"
-    ]
-
-    resources = [
-      "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/*",
-      "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:alias/*"
-    ]
-  }
-
-  statement {
-    effect = "Allow"
-
-    actions = [
-      "kms:ListAliases",
+      "kms:DisableKeyRotation",
       "tag:GetResources"
     ]
 

diff --git a/modules/monitoring/iam.tf b/modules/monitoring/iam.tf
@@ -53,19 +53,7 @@ data "aws_iam_policy_document" "graphdb_parameter_store_key_admin_role_permissio
       "kms:EnableKeyRotation",
       "kms:ListResourceTags",
       "kms:ScheduleKeyDeletion",
-      "kms:DisableKeyRotation"
-    ]
-
-    resources = [
-      "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/*",
-      "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:alias/*"
-    ]
-  }
-  statement {
-    effect = "Allow"
-
-    actions = [
-      "kms:ListAliases",
+      "kms:DisableKeyRotation",
       "tag:GetResources"
     ]