Multiple KMS Principals in Terraform

CORRECTION:

You can actually implement policies through the normal procedure, example below:

      principals {
          type = "AWS"
          identifiers = [
             "ARN",
             "ARN"
          ]
      }

However, you must verify that your Roles are already created! Otherwise you will get what appears to be a generic failure. It was just a coincidence for me that I deployed the roles at the same time that I deployed the below code change.

Recently I was struggling to get multiple principals to deploy as owners/users of a KMS key I was publishing. It seems such a simple thing, but I found myself getting frustrated. Eventually I found the solution, and wanted to document it somewhere that may help someone else!

Notice the multiple principals blocks in the AllowAdmin statement.

data "aws_iam_policy_document" "s3_kms" {
    statement {
      sid = "AllowUser"
      effect = "Allow"
      principals {
        type = "AWS"
        identifiers = ["ARN"]
      }
      actions = [
          "kms:Encrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey"
      ]
      resources = ["*"]
    }
    statement {
      sid = "AllowAdmin"
      effect = "Allow"
      principals {
          type = "AWS"
          identifiers = ["ARN"]
      }
      principals {
          type = "AWS"
          identifiers = ["ARN"]
      }
      actions = ["kms:*"]
      resources = ["*"]
    }
}

An example of how NOT to do it (at least it didn't work for me as of this writing):

data "aws_iam_policy_document" "s3_kms" {
    statement {
      sid = "AllowUser"
      effect = "Allow"
      principals {
        type = "AWS"
        identifiers = ["ARN"]
      }
      actions = [
          "kms:Encrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey"
      ]
      resources = ["*"]
    }
    statement {
      sid = "AllowAdmin"
      effect = "Allow"
      principals {
          type = "AWS"
          identifiers = [
             "ARN",
             "ARN"
          ]
      }
      actions = ["kms:*"]
      resources = ["*"]
    }
}
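The failure described in the correction (the key policy is rejected when a principal ARN does not exist yet) is avoided most reliably by letting Terraform order the deployment itself: reference the roles' `arn` attributes instead of pasting ARN strings, and Terraform creates the roles before it submits the key policy. The configuration below is an added example and is not code from the original post; the role names (kms-admin-a, kms-admin-b, kms-user), the key alias, and the resource labels are hypothetical. It also keeps the account root as a principal, which AWS's default key policy does so that the key cannot become unmanageable if the named roles are deleted.

```hcl
# Added example, not from the original post. Role and resource names are
# hypothetical; the policy grants mirror the post's AllowUser/AllowAdmin shape.
data "aws_caller_identity" "current" {}

locals {
  account_root = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
}

# Two key-administrator roles, created from one set so the principal list
# below scales without editing the policy document.
resource "aws_iam_role" "kms_admin" {
  for_each = toset(["kms-admin-a", "kms-admin-b"]) # hypothetical names
  name     = each.key
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = local.account_root }
    }]
  })
}

resource "aws_iam_role" "kms_user" {
  name = "kms-user" # hypothetical name
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = local.account_root }
    }]
  })
}

data "aws_iam_policy_document" "s3_kms" {
  # Keeping the account root in the key policy is what lets IAM policies in the
  # account grant access and prevents an unmanageable key if the roles go away.
  statement {
    sid    = "EnableIAMUserPermissions"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [local.account_root]
    }
    actions   = ["kms:*"]
    resources = ["*"]
  }

  statement {
    sid    = "AllowUser"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.kms_user.arn] # attribute reference, not a pasted ARN
    }
    actions = [
      "kms:Encrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
    ]
    resources = ["*"]
  }

  # One principals block with a list of identifiers: the same form as the
  # correction at the top of the post. Referencing role ARNs creates an
  # implicit dependency, so the roles exist before the key policy is applied.
  statement {
    sid    = "AllowAdmin"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [for r in aws_iam_role.kms_admin : r.arn]
    }
    actions   = ["kms:*"]
    resources = ["*"]
  }
}

resource "aws_kms_key" "s3" {
  description         = "KMS key for S3 objects (example)"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.s3_kms.json
}

resource "aws_kms_alias" "s3" {
  name          = "alias/s3-example" # hypothetical alias
  target_key_id = aws_kms_key.s3.key_id
}
```

Two points worth checking in review: `resources = ["*"]` in a key policy refers only to the key the policy is attached to, so it is not a wildcard over other keys; and `kms:*` for the admin principals grants data-plane operations (Encrypt, Decrypt) as well as management, whereas the AWS console's default key policy gives key administrators only management actions and reserves cryptographic operations for the key users statement.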