data "aws_caller_identity" "this" {
  # Identity the provider is authenticated as; only its account_id is consumed (via locals)
  # to build the principal ARNs in the key policy.
}
locals {
  # Account that owns the key. Every principal in the key policy is scoped to this
  # account, so cross-account principals cannot be introduced through the role variables.
  account_id = data.aws_caller_identity.this.account_id
}
data "aws_iam_policy_document" "kms" {
  # Key policy attached to aws_kms_key.kms. In a KMS key policy resources = ["*"] refers
  # to the key the policy is attached to, not to every key in the account.

  # Standard lockout guard: the account root keeps full control of the key, and IAM
  # identity policies in this account are allowed to grant KMS permissions on it.
  statement {
    sid       = "Enable IAM User Permissions"
    actions   = ["kms:*"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.account_id}:root"]
    }
  }

  # Key administrators: lifecycle and policy management only, no Encrypt/Decrypt.
  # kms:Put* matches kms:PutKeyPolicy, so an administrator can rewrite this policy
  # (including granting themselves data-plane access); keep administrator_roles small.
  statement {
    sid = "Allow administrators to manage"
    actions = [
      "kms:Create*",
      "kms:Describe*",
      "kms:Enable*",
      "kms:List*",
      "kms:Put*",
      "kms:Update*",
      "kms:Revoke*",
      "kms:Disable*",
      "kms:Get*",
      "kms:Delete*",
      "kms:TagResource",
      "kms:UntagResource",
      "kms:ScheduleKeyDeletion",
      "kms:CancelKeyDeletion",
    ]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = [for role in var.administrator_roles : "arn:aws:iam::${local.account_id}:role/${role}"]
    }
  }

  # Key users: data-plane operations only. These roles cannot change the policy,
  # schedule deletion or disable the key.
  statement {
    sid = "Allow use of the key by other roles"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
    ]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = [for role in var.usage_roles : "arn:aws:iam::${local.account_id}:role/${role}"]
    }
  }

  # Grants let AWS services that integrate with KMS (e.g. volumes, databases) use the key
  # on a user's behalf. The condition restricts grant creation to those service
  # integrations, so a usage role cannot hand out a standing grant to an arbitrary principal.
  statement {
    sid = "Allow attachment of persistent resources"
    actions = [
      "kms:CreateGrant",
      "kms:ListGrants",
      "kms:RevokeGrant",
    ]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = [for role in var.usage_roles : "arn:aws:iam::${local.account_id}:role/${role}"]
    }

    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}
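resource "aws_kms_key" "kms" {
  description = "KMS key for encrypting/decrypting secrets for ${var.app_name}"

  # Access is governed entirely by the key policy rendered above; see that data source
  # for the administrator / usage role split.
  policy = data.aws_iam_policy_document.kms.json

  # Automatic rotation of the key material is off by default for this resource; enable it
  # so the key meets the usual rotation baseline. KMS retains previous key material, so
  # ciphertexts produced before a rotation still decrypt and callers need no change.
  enable_key_rotation = true
}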
resource "aws_kms_alias" "kms" {
  # Stable, human-readable handle for the key so consumers can reference it by
  # application name rather than by the generated key id.
  name          = format("alias/%s", var.app_name)
  target_key_id = aws_kms_key.kms.key_id
}