add kms-key module
parent
3a06444360
commit
fc6de54755
@ -0,0 +1,26 @@
|
||||
# KMS Key
|
||||
|
||||
This module sets up a new KMS key and alias with the required policy for allowing certain roles to access the KMS key to encrypt/decrypt secrets.
|
||||
|
||||
This can be used by any workloads which need encryption keys with KMS.
|
||||
|
||||
## Usage
|
||||
|
||||
This module is intended to be used in conjunction with other IAM related modules for each application. You must provide the `app_name` and `usage_roles` inputs in order to have access for any applications or tools which use SSM.
|
||||
|
||||
`app_name` becomes the KMS key alias and `usage_roles` is a list of IAM roles which can have basic access to decrypt secrets with the key.
|
||||
|
||||
```
|
||||
module "my-new-app-kms" {
|
||||
source = "github.com/lalanza808/tf-modules.git/security/kms-key"
|
||||
app_name = "my-new-app"
|
||||
usage_roles = ["app_iam_role"]
|
||||
administrator_roles = ["administrator"]
|
||||
}
|
||||
```
|
||||
|
||||
The outputs can be used as references for other tools and systems.
|
||||
|
||||
## Inputs
|
||||
|
||||
See all inputs in [variables](./variables.tf)
|
@ -0,0 +1,86 @@
|
||||
data "aws_caller_identity" "this" {}
|
||||
|
||||
locals {
|
||||
account_id = data.aws_caller_identity.this.account_id
|
||||
}
|
||||
|
||||
data "aws_iam_policy_document" "kms" {
|
||||
statement {
|
||||
sid = "Enable IAM User Permissions"
|
||||
actions = ["kms:*"]
|
||||
resources = ["*"]
|
||||
principals {
|
||||
type = "AWS"
|
||||
identifiers = ["arn:aws:iam::${local.account_id}:root"]
|
||||
}
|
||||
}
|
||||
statement {
|
||||
sid = "Allow administrators to manage"
|
||||
actions = [
|
||||
"kms:Create*",
|
||||
"kms:Describe*",
|
||||
"kms:Enable*",
|
||||
"kms:List*",
|
||||
"kms:Put*",
|
||||
"kms:Update*",
|
||||
"kms:Revoke*",
|
||||
"kms:Disable*",
|
||||
"kms:Get*",
|
||||
"kms:Delete*",
|
||||
"kms:TagResource",
|
||||
"kms:UntagResource",
|
||||
"kms:ScheduleKeyDeletion",
|
||||
"kms:CancelKeyDeletion"
|
||||
]
|
||||
resources = ["*"]
|
||||
principals {
|
||||
type = "AWS"
|
||||
identifiers = formatlist("arn:aws:iam::${local.account_id}:role/%s", var.administrator_roles)
|
||||
}
|
||||
}
|
||||
statement {
|
||||
sid = "Allow use of the key by other roles"
|
||||
actions = [
|
||||
"kms:Encrypt",
|
||||
"kms:Decrypt",
|
||||
"kms:ReEncrypt*",
|
||||
"kms:GenerateDataKey*",
|
||||
"kms:DescribeKey"
|
||||
]
|
||||
resources = ["*"]
|
||||
principals {
|
||||
type = "AWS"
|
||||
identifiers = formatlist("arn:aws:iam::${local.account_id}:role/%s", var.usage_roles)
|
||||
}
|
||||
}
|
||||
statement {
|
||||
sid = "Allow attachment of persistent resources"
|
||||
actions = [
|
||||
"kms:CreateGrant",
|
||||
"kms:ListGrants",
|
||||
"kms:RevokeGrant"
|
||||
]
|
||||
resources = ["*"]
|
||||
principals {
|
||||
type = "AWS"
|
||||
identifiers = formatlist("arn:aws:iam::${local.account_id}:role/%s", var.usage_roles)
|
||||
}
|
||||
condition {
|
||||
test = "Bool"
|
||||
variable = "kms:GrantIsForAWSResource"
|
||||
values = [
|
||||
"true"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_kms_key" "kms" {
|
||||
description = "KMS key for encrypting/decrypting secrets for ${var.app_name}"
|
||||
policy = data.aws_iam_policy_document.kms.json
|
||||
}
|
||||
|
||||
resource "aws_kms_alias" "kms" {
|
||||
name = "alias/${var.app_name}"
|
||||
target_key_id = aws_kms_key.kms.key_id
|
||||
}
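Review bot: The `aws_kms_key.kms` resource at the end of the section creates the key without `enable_key_rotation`, so the key material is never rotated, and it does not apply the module's `tags` input; add `enable_key_rotation = true` and `tags = var.tags` to the resource (and consider setting `deletion_window_in_days` explicitly rather than relying on the provider default). Separately, `usage_roles` defaults to an empty list, so the "Allow use of the key by other roles" and "Allow attachment of persistent resources" statements would be rendered with an empty `identifiers` list; verify that KMS accepts such a policy, or wrap those two statements in `dynamic "statement"` blocks gated on `length(var.usage_roles) > 0`. Every role named in `administrator_roles` and `usage_roles` must also already exist when the key is created, since KMS generally rejects key policies that reference nonexistent principals, so that ordering requirement is worth a comment on the policy document. Note too that the first statement grants `kms:*` to the account root, which is the standard pattern but means any identity-based IAM policy in the account can also grant key usage — the `usage_roles` list is not the only gate, and the administrator statement's `kms:Put*` (PutKeyPolicy) lets administrators rewrite these restrictions.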
|
@ -0,0 +1,7 @@
|
||||
output "kms_key_id" {
|
||||
value = aws_kms_key.kms.key_id
|
||||
}
|
||||
|
||||
output "kms_key_alias" {
|
||||
value = var.app_name
|
||||
}
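Review bot: The `kms_key_alias` output returns the raw `var.app_name`, not the alias actually created, which `aws_kms_alias.kms` names `alias/${var.app_name}`; a consumer passing this value as a KMS `KeyId` would not resolve to the key, so change it to `value = aws_kms_alias.kms.name`. There is also no ARN output, which is what IAM policies and service-side encryption settings (SSM, S3, etc.) typically require for a customer-managed key; add `output "kms_key_arn" { value = aws_kms_key.kms.arn }`. A `description` on each output would also help callers of the module.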
|
@ -0,0 +1,17 @@
|
||||
variable "usage_roles" {
|
||||
type = list
|
||||
default = []
|
||||
description = "IAM Role names which can use this key to decrypt secrets"
|
||||
}
|
||||
variable "app_name" {
|
||||
description = "Name of application SSM secrets are for"
|
||||
}
|
||||
variable "administrator_roles" {
|
||||
description = "IAM Role name of AWS account administrators"
|
||||
type = list
|
||||
}
|
||||
variable "tags" {
|
||||
default = {}
|
||||
type = map
|
||||
description = "Optional set of tags to apply to the infrastructure"
|
||||
}
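Review bot: `usage_roles` and `administrator_roles` use the bare `type = list`, which is only a backwards-compatible shorthand for `list(any)`; declare them as `type = list(string)` (and `tags` as `type = map(string)`) so a malformed value fails at plan time instead of inside `formatlist`. The `tags` variable is declared here but nothing in this commit references `var.tags`, so either wire it into the key resource or drop it. The `usage_roles` description says the roles can "decrypt secrets", but the policy in this module also grants Encrypt, ReEncrypt, GenerateDataKey and CreateGrant, so reword it to something like `description = "IAM Role names granted encrypt/decrypt, data-key and grant usage of this key"`. Because `app_name` becomes the alias name, a `validation` block (Terraform 0.13+, if the module targets it) enforcing the KMS alias character set and rejecting the reserved `aws/` prefix would turn an apply-time error into a plan-time one.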
|