From fc6de547559d8e33513cadf76521eae8675e2417 Mon Sep 17 00:00:00 2001
From: lalanza808
Date: Fri, 24 Apr 2020 19:19:02 -0700
Subject: [PATCH] add kms-key module

---
 security/kms-key/README.md | 26 +++++++++++
 security/kms-key/main.tf | 86 +++++++++++++++++++++++++++++++++++
 security/kms-key/outputs.tf | 7 +++
 security/kms-key/variables.tf | 17 +++++++
 4 files changed, 136 insertions(+)
 create mode 100644 security/kms-key/README.md
 create mode 100644 security/kms-key/main.tf
 create mode 100644 security/kms-key/outputs.tf
 create mode 100644 security/kms-key/variables.tf

diff --git a/security/kms-key/README.md b/security/kms-key/README.md
new file mode 100644
index 0000000..3611a2f
--- /dev/null
+++ b/security/kms-key/README.md
@@ -0,0 +1,26 @@
+# KMS Key
+
+This module sets up a new KMS key and alias with the required policy for allowing certain roles to access the KMS key to encrypt/decrypt secrets.
+
+This can be used by any workloads which need encryption keys with KMS.
+
+## Usage
+
+This module is intended to be used in conjunction with other IAM related modules for each application. You must provide the `app_name` and `usage_roles` inputs in order to have access for any applications or tools which use SSM.
+
+`app_name` becomes the KMS key alias and `usage_roles` is a list of IAM roles which can have basic access to decrypt secrets with the key.
+
+```
+module "my-new-app-kms" {
+ source = "github.com/lalanza808/tf-modules.git/security/kms-key"
+ app_name = "my-new-app"
+ usage_roles = ["app_iam_role"]
+ administrator_roles = ["administrator"]
+}
+```
+
+The outputs can be used as references for other tools and systems.
+
+## Inputs
+
+See all inputs in [variables](./variables.tf)
diff --git a/security/kms-key/main.tf b/security/kms-key/main.tf
new file mode 100644
index 0000000..35d5681
--- /dev/null
+++ b/security/kms-key/main.tf
@@ -0,0 +1,86 @@
+data "aws_caller_identity" "this" {}
+
+locals {
+ account_id = data.aws_caller_identity.this.account_id
+}
+
+data "aws_iam_policy_document" "kms" {
+ statement {
+ sid = "Enable IAM User Permissions"
+ actions = ["kms:*"]
+ resources = ["*"]
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${local.account_id}:root"]
+ }
+ }
+ statement {
+ sid = "Allow administrators to manage"
+ actions = [
+ "kms:Create*",
+ "kms:Describe*",
+ "kms:Enable*",
+ "kms:List*",
+ "kms:Put*",
+ "kms:Update*",
+ "kms:Revoke*",
+ "kms:Disable*",
+ "kms:Get*",
+ "kms:Delete*",
+ "kms:TagResource",
+ "kms:UntagResource",
+ "kms:ScheduleKeyDeletion",
+ "kms:CancelKeyDeletion"
+ ]
+ resources = ["*"]
+ principals {
+ type = "AWS"
+ identifiers = formatlist("arn:aws:iam::${local.account_id}:role/%s", var.administrator_roles)
+ }
+ }
+ statement {
+ sid = "Allow use of the key by other roles"
+ actions = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey"
+ ]
+ resources = ["*"]
+ principals {
+ type = "AWS"
+ identifiers = formatlist("arn:aws:iam::${local.account_id}:role/%s", var.usage_roles)
+ }
+ }
+ statement {
+ sid = "Allow attachment of persistent resources"
+ actions = [
+ "kms:CreateGrant",
+ "kms:ListGrants",
+ "kms:RevokeGrant"
+ ]
+ resources = ["*"]
+ principals {
+ type = "AWS"
+ identifiers = formatlist("arn:aws:iam::${local.account_id}:role/%s", var.usage_roles)
+ }
+ condition {
+ test = "Bool"
+ variable = "kms:GrantIsForAWSResource"
+ values = [
+ "true"
+ ]
+ }
+ }
+}
+
+resource "aws_kms_key" "kms" {
+ description = "KMS key for encrypting/decrypting secrets for ${var.app_name}"
+ policy = data.aws_iam_policy_document.kms.json
+}
+
+resource "aws_kms_alias" "kms" {
+ name = "alias/${var.app_name}"
+ target_key_id = aws_kms_key.kms.key_id
+}
diff --git a/security/kms-key/outputs.tf b/security/kms-key/outputs.tf
new file mode 100644
index 0000000..3a4cbab
--- /dev/null
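Review bot: `resource "aws_kms_key" "kms"` near the end of the hunk sets only `description` and `policy`, so the key is left on the provider default of automatic rotation disabled and never receives the `tags` input that variables.tf declares in this same commit. For a key that guards application secrets I would add `enable_key_rotation = true` and `tags = var.tags` to that resource block, so the key material rotates yearly and the key is discoverable by the same tags as the rest of the infrastructure. Separately, `usage_roles` defaults to `[]`, and with that default the two statements that build `identifiers` from `var.usage_roles` carry an empty principal list; I would expect KMS to reject such a policy document rather than accept it, so either drop the default to make the input required or confirm the provider omits those statements when the list is empty.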
+++ b/security/kms-key/outputs.tf
@@ -0,0 +1,7 @@
+output "kms_key_id" {
+ value = aws_kms_key.kms.key_id
+}
+
+output "kms_key_alias" {
+ value = var.app_name
+}
diff --git a/security/kms-key/variables.tf b/security/kms-key/variables.tf
new file mode 100644
index 0000000..857e5d7
--- /dev/null
+++ b/security/kms-key/variables.tf
@@ -0,0 +1,17 @@
+variable "usage_roles" {
+ type = list
+ default = []
+ description = "IAM Role names which can use this key to decrypt secrets"
+}
+variable "app_name" {
+ description = "Name of application SSM secrets are for"
+}
+variable "administrator_roles" {
+ description = "IAM Role name of AWS account administrators"
+ type = list
+}
+variable "tags" {
+ default = {}
+ type = map
+ description = "Optional set of tags to apply to the infrastructure"
+}
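Review bot: The outputs expose only `key_id`, but callers writing IAM policies or grants for this key need its ARN, so `output "kms_key_arn" { value = aws_kms_key.kms.arn }` belongs alongside `kms_key_id`. The `kms_key_alias` output also returns the raw `var.app_name` rather than the alias resource the module actually creates, which is named `alias/${var.app_name}`; if consumers are meant to reference the alias as KMS knows it, `value = aws_kms_alias.kms.name` is the value to return, otherwise a `description` stating that this is the bare application name would prevent the mismatch from surprising callers.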
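Review bot: The `type = list` and `type = map` constraints on `usage_roles`, `administrator_roles` and `tags` are the unparameterised legacy forms, and `app_name` carries no type at all although main.tf interpolates it into the alias name and the key description. Tightening them to `type = list(string)`, `type = map(string)` and `type = string` makes Terraform reject a misshapen input at plan time, for example a single role name passed where a list is expected, instead of producing a malformed principal ARN in the key policy. The `usage_roles` description also says the roles can only decrypt, while the policy in main.tf grants them `kms:Encrypt`, `kms:ReEncrypt*` and `kms:GenerateDataKey*` as well; `description = "IAM Role names which can use this key to encrypt and decrypt secrets"` would match what is actually granted.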