add kms-key module
parent
3a06444360
commit
fc6de54755
@ -0,0 +1,26 @@
|
|||||||
|
# KMS Key
|
||||||
|
|
||||||
|
This module sets up a new KMS key and alias with the required policy for allowing certain roles to access the KMS key to encrypt/decrypt secrets.
|
||||||
|
|
||||||
|
This can be used by any workloads which need encryption keys with KMS.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
This module is intended to be used in conjunction with other IAM related modules for each application. You must provide the `app_name` and `usage_roles` inputs in order to have access for any applications or tools which use SSM.
|
||||||
|
|
||||||
|
`app_name` becomes the KMS key alias and `usage_roles` is a list of IAM roles which can have basic access to decrypt secrets with the key.
|
||||||
|
|
||||||
|
```
|
||||||
|
module "my-new-app-kms" {
|
||||||
|
source = "github.com/lalanza808/tf-modules.git/security/kms-key"
|
||||||
|
app_name = "my-new-app"
|
||||||
|
usage_roles = ["app_iam_role"]
|
||||||
|
administrator_roles = ["administrator"]
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
The outputs can be used as references for other tools and systems.
|
||||||
|
|
||||||
|
## Inputs
|
||||||
|
|
||||||
|
See all inputs in [variables](./variables.tf)
|
@ -0,0 +1,86 @@
|
|||||||
|
data "aws_caller_identity" "this" {}
|
||||||
|
|
||||||
|
locals {
|
||||||
|
account_id = data.aws_caller_identity.this.account_id
|
||||||
|
}
|
||||||
|
|
||||||
|
data "aws_iam_policy_document" "kms" {
|
||||||
|
statement {
|
||||||
|
sid = "Enable IAM User Permissions"
|
||||||
|
actions = ["kms:*"]
|
||||||
|
resources = ["*"]
|
||||||
|
principals {
|
||||||
|
type = "AWS"
|
||||||
|
identifiers = ["arn:aws:iam::${local.account_id}:root"]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
statement {
|
||||||
|
sid = "Allow administrators to manage"
|
||||||
|
actions = [
|
||||||
|
"kms:Create*",
|
||||||
|
"kms:Describe*",
|
||||||
|
"kms:Enable*",
|
||||||
|
"kms:List*",
|
||||||
|
"kms:Put*",
|
||||||
|
"kms:Update*",
|
||||||
|
"kms:Revoke*",
|
||||||
|
"kms:Disable*",
|
||||||
|
"kms:Get*",
|
||||||
|
"kms:Delete*",
|
||||||
|
"kms:TagResource",
|
||||||
|
"kms:UntagResource",
|
||||||
|
"kms:ScheduleKeyDeletion",
|
||||||
|
"kms:CancelKeyDeletion"
|
||||||
|
]
|
||||||
|
resources = ["*"]
|
||||||
|
principals {
|
||||||
|
type = "AWS"
|
||||||
|
identifiers = formatlist("arn:aws:iam::${local.account_id}:role/%s", var.administrator_roles)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
statement {
|
||||||
|
sid = "Allow use of the key by other roles"
|
||||||
|
actions = [
|
||||||
|
"kms:Encrypt",
|
||||||
|
"kms:Decrypt",
|
||||||
|
"kms:ReEncrypt*",
|
||||||
|
"kms:GenerateDataKey*",
|
||||||
|
"kms:DescribeKey"
|
||||||
|
]
|
||||||
|
resources = ["*"]
|
||||||
|
principals {
|
||||||
|
type = "AWS"
|
||||||
|
identifiers = formatlist("arn:aws:iam::${local.account_id}:role/%s", var.usage_roles)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
statement {
|
||||||
|
sid = "Allow attachment of persistent resources"
|
||||||
|
actions = [
|
||||||
|
"kms:CreateGrant",
|
||||||
|
"kms:ListGrants",
|
||||||
|
"kms:RevokeGrant"
|
||||||
|
]
|
||||||
|
resources = ["*"]
|
||||||
|
principals {
|
||||||
|
type = "AWS"
|
||||||
|
identifiers = formatlist("arn:aws:iam::${local.account_id}:role/%s", var.usage_roles)
|
||||||
|
}
|
||||||
|
condition {
|
||||||
|
test = "Bool"
|
||||||
|
variable = "kms:GrantIsForAWSResource"
|
||||||
|
values = [
|
||||||
|
"true"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "aws_kms_key" "kms" {
|
||||||
|
description = "KMS key for encrypting/decrypting secrets for ${var.app_name}"
|
||||||
|
policy = data.aws_iam_policy_document.kms.json
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "aws_kms_alias" "kms" {
|
||||||
|
name = "alias/${var.app_name}"
|
||||||
|
target_key_id = aws_kms_key.kms.key_id
|
||||||
|
}
|
@ -0,0 +1,7 @@
|
|||||||
|
output "kms_key_id" {
|
||||||
|
value = aws_kms_key.kms.key_id
|
||||||
|
}
|
||||||
|
|
||||||
|
output "kms_key_alias" {
|
||||||
|
value = var.app_name
|
||||||
|
}
|
@ -0,0 +1,17 @@
|
|||||||
|
variable "usage_roles" {
|
||||||
|
type = list
|
||||||
|
default = []
|
||||||
|
description = "IAM Role names which can use this key to decrypt secrets"
|
||||||
|
}
|
||||||
|
variable "app_name" {
|
||||||
|
description = "Name of application SSM secrets are for"
|
||||||
|
}
|
||||||
|
variable "administrator_roles" {
|
||||||
|
description = "IAM Role name of AWS account administrators"
|
||||||
|
type = list
|
||||||
|
}
|
||||||
|
variable "tags" {
|
||||||
|
default = {}
|
||||||
|
type = map
|
||||||
|
description = "Optional set of tags to apply to the infrastructure"
|
||||||
|
}
|
Loading…
Reference in New Issue