Skip to content

devops4mecode/terraform-aws-kms

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
gorun
gorun
 
 
test
test
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
main.tf
main.tf
 
 
output.tf
output.tf
 
 
variables.tf
variables.tf
 
 
version.tf
version.tf
 
 

Repository files navigation

Terraform AWS KMS

This terraform module creates a KMS Customer Master Key (CMK) and its alias.

Terraform Licence

## Prerequisites

This module has a few dependencies:

Examples

IMPORTANT: Since the master branch used in source varies based on new modifications, we suggest that you use the release versions here.

Simple Example

Here is an example of how you can use this module in your inventory structure:

  module "kms_key" {
    source      = "devops4mecode/kms/aws"
    version     = "1.1.0"
    name        = "kms"
    application = "devops4me"
    environment = "test"
    label_order = ["environment", "application", "name"]
    enabled     = true
    description             = "KMS key for cloudtrail"
    deletion_window_in_days = 7
    enable_key_rotation     = true
    alias                   = "alias/cloudtrail"
    policy                  = data.aws_iam_policy_document.default.json
  }

  data "aws_iam_policy_document" "default" {
    version = "2012-10-17"
    statement {
      sid    = "Enable IAM User Permissions"
      effect = "Allow"
      principals {
        type        = "AWS"
        identifiers = ["*"]
      }
      actions   = ["kms:*"]
      resources = ["*"]
    }
    statement {
      sid    = "Allow CloudTrail to encrypt logs"
      effect = "Allow"
      principals {
        type        = "Service"
        identifiers = ["cloudtrail.amazonaws.com"]
      }
      actions   = ["kms:GenerateDataKey*"]
      resources = ["*"]
      condition {
        test     = "StringLike"
        variable = "kms:EncryptionContext:aws:cloudtrail:arn"
        values   = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"]
      }
    }

    statement {
      sid    = "Allow CloudTrail to describe key"
      effect = "Allow"
      principals {
        type        = "Service"
        identifiers = ["cloudtrail.amazonaws.com"]
      }
      actions   = ["kms:DescribeKey"]
      resources = ["*"]
    }

    statement {
      sid    = "Allow principals in the account to decrypt log files"
      effect = "Allow"
      principals {
        type        = "AWS"
        identifiers = ["*"]
      }
      actions = [
        "kms:Decrypt",
        "kms:ReEncryptFrom"
      ]
      resources = ["*"]
      condition {
        test     = "StringEquals"
        variable = "kms:CallerAccount"
        values = [
        "XXXXXXXXXXXX"]
      }
      condition {
        test     = "StringLike"
        variable = "kms:EncryptionContext:aws:cloudtrail:arn"
        values   = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"]
      }
    }

    statement {
      sid    = "Allow alias creation during setup"
      effect = "Allow"
      principals {
        type        = "AWS"
        identifiers = ["*"]
      }
      actions   = ["kms:CreateAlias"]
      resources = ["*"]
    }
  }

Inputs

Name Description Type Default Required
alias The display name of the alias. The name must start with the word alias followed by a forward slash. string "" no
application Application (e.g. do4m or devops4me). string "" no
attributes Additional attributes (e.g. 1). list(string) [] no
customer_master_key_spec Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. string "SYMMETRIC_DEFAULT" no
deletion_window_in_days Duration in days after which the key is deleted after destruction of the resource. number 10 no
description The description of the key as viewed in AWS console. string "Parameter Store KMS master key" no
enable_key_rotation Specifies whether key rotation is enabled. bool true no
enabled Specifies whether the kms is enabled or disabled. bool true no
environment Environment (e.g. prod, dev, staging). string "" no
is_enabled Specifies whether the key is enabled. bool true no
key_usage Specifies the intended use of the key. Defaults to ENCRYPT_DECRYPT, and only symmetric encryption and decryption are supported. string "ENCRYPT_DECRYPT" no
label_order label order, e.g. name,application. list [] no
managedby ManagedBy, eg 'DevOps4Me' or 'NajibRadzuan'. string "[email protected]" no
name Name (e.g. app or cluster). string "" no
policy A valid policy JSON document. For more information about building AWS IAM policy documents with Terraform. string "" no
tags Additional tags (e.g. map(BusinessUnit,XYZ). map(string) {} no

Outputs

Name Description
alias_arn Alias ARN.
alias_name Alias name.
key_arn Key ARN.
key_id Key ID.
tags A mapping of tags to assign to the resource.

Testing

In this module testing is performed with terratest and it creates a small piece of infrastructure, matches the output like ARN, ID and Tags name etc and destroy infrastructure in your AWS account. This testing is written in GO, so you need a GO environment in your system.

You need to run the following command in the testing folder:

  go test -run Test

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

1 fork
Report repository

Releases 2

RC20201125002 Latest
Nov 24, 2020
+ 1 release

Packages

No packages published

Languages