Add infrastructure KMS key
* Enabling this feature creates a KMS key that can be used across all
  resources that support KMS encryption. Using a single KMS key can help
  reduce costs related to KMS. We can in future add a feature to use
  individual KMS keys for particular resources if needed.
Stretch96 committed Nov 8, 2023
1 parent d9f5053 commit 4726ef1
Showing 7 changed files with 60 additions and 2 deletions.
11 changes: 9 additions & 2 deletions README.md
Expand Up @@ -15,18 +15,25 @@ This project creates and manages resources within an AWS account for infrastruct

## Providers

No providers.
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.24.0 |

## Resources

No resources.
| Name | Type |
|------|------|
| [aws_kms_alias.infrastructure](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
| [aws_kms_key.infrastructure](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | AWS region in which to launch resources | `string` | n/a | yes |
| <a name="input_environment"></a> [environment](#input\_environment) | The environment name to be used as part of the resource prefix | `string` | n/a | yes |
| <a name="input_infrastructure_kms_encryption"></a> [infrastructure\_kms\_encryption](#input\_infrastructure\_kms\_encryption) | Enable infrastructure KMS encryption. This will create a single KMS key to be used across all resources that support KMS encryption. | `bool` | n/a | yes |
| <a name="input_infrastructure_name"></a> [infrastructure\_name](#input\_infrastructure\_name) | The infrastructure name to be used as part of the resource prefix | `string` | n/a | yes |
| <a name="input_project_name"></a> [project\_name](#input\_project\_name) | Project name to be used as a prefix for all resources | `string` | n/a | yes |

1 change: 1 addition & 0 deletions data.tf
@@ -0,0 +1 @@
data "aws_caller_identity" "current" {}
29 changes: 29 additions & 0 deletions kms-infrastructure.tf
@@ -0,0 +1,29 @@
resource "aws_kms_key" "infrastructure" {
count = local.infrastructure_kms_encryption ? 1 : 0

description = "${local.resource_prefix} infrastructure kms key"
deletion_window_in_days = 30
enable_key_rotation = true

policy = templatefile(
"${path.root}/policies/kms-key-policy.json.tpl",
{
statement = <<EOT
[
${templatefile("${path.root}/policies/kms-key-policy-statements/root-allow-all.json.tpl",
{
aws_account_id = local.aws_account_id
}
)}
]
EOT
}
)
}

resource "aws_kms_alias" "infrastructure" {
count = local.infrastructure_kms_encryption ? 1 : 0

name = "alias/${local.resource_prefix}-infrastructure"
target_key_id = aws_kms_key.infrastructure_kms_key[0].key_id
}
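Review bot: `target_key_id = aws_kms_key.infrastructure_kms_key[0].key_id` in aws_kms_alias.infrastructure references a resource that is not declared anywhere in this file; the key is declared as `aws_kms_key.infrastructure`, so `terraform validate` will fail with an undeclared-resource error as soon as infrastructure_kms_encryption is true. It should read `target_key_id = aws_kms_key.infrastructure[0].key_id`. Worth a comment next to the policy block as well: the only statement rendered is root-allow-all, which hands kms:* to the account root and therefore to every IAM identity in the account whose identity policy grants kms:*; AWS service principals that must encrypt with this key (the commit message says it is meant for "all resources that support KMS encryption") get nothing from that statement and will need their own statements added before the key is attached to those resources.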
3 changes: 3 additions & 0 deletions locals.tf
Expand Up @@ -3,8 +3,11 @@ locals {
infrastructure_name = var.infrastructure_name
environment = var.environment
aws_region = var.aws_region
aws_account_id = data.aws_caller_identity.current.account_id
resource_prefix = "${var.project_name}-${var.infrastructure_name}-${var.environment}"

infrastructure_kms_encryption = var.infrastructure_kms_encryption

default_tags = {
Project = local.project_name,
Infrastructure = local.infrastructure_name,
8 changes: 8 additions & 0 deletions policies/kms-key-policy-statements/root-allow-all.json.tpl
@@ -0,0 +1,8 @@
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${aws_account_id}:root"
},
"Action": "kms:*",
"Resource": "*"
}
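Review bot: This is the standard account-root statement that keeps the key manageable, but note that it delegates all kms:* decisions to IAM for account ${aws_account_id}, so any principal with kms:* in its identity policy can schedule deletion or rewrite this key policy; add a `"Sid"` (for example `"EnableRootAccountPermissions"`) so later usage statements for specific roles or services can be distinguished from this admin baseline, and keep this statement admin-only when those usage statements are added.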
5 changes: 5 additions & 0 deletions policies/kms-key-policy.json.tpl
@@ -0,0 +1,5 @@
{
"Version": "2012-10-17",
"Id": "key-permissions",
"Statement": ${statement}
}
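Review bot: `"Statement": ${statement}` splices caller-supplied text into the document unquoted, so this template is not valid JSON on its own and nothing checks that the rendered policy is either; the first time anyone sees a malformed statement is when KMS rejects it at apply time. The caller already wraps individual statement templates in `[` `]` inside a heredoc, which also means a second statement will need a hand-placed comma. Consider having kms-infrastructure.tf pass a list of statement objects and render the policy with `jsonencode` (or a `data "aws_iam_policy_document"`), which validates the structure at plan time and removes the string-assembly step.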
5 changes: 5 additions & 0 deletions variables.tf
Expand Up @@ -17,3 +17,8 @@ variable "aws_region" {
description = "AWS region in which to launch resources"
type = string
}

variable "infrastructure_kms_encryption" {
description = "Enable infrastructure KMS encryption. This will create a single KMS key to be used across all resources that support KMS encryption."
type = bool
}

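Review bot: `infrastructure_kms_encryption` is declared without a `default`, so this commit makes the variable mandatory for every existing caller of the module (the README table in this commit also marks it Required = yes). The commit message describes the key as an opt-in feature ("Enabling this feature creates a KMS key"), so `default = false` would let existing configurations keep planning cleanly while new callers opt in explicitly; if forcing the choice is intentional, state that in the description.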
0 comments on commit 4726ef1