From 4726ef16c0454161f60349b4af1f249e12b9e0a0 Mon Sep 17 00:00:00 2001 From: Chris Wright Date: Wed, 8 Nov 2023 15:17:05 +0000 Subject: [PATCH] Add infrastructure KMS key * Enabling this feature creates a KMS key that can be used across all resources that support KMS encryption. Using a single KMS key can help reduce costs related to KMS. We can in future add a feature to use individual KMS keys for particular resources if needed. --- README.md | 11 +++++-- data.tf | 1 + kms-infrastructure.tf | 29 +++++++++++++++++++ locals.tf | 3 ++ .../root-allow-all.json.tpl | 8 +++++ policies/kms-key-policy.json.tpl | 5 ++++ variables.tf | 5 ++++ 7 files changed, 60 insertions(+), 2 deletions(-) create mode 100644 data.tf create mode 100644 kms-infrastructure.tf create mode 100644 policies/kms-key-policy-statements/root-allow-all.json.tpl create mode 100644 policies/kms-key-policy.json.tpl diff --git a/README.md b/README.md index 2bb0dce..611c457 100644 --- a/README.md +++ b/README.md @@ -15,11 +15,17 @@ This project creates and manages resources within an AWS account for infrastruct ## Providers -No providers. +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 5.24.0 | ## Resources -No resources. +| Name | Type | +|------|------| +| [aws_kms_alias.infrastructure](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_key.infrastructure](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | ## Inputs @@ -27,6 +33,7 @@ No resources. |------|-------------|------|---------|:--------:| | [aws\_region](#input\_aws\_region) | AWS region in which to launch resources | `string` | n/a | yes | | [environment](#input\_environment) | The environment name to be used as part of the resource prefix | `string` | n/a | yes | +| [infrastructure\_kms\_encryption](#input\_infrastructure\_kms\_encryption) | Enable infrastructure KMS encryption. This will create a single KMS key to be used across all resources that support KMS encryption. | `bool` | n/a | yes | | [infrastructure\_name](#input\_infrastructure\_name) | The infrastructure name to be used as part of the resource prefix | `string` | n/a | yes | | [project\_name](#input\_project\_name) | Project name to be used as a prefix for all resources | `string` | n/a | yes | diff --git a/data.tf b/data.tf new file mode 100644 index 0000000..8fc4b38 --- /dev/null +++ b/data.tf @@ -0,0 +1 @@ +data "aws_caller_identity" "current" {} diff --git a/kms-infrastructure.tf b/kms-infrastructure.tf new file mode 100644 index 0000000..1b34b35 --- /dev/null +++ b/kms-infrastructure.tf @@ -0,0 +1,29 @@ +resource "aws_kms_key" "infrastructure" { + count = local.infrastructure_kms_encryption ? 1 : 0 + + description = "${local.resource_prefix} infrastructure kms key" + deletion_window_in_days = 30 + enable_key_rotation = true + + policy = templatefile( + "${path.root}/policies/kms-key-policy.json.tpl", + { + statement = <