From 49cc3e9ce3936b509a95b4575cc9204dd924748f Mon Sep 17 00:00:00 2001 From: theprashantyadav Date: Fri, 9 Jun 2023 20:39:24 +0530 Subject: [PATCH] feat: added resource and variable --- _example/example.tf | 112 ++------------------ main.tf | 154 +++++++++++++++++++++++++++- variables.tf | 51 +++++++-- _example/versions.tf => versions.tf | 6 +- 4 files changed, 208 insertions(+), 115 deletions(-) rename _example/versions.tf => versions.tf (63%) diff --git a/_example/example.tf b/_example/example.tf index 2c7c1d9..f1e3c0e 100644 --- a/_example/example.tf +++ b/_example/example.tf @@ -1,8 +1,6 @@ provider "aws" { - region = "eu-west-1" + region = "eu-central-1" } -data "aws_caller_identity" "current" {} -data "aws_partition" "current" {} module "kms_key" { source = "./../" 
@@ -11,104 +9,16 @@ module "kms_key" { environment = "test" label_order = ["name", "environment"] - enabled = true - description = "KMS key for cloudtrail" - deletion_window_in_days = 15 - alias = "alias/cloudtrail_Name" - multi_region = false - policy = data.aws_iam_policy_document.default.json -} - -data "aws_iam_policy_document" "default" { - version = "2012-10-17" - statement { - sid = "Enable IAM User Permissions" - effect = "Allow" - principals { - type = "AWS" - identifiers = [ - format( - "arn:%s:iam::%s:root", - join("", data.aws_partition.current.*.partition), - data.aws_caller_identity.current.account_id - ) - ] - } - actions = ["kms:*"] - resources = ["*"] - } - statement { - sid = "Allow CloudTrail to encrypt logs" - effect = "Allow" - principals { - type = "Service" - identifiers = ["cloudtrail.amazonaws.com"] - } - actions = ["kms:GenerateDataKey*"] - resources = ["*"] - condition { - test = "StringLike" - variable = "kms:EncryptionContext:aws:cloudtrail:arn" - values = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"] - } - } + deletion_window_in_days = 15 + alias = "alias/cloudtrail_Name" + enabled = false + multi_region = true + create_replica_external_enabled = true + create_replica_enabled = true + create_external_enabled = true + valid_to = "2023-11-21T23:20:50Z" + key_material_base64 = "Wblj06fduthWggmsT0cLVoIMOkeLbc2kVfMud77i/JY=" - statement { - sid = "Allow CloudTrail to describe key" - effect = "Allow" - principals { - type = "Service" - identifiers = ["cloudtrail.amazonaws.com"] - } - actions = ["kms:DescribeKey"] - resources = ["*"] - } - statement { - sid = "Allow principals in the account to decrypt log files" - effect = "Allow" - principals { - type = "AWS" - identifiers = [ - format( - "arn:%s:iam::%s:root", - join("", data.aws_partition.current.*.partition), - data.aws_caller_identity.current.account_id - ) - ] - } - actions = [ - "kms:Decrypt", - "kms:ReEncryptFrom" - ] - resources = ["*"] - condition { - test = "StringEquals" - 
variable = "kms:CallerAccount" - values = [ - "XXXXXXXXXXXX"] - } - condition { - test = "StringLike" - variable = "kms:EncryptionContext:aws:cloudtrail:arn" - values = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"] - } - } - statement { - sid = "Allow alias creation during setup" - effect = "Allow" - principals { - type = "AWS" - identifiers = [ - format( - "arn:%s:iam::%s:root", - join("", data.aws_partition.current.*.partition), - data.aws_caller_identity.current.account_id - ) - ] - } - actions = ["kms:CreateAlias"] - resources = ["*"] - } -} +} \ No newline at end of file diff --git a/main.tf b/main.tf index 2536a39..51c9db1 100644 --- a/main.tf +++ b/main.tf 
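Review bot: The example now commits literal imported key material, `key_material_base64 = "Wblj06fduthWggmsT0cLVoIMOkeLbc2kVfMud77i/JY="`, so anyone who copies the example imports a CMK whose raw key is public in this repository; replace it with a placeholder that fails loudly or read it from a variable with no default, e.g. `key_material_base64 = var.key_material_base64`. The example also sets `enabled = false` while switching on `create_external_enabled`, `create_replica_enabled` and `create_replica_external_enabled`; since every new resource in main.tf is gated on `var.enabled && ...`, the example creates nothing and the new flags are never exercised. `valid_to = "2023-11-21T23:20:50Z"` is a fixed date that will be in the past, at which point KMS deletes the material and the key becomes unusable, which an example probably should not demonstrate. The replica resources are created under the same single `provider "aws"` as the primary key; a multi-Region replica needs a provider in a different region, so this example likely fails at apply (inferred from the provider block in the first hunk).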
@@ -16,25 +16,173 @@ module "labels" { label_order = var.label_order } + +data "aws_caller_identity" "current" {} +data "aws_partition" "current" {} + # Module : KMS KEY # Description : This terraform module creates a KMS Customer Master Key (CMK) and its alias. resource "aws_kms_key" "default" { - count = var.enabled ? 1 : 0 + count = var.enabled ? 1 : 0 + description = var.description key_usage = var.key_usage deletion_window_in_days = var.deletion_window_in_days is_enabled = var.is_enabled enable_key_rotation = var.enable_key_rotation customer_master_key_spec = var.customer_master_key_spec - policy = var.policy + policy = data.aws_iam_policy_document.default.json multi_region = var.multi_region tags = module.labels.tags } +resource "aws_kms_external_key" "external" { + count = var.enabled && var.create_external_enabled ? 1 : 0 + + bypass_policy_lockout_safety_check = var.bypass_policy_lockout_safety_check + deletion_window_in_days = var.deletion_window_in_days + description = var.description + enabled = var.is_enabled + key_material_base64 = var.key_material_base64 + multi_region = var.multi_region + policy = data.aws_iam_policy_document.default.json + valid_to = var.valid_to + + tags = module.labels.tags +} + +resource "aws_kms_replica_key" "replica-key" { + count = var.enabled && var.create_replica_enabled ? 1 : 0 + + bypass_policy_lockout_safety_check = var.bypass_policy_lockout_safety_check + deletion_window_in_days = var.deletion_window_in_days + description = var.description + primary_key_arn = join("",aws_kms_key.default.*.arn) + enabled = var.is_enabled + policy = data.aws_iam_policy_document.default.json + + tags = module.labels.tags +} + +####---------------------------------------------------------------------------------- +## Replica External Key. 
+####---------------------------------------------------------------------------------- +resource "aws_kms_replica_external_key" "replica-external-key" { + count = var.enabled && var.create_replica_external_enabled ? 1 : 0 + + bypass_policy_lockout_safety_check = var.bypass_policy_lockout_safety_check + deletion_window_in_days = var.deletion_window_in_days + description = var.description + enabled = var.is_enabled + key_material_base64 = var.key_material_base64 + policy = data.aws_iam_policy_document.default.json + primary_key_arn = join("",aws_kms_key.default.*.arn) + valid_to = var.valid_to + + tags = module.labels.tags +} + + # Module : KMS ALIAS # Description : Provides an alias for a KMS customer master key.. resource "aws_kms_alias" "default" { - count = var.enabled ? 1 : 0 + count = var.enabled ? 1 : 0 + name = coalesce(var.alias, format("alias/%v", module.labels.id)) target_key_id = join("", aws_kms_key.default.*.id) } + + +data "aws_iam_policy_document" "default" { + version = "2012-10-17" + statement { + sid = "Enable IAM User Permissions" + effect = "Allow" + principals { + type = "AWS" + identifiers = [ + format( + "arn:%s:iam::%s:root", + join("", data.aws_partition.current.*.partition), + data.aws_caller_identity.current.account_id + ) + ] + } + actions = ["kms:*"] + resources = ["*"] + } + statement { + sid = "Allow CloudTrail to encrypt logs" + effect = "Allow" + principals { + type = "Service" + identifiers = ["cloudtrail.amazonaws.com"] + } + actions = ["kms:GenerateDataKey*"] + resources = ["*"] + condition { + test = "StringLike" + variable = "kms:EncryptionContext:aws:cloudtrail:arn" + values = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"] + } + } + + statement { + sid = "Allow CloudTrail to describe key" + effect = "Allow" + principals { + type = "Service" + identifiers = ["cloudtrail.amazonaws.com"] + } + actions = ["kms:DescribeKey"] + resources = ["*"] + } + + statement { + sid = "Allow principals in the account to decrypt log files" + 
effect = "Allow" + principals { + type = "AWS" + identifiers = [ + format( + "arn:%s:iam::%s:root", + join("", data.aws_partition.current.*.partition), + data.aws_caller_identity.current.account_id + ) + ] + } + actions = [ + "kms:Decrypt", + "kms:ReEncryptFrom" + ] + resources = ["*"] + condition { + test = "StringEquals" + variable = "kms:CallerAccount" + values = [ + "XXXXXXXXXXXX"] + } + condition { + test = "StringLike" + variable = "kms:EncryptionContext:aws:cloudtrail:arn" + values = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"] + } + } + + statement { + sid = "Allow alias creation during setup" + effect = "Allow" + principals { + type = "AWS" + identifiers = [ + format( + "arn:%s:iam::%s:root", + join("", data.aws_partition.current.*.partition), + data.aws_caller_identity.current.account_id + ) + ] + } + actions = ["kms:CreateAlias"] + resources = ["*"] + } +} \ No newline at end of file diff --git a/variables.tf b/variables.tf index f6af831..a14b9a5 100644 --- a/variables.tf +++ b/variables.tf @@ -82,13 +82,6 @@ variable "alias" { description = "The display name of the alias. The name must start with the word `alias` followed by a forward slash." } -variable "policy" { - type = string - default = "" - sensitive = true - description = "A valid policy JSON document. For more information about building AWS IAM policy documents with Terraform." -} - variable "customer_master_key_spec" { type = string default = "SYMMETRIC_DEFAULT" @@ -98,7 +91,7 @@ variable "customer_master_key_spec" { variable "enable_key_rotation" { type = string - default = true + default = false description = "Specifies whether key rotation is enabled." } 
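Review bot: `data.aws_iam_policy_document.default` hard-codes the placeholder account `XXXXXXXXXXXX` in the `kms:CallerAccount` and `kms:EncryptionContext:aws:cloudtrail:arn` conditions, so the "Allow principals in the account to decrypt log files" statement can never match a real caller and the CloudTrail statement only matches trails in a non-existent account; use the data sources already added at the top of the hunk, e.g. `values = [data.aws_caller_identity.current.account_id]` and `values = [format("arn:%s:cloudtrail:*:%s:trail/*", join("", data.aws_partition.current.*.partition), data.aws_caller_identity.current.account_id)]`. With the `policy` variable removed (variables.tf hunk), every key this module creates, CloudTrail-related or not, receives this CloudTrail-specific policy and callers can no longer supply their own; consider keeping `var.policy` and using the document only as a fallback when it is empty. `aws_kms_replica_external_key.replica-external-key` sets `primary_key_arn = join("",aws_kms_key.default.*.arn)`, the standard key rather than `aws_kms_external_key.external`, and the new `primary_external_key_arn` variable is never referenced; a replica of imported material has to point at the external key, e.g. `primary_key_arn = coalesce(var.primary_external_key_arn, join("", aws_kms_external_key.external.*.arn))`. Both replica resources also use the module's single provider, so they would be placed in the primary key's own region, which KMS does not accept for multi-Region replicas (inferred; they need an aliased provider in another region).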
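Review bot: Flipping the `enable_key_rotation` default from `true` to `false` silently weakens the default posture and, for every existing consumer relying on the default, the next apply updates their keys in place to stop rotating; keep `default = true` and let callers opt out explicitly. The variable is also typed `string` while holding a boolean; `type = bool` would reject stray values at plan time.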
@@ -107,3 +100,45 @@ variable "multi_region" { default = true description = "Indicates whether the KMS key is a multi-Region (true) or regional (false) key." } + +variable "bypass_policy_lockout_safety_check" { + type = bool + default = null + description = "A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable" +} + +variable "valid_to" { + type = string + default = "" + description = "Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire" +} + +variable "key_material_base64" { + type = string + default = null + description = "Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. External key only" +} + +variable "create_replica_external_enabled" { + type = bool + default = false + description = "Determines whether a replica external CMK will be created (externally provided material)" +} + +variable "create_replica_enabled" { + type = bool + default = false + description = "Determines whether a replica standard CMK will be created (AWS provided material)" +} + +variable "create_external_enabled" { + type = bool + default = false + description = "Determines whether an external CMK (externally provided material) will be created or a standard CMK (AWS provided material)" +} + +variable "primary_external_key_arn" { + type = string + default = null + description = "The primary external key arn of a multi-region replica external key" +} \ No newline at end of file diff --git a/_example/versions.tf b/versions.tf similarity index 63% rename from _example/versions.tf rename to versions.tf index 87b6d15..9317499 100644 --- a/_example/versions.tf +++ b/versions.tf 
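Review bot: `key_material_base64` carries the raw symmetric key to import but is not marked sensitive, so the value is echoed in `terraform plan`/`apply` output and state diffs; add `sensitive = true` (the removed `policy` variable had it). `primary_external_key_arn` is declared here but nothing in main.tf reads it, while `aws_kms_replica_external_key` in the main.tf hunk points at the standard key's ARN instead. `valid_to` defaults to `""` although its own description says unset means the material does not expire; `default = null` avoids passing an empty string to the provider, which is likely rejected as a non-RFC3339 timestamp (inferred).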
@@ -1,11 +1,11 @@ # Terraform version terraform { - required_version = ">= 1.3.6" + required_version = ">= 1.4.6" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.48.0" + version = ">= 5.1.0" } } -} +} \ No newline at end of file