
KMS key access

v1.23.12 I think
Duane Waddle 4 jaren geleden
bovenliggende
commit
4695200252

+ 4 - 4
base/globally_accessible_bucket/outputs.tf

@@ -1,7 +1,7 @@
-#output "TODO" {
-#  value = TODO
-#}
-
 output arn {
     value = aws_s3_bucket.bucket.arn
 }
+
+output kms_key_arn {
+    value = aws_kms_key.bucketkey.arn
+}
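Review bot: The new `kms_key_arn` output carries no `description`, so a consumer of this module sees only the attribute path and has to guess what key this is; the resource name `bucketkey` suggests the bucket's SSE-KMS key, but that resource is defined outside this hunk. Suggest `description = "ARN of the KMS key used for this bucket"` alongside the `value` line. The unquoted label style (`output kms_key_arn {`) matches the existing `output arn {` above, though newer Terraform releases warn on unquoted block labels, so quoting both at some point would be worth it.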

+ 1 - 0
base/s3_bucket_writer_role/README.md

@@ -16,6 +16,7 @@ read-write access.
 |---------------|----------------|---------------------|
 | name          | string         | The name of the role we're making.  It will be in the /service/ path in IAM
 | trusted_arns  | list(string)   | The ARNs that should be able to assume this role |
+| kms_key_arns  | list(string)   | (optional) KMS keys that we need to access the bucket |
 | description   | string         | Description tied to the role |
 | bucket        | string         | The bucket that this policy should allow write access to |
 | tags          | map            | (optional) Tags to be applied

+ 19 - 2
base/s3_bucket_writer_role/main.tf

@@ -30,11 +30,12 @@ resource "aws_iam_policy" "this" {
   name        = var.name
   path        = "/service/"
   description = var.description
-  policy      = data.aws_iam_policy_document.policy.json
+  policy      = length(var.kms_key_ids) == 0 ? data.aws_iam_policy_document.base_policy.json : data.aws_iam_policy_document.kms_policy.json
+
   tags        = merge(var.standard_tags, var.tags)
 }
 
-data "aws_iam_policy_document" "policy" {
+data "aws_iam_policy_document" "base_policy" {
   statement {
     sid    = "ReadTheBucket"
     effect = "Allow"
@@ -83,3 +84,19 @@ data "aws_iam_policy_document" "policy" {
     }
   }
 }
+
+data "aws_iam_policy_document" "kms_policy" {
+  source_json = data.aws_iam_policy_document.base_policy.json
+
+  statement {
+    sid       = "UseTheKMSKey"
+    effect    = "Allow"
+    resources = var.kms_key_ids
+    actions = [
+      "kms:GenerateDataKey",
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:DescribeKey"
+    ]
+  }
+}
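Review bot: The statement's `resources = var.kms_key_ids` is an IAM resource list, which must hold key ARNs, yet the variable is named `kms_key_ids` and the README row added in this commit documents it as `kms_key_arns`; one of the two names should be changed so callers know to pass the ARN the bucket module now exports as `kms_key_arn`, and the same mismatch applies to the declaration in vars.tf. On the permission set itself, S3 SSE-KMS exercises `kms:GenerateDataKey` and `kms:Decrypt` (and `kms:DescribeKey` for diagnostics) but does not call `kms:Encrypt` on the caller's behalf, so that action looks droppable in the spirit of least privilege — confirm against how the role is actually used before removing it. A `condition` on `kms:ViaService` with value `s3.<REGION>.amazonaws.com` (region placeholder) would further confine the grant to use through S3 rather than direct key calls. `source_json` is deprecated in newer AWS provider versions in favour of `source_policy_documents`; fine if the pinned provider still accepts it, but worth a comment on the line.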

+ 5 - 0
base/s3_bucket_writer_role/vars.tf

@@ -17,3 +17,8 @@ variable "name" { type = string }
 variable "trusted_arns" { type = list(string) }
 variable "description" { type = string }
 variable "bucket" { type = string }
+
+variable "kms_key_ids" {
+  type = list(string)
+  default = []
+}
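Review bot: The new `kms_key_ids` variable has no `description`, so anyone reading vars.tf or generated module docs cannot tell whether key IDs or ARNs are expected, and the `default = []` does not convey that the KMS statement is skipped entirely when the list is empty. Suggest `description = "(optional) ARNs of KMS keys the role must be able to use for the bucket; empty means no KMS statement is added"` inside the block.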