Home Explore Help
Register Sign In
AFS
/
xdr-terraform-modules
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

LCP AMI module was lost, I had to remake it

Duane Waddle 4 years ago
parent
b6148ccf41
commit
8c58383fce
3 changed files with 70 additions and 0 deletions
Split View Show Diff Stats
  1. 53 0
      base/lcp_ami_key/main.tf
  2. 3 0
      base/lcp_ami_key/outputs.tf
  3. 14 0
      base/lcp_ami_key/vars.tf

+ 53 - 0
base/lcp_ami_key/main.tf
View File 

@@ -0,0 +1,53 @@
 
+locals {
 
+
 
+  #account_arns = sort(
 
+  #  concat(
 
+  #   [ for account in concat(var.customer_account_list,var.account_list):
 
+  #     "arn:${var.aws_partition}:iam::${account}:root" if account != "*"
 
+  #   ],
 
+  #   [ for account in concat(var.customer_account_list,var.account_list):
 
+  #     "*" if account == "*" 
+  #   ]
 
+  #))
 
+
 
+  # LCP AMI Key should allow anyone and everyone to use it.  Rationale:
 
+  #     * The AMIs themselves only get shared with specific AWS accounts
 
+  #     * Only two IAM Actions are permitted by the policy defined in the
 
+  #       submodule:  kms:ReEncryptFrom and kms:DescribeKey.  
+  #     *Giving these limited rights to "anyone" should be fine, given the only way
 
+  #       to see the volumes encrypted using this key is by launching the AMI
 
+  #       which you have to be whitelisted to
 
+  #
 
+  # It is, however, incumbent on us to not use this particular KMS for any
 
+  # other purpose other than the LCP AMI(s) EBS volume(s).
 
+  account_arns = [ "*" ]
 
+
 
+  terraformer_arns = sort([
 
+    for account in var.account_list:
 
+      "arn:${var.aws_partition}:iam::${account}:role/user/mdr_terraformer"
 
+  ])
 
+
 
+  all_keys = concat([ module.shared_ami_key.key_arn ])
 
+}
 
+
 
+output other {
 
+  value = local.account_arns
 
+}
 
+
 
+module "shared_ami_key" {
 
+  source = "../../submodules/kms/ami-key"
 
+
 
+  name = "lcp_ami_key"
 
+  alias = "alias/lcp_ami_key"
 
+  description = "Key for encrypting the LCP AMIs to be shared with external clients."
 
+  tags = merge(var.standard_tags, var.tags)
 
+  key_admin_arns = [ ]
 
+  key_user_arns = [ ]
 
+  #key_attacher_arns = local.account_arns
 
+  key_attacher_arns = local.terraformer_arns
 
+  #key_attacher_arns = [ ]
 
+  standard_tags = var.standard_tags
 
+  aws_account_id = var.aws_account_id
 
+  aws_partition = var.aws_partition
 
+  remote_account_arns = local.account_arns
 
+}

+ 3 - 0
base/lcp_ami_key/outputs.tf
View File 

@@ -0,0 +1,3 @@
 
+output key_arn { 
+  value = module.shared_ami_key.key_arn
 
+}

+ 14 - 0
base/lcp_ami_key/vars.tf
View File 

@@ -0,0 +1,14 @@
 
+# variables from terragrunt.hcl
 
+variable tags { type = map }
 
+
 
+
 
+# inherited variables
 
+variable standard_tags { type = map }
 
+variable aws_account_id { type = string }
 
+variable aws_partition { type = string }
 
+
 
+variable customer_account_list { 
+  type = list 
+  default = []
 
+}
 
+variable account_list { type = list }