Home Verkennen Help
Registreren Inloggen
AFS
/
xdr-terraform-modules
2
0
Vork 0
Bestanden Issues 0 Pull-aanvragen 0 Wiki
Boom: 1992399174
Aftakkingen Labels
xdr-terraform-m...
/
base
/
generic_s3_bucket_with_role
/
kms.tf

kms.tf 2.3 KB
Geschiedenis Ruwe

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697 
  1. resource "aws_kms_key" "bucketkey" {
    2. 

  2.   description             = "S3 KMS for ${local.fullname}."
    3. 

  3.   deletion_window_in_days = 30
    4. 

  4.   enable_key_rotation     = true
    5. 

  5.   policy                  = data.aws_iam_policy_document.kms_key_policy.json
    6. 

  6.   tags                    = merge(var.standard_tags, var.tags)
    7. 

  7. }
    8. 

  8. 

  9. resource "aws_kms_alias" "bucketkey" {
    10. 

  10.   name          = "alias/${var.name}"
    11. 

  11.   target_key_id = aws_kms_key.bucketkey.key_id
    12. 

  12. }
    13. 

  13. 

  14. data "aws_iam_policy_document" "kms_key_policy" {
    15. 

  15.   depends_on = [ aws_iam_role.role ]
    16. 

  16.   policy_id = local.fullname
    17. 

  17.   statement {
    18. 

  18.     sid    = "Enable IAM User Permissions"
    19. 

  19.     effect = "Allow"
    20. 

  20.     principals {
    21. 

  21.       type = "AWS"
    22. 

  22.       identifiers = local.principals
    23. 

  23.     }
    24. 

  24.     actions   = ["kms:*"]
    25. 

  25.     resources = ["*"]
    26. 

  26.   }
    27. 

  27. 

  28.   statement {
    29. 

  29.     sid    = "Allow access for Engineers"
    30. 

  30.     effect = "Allow"
    31. 

  31.     principals {
    32. 

  32.       type = "AWS"
    33. 

  33.       identifiers = [
    34. 

  34.         "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin",
    35. 

  35.         "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
    36. 

  36.       ]
    37. 

  37.     }
    38. 

  38. 

  39.     actions = [
    40. 

  40.       "kms:Create*",
    41. 

  41.       "kms:Describe*",
    42. 

  42.       "kms:Enable*",
    43. 

  43.       "kms:List*",
    44. 

  44.       "kms:Put*",
    45. 

  45.       "kms:Update*",
    46. 

  46.       "kms:Revoke*",
    47. 

  47.       "kms:Disable*",
    48. 

  48.       "kms:Get*",
    49. 

  49.       "kms:Delete*",
    50. 

  50.       "kms:TagResource",
    51. 

  51.       "kms:UntagResource",
    52. 

  52.       "kms:ScheduleKeyDeletion",
    53. 

  53.       "kms:CancelKeyDeletion"
    54. 

  54.     ]
    55. 

  55.     resources = ["*"]
    56. 

  56.   }
    57. 

  57. 

  58.   statement {
    59. 

  59.     sid    = "Allow use of the key to encrypt and decrypt"
    60. 

  60.     effect = "Allow"
    61. 

  61.     principals {
    62. 

  62.       type        = "AWS"
    63. 

  63.       identifiers = local.principals
    64. 

  64.     }
    65. 

  65.     actions = [
    66. 

  66.       "kms:Encrypt",
    67. 

  67.       "kms:Decrypt",
    68. 

  68.       "kms:ReEncrypt*",
    69. 

  69.       "kms:GenerateDataKey*",
    70. 

  70.       "kms:DescribeKey"
    71. 

  71.     ]
    72. 

  72.     resources = ["*"]
    73. 

  73.   }
    74. 

  74. 

  75.   statement {
    76. 

  76.     sid    = "Allow attachment of persistent resources"
    77. 

  77.     effect = "Allow"
    78. 

  78.     principals {
    79. 

  79.       type = "AWS"
    80. 

  80.       identifiers = [
    81. 

  81.         "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin",
    82. 

  82.         "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
    83. 

  83.       ]
    84. 

  84.     }
    85. 

  85.     actions = [
    86. 

  86.       "kms:CreateGrant",
    87. 

  87.       "kms:ListGrants",
    88. 

  88.       "kms:RevokeGrant"
    89. 

  89.     ]
    90. 

  90.     resources = ["*"]
    91. 

  91.     condition {
    92. 

  92.       test     = "Bool"
    93. 

  93.       variable = "kms:GrantIsForAWSResource"
    94. 

  94.       values   = ["true"]
    95. 

  95.     }
    96. 

  96.   }
    97. 

  97. }
    98.