AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107
							# Roles carried over from the tf11 code have been commented out but may
# need to be re-added.
#
# HOWEVER, it would be better to simply create an additional KMS key
# with the corresponding service. This key is available as a fallback,
# but better to create one per service.
resource "aws_kms_key" "key" {
  description             = var.description
  policy = data.aws_iam_policy_document.kms_policy.json
  tags = merge(
    var.standard_tags,
    { "Name" = var.name },
    var.tags
  )
}

resource "aws_kms_alias" "alias" {
  name          = var.alias
  target_key_id = aws_kms_key.key.key_id
}

locals {
  iam_admins_legacy = [ "arn:${var.aws_partition}:iam::${var.aws_account_id}:root" ]
  iam_admins_tf12   = [ 
    "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin", # MDRAdmin as a break glass
    "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer" # Terraformer always gets full access
  ]
}

data "aws_iam_policy_document" "kms_policy" {
  policy_id = "${var.name}-policy"

  statement {
      sid = "Enable IAM User Permissions"
      effect = "Allow"
      principals {
        type = "AWS"
        identifiers = var.is_legacy ? local.iam_admins_legacy : local.iam_admins_tf12
      }
      actions = [ "kms:*" ]
      resources = [ "*" ]
  }

  statement {
      sid = "Allow access for Key Administrators"
      effect = "Allow"
      principals {
        type = "AWS"
         identifiers = concat(var.key_admin_arns, [ "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer" ])
      }

      actions = [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ]
      resources = [ "*" ]
    }

  statement {
      sid =  "Allow use of the key"
      effect = "Allow"
      principals {
        type = "AWS"
        identifiers = concat(var.key_user_arns, [ "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer" ] )
      }
      actions = [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ]
      resources = [ "*" ]
    }

  statement {
      sid = "Allow attachment of persistent resources"
      effect = "Allow"
      principals {
        type = "AWS"
        identifiers = concat(var.key_attacher_arns, ["arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer"])
      }
      actions = [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ]
      resources = [ "*" ]
      condition {
        test = "Bool"
        variable =  "kms:GrantIsForAWSResource"
        values = [ "true" ]
        }
      }
}