首頁 探索 說明
註冊 登入
AFS
/
xdr-terraform-modules
2
0
複刻 0
Files 問題管理 0 合併請求 0 Wiki
目錄樹: b19d7fe518
分支列表 標籤列表
xdr-terraform-m...
/
thirdparty
/
terraform-aws-cloudtrail-bucket
/
kms.tf

kms.tf 1.5 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475 
  1. data "aws_iam_policy_document" "key" {
    2. 

  2.   statement {
    3. 

  3.     actions   = ["kms:*"]
    4. 

  4.     effect    = "Allow"
    5. 

  5.     resources = ["*"]
    6. 

  6. 

  7.     principals {
    8. 

  8.       type        = "AWS"
    9. 

  9.       identifiers = ["arn:${local.partition}:iam::${local.account_id}:root"]
    10. 

  10.     }
    11. 

  11.   }
    12. 

  12. 

  13.   statement {
    14. 

  14.     actions   = ["kms:GenerateDataKey*"]
    15. 

  15.     effect    = "Allow"
    16. 

  16.     resources = ["*"]
    17. 

  17. 

  18.     condition {
    19. 

  19.       test     = "StringLike"
    20. 

  20.       variable = "kms:EncryptionContext:aws:cloudtrail:arn"
    21. 

  21.       values   = local.kms_key_encrypt_resources
    22. 

  22.     }
    23. 

  23. 

  24.     principals {
    25. 

  25.       type        = "Service"
    26. 

  26.       identifiers = ["cloudtrail.amazonaws.com"]
    27. 

  27.     }
    28. 

  28.   }
    29. 

  29. 

  30.   statement {
    31. 

  31.     actions = [
    32. 

  32.       "kms:Encrypt*",
    33. 

  33.       "kms:Decrypt*",
    34. 

  34.       "kms:ReEncrypt*",
    35. 

  35.       "kms:GenerateDataKey*",
    36. 

  36.       "kms:Describe*",
    37. 

  37.     ]
    38. 

  38.     effect    = "Allow"
    39. 

  39.     resources = ["*"]
    40. 

  40. 

  41.     principals {
    42. 

  42.       type        = "Service"
    43. 

  43.       identifiers = ["logs.${var.region}.amazonaws.com"]
    44. 

  44.     }
    45. 

  45.   }
    46. 

  46. 

  47.   statement {
    48. 

  48.     actions   = ["kms:Describe*"]
    49. 

  49.     effect    = "Allow"
    50. 

  50.     resources = ["*"]
    51. 

  51. 

  52.     principals {
    53. 

  53.       type        = "Service"
    54. 

  54.       identifiers = ["cloudtrail.amazonaws.com"]
    55. 

  55.     }
    56. 

  56.   }
    57. 

  57. }
    58. 

  58. 

  59. resource "aws_kms_key" "this" {
    60. 

  60.   deletion_window_in_days = 7
    61. 

  61.   description             = "CloudTrail Encryption Key"
    62. 

  62.   enable_key_rotation     = true
    63. 

  63.   policy                  = data.aws_iam_policy_document.key.json
    64. 

  64.   tags = merge(
    65. 

  65.     {
    66. 

  66.       "Name" = "cloudtrail-key"
    67. 

  67.     },
    68. 

  68.     var.tags
    69. 

  69.   )
    70. 

  70. }
    71. 

  71. 

  72. resource "aws_kms_alias" "this" {
    73. 

  73.   name          = "alias/cloudtrail_key"
    74. 

  74.   target_key_id = aws_kms_key.this.id
    75. 

  75. }
    76.