feat: added resource and variable

clouddrove · Jun 9, 2023 · 49cc3e9 · 49cc3e9
1 parent 62688e6
commit 49cc3e9
Show file tree

Hide file tree

Showing 4 changed files with 208 additions and 115 deletions.
diff --git a/_example/example.tf b/_example/example.tf
@@ -1,8 +1,6 @@
 provider "aws" {
-  region = "eu-west-1"
+  region = "eu-central-1"
 }
-data "aws_caller_identity" "current" {}
-data "aws_partition" "current" {}
 
 module "kms_key" {
   source = "./../"
@@ -11,104 +9,16 @@ module "kms_key" {
   environment = "test"
   label_order = ["name", "environment"]
 
-  enabled                 = true
-  description             = "KMS key for cloudtrail"
-  deletion_window_in_days = 15
-  alias                   = "alias/cloudtrail_Name"
-  multi_region            = false
-  policy                  = data.aws_iam_policy_document.default.json
-}
-
-data "aws_iam_policy_document" "default" {
-  version = "2012-10-17"
-  statement {
-    sid    = "Enable IAM User Permissions"
-    effect = "Allow"
-    principals {
-      type = "AWS"
-      identifiers = [
-        format(
-          "arn:%s:iam::%s:root",
-          join("", data.aws_partition.current.*.partition),
-          data.aws_caller_identity.current.account_id
-        )
-      ]
-    }
-    actions   = ["kms:*"]
-    resources = ["*"]
-  }
-  statement {
-    sid    = "Allow CloudTrail to encrypt logs"
-    effect = "Allow"
-    principals {
-      type        = "Service"
-      identifiers = ["cloudtrail.amazonaws.com"]
-    }
-    actions   = ["kms:GenerateDataKey*"]
-    resources = ["*"]
-    condition {
-      test     = "StringLike"
-      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
-      values   = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"]
-    }
-  }
+  deletion_window_in_days            = 15
+  alias                              = "alias/cloudtrail_Name"
+  enabled = false
+  multi_region                       = true
+  create_replica_external_enabled    = true
+  create_replica_enabled             = true
+  create_external_enabled            = true
+  valid_to                           = "2023-11-21T23:20:50Z"
+  key_material_base64                = "Wblj06fduthWggmsT0cLVoIMOkeLbc2kVfMud77i/JY="
 
-  statement {
-    sid    = "Allow CloudTrail to describe key"
-    effect = "Allow"
-    principals {
-      type        = "Service"
-      identifiers = ["cloudtrail.amazonaws.com"]
-    }
-    actions   = ["kms:DescribeKey"]
-    resources = ["*"]
-  }
 
-  statement {
-    sid    = "Allow principals in the account to decrypt log files"
-    effect = "Allow"
-    principals {
-      type = "AWS"
-      identifiers = [
-        format(
-          "arn:%s:iam::%s:root",
-          join("", data.aws_partition.current.*.partition),
-          data.aws_caller_identity.current.account_id
-        )
-      ]
-    }
-    actions = [
-      "kms:Decrypt",
-      "kms:ReEncryptFrom"
-    ]
-    resources = ["*"]
-    condition {
-      test     = "StringEquals"
-      variable = "kms:CallerAccount"
-      values = [
-      "XXXXXXXXXXXX"]
-    }
-    condition {
-      test     = "StringLike"
-      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
-      values   = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"]
-    }
-  }
 
-  statement {
-    sid    = "Allow alias creation during setup"
-    effect = "Allow"
-    principals {
-      type = "AWS"
-      identifiers = [
-        format(
-          "arn:%s:iam::%s:root",
-          join("", data.aws_partition.current.*.partition),
-          data.aws_caller_identity.current.account_id
-        )
-      ]
-    }
-    actions   = ["kms:CreateAlias"]
-    resources = ["*"]
-  }
-}
+}
diff --git a/main.tf b/main.tf
@@ -16,25 +16,173 @@ module "labels" {
   label_order = var.label_order
 }
 
+
+data "aws_caller_identity" "current" {}
+data "aws_partition" "current" {}
+
 # Module      : KMS KEY
 # Description : This terraform module creates a KMS Customer Master Key (CMK) and its alias.
 resource "aws_kms_key" "default" {
-  count                    = var.enabled ? 1 : 0
+  count = var.enabled ? 1 : 0
+
   description              = var.description
   key_usage                = var.key_usage
   deletion_window_in_days  = var.deletion_window_in_days
   is_enabled               = var.is_enabled
   enable_key_rotation      = var.enable_key_rotation
   customer_master_key_spec = var.customer_master_key_spec
-  policy                   = var.policy
+  policy                   = data.aws_iam_policy_document.default.json
   multi_region             = var.multi_region
   tags                     = module.labels.tags
 }
 
+resource "aws_kms_external_key" "external" {
+  count = var.enabled && var.create_external_enabled ? 1 : 0
+
+  bypass_policy_lockout_safety_check = var.bypass_policy_lockout_safety_check
+  deletion_window_in_days            = var.deletion_window_in_days
+  description                        = var.description
+  enabled                            = var.is_enabled
+  key_material_base64                = var.key_material_base64
+  multi_region                       = var.multi_region
+  policy                             = data.aws_iam_policy_document.default.json
+  valid_to                           = var.valid_to
+
+  tags = module.labels.tags
+}
+
+resource "aws_kms_replica_key" "replica-key" {
+  count = var.enabled && var.create_replica_enabled ? 1 : 0
+
+  bypass_policy_lockout_safety_check = var.bypass_policy_lockout_safety_check
+  deletion_window_in_days            = var.deletion_window_in_days
+  description                        = var.description
+  primary_key_arn                    = join("",aws_kms_key.default.*.arn)
+  enabled                            = var.is_enabled
+  policy                             = data.aws_iam_policy_document.default.json
+
+  tags = module.labels.tags
+}
+
+####----------------------------------------------------------------------------------
+## Replica External Key.
+####----------------------------------------------------------------------------------
+resource "aws_kms_replica_external_key" "replica-external-key" {
+  count = var.enabled && var.create_replica_external_enabled ? 1 : 0
+
+  bypass_policy_lockout_safety_check = var.bypass_policy_lockout_safety_check
+  deletion_window_in_days            = var.deletion_window_in_days
+  description                        = var.description
+  enabled                            = var.is_enabled
+  key_material_base64                = var.key_material_base64
+  policy                             = data.aws_iam_policy_document.default.json
+  primary_key_arn                    = join("",aws_kms_key.default.*.arn)
+  valid_to                           = var.valid_to
+
+  tags = module.labels.tags
+}
+
+
 # Module      : KMS ALIAS
 # Description : Provides an alias for a KMS customer master key..
 resource "aws_kms_alias" "default" {
-  count         = var.enabled ? 1 : 0
+  count = var.enabled ? 1 : 0
+
   name          = coalesce(var.alias, format("alias/%v", module.labels.id))
   target_key_id = join("", aws_kms_key.default.*.id)
 }
+
+
+data "aws_iam_policy_document" "default" {
+  version = "2012-10-17"
+  statement {
+    sid    = "Enable IAM User Permissions"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+        format(
+          "arn:%s:iam::%s:root",
+          join("", data.aws_partition.current.*.partition),
+          data.aws_caller_identity.current.account_id
+        )
+      ]
+    }
+    actions   = ["kms:*"]
+    resources = ["*"]
+  }
+  statement {
+    sid    = "Allow CloudTrail to encrypt logs"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+    actions   = ["kms:GenerateDataKey*"]
+    resources = ["*"]
+    condition {
+      test     = "StringLike"
+      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+      values   = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"]
+    }
+  }
+
+  statement {
+    sid    = "Allow CloudTrail to describe key"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+    actions   = ["kms:DescribeKey"]
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "Allow principals in the account to decrypt log files"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+        format(
+          "arn:%s:iam::%s:root",
+          join("", data.aws_partition.current.*.partition),
+          data.aws_caller_identity.current.account_id
+        )
+      ]
+    }
+    actions = [
+      "kms:Decrypt",
+      "kms:ReEncryptFrom"
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      variable = "kms:CallerAccount"
+      values = [
+      "XXXXXXXXXXXX"]
+    }
+    condition {
+      test     = "StringLike"
+      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+      values   = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"]
+    }
+  }
+
+  statement {
+    sid    = "Allow alias creation during setup"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+        format(
+          "arn:%s:iam::%s:root",
+          join("", data.aws_partition.current.*.partition),
+          data.aws_caller_identity.current.account_id
+        )
+      ]
+    }
+    actions   = ["kms:CreateAlias"]
+    resources = ["*"]
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -82,13 +82,6 @@ variable "alias" {
   description = "The display name of the alias. The name must start with the word `alias` followed by a forward slash."
 }
 
-variable "policy" {
-  type        = string
-  default     = ""
-  sensitive   = true
-  description = "A valid policy JSON document. For more information about building AWS IAM policy documents with Terraform."
-}
-
 variable "customer_master_key_spec" {
   type        = string
   default     = "SYMMETRIC_DEFAULT"
@@ -98,7 +91,7 @@ variable "customer_master_key_spec" {
 
 variable "enable_key_rotation" {
   type        = string
-  default     = true
+  default     = false
   description = "Specifies whether key rotation is enabled."
 }
 
@@ -107,3 +100,45 @@ variable "multi_region" {
   default     = true
   description = "Indicates whether the KMS key is a multi-Region (true) or regional (false) key."
 }
+
+variable "bypass_policy_lockout_safety_check" {
+  type        = bool
+  default     = null
+  description = "A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable"
+}
+
+variable "valid_to" {
+  type        = string
+  default     = ""
+  description = "Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire"
+}
+
+variable "key_material_base64" {
+  type        = string
+  default     = null
+  description = "Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. External key only"
+}
+
+variable "create_replica_external_enabled" {
+  type        = bool
+  default     = false
+  description = "Determines whether a replica external CMK will be created (externally provided material)"
+}
+
+variable "create_replica_enabled" {
+  type        = bool
+  default     = false
+  description = "Determines whether a replica standard CMK will be created (AWS provided material)"
+}
+
+variable "create_external_enabled" {
+  type        = bool
+  default     = false
+  description = "Determines whether an external CMK (externally provided material) will be created or a standard CMK (AWS provided material)"
+}
+
+variable "primary_external_key_arn" {
+  type        = string
+  default     = null
+  description = "The primary external key arn of a multi-region replica external key"
+}
diff --git a/_example/versions.tf → versions.tf b/_example/versions.tf → versions.tf
@@ -1,11 +1,11 @@
 # Terraform version
 terraform {
-  required_version = ">= 1.3.6"
+  required_version = ">= 1.4.6"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.48.0"
+      version = ">= 5.1.0"
     }
   }
-}
+}