Git Product home page Git Product logo

terraform-aws-kms's Introduction

Terraform AWS KMS

This terraform module creates a KMS Customer Master Key (CMK) and its alias.

Terraform Licence

We eat, drink, sleep and most importantly love DevOps. We are working towards strategies for standardizing architecture while ensuring security for the infrastructure. We are strong believer of the philosophy Bigger problems are always solved by breaking them into smaller manageable problems. Resonating with microservices architecture, it is considered best-practice to run database, cluster, storage in smaller connected yet manageable pieces within the infrastructure.

This module is basically combination of Terraform open source and includes automatation tests and examples. It also helps to create and improve your infrastructure with minimalistic code instead of maintaining the whole infrastructure code yourself.

We have fifty plus terraform modules. A few of them are comepleted and are available for open source usage while a few others are in progress.

Prerequisites

This module has a few dependencies:

Examples

IMPORTANT: Since the master branch used in source varies based on new modifications, we suggest that you use the release versions here.

Simple Example

Here is an example of how you can use this module in your inventory structure:

  module "kms_key" {
    source      = "clouddrove/kms/aws"
    version     = "0.15.0"
    name        = "kms"
    environment = "test"
    label_order = ["name", "environment"]
    enabled     = true
    description             = "KMS key for cloudtrail"
    deletion_window_in_days = 7
    enable_key_rotation     = true
    alias                   = "alias/cloudtrail"
    policy                  = data.aws_iam_policy_document.default.json
  }

  data "aws_iam_policy_document" "default" {
    version = "2012-10-17"
    statement {
      sid    = "Enable IAM User Permissions"
      effect = "Allow"
      principals {
        type        = "AWS"
        identifiers = ["*"]
      }
      actions   = ["kms:*"]
      resources = ["*"]
    }
    statement {
      sid    = "Allow CloudTrail to encrypt logs"
      effect = "Allow"
      principals {
        type        = "Service"
        identifiers = ["cloudtrail.amazonaws.com"]
      }
      actions   = ["kms:GenerateDataKey*"]
      resources = ["*"]
      condition {
        test     = "StringLike"
        variable = "kms:EncryptionContext:aws:cloudtrail:arn"
        values   = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"]
      }
    }

    statement {
      sid    = "Allow CloudTrail to describe key"
      effect = "Allow"
      principals {
        type        = "Service"
        identifiers = ["cloudtrail.amazonaws.com"]
      }
      actions   = ["kms:DescribeKey"]
      resources = ["*"]
    }

    statement {
      sid    = "Allow principals in the account to decrypt log files"
      effect = "Allow"
      principals {
        type        = "AWS"
        identifiers = ["*"]
      }
      actions = [
        "kms:Decrypt",
        "kms:ReEncryptFrom"
      ]
      resources = ["*"]
      condition {
        test     = "StringEquals"
        variable = "kms:CallerAccount"
        values = [
        "XXXXXXXXXXXX"]
      }
      condition {
        test     = "StringLike"
        variable = "kms:EncryptionContext:aws:cloudtrail:arn"
        values   = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"]
      }
    }

    statement {
      sid    = "Allow alias creation during setup"
      effect = "Allow"
      principals {
        type        = "AWS"
        identifiers = ["*"]
      }
      actions   = ["kms:CreateAlias"]
      resources = ["*"]
    }
  }

Inputs

Name Description Type Default Required
alias The display name of the alias. The name must start with the word alias followed by a forward slash. string "" no
attributes Additional attributes (e.g. 1). list(string) [] no
customer_master_key_spec Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. string "SYMMETRIC_DEFAULT" no
deletion_window_in_days Duration in days after which the key is deleted after destruction of the resource. number 10 no
description The description of the key as viewed in AWS console. string "Parameter Store KMS master key" no
enable_key_rotation Specifies whether key rotation is enabled. string true no
enabled Specifies whether the kms is enabled or disabled. bool true no
environment Environment (e.g. prod, dev, staging). string "" no
is_enabled Specifies whether the key is enabled. bool true no
key_usage Specifies the intended use of the key. Defaults to ENCRYPT_DECRYPT, and only symmetric encryption and decryption are supported. string "ENCRYPT_DECRYPT" no
label_order label order, e.g. name,application. list(any) [] no
managedby ManagedBy, eg 'CloudDrove'. string "[email protected]" no
name Name (e.g. app or cluster). string "" no
policy A valid policy JSON document. For more information about building AWS IAM policy documents with Terraform. string "" no
repository Terraform current module repo string "https://github.com/clouddrove/terraform-aws-kms" no
tags Additional tags (e.g. map(BusinessUnit,XYZ). map(string) {} no

Outputs

Name Description
alias_arn Alias ARN.
alias_name Alias name.
key_arn Key ARN.
key_id Key ID.
tags A mapping of tags to assign to the resource.

Testing

In this module testing is performed with terratest and it creates a small piece of infrastructure, matches the output like ARN, ID and Tags name etc and destroy infrastructure in your AWS account. This testing is written in GO, so you need a GO environment in your system.

You need to run the following command in the testing folder:

  go test -run Test

Feedback

If you come accross a bug or have any feedback, please log it in our issue tracker, or feel free to drop us an email at [email protected].

If you have found it worth your time, go ahead and give us a ★ on our GitHub!

About us

At CloudDrove, we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering.

We are The Cloud Experts!

We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.