Coalfire AWS KMS Terraform Module

Repository: CiscoOpsStack/terraform-aws-kms-ops_stack (forked from Coalfire-CF/terraform-aws-kms)
This module creates the necessary resources to store your Terraform code remotely in AWS.
FedRAMP Compliance: Moderate, High

Dependencies:

- IAM AWS Accounts
- Any resources requiring KMS keys (the IAM key policy must be created when the key is created)
Resources created by this module:

- KMS Key
- KMS Key alias
This module can be called as outlined below.

- Change directories to the `kms` directory.
- From the `terraform/aws/kms` directory run `terraform init`.
- Run `terraform plan` to review the resources being created.
- If everything looks correct in the plan output, run `terraform apply`.
Example of how to call the module with generic variables:

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "=4.58"
    }
  }
}

# This can be called in region setup
module "kms" {
  source                = "github.com/Coalfire-CF/ACE-AWS-KMS?ref=vX.X.X"
  resource_prefix       = var.resource_prefix
  kms_key_resource_type = "s3"
  key_policy            = data.aws_iam_policy_document.s3_kms_policy.json
}

# This should be created where the module is called within the project,
# such as in region-setup or account-setup if desired.
data "aws_iam_policy_document" "s3_kms_policy" {
  statement {
    sid       = "source-account-full-access"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.mgmt_account_id}:root"]
    }
  }

  statement {
    sid    = "target-account-allow-grant"
    effect = "Allow"
    # The following actions are required by Terraform to read/create/remove grants
    actions = [
      "kms:CreateGrant",
      "kms:DescribeKey",
      "kms:ListGrants",
      "kms:RevokeGrant",
    ]
    resources = ["*"]

    # This allows any IAM role in the target account that has permission to create
    # the grant to create the grant. Can lock this down to a specific role in the
    # target account so only that role is able to create a grant for this key.
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.app_account_id}:root"]
    }
  }
}

# Resource to be called where KMS access is required by a resource/service deployment.
# Declared at the top level, outside the policy document data block.
resource "aws_kms_grant" "cross-account-grant" {
  name              = "grant-s3-kms-key"
  key_id            = module.kms.kms_key_arn        # key above that was deployed (module output is kms_key_arn)
  grantee_principal = data.aws_iam_role.my_role.arn # cross-account role or resource/service role you want to grant to
  operations        = ["Encrypt", "Decrypt", "GenerateDataKey"]
}
```
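As an added check that is not part of this module or of the Coalfire repository, the following Python auditor inspects the rendered JSON form of a key policy shaped like the one above and flags wildcard principals, `kms:*` granted to anything other than the management account root, and target-account statements that go beyond the four grant-management actions. The account IDs and the sample policy are constructed placeholders.

```python
import json

# Grant-management actions the key policy above gives the target account.
GRANT_MANAGEMENT_ACTIONS = {"kms:CreateGrant", "kms:DescribeKey", "kms:ListGrants", "kms:RevokeGrant"}


def _as_list(value):
    """IAM accepts a scalar or a list for Action/Principal; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _aws_principals(stmt):
    """AWS principals of a statement, for both the "*" and the {"AWS": ...} forms."""
    principal = stmt.get("Principal", {})
    return _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)


def audit_kms_key_policy(policy_json, mgmt_account_id, app_account_id):
    """Return findings for a key policy shaped like the cross-account one above."""
    mgmt_root = f"arn:aws:iam::{mgmt_account_id}:root"
    app_root = f"arn:aws:iam::{app_account_id}:root"
    findings, admin_found = [], False
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        sid = stmt.get("Sid", "<no sid>")
        actions = set(_as_list(stmt.get("Action")))
        principals = _aws_principals(stmt)
        if "*" in principals:
            findings.append(f"{sid}: wildcard principal, key is usable from any AWS account")
        if "kms:*" in actions:
            admin_found = admin_found or mgmt_root in principals
            for p in principals:
                if p != mgmt_root:
                    findings.append(f"{sid}: kms:* granted to {p}, expected only {mgmt_root}")
        if app_root in principals and (extra := actions - GRANT_MANAGEMENT_ACTIONS):
            findings.append(f"{sid}: target account allowed beyond grant management: {sorted(extra)}")
    if not admin_found:
        findings.append("no statement gives the management account root kms:*; key may become unmanageable")
    return findings


# Constructed sample: what the policy document above renders to, with placeholder account IDs.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "source-account-full-access", "Effect": "Allow", "Action": "kms:*", "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"}},
    {"Sid": "target-account-allow-grant", "Effect": "Allow", "Action": sorted(GRANT_MANAGEMENT_ACTIONS),
     "Resource": "*", "Principal": {"AWS": "arn:aws:iam::222222222222:root"}},
]})
```

The same function can be pointed at the output of `terraform show -json` or `aws kms get-key-policy` to confirm a deployed key still matches the intended shape.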
Requirements:

| Name | Version |
|---|---|
| terraform | >= 1.5 |
| aws | >= 3.26 |

Providers:

| Name | Version |
|---|---|
| aws | >= 3.26 |

Modules: none.

Resources:

| Name | Type |
|---|---|
| aws_kms_alias.kms_key_alias | resource |
| aws_kms_key.kms_key | resource |

Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| key_description | The description given to the created CMK | string | "" | no |
| key_policy | IAM key policy for the KMS key | any | null | no |
| kms_key_resource_type | The type of resource/service this key is for, such as S3, EBS or RDS | string | n/a | yes |
| resource_prefix | The prefix of the KMS key alias | string | n/a | yes |

Outputs:

| Name | Description |
|---|---|
| kms_key_arn | The ARN of the S3 KMS key |
| kms_key_id | The ID of the S3 key |
Copyright © 2023 Coalfire Systems Inc.