
feat: added key for ssm

This commit is contained in:
xpk
2026-02-26 14:26:37 +08:00
parent 53271833ef
commit 149d3938f8
4 changed files with 50 additions and 1 deletions
@@ -9,6 +9,7 @@
* - backup
* - log
* - notify
* - ssm
*/
data "aws_region" "this" {}
@@ -128,6 +129,19 @@ resource "aws_kms_key" "notify" {
bypass_policy_lockout_safety_check = var.bypass_policy_lockout_safety_check
}
resource "aws_kms_key" "notify" {
count = var.create-ssm-key ? 1 : 0
description = "Customer-managed KMS key for encrypting ssm parameters"
enable_key_rotation = var.enable_key_rotation
rotation_period_in_days = var.rotation_period_in_days
is_enabled = var.is_enabled
policy = data.aws_iam_policy_document.ssm.json
deletion_window_in_days = var.deletion_window_in_days
customer_master_key_spec = "SYMMETRIC_DEFAULT"
key_usage = "ENCRYPT_DECRYPT"
multi_region = var.multi_region
bypass_policy_lockout_safety_check = var.bypass_policy_lockout_safety_check
}
locals {
prefix = var.name-prefix == null ? "" : "${var.name-prefix}-"
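Review bot: The new resource block added in this hunk is declared as `resource "aws_kms_key" "notify"`, which is the same address as the existing notify key shown in the hunk header context; Terraform rejects two resources of the same type and name in one module, so this will fail at plan time. Everything else in the block (`count = var.create-ssm-key ? 1 : 0`, the SSM description, `policy = data.aws_iam_policy_document.ssm.json`) indicates it was meant to be the SSM key, so the fix is the resource name: `resource "aws_kms_key" "ssm" {`. Any outputs or aliases that reference the new key elsewhere in the commit would need to use `aws_kms_key.ssm` accordingly; I cannot see the other three changed files from here.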
@@ -579,6 +593,31 @@ data "aws_iam_policy_document" "base" {
)]
}
data "aws_iam_policy_document" "ssm" {
source_policy_documents = [data.aws_iam_policy_document.base.json]
statement {
sid = "Allow access through SSM for all principals in the account that are authorized to use SSM"
effect = "Allow"
principals {
identifiers = [data.aws_caller_identity.current.account_id]
type = "AWS"
}
actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
]
resources = ["*"]
condition {
test = "StringLike"
values = ["ssm.*.amazonaws.com"]
variable = "kms:ViaService"
}
}
}
# data "aws_iam_policy_document" "this" {
# source_policy_documents = var.source_policy_documents
# override_policy_documents = var.override_policy_documents