feat: added key for ssm

modules/security_identity_compliance/CustomerManagedKmsKeys/README.md

@@ -9,6 +9,7 @@ Module to create the following CMKs:
 - backup
 - log
 - notify
+- ssm
 
 ## Requirements
 
@@ -49,10 +50,11 @@ No modules.
 | [aws_iam_policy_document.UseOfKeyByAll](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.base](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.eksebs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.notify](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.rds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_roles.autoscaling](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
 | [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
@@ -69,6 +71,7 @@ No modules.
 | create-log-key | Create a CMK for use with logging such as CloudwatchLogs and Cloudtrail | `bool` | n/a | yes |
 | create-notify-key | Create a CMK for use with notification and events | `bool` | n/a | yes |
 | create-secret-key | Create a CMK for use with secretsmanager | `bool` | n/a | yes |
+| create-ssm-key | Create a CMK for use with SSM parameters | `bool` | n/a | yes |
 | create-storage-key | Create a CMK for use with storage such as EBS, S3, EFS | `bool` | n/a | yes |
 | create\_asg\_role | Create service linked role for autoscaling, required in key policy | `bool` | `true` | no |
 | customer\_master\_key\_spec | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: `SYMMETRIC_DEFAULT`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `HMAC_256`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, or `ECC_SECG_P256K1`. Defaults to `SYMMETRIC_DEFAULT` | `string` | `"SYMMETRIC_DEFAULT"` | no |

modules/security_identity_compliance/CustomerManagedKmsKeys/example/main.tf

@@ -13,6 +13,7 @@ module "example-keys" {
   create-secret-key       = true
   create-storage-key      = true
   create-eksebs-key       = true
+  create-ssm-key          = true
   key_administrator_arn   = data.aws_caller_identity.this.arn
 }
 

modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf

@@ -9,6 +9,7 @@
 * - backup
 * - log
 * - notify
+* - ssm
 */
 
 data "aws_region" "this" {}
@@ -128,6 +129,19 @@ resource "aws_kms_key" "notify" {
   bypass_policy_lockout_safety_check = var.bypass_policy_lockout_safety_check
 }
 
+resource "aws_kms_key" "notify" {
+  count                              = var.create-ssm-key ? 1 : 0
+  description                        = "Customer-managed KMS key for encrypting ssm parameters"
+  enable_key_rotation                = var.enable_key_rotation
+  rotation_period_in_days            = var.rotation_period_in_days
+  is_enabled                         = var.is_enabled
+  policy                             = data.aws_iam_policy_document.ssm.json
+  deletion_window_in_days            = var.deletion_window_in_days
+  customer_master_key_spec           = "SYMMETRIC_DEFAULT"
+  key_usage                          = "ENCRYPT_DECRYPT"
+  multi_region                       = var.multi_region
+  bypass_policy_lockout_safety_check = var.bypass_policy_lockout_safety_check
+}
 
 locals {
   prefix = var.name-prefix == null ? "" : "${var.name-prefix}-"
@@ -579,6 +593,31 @@ data "aws_iam_policy_document" "base" {
   )]
 }
 
+data "aws_iam_policy_document" "ssm" {
+  source_policy_documents = [data.aws_iam_policy_document.base.json]
+  statement {
+    sid    = "Allow access through SSM for all principals in the account that are authorized to use SSM"
+    effect = "Allow"
+    principals {
+      identifiers = [data.aws_caller_identity.current.account_id]
+      type        = "AWS"
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringLike"
+      values   = ["ssm.*.amazonaws.com"]
+      variable = "kms:ViaService"
+    }
+  }
+}
+
 # data "aws_iam_policy_document" "this" {
 #   source_policy_documents   = var.source_policy_documents
 #   override_policy_documents = var.override_policy_documents

modules/security_identity_compliance/CustomerManagedKmsKeys/variables.tf

@@ -38,6 +38,12 @@ variable "create-notify-key" {
   type        = bool
 }
 
+variable "create-ssm-key" {
+  description = "Create a CMK for use with SSM parameters"
+  type        = bool
+}
+
+
 variable "name-prefix" {
   description = "Assign a name prefix for key alias"
   type        = string