xpk/terraform.examples
SHA256
1
0
Fork 0
Code Pull Requests Activity

feat: updated key policy for secretsmanager

Browse Source
This commit is contained in:
xpk
2026-02-26 18:59:24 +08:00
parent 149d3938f8
commit 38be9d195a
2 changed files with 131 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/security_identity_compliance/CustomerManagedKmsKeys/README.md
+2 -1
View File
@@ -47,13 +47,14 @@ No modules.
| [aws_kms_key.secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
| [aws_kms_key.storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.UseOfKeyByAll](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.allpurpose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.base](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.eksebs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.notify](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.secretsmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_roles.autoscaling](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
+129 -47
View File
@@ -22,7 +22,7 @@ resource "aws_kms_key" "allpurpose" {
enable_key_rotation = var.enable_key_rotation
rotation_period_in_days = var.rotation_period_in_days
is_enabled = var.is_enabled
policy = data.aws_iam_policy_document.UseOfKeyByAll.json
policy = data.aws_iam_policy_document.allpurpose.json
deletion_window_in_days = var.deletion_window_in_days
customer_master_key_spec = "SYMMETRIC_DEFAULT"
key_usage = "ENCRYPT_DECRYPT"
@@ -79,7 +79,7 @@ resource "aws_kms_key" "secret" {
enable_key_rotation = var.enable_key_rotation
rotation_period_in_days = var.rotation_period_in_days
is_enabled = var.is_enabled
policy = data.aws_iam_policy_document.UseOfKeyByAll.json
policy = data.aws_iam_policy_document.secretsmanager.json
deletion_window_in_days = var.deletion_window_in_days
customer_master_key_spec = "SYMMETRIC_DEFAULT"
key_usage = "ENCRYPT_DECRYPT"
@@ -197,6 +197,88 @@ resource "aws_kms_alias" "notify" {
}
# Policies
data "aws_iam_policy_document" "allpurpose" {
source_policy_documents = [data.aws_iam_policy_document.base.json]
statement {
sid = "Allow use by AWS services"
effect = "Allow"
principals {
identifiers = [
"delivery.logs.amazonaws.com" # vpc flow log
]
type = "Service"
}
actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
]
resources = ["*"]
}
statement {
sid = "Allow use of key by aws services"
effect = "Allow"
principals {
identifiers = [data.aws_caller_identity.current.account_id]
type = "AWS"
}
actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
]
resources = ["*"]
condition {
test = "StringLike"
values = [
"*.*.amazonaws.com"
]
variable = "kms:ViaService"
}
}
# this needs to be explicitly allowed for users and roles to be able to encrypt and decrypt data
statement {
sid = "Allow use of key by users and roles in same account"
effect = "Allow"
principals {
identifiers = [data.aws_caller_identity.current.account_id]
type = "AWS"
}
actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
]
resources = ["*"]
}
statement {
sid = "AllowAttachmentOfPersistentResources"
effect = "Allow"
principals {
identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
type = "AWS"
}
actions = [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
]
resources = ["*"]
condition {
test = "Bool"
values = ["true"]
variable = "kms:GrantIsForAWSResource"
}
}
}
data "aws_iam_policy_document" "storage" {
source_policy_documents = [data.aws_iam_policy_document.base.json]
statement {
@@ -331,6 +413,51 @@ data "aws_iam_policy_document" "database" {
}
}
data "aws_iam_policy_document" "secretsmanager" {
source_policy_documents = [data.aws_iam_policy_document.base.json]
statement {
sid = "Allow use of key by aws services"
effect = "Allow"
principals {
identifiers = [data.aws_caller_identity.current.account_id]
type = "AWS"
}
actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
]
resources = ["*"]
condition {
test = "StringLike"
values = [
"secretsmanager.*.amazonaws.com"
]
variable = "kms:ViaService"
}
}
# allow users in this account to encrypt and decrypt data
statement {
sid = "Allow use of key by users and roles in same account"
effect = "Allow"
principals {
identifiers = [data.aws_caller_identity.current.account_id]
type = "AWS"
}
actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
]
resources = ["*"]
}
}
# create an ASG service linked role if not already exist
data "aws_iam_roles" "autoscaling" {
count = var.create_asg_role ? 0 : 1
@@ -495,51 +622,6 @@ data "aws_iam_policy_document" "backup" {
}
}
# allow all entities in this account to perform encryption and decryption
data "aws_iam_policy_document" "UseOfKeyByAll" {
source_policy_documents = [data.aws_iam_policy_document.base.json]
statement {
sid = "AllowUseOfKey"
effect = "Allow"
principals {
identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
type = "AWS"
}
actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
]
resources = ["*"]
condition {
test = "StringEquals"
values = [data.aws_caller_identity.current.account_id]
variable = "aws:PrincipalAccount"
}
}
statement {
sid = "AllowAttachmentOfPersistentResources"
effect = "Allow"
principals {
identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
type = "AWS"
}
actions = [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
]
resources = ["*"]
condition {
test = "Bool"
values = ["true"]
variable = "kms:GrantIsForAWSResource"
}
}
}
# base policies allowing full access to key admin and read access to all
data "aws_iam_policy_document" "base" {
source_policy_documents = [jsonencode(