feat: updates on eks example, cmk, and s3bucket

2026-03-31 07:59:05 +08:00
parent b74aeac165
commit c8eba9a6f8
9 changed files with 424 additions and 2 deletions
@@ -129,7 +129,7 @@ resource "aws_kms_key" "notify" {
  bypass_policy_lockout_safety_check = var.bypass_policy_lockout_safety_check
 }

-resource "aws_kms_key" "notify" {
+resource "aws_kms_key" "ssm" {
  count                              = var.create-ssm-key ? 1 : 0
  description                        = "Customer-managed KMS key for encrypting ssm parameters"
  enable_key_rotation                = var.enable_key_rotation
@@ -196,6 +196,12 @@ resource "aws_kms_alias" "notify" {
  target_key_id = aws_kms_key.notify[0].id
 }

+resource "aws_kms_alias" "ssm" {
+  count         = var.create-ssm-key ? 1 : 0
+  name          = "alias/${local.prefix}ssm"
+  target_key_id = aws_kms_key.notify[0].id
+}
+
 # Policies
 data "aws_iam_policy_document" "allpurpose" {
  source_policy_documents = [data.aws_iam_policy_document.base.json]
@@ -25,6 +25,10 @@ output "cmks" {
      alias = one(aws_kms_alias.notify.*.name)
      arn   = one(aws_kms_key.notify.*.arn)
    },
+    ssm = {
+      alias = one(aws_kms_alias.ssm.*.name)
+      arn   = one(aws_kms_key.ssm.*.arn)
+    }
    storage = {
      alias = one(aws_kms_alias.storage.*.name)
      arn   = one(aws_kms_key.storage.*.arn)