Merge remote-tracking branch 'upstream/master'

asappinc · May 8, 2019 · a667c90 · a667c90
2 parents d154f0e + e62735d
commit a667c90
Show file tree

Hide file tree

Showing 13 changed files with 103 additions and 24 deletions.
diff --git a/README.md b/README.md
@@ -1 +1,51 @@
-# terraform-kms-encryption
+# terraform-kms-encryption
+
+## Modules
+
+### KMS Key
+
+Path: `modules/kms_key`
+
+#### Inputs
+
+Variable name | Default value
+------------- | -------------
+alias_name |
+additional_account_ids | []
+
+#### Outputs
+
+* `key_id`
+* `key_arn`
+
+### Secret decryption
+
+Path: `modules/secret_decryption`
+
+#### Inputs
+
+Variable name | Default value
+------------- | -------------
+encrypted_secret |
+secret_context | {}
+
+#### Outputs
+
+* `decrypted_secret`
+
+### Secret encryption
+
+Path: `modules/secret_encryption`
+
+#### Inputs
+
+Variable name | Default value
+------------- | -------------
+alias_name |
+text_to_encrypt |
+secret_context | {}
+
+#### Outputs
+
+* `encrypted_secret`
+
diff --git a/modules/kms_key/data.tf b/modules/kms_key/data.tf
@@ -0,0 +1,18 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_iam_policy_document" "policy" {
+  policy_id = "key-default-1"
+  version   = "2012-10-17"
+
+  statement {
+    sid       = "Enable IAM User Permissions"
+    effect    = "Allow"
+    actions   = ["kms:*"]
+    resources = ["*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["${formatlist("arn:aws:iam::%s:root", local.accounts_with_permissions)}"]
+    }
+  }
+}
diff --git a/modules/kms_key/locals.tf b/modules/kms_key/locals.tf
@@ -0,0 +1,3 @@
+locals {
+  accounts_with_permissions = ["${concat(list(data.aws_caller_identity.current.account_id), var.additional_account_ids)}"]
+}
diff --git a/modules/kms_key/main.tf b/modules/kms_key/main.tf
@@ -1,6 +1,8 @@
-resource "aws_kms_key" "key" {}
+resource "aws_kms_key" "key" {
+  policy = "${data.aws_iam_policy_document.policy.json}"
+}
 
 resource "aws_kms_alias" "alias" {
-  name = "alias/${var.alias_name}"
+  name          = "alias/${var.alias_name}"
   target_key_id = "${aws_kms_key.key.key_id}"
-}
+}
diff --git a/modules/kms_key/outputs.tf b/modules/kms_key/outputs.tf
@@ -4,4 +4,4 @@ output "key_id" {
 
 output "key_arn" {
   value = "${aws_kms_key.key.arn}"
-}
+}
diff --git a/modules/kms_key/variables.tf b/modules/kms_key/variables.tf
@@ -1,4 +1,10 @@
 variable "alias_name" {
-  type = "string"
+  type        = "string"
   description = "The alias for the main key"
-}
+}
+
+variable "additional_account_ids" {
+  type        = "list"
+  description = "List of additional account ids with permissions to use the key"
+  default     = []
+}
diff --git a/modules/secret_decryption/main.tf b/modules/secret_decryption/main.tf
@@ -1,7 +1,7 @@
 data "aws_kms_secrets" "secret" {
   secret {
-    name = "decrypted_secret"
+    name    = "decrypted_secret"
     payload = "${var.encrypted_secret}"
     context = "${var.secret_context}"
   }
-}
+}
diff --git a/modules/secret_decryption/outputs.tf b/modules/secret_decryption/outputs.tf
@@ -1,3 +1,3 @@
 output "decrypted_secret" {
   value = "${data.aws_kms_secrets.secret.plaintext.decrypted_secret}"
-}
+}
diff --git a/modules/secret_decryption/variables.tf b/modules/secret_decryption/variables.tf
@@ -1,10 +1,10 @@
 variable "encrypted_secret" {
-  type = "string"
+  type        = "string"
   description = "KMS-encrypted secret to be decrypted"
 }
 
 variable "secret_context" {
-  type = "map"
+  type        = "map"
   description = "Encryption context associated with the secret"
-  default = {}
-}
+  default     = {}
+}
diff --git a/modules/secret_encryption/data.tf b/modules/secret_encryption/data.tf
@@ -1,3 +1,3 @@
 data "aws_kms_alias" "alias" {
   name = "alias/${var.alias_name}"
-}
+}
diff --git a/modules/secret_encryption/main.tf b/modules/secret_encryption/main.tf
@@ -1,5 +1,5 @@
 data "aws_kms_ciphertext" "secret" {
-  key_id = "${data.aws_kms_alias.alias.target_key_id}"
+  key_id    = "${data.aws_kms_alias.alias.target_key_id}"
   plaintext = "${var.text_to_encrypt}"
-  context = "${var.secret_context}"
-}
+  context   = "${var.secret_context}"
+}
diff --git a/modules/secret_encryption/outputs.tf b/modules/secret_encryption/outputs.tf
@@ -1,3 +1,3 @@
 output "encrypted_secret" {
   value = "${data.aws_kms_ciphertext.secret.ciphertext_blob}"
-}
+}
diff --git a/modules/secret_encryption/variables.tf b/modules/secret_encryption/variables.tf
@@ -1,15 +1,15 @@
 variable "alias_name" {
-  type = "string"
+  type        = "string"
   description = "Alias of the KMS key to be used for encryption"
 }
 
 variable "text_to_encrypt" {
-  type = "string"
+  type        = "string"
   description = "Plain text string to be encrypted"
 }
 
 variable "secret_context" {
-  type = "map"
+  type        = "map"
   description = "Context to be associated with the encrypted secret"
-  default = {}
-}
+  default     = {}
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -4,4 +4,4 @@ output "key_id" { @@
     output "key_arn" {
       value = "${aws_kms_key.key.arn}"
-    }
+    }