
oozou/terraform-aws-kms-key


AWS KMS Key

AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. This component creates a KMS key that is used to encrypt data across the platform.

It creates:

  • KMS key: the KMS key resource itself
  • KMS key policy: a key policy that permits cross-account access, access by AWS principals, and access through AWS services, each gated by conditions derived from the input variables

Architecture

[TODO] Insert Architecture Diagram

Run-Book

Pre-requisites

IMPORTANT NOTE

  1. Required version of Terraform is mentioned in meta.tf.
  2. Go through variables.tf for understanding each terraform variable before running this component.

AWS Accounts

Needs the following accounts:

  1. Compute/Spoke Account (AWS account where KMS Key is to be created)

Getting Started

How to use this component in a blueprint

IMPORTANT: We periodically release versions of the components. Since the master branch may contain ongoing changes, best practice is to pin a released version by referencing its tag (e.g. ?ref=x.y.z).

module "logs_kms" {
  source      = "git::https://<YOUR_VCS_URL>/components/terraform-aws-kms-key?ref=<ref_name>"
  key_type    = "service"
  description = "Used to encrypt log aggregation resources"
  prefix      = "<customer_name>"
  name        = "<paas_name>"
  environment = "devops"

  service_key_info = {
    aws_service_names  = tolist([format("s3.%s.amazonaws.com", data.aws_region.current.name)])
    caller_account_ids = tolist([data.aws_caller_identity.current.account_id])
  }

  additional_policies = [data.aws_iam_policy_document.cloudtrail.json, data.aws_iam_policy_document.flow_logs.json]
}
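The snippet above references data.aws_region.current, data.aws_caller_identity.current and data.aws_iam_policy_document.cloudtrail without defining them. The following block is an added example, not code from this module or its authors, showing how those data sources and a CloudTrail policy document for additional_policies can be written. The trail name example-org-trail and the alias naming are constructed assumptions; the CloudTrail service principal, the actions, and the aws:SourceArn / kms:EncryptionContext:aws:cloudtrail:arn conditions follow the AWS documentation for CloudTrail-encrypted log files. The point of the conditions is that without them any trail in any account that can reach the key could generate data keys under it.

```hcl
# Added example (not part of the terraform-aws-kms-key module).
# Data sources referenced by the usage snippet in the README.
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

locals {
  # Constructed value: the trail name is an assumption for this example.
  trail_name = "example-org-trail"
  trail_arn  = "arn:aws:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${local.trail_name}"
}

# Policy document passed through additional_policies. Inside a key policy,
# resources = ["*"] refers to the key the policy is attached to.
data "aws_iam_policy_document" "cloudtrail" {
  statement {
    sid       = "AllowCloudTrailToEncryptLogs"
    effect    = "Allow"
    actions   = ["kms:GenerateDataKey*"]
    resources = ["*"]

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    # Restrict the grant to one trail in this account (confused-deputy guard).
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = [local.trail_arn]
    }
    condition {
      test     = "StringLike"
      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
      values   = ["arn:aws:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"]
    }
  }

  statement {
    sid       = "AllowCloudTrailToDescribeKey"
    effect    = "Allow"
    actions   = ["kms:DescribeKey"]
    resources = ["*"]

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }
}

module "logs_kms" {
  source      = "git::https://<YOUR_VCS_URL>/components/terraform-aws-kms-key?ref=<ref_name>"
  key_type    = "service"
  description = "Used to encrypt log aggregation resources"
  prefix      = "<customer_name>"
  name        = "<paas_name>"
  environment = "devops"

  # Service key: S3 in this region, called only from this account.
  service_key_info = {
    aws_service_names  = tolist([format("s3.%s.amazonaws.com", data.aws_region.current.name)])
    caller_account_ids = tolist([data.aws_caller_identity.current.account_id])
  }

  additional_policies = [data.aws_iam_policy_document.cloudtrail.json]
}

output "logs_kms_key_arn" {
  value = module.logs_kms.key_arn
}
```

After `terraform plan`, inspect the rendered key policy on aws_kms_key.this and confirm that the CloudTrail statement carries both conditions; a statement with the service principal but no aws:SourceArn condition is the usual sign that the conditions were dropped during a merge of policy documents.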

Requirements

Name       Version
terraform  >= 1.0.0
aws        >= 5.0.0
random     >= 3.1.0

Providers

Name    Version
aws     5.1.0
random  3.5.1

Modules

No modules.

Resources

Name                                                   Type
aws_kms_alias.this                                     resource
aws_kms_key.this                                       resource
random_string.random_suffix                            resource
aws_caller_identity.current                            data source
aws_iam_policy_document.admin_policy                   data source
aws_iam_policy_document.direct_cryptography            data source
aws_iam_policy_document.kms_key_policy                 data source
aws_iam_policy_document.service_cryptography           data source

Inputs

Each input is listed with its description, type, default and whether it is required.

additional_policies
  Description: Additional IAM policy documents to merge into the key policy, passed as rendered JSON from data sources. Ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
  Type:        list(string)
  Default:     []
  Required:    no

append_random_suffix
  Description: Append a random string to the alias name. Default: true (yes).
  Type:        bool
  Default:     true
  Required:    no

deletion_window
  Description: Number of days before a key is actually deleted once it has been scheduled for deletion. Valid values are between 7 and 30 days.
  Type:        number
  Default:     30
  Required:    no

description
  Description: The description to give to the key.
  Type:        string
  Default:     n/a
  Required:    yes

direct_key_info
  Description: Information required for a 'direct' key.
  Type:
    object({
      # List of principals to allow for cryptographic use of key.
      allow_access_from_principals = list(string)
    })
  Default:
    {
      "allow_access_from_principals": []
    }
  Required:    no

environment
  Description: Environment name, used as part of the resource names.
  Type:        string
  Default:     n/a
  Required:    yes

key_type
  Description: Indicates which kind of key to create: 'service' for a key used by AWS services; 'direct' for other keys. Provide service_key_info or direct_key_info depending on the type.
  Type:        string
  Default:     n/a
  Required:    yes

name
  Description: Name used as part of the resource names.
  Type:        string
  Default:     n/a
  Required:    yes

prefix
  Description: The customer prefix to be displayed in the AWS console and on resources.
  Type:        string
  Default:     n/a
  Required:    yes

service_key_info
  Description: Information required for a 'service' key.
  Type:
    object({
      # List of AWS service names for the kms:ViaService policy condition
      aws_service_names = list(string)
      # List of caller account IDs for the kms:CallerAccount policy condition
      caller_account_ids = list(string)
    })
  Default:
    {
      "aws_service_names": [],
      "caller_account_ids": []
    }
  Required:    no

tags
  Description: Additional tags to add; the default tags contain {terraform=true, environment=var.environment}.
  Type:        map(string)
  Default:     {}
  Required:    no
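The README's only usage example is a 'service' key. The block below is an added example, not code from this module, showing the other key_type, 'direct', where cryptographic use is granted to named principals via direct_key_info rather than to an AWS service via kms:ViaService. The IAM role name app-runtime-role, the module instance name, and the tag values are constructed assumptions; the input names and their types come from the Inputs section above.

```hcl
# Added example (not part of the terraform-aws-kms-key module).
data "aws_caller_identity" "current" {}

module "app_secrets_kms" {
  source      = "git::https://<YOUR_VCS_URL>/components/terraform-aws-kms-key?ref=<ref_name>"
  key_type    = "direct"
  description = "Used by the application to encrypt and decrypt its own payloads"
  prefix      = "<customer_name>"
  name        = "app-secrets"
  environment = "devops"

  # 'direct' key: only the listed principals get cryptographic access.
  # Keep this list to specific roles in this account; avoid account-root
  # ARNs here, which would extend use to every principal in the account.
  direct_key_info = {
    allow_access_from_principals = [
      # Assumed role name for this example.
      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/app-runtime-role",
    ]
  }

  # Keep the maximum pending-deletion window so an accidental
  # ScheduleKeyDeletion can still be cancelled with time to spare.
  deletion_window = 30

  # The application resolves the key by alias, so the alias must be stable
  # across applies; disabling the random suffix makes it deterministic.
  append_random_suffix = false

  # Merged with the module's default tags {terraform=true, environment=...}.
  tags = {
    owner = "platform-team"
  }
}

output "app_secrets_key_id" {
  value = module.app_secrets_kms.key_id
}

output "app_secrets_key_arn" {
  value = module.app_secrets_kms.key_arn
}
```

With append_random_suffix = false, two instances of this module that share the same prefix, name and environment would try to create the same alias, so keep the (prefix, name, environment) triple unique per key when the suffix is disabled.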

Outputs

Name     Description
key_arn  KMS key ARN
key_id   KMS key ID