feat: Create a KMS key for shareable secrets

terranisu · terranisu · commit ba9e40372adb · 2022-01-13T11:34:52.000+01:00
diff --git a/kms.tf b/kms.tf
@@ -0,0 +1,43 @@
+data "aws_iam_policy_document" "master" {
+  count = length(local.arns) > 0 ? 1 : 0
+
+  statement {
+    principals {
+      type        = "AWS"
+      identifiers = [data.aws_caller_identity.current.account_id]
+    }
+
+    actions   = ["kms:*"]
+    resources = ["*"]
+  }
+
+  statement {
+    principals {
+      type        = "AWS"
+      identifiers = flatten(values(local.arns))
+    }
+
+    actions = [
+      "kms:Decrypt",
+      "kms:DescribeKey",
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_kms_key" "master" {
+  count = length(local.arns) > 0 ? 1 : 0
+
+  description = "The master key for ${var.app_name} application"
+  policy      = data.aws_iam_policy_document.master[0].json
+
+  tags = var.tags
+}
+
+resource "aws_kms_alias" "master" {
+  count = length(local.arns) > 0 ? 1 : 0
+
+  name = "alias/${var.app_name}"
+
+  target_key_id = aws_kms_key.master[0].key_id
+}
diff --git a/main.tf b/main.tf
@@ -20,6 +20,8 @@ resource "aws_secretsmanager_secret" "app" {
   name_prefix = "${var.app_name}-${each.key}"
   description = "The ${title(replace(each.key, "-", " "))} secret for ${var.app_name} application"
 
+  kms_key_id = length(local.arns) > 0 ? aws_kms_key.master[0].key_id : null
+
   policy = lookup(local.arns, each.key, null) == null ? null : data.aws_iam_policy_document.access[each.key].json
 
   tags = merge(var.tags, { "service" = var.app_name })
