# Lifecycle report for customer-managed KMS keys (CMKs): summary cards on
# top, one row per CMK underneath. Extended notes live in the referenced
# markdown file.
dashboard "kms_key_lifecycle_report" {
  title         = "AWS KMS CMK Lifecycle Report"
  documentation = file("./dashboards/kms/docs/kms_key_report_lifecycle.md")

  tags = merge(local.kms_common_tags, {
    type     = "Report"
    category = "Lifecycle"
  })

  # Headline counts. The queries behind the second and third cards are
  # defined later in this file; the first is defined elsewhere in the mod.
  container {
    card {
      width = 3
      query = query.kms_customer_managed_key_count
    }

    card {
      width = 3
      query = query.kms_key_rotation_disabled_count
    }

    card {
      width = 3
      query = query.kms_cmk_pending_deletion_count
    }
  }

  # Per-key detail rows. "ARN" is selected but hidden because it feeds the
  # Key ID link below; "Account ID" is likewise hidden from the rendered table.
  table {
    query = query.kms_cmk_lifecycle_table

    column "Account ID" {
      display = "none"
    }

    column "ARN" {
      display = "none"
    }

    # Link each key to its detail dashboard, passing the ARN URL-encoded.
    column "Key ID" {
      href = "${dashboard.kms_key_detail.url_path}?input.key_arn={{.ARN | @uri}}"
    }
  }
}
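# Card query: number of customer-managed keys whose automatic rotation is
# off. `type` is 'ok' when the count is zero and 'alert' otherwise; it is
# aliased unquoted here to match the sibling card queries in this file.
#
# NOTE(review): `not key_rotation_enabled` is not true for a NULL value, so
# keys whose rotation flag is NULL are excluded from this count rather than
# reported — confirm that is the intended treatment before relying on a
# zero here as "all CMKs rotate".
query "kms_key_rotation_disabled_count" {
  sql = <<-EOQ
    select
      count(*) as value,
      'Rotation Disabled' as label,
      case count(*) when 0 then 'ok' else 'alert' end as type
    from
      aws_kms_key
    where
      not key_rotation_enabled
      and key_manager = 'CUSTOMER';
  EOQ
}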
# Card query: number of customer-managed keys currently scheduled for
# deletion (key_state = 'PendingDeletion'). Any non-zero count flips the
# card to 'alert', since a key in this state will become unrecoverable
# once its waiting period ends.
query "kms_cmk_pending_deletion_count" {
  sql = <<-EOQ
    select
      count(*) as value,
      'Pending Deletion' as label,
      case when count(*) = 0 then 'ok' else 'alert' end as type
    from
      aws_kms_key
    where
      key_manager = 'CUSTOMER'
      and key_state = 'PendingDeletion';
  EOQ
}
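# Table query: one row per customer-managed key with its rotation flag,
# state, manager, scheduled deletion date and owning account. The join to
# aws_account is written as an explicit inner join (same rows as the
# original comma join) so the join condition is not mistaken for a filter.
#
# NOTE(review): "Key Rotation" renders 'Enabled' only; both a false flag
# and a NULL flag come out blank. If the report needs to distinguish
# "rotation disabled" from "rotation status unknown", add an explicit
# 'Disabled' branch for the false case.
query "kms_cmk_lifecycle_table" {
  sql = <<-EOQ
    select
      k.id as "Key ID",
      case when k.key_rotation_enabled then 'Enabled' else null end as "Key Rotation",
      k.key_state as "Key State",
      k.key_manager as "Key Manager",
      k.deletion_date as "Deletion Date",
      a.title as "Account",
      k.account_id as "Account ID",
      k.region as "Region",
      k.arn as "ARN"
    from
      aws_kms_key as k
      inner join aws_account as a
        on a.account_id = k.account_id
    where
      k.key_manager = 'CUSTOMER'
    order by
      k.id;
  EOQ
}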