wearetechnative/terraform-aws-kms

Terraform AWS KMS

This module creates a KMS key (with an alias) that is usable for most scenarios.

Use aws_kms_grant to give principals least-privilege access to this key instead of widening the key policy.

The key policy is fairly open by default. This is due to a limitation in the Terraform aws_kms_grant resource; see the linked issue for the details.

How does it work

Generally you only set var.name. Use var.resource_policy_additions only for a service or resource that cannot access the key through grants; using it is otherwise not recommended, because every statement added there widens the key policy for all callers rather than for one grantee. Until this can be solved with aws_kms_grant as well, the module includes the common AWS services in the key policy by default. Please UPVOTE the linked issue.
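The pattern described above, as an added example that is not part of the module's own README or examples: the module creates the key, and a consumer gets only the operations it needs through an aws_kms_grant, leaving var.resource_policy_additions unset. The module source reference, the consumer role name "app-worker" and the encryption-context key/value are assumptions for illustration.

```hcl
# Added example, not the module's own code. Assumed: the source string,
# the consumer role "app-worker" and the encryption context below.

module "kms" {
  # Assumed module source; pin it to a release tag in real use.
  source = "github.com/wearetechnative/terraform-aws-kms"

  name = "app-data"
  # Defaults left in place: guarded_role_access = true,
  # role_access = ["OrganizationAccountAccessRole"],
  # resource_policy_additions = null (key policy not widened).
}

# Assumed consumer role that must decrypt data protected by this key.
data "aws_iam_role" "app_worker" {
  name = "app-worker"
}

# Least-privilege access: one principal, only the operations it needs,
# and only for ciphertext carrying the expected encryption context.
# A grant does not change the key policy at all.
resource "aws_kms_grant" "app_worker" {
  name              = "app-worker-decrypt"
  key_id            = module.kms.kms_key_arn
  grantee_principal = data.aws_iam_role.app_worker.arn

  operations = ["Decrypt", "GenerateDataKey"]

  constraints {
    encryption_context_equals = {
      "app" = "app-data"
    }
  }
}

output "kms_key_arn" {
  value = module.kms.kms_key_arn
}
```

Two checks worth doing after apply: the identity Terraform runs as must itself be allowed kms:CreateGrant on the key (the default key policy admits the roles listed in var.role_access and the guarded devops roles, so run Terraform as one of those), and grants are not visible in `aws kms get-key-policy`; confirm them with `aws kms list-grants --key-id <key ARN>`.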

Examples

See the examples directory for how to use this module:

  • with_extra_iam_user_additions, if you want to give IAM users explicit access

Providers

| Name | Version |
|------|---------|
| aws  | >=4.8.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_kms_alias.this | resource |
| aws_kms_key.this | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.access_role | data source |
| aws_iam_policy_document.guarded_roles | data source |
| aws_iam_policy_document.kms_policy | data source |
| aws_iam_policy_document.kms_standard_policy | data source |
| aws_iam_role.kms_access_role | data source |
| aws_partition.current | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| guarded_role_access | When true (the default), adds a policy statement that allows access to any principal whose principal tag landing_zone_usertype has the value devops_administrator. Tags starting with landing_zone_ are a guarded feature of our landing zone and can only be set from the management account, so such compliant roles are always able to access any KMS key created by this module. | bool | true | no |
| name | Unique name for the KMS key and its alias. | string | n/a | yes |
| resource_policy_additions | Additional IAM policy statements for the key policy, in Terraform object notation. | any | null | no |
| role_access | Names of roles that get regular access to the key. Kept explicit for compatibility during the move to var.guarded_role_access. | list(string) | ["OrganizationAccountAccessRole"] | no |

Outputs

| Name | Description |
|------|-------------|
| kms_key_arn | ARN of the created KMS key |