Example shared encrypted parameter store parameter

Example Shared Encrypted Parameter

This example creates a KMS-encrypted SecureString parameter (Advanced tier, which is required for sharing) and shares it read-only with every account in your AWS organization through AWS RAM. The KMS key policy grants principals in the organization decrypt access so consuming accounts can read the value. Note that the parameter value is stored in plaintext in Terraform state, so the state backend must be protected accordingly.

Requirements

No requirements.

Providers

Name Version
aws 5.46.0

Modules

No modules.

Resources

Name Type
aws_kms_alias.example resource
aws_kms_key.example resource
aws_kms_key_policy.example resource
aws_ram_principal_association.parameter resource
aws_ram_resource_association.parameter resource
aws_ram_resource_share.parameter resource
aws_ssm_parameter.example resource
aws_caller_identity.current data source
aws_organizations_organization.current data source

Inputs

No inputs.

Outputs

Name Description
parameter_arn n/a
# Tyler Wengerd
# DoiT International
# See README.md for the inputs/outputs table. This example declares no input variables;
# the parameter value below is a hard-coded placeholder, not a real secret.
# Identity of the account running Terraform. This account owns the KMS key and the
# parameter and is the admin principal in the key policy.
data "aws_caller_identity" "current" {}

# The organization the owning account belongs to. Its ID scopes the key policy and its
# ARN is the principal the RAM share is associated with.
data "aws_organizations_organization" "current" {}

locals {
  # Owning account ID, used as the "root" admin principal in the key policy.
  account_id = data.aws_caller_identity.current.account_id

  # Organization ID (o-xxxxxxxxxx) for the aws:PrincipalOrgID condition.
  org_id = data.aws_organizations_organization.current.id
}
# The shared secret itself: an Advanced-tier SecureString encrypted with the
# customer-managed key declared below.
resource "aws_ssm_parameter" "example" {
  name        = "DoiT_example_parameter"
  description = "Example of a shared parameter store parameter"

  # Standard-tier parameters cannot be shared through RAM; Advanced is mandatory.
  tier = "Advanced"
  type = "SecureString"

  # A customer-managed key is needed so its policy can grant other accounts decrypt
  # access (the AWS-managed aws/ssm key cannot be shared cross-account).
  # NOTE(review): consider referencing aws_kms_key.example.arn instead of key_id so
  # the key is resolved unambiguously from consuming accounts -- confirm against the
  # SSM shared-parameter documentation before changing.
  key_id = aws_kms_key.example.key_id

  # SECURITY: placeholder only. Do not commit a real secret here -- it lands in VCS and
  # in Terraform state. Supply it via a variable marked `sensitive = true` (or set the
  # value outside Terraform); even then `value` is persisted in plaintext in state, so
  # the state backend must be encrypted and access-controlled.
  value = "CorrectHorseBatteryStaple"

  tags = {
    environment = "example"
  }
}
# Human-readable alias for the key. Aliases are account- and region-scoped, so this
# name is only meaningful inside the owning account; consumers use the key ARN.
resource "aws_kms_alias" "example" {
  target_key_id = aws_kms_key.example.key_id
  name          = "alias/doit-example-parameter-key"
}
# Customer-managed symmetric key that encrypts the shared parameter.
# The key policy is attached separately via aws_kms_key_policy so the key and its
# policy can be managed independently.
resource "aws_kms_key" "example" {
  description = "KMS Key for example shared parameter"

  # Symmetric encrypt/decrypt key; SSM SecureString parameters require this usage.
  key_usage                = "ENCRYPT_DECRYPT"
  customer_master_key_spec = "SYMMETRIC_DEFAULT"

  # Single-region key; the parameter and its consumers resolve it by ARN in this region.
  multi_region = false

  # Automatic key-material rotation; existing ciphertext stays decryptable.
  enable_key_rotation = true

  # deletion_window_in_days is left at the provider default.
}
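# Key policy for the shared-parameter key.
#
# Least-privilege split (the original granted Encrypt/ReEncrypt/GenerateDataKey to the
# whole organization):
#   1. Owning account root keeps full control; individual principals in this account get
#      their KMS access through IAM policies (standard pattern, also prevents lockout).
#   2. Principals in the OWNING account may encrypt/re-encrypt/generate data keys, which
#      is what SSM needs when this stack creates or updates the SecureString.
#   3. Principals anywhere in the ORGANIZATION may only Decrypt/DescribeKey, which is all
#      a read-only consumer of the shared parameter needs.
#
# Cross-account callers must additionally be allowed kms:Decrypt on this key by an IAM
# policy in their own account (resource policy and identity policy are both evaluated
# for cross-account access).
#
# NOTE(review): statement 3 lets any org principal call kms:Decrypt directly, not only
# through SSM. Adding a "kms:ViaService": "ssm.<region>.amazonaws.com" condition would
# restrict it further; it needs the region, which this file does not read.
resource "aws_kms_key_policy" "example" {
  key_id = aws_kms_key.example.key_id

  policy = <<-EOT
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::${local.account_id}:root"
        },
        "Action": "kms:*",
        "Resource": "*"
      },
      {
        "Sid": "Allow owning account to encrypt with the key",
        "Effect": "Allow",
        "Principal": "*",
        "Action": [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey"
        ],
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "aws:PrincipalAccount": "${local.account_id}"
          }
        }
      },
      {
        "Sid": "Allow read-only decryption within the organization",
        "Effect": "Allow",
        "Principal": "*",
        "Action": [
          "kms:Decrypt",
          "kms:DescribeKey"
        ],
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "aws:PrincipalOrgID": "${local.org_id}"
          }
        }
      }
    ]
  }
  EOT
}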
# If apply fails with "Organization o-xxxxxxxxx could not be found" or
# "OperationNotPermittedException: The resource you are attempting to share can only be shared
# within your AWS Organization", resource sharing with AWS Organizations has not yet been
# enabled in RAM. This is a one-time setting, enabled from the organization's management account.
# See https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs
# RAM share carrying the parameter. Consumers get the AWS-managed read-only SSM
# parameter permission, so they can GetParameter but not modify or delete it.
resource "aws_ram_resource_share" "parameter" {
  name = "DoiT-example-shared-parameter"

  # Explicitly the default: the share can only be associated with principals inside
  # this organization, never with arbitrary external accounts.
  allow_external_principals = false

  permission_arns = [
    "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSSMParameterReadOnly",
  ]
}
# Share with the entire organization. To narrow the blast radius, this principal could
# be an OU ARN or a specific account ID instead of the organization ARN; the KMS key
# policy's aws:PrincipalOrgID condition would then be the wider of the two grants.
resource "aws_ram_principal_association" "parameter" {
  resource_share_arn = aws_ram_resource_share.parameter.arn
  principal          = data.aws_organizations_organization.current.arn
}
# Attach the SecureString parameter to the share. Only the parameter is shared; the KMS
# key is not a RAM-shareable resource, which is why its key policy grants the org access.
resource "aws_ram_resource_association" "parameter" {
  resource_share_arn = aws_ram_resource_share.parameter.arn
  resource_arn       = aws_ssm_parameter.example.arn
}
# Full ARN of the shared parameter. Consuming accounts must reference shared parameters
# by ARN (not by name), so this is the value to hand to them.
output "parameter_arn" {
  description = "ARN of the shared SecureString parameter; consumers read it by this ARN"
  value       = aws_ssm_parameter.example.arn
}