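# Customer-managed KMS key holding the cluster's internal authentication
# material. No `policy` argument is set, so AWS applies its default key policy
# (account root has full access), which delegates fine-grained access control
# to the IAM policies defined below.
resource "aws_kms_key" "key" {
  description = "${var.cluster_name} internal authentication key"

  # Enable annual automatic rotation of the backing key material. Ciphertext
  # produced under earlier key versions stays decryptable, so rotation is
  # transparent to consumers of the data keys.
  enable_key_rotation = true
}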
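# Policy document granting only kms:GenerateDataKey on the cluster key. It is
# kept separate from the decrypt grant so that principals that produce
# encrypted material do not automatically gain the ability to read it back.
data "aws_iam_policy_document" "generate_data_key_permissions" {
  statement {
    effect  = "Allow"
    actions = ["kms:GenerateDataKey"]

    # Plain reference instead of the legacy "${...}" interpolation-only form,
    # which Terraform 0.12+ (already in use here: `type = string`) warns about.
    resources = [aws_kms_key.key.arn]
  }
}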
# Managed IAM policy wrapping the GenerateDataKey document. Its ARN is exported
# as kms_generate_data_key_policy_arn so callers can attach it to the roles that
# create data keys.
resource "aws_iam_policy" "generate_data_key_permissions" {
  name        = "${var.cluster_name}-generate-data-key-policy"
  description = "allow kms:GenerateDataKey"
  path        = "/"
  policy      = data.aws_iam_policy_document.generate_data_key_permissions.json
}
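# Policy document granting only kms:Decrypt on the cluster key.
#
# NOTE(review): the statement is unconditional, so any principal holding the
# resulting policy can decrypt every ciphertext produced under this key. If the
# data keys are generated with an encryption context, a
# `kms:EncryptionContext:<name>` condition would narrow this to the intended
# callers — verify against how the data keys are actually requested.
data "aws_iam_policy_document" "decrypt_permissions" {
  statement {
    effect  = "Allow"
    actions = ["kms:Decrypt"]

    # Plain reference instead of the legacy "${...}" interpolation-only form,
    # which Terraform 0.12+ (already in use here: `type = string`) warns about.
    resources = [aws_kms_key.key.arn]
  }
}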
# Managed IAM policy wrapping the Decrypt document. Its ARN is exported as
# kms_decrypt_policy_arn so callers can attach it to the roles that consume
# data keys. (The data source it reads is named decrypt_permissions, not
# decrypt_data_key_permissions, so the two names intentionally differ.)
resource "aws_iam_policy" "decrypt_data_key_permissions" {
  name        = "${var.cluster_name}-decrypt-data-key-policy"
  description = "allow kms:Decrypt"
  path        = "/"
  policy      = data.aws_iam_policy_document.decrypt_permissions.json
}
# ARN of the cluster key, for callers that need to reference it directly
# (e.g. in their own policy documents).
output "kms_key_arn" {
  value = aws_kms_key.key.arn
}
# ARN of the managed policy that grants kms:GenerateDataKey on the cluster key;
# attach it to principals that create data keys.
output "kms_generate_data_key_policy_arn" {
  value = aws_iam_policy.generate_data_key_permissions.arn
}
# ARN of the managed policy that grants kms:Decrypt on the cluster key; attach
# it to principals that consume data keys.
output "kms_decrypt_policy_arn" {
  value = aws_iam_policy.decrypt_data_key_permissions.arn
}
# Root/example provider configuration pinned to a single region. KMS keys are
# regional, so the key created by the module below lives in this region.
provider "aws" {
  region = "us-east-2"
}
# Instantiates the kms module for a cluster named "test1". The module's
# outputs are then reachable as module.kms.kms_key_arn,
# module.kms.kms_generate_data_key_policy_arn and module.kms.kms_decrypt_policy_arn.
module "kms" {
  source       = "../../modules/kms"
  cluster_name = "test1"
}
# Cluster identifier; used to label the key and to derive the IAM policy names.
# It is a required input (no default), so every module instance must set it.
variable "cluster_name" {
  type        = string
  description = "the cluster this key belongs to"
}