feat: Adding Key Service Principals (#6)
Co-authored-by: Anton Babenko <[email protected]>
zestrells and antonbabenko authored Oct 14, 2022
1 parent b026981 commit 4841f28
Showing 6 changed files with 40 additions and 1 deletion.
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.74.1
rev: v1.76.0
hooks:
- id: terraform_fmt
- id: terraform_validate
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -195,6 +195,7 @@ No modules.
| <a name="input_key_hmac_users"></a> [key\_hmac\_users](#input\_key\_hmac\_users) | A list of IAM ARNs for [key HMAC users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-users-crypto) | `list(string)` | `[]` | no |
| <a name="input_key_material_base64"></a> [key\_material\_base64](#input\_key\_material\_base64) | Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. External key only | `string` | `null` | no |
| <a name="input_key_owners"></a> [key\_owners](#input\_key\_owners) | A list of IAM ARNs for those who will have full key permissions (`kms:*`) | `list(string)` | `[]` | no |
| <a name="input_key_service_principals"></a> [key\_service\_principals](#input\_key\_service\_principals) | A map of IAM Services for [key principals](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-services.html) | `map(any)` | `{}` | no |
| <a name="input_key_service_users"></a> [key\_service\_users](#input\_key\_service\_users) | A list of IAM ARNs for [key service users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-service-integration) | `list(string)` | `[]` | no |
| <a name="input_key_symmetric_encryption_users"></a> [key\_symmetric\_encryption\_users](#input\_key\_symmetric\_encryption\_users) | A list of IAM ARNs for [key symmetric encryption users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-users-crypto) | `list(string)` | `[]` | no |
| <a name="input_key_usage"></a> [key\_usage](#input\_key\_usage) | Specifies the intended use of the key. Valid values: `ENCRYPT_DECRYPT` or `SIGN_VERIFY`. Defaults to `ENCRYPT_DECRYPT` | `string` | `null` | no |
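Review bot: the new `key_service_principals` row gives the type as `map(any)` but does not say what shape each map value must have; from the main.tf and examples/complete/main.tf changes in this commit a value needs `sid`, `actions`, `resources` and `principals` keys. Suggest listing those keys in the description (and noting that `principals` holds service principal names such as `logs.<region>.amazonaws.com`, not IAM ARNs) so users do not have to read main.tf to find out what the module dereferences.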
1 change: 1 addition & 0 deletions examples/complete/README.md
Expand Up @@ -48,6 +48,7 @@ Note that this example may create resources which will incur monetary charges on
|------|------|
| [aws_iam_role.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |

## Inputs

16 changes: 16 additions & 0 deletions examples/complete/main.tf
Expand Up @@ -16,6 +16,8 @@ locals {

data "aws_caller_identity" "current" {}

data "aws_region" "current" {}

################################################################################
# KMS Module
################################################################################
Expand All @@ -40,6 +42,20 @@ module "kms_complete" {
key_hmac_users = [local.current_identity]
key_asymmetric_public_encryption_users = [local.current_identity]
key_asymmetric_sign_verify_users = [local.current_identity]
key_service_principals = {
"aws-logs" = {
sid = "aws-logs"
actions = [
"kms:Encrypt*",
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
]
resources = ["*"]
principals = ["logs.${data.aws_region.current.name}.amazonaws.com"]
}
}

# Aliases
aliases = ["one", "foo/bar"]
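Review bot: the `aws-logs` statement grants the CloudWatch Logs service principal `kms:Encrypt*`, `kms:Decrypt*`, `kms:ReEncrypt*`, `kms:GenerateDataKey*` and `kms:Describe*` on `resources = ["*"]` with no condition, so the service can use this key on behalf of any log group that references it, not only the ones this example owns. The variable schema added in this commit has no `condition` key, so the example cannot tighten that; once the module supports conditions, the example should scope the grant (AWS recommends restricting service grants with an encryption-context condition on the log group ARN). Minor: `sid = "aws-logs"` repeats the map key, which the module could use as the default.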
15 changes: 15 additions & 0 deletions main.tf
Expand Up @@ -242,6 +242,21 @@ data "aws_iam_policy_document" "this" {
}
}
}

dynamic "statement" {
for_each = var.key_service_principals

content {
sid = statement.value.sid
actions = statement.value.actions
resources = statement.value.resources

principals {
type = "Service"
identifiers = statement.value.principals
}
}
}
}

################################################################################
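Review bot: the new `dynamic "statement"` block dereferences `statement.value.sid`, `.actions`, `.resources` and `.principals` from a `map(any)` value and offers no `condition` block, so a service principal granted through this path cannot be constrained by encryption context or source account, which is how AWS recommends limiting service grants. Suggest an optional nested `dynamic "condition"` (test/variable/values) alongside `principals`. Also, `sid` is entirely user-supplied: two map entries with the same `sid`, or one that collides with the module's existing statement IDs, produce a policy AWS rejects at apply time because statement IDs must be unique. Defaulting it with `lookup(statement.value, "sid", statement.key)` would avoid the common case.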
6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -110,6 +110,12 @@ variable "key_users" {
default = []
}

variable "key_service_principals" {
description = "A map of IAM Services for [key principals](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-services.html)"
type = map(any)
default = {}
}

variable "key_service_users" {
description = "A list of IAM ARNs for [key service users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-service-integration)"
type = list(string)
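Review bot: `type = map(any)` on `key_service_principals` gives no plan-time check that each entry carries the `sid`, `actions`, `resources` and `principals` keys that main.tf dereferences; a missing or misspelled key only surfaces when the policy document is evaluated. Suggest `map(object({ sid = string, actions = list(string), resources = list(string), principals = list(string) }))`, using `optional()` for any key you want to default, so bad input fails at `terraform validate`. The description should also say these are AWS service principals rather than "IAM Services".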

0 comments on commit 4841f28
