terraform.aws-baseline-infra/modules/storage/aws-backup/kms-key.tf

data "aws_caller_identity" "this" {}

resource "aws_kms_key" "ab-kms-key" {
  description             = "KMS key for aws backup"
  deletion_window_in_days = 10
  policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Id" : "awsbackup-service",
      "Statement" : [
        {
          "Sid" : "Enable IAM User Permissions",
          "Effect" : "Allow",
          "Principal" : {
            "AWS" : "arn:aws:iam::${data.aws_caller_identity.this.id}:root"
          },
          "Action" : "kms:*",
          "Resource" : "*"
        },
        {
          "Sid" : "Allow attachment of persistent resources",
          "Effect" : "Allow",
          "Principal" : "*",
          "Action" : [
            "kms:CreateGrant",
            "kms:ListGrants",
            "kms:RevokeGrant"
          ],
          "Resource" : "*",
          "Condition" : {
            "Bool" : {
              "kms:GrantIsForAWSResource" : "true"
            }
          }
        }
      ]
  })
}

resource "aws_kms_alias" "ab-kms-key-alias" {
  name          = "alias/awsbackup-kms-key"
  target_key_id = aws_kms_key.ab-kms-key.id
}
UPD: updated awsbackup module 2024-04-29 14:25:25 +08:00			`data "aws_caller_identity" "this" {}`
NEW: aws backup 2022-09-06 11:41:06 +08:00
			`resource "aws_kms_key" "ab-kms-key" {`
			`description = "KMS key for aws backup"`
			`deletion_window_in_days = 10`
UPD: updated awsbackup module 2024-04-29 14:25:25 +08:00			`policy = jsonencode(`
			`{`
			`"Version" : "2012-10-17",`
			`"Id" : "awsbackup-service",`
			`"Statement" : [`
NEW: aws backup 2022-09-06 11:41:06 +08:00			`{`
UPD: updated awsbackup module 2024-04-29 14:25:25 +08:00			`"Sid" : "Enable IAM User Permissions",`
			`"Effect" : "Allow",`
			`"Principal" : {`
			`"AWS" : "arn:aws:iam::${data.aws_caller_identity.this.id}:root"`
			`},`
			`"Action" : "kms:*",`
			`"Resource" : "*"`
NEW: aws backup 2022-09-06 11:41:06 +08:00			`},`
			`{`
UPD: updated awsbackup module 2024-04-29 14:25:25 +08:00			`"Sid" : "Allow attachment of persistent resources",`
			`"Effect" : "Allow",`
			`"Principal" : "*",`
			`"Action" : [`
			`"kms:CreateGrant",`
			`"kms:ListGrants",`
			`"kms:RevokeGrant"`
			`],`
			`"Resource" : "*",`
			`"Condition" : {`
			`"Bool" : {`
			`"kms:GrantIsForAWSResource" : "true"`
NEW: aws backup 2022-09-06 11:41:06 +08:00			`}`
UPD: updated awsbackup module 2024-04-29 14:25:25 +08:00			`}`
NEW: aws backup 2022-09-06 11:41:06 +08:00			`}`
UPD: updated awsbackup module 2024-04-29 14:25:25 +08:00			`]`
			`})`
NEW: aws backup 2022-09-06 11:41:06 +08:00			`}`

			`resource "aws_kms_alias" "ab-kms-key-alias" {`
			`name = "alias/awsbackup-kms-key"`
			`target_key_id = aws_kms_key.ab-kms-key.id`
			`}`