terraform.aws-baseline-infra/modules/storage/aws-backup/kms-key.tf

data aws_caller_identity this {}

resource "aws_kms_key" "ab-kms-key" {
  description             = "KMS key for aws backup"
  deletion_window_in_days = 10
  tags = var.default-tags
  policy = <<EOD
{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::${data.aws_caller_identity.this.id}:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        },
        {
            "Sid": "Allow use of the KMS key for organization",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:ReEncrypt*",
                "kms:GetKeyPolicy",
                "kms:CreateGrant",
                "kms:GenerateDataKey*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "${var.aws-org-id}"
                }
            }
        }
    ]
}
EOD
}

resource "aws_kms_alias" "ab-kms-key-alias" {
  name          = "alias/awsbackup-kms-key"
  target_key_id = aws_kms_key.ab-kms-key.id
}
NEW: aws backup 2022-09-06 11:41:06 +08:00			`data aws_caller_identity this {}`

			`resource "aws_kms_key" "ab-kms-key" {`
			`description = "KMS key for aws backup"`
			`deletion_window_in_days = 10`
			`tags = var.default-tags`
			`policy = <<EOD`
			`{`
			`"Version": "2012-10-17",`
			`"Id": "key-consolepolicy-3",`
			`"Statement": [`
			`{`
			`"Sid": "Enable IAM User Permissions",`
			`"Effect": "Allow",`
			`"Principal": {`
			`"AWS": "arn:aws:iam::${data.aws_caller_identity.this.id}:root"`
			`},`
			`"Action": "kms:*",`
			`"Resource": "*"`
			`},`
			`{`
			`"Sid": "Allow attachment of persistent resources",`
			`"Effect": "Allow",`
			`"Principal": "*",`
			`"Action": [`
			`"kms:CreateGrant",`
			`"kms:ListGrants",`
			`"kms:RevokeGrant"`
			`],`
			`"Resource": "*",`
			`"Condition": {`
			`"Bool": {`
			`"kms:GrantIsForAWSResource": "true"`
			`}`
			`}`
			`},`
			`{`
			`"Sid": "Allow use of the KMS key for organization",`
			`"Effect": "Allow",`
			`"Principal": {`
			`"AWS": "*"`
			`},`
			`"Action": [`
			`"kms:Decrypt",`
			`"kms:DescribeKey",`
			`"kms:Encrypt",`
			`"kms:ReEncrypt*",`
			`"kms:GetKeyPolicy",`
			`"kms:CreateGrant",`
			`"kms:GenerateDataKey*"`
			`],`
			`"Resource": "*",`
			`"Condition": {`
			`"StringEquals": {`
			`"aws:PrincipalOrgID": "${var.aws-org-id}"`
			`}`
			`}`
			`}`
			`]`
			`}`
			`EOD`
			`}`

			`resource "aws_kms_alias" "ab-kms-key-alias" {`
			`name = "alias/awsbackup-kms-key"`
			`target_key_id = aws_kms_key.ab-kms-key.id`
			`}`