70 lines
1.5 KiB
HCL
70 lines
1.5 KiB
HCL
resource "aws_kms_key" "ctbucket-key" {
|
|
deletion_window_in_days = 7
|
|
tags = var.default-tags
|
|
policy = data.aws_iam_policy_document.key-policy.json
|
|
enable_key_rotation = true
|
|
}
|
|
|
|
resource "aws_kms_alias" ctbucket-key-aliaas {
|
|
name = "alias/${var.resource-prefix}-kmskey-default"
|
|
target_key_id = aws_kms_key.ctbucket-key.key_id
|
|
}
|
|
|
|
# https://gist.github.com/shortjared/4c1e3fe52bdfa47522cfe5b41e5d6f22
|
|
data "aws_iam_policy_document" "key-policy" {
|
|
statement {
|
|
sid = "Key usage by aws services"
|
|
principals {
|
|
identifiers = [
|
|
"autoscaling.amazonaws.com",
|
|
"cloudtrail.amazonaws.com",
|
|
"eks.amazonaws.com",
|
|
"eks-nodegroup.amazonaws.com",
|
|
"guardduty.amazonaws.com",
|
|
"delivery.logs.amazonaws.com",
|
|
"sns.amazonaws.com",
|
|
"sqs.amazonaws.com",
|
|
"lambda.amazonaws.com",
|
|
"backup.amazonaws.com",
|
|
"events.amazonaws.com",
|
|
"cloudwatch.amazonaws.com",
|
|
"s3.amazonaws.com",
|
|
"logs.amazonaws.com"
|
|
]
|
|
type = "Service"
|
|
}
|
|
|
|
actions = [
|
|
"kms:Encrypt",
|
|
"kms:Decrypt",
|
|
"kms:ReEncrypt*",
|
|
"kms:GenerateDataKey*",
|
|
"kms:DescribeKey"
|
|
]
|
|
|
|
resources = [
|
|
"*"
|
|
]
|
|
|
|
effect = "Allow"
|
|
}
|
|
|
|
statement {
|
|
sid = "Key administrator"
|
|
actions = [
|
|
"kms:*"
|
|
]
|
|
|
|
resources = [
|
|
"*"
|
|
]
|
|
|
|
principals {
|
|
type = "AWS"
|
|
identifiers = [data.aws_caller_identity.this.account_id]
|
|
}
|
|
|
|
effect = "Allow"
|
|
}
|
|
}
|