

Merge pull request #6 from vistaprint/fix/rotate-kms-key
Fix KMS key issues
betabandido authored Sep 28, 2021
2 parents 5344064 + 506821f commit cb9927c
Showing 3 changed files with 52 additions and 63 deletions.
107 changes: 48 additions & 59 deletions kms-key.tf
@@ -1,71 +1,60 @@
data "aws_caller_identity" "current" {}

resource "aws_kms_key" "ebs_encryption_key" {
count = var.encrypt_ebs ? 1 : 0

description = "Encryption Key for EBS volumes"
deletion_window_in_days = 7
enable_key_rotation = true

policy = jsonencode({
"Version": "2012-10-17",
"Id": "auto-ebs-2",
"Statement": [
{
"Sid": "Allow access through EBS for all principals in the account that are authorized to use EBS",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:CreateGrant",
"kms:DescribeKey"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:CallerAccount": data.aws_caller_identity.current.account_id,
"kms:ViaService": "ec2.eu-west-1.amazonaws.com"
}
}
"Version" : "2012-10-17",
"Id" : "auto-ebs-2",
"Statement" : [
{
"Sid" : "Allow access through EBS for all principals in the account that are authorized to use EBS",
"Effect" : "Allow",
"Principal" : {
"AWS" : "*"
},
{
"Sid": "Allow administration of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow direct access to key metadata to the account",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
},
"Action": [
"kms:Describe*",
"kms:Get*",
"kms:List*",
"kms:RevokeGrant"
],
"Resource": "*"
"Action" : [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:CreateGrant",
"kms:DescribeKey"
],
"Resource" : "*",
"Condition" : {
"StringEquals" : {
"kms:CallerAccount" : data.aws_caller_identity.current.account_id,
"kms:ViaService" : "ec2.${var.region}.amazonaws.com"
}
}
},
{
"Sid" : "Allow administration of the key",
"Effect" : "Allow",
"Principal" : {
"AWS" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
},
"Action" : [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource" : "*"
}
]
})
}
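Review bot: With `count = var.encrypt_ebs ? 1 : 0` the key's existence is now tied to a variable, so flipping `encrypt_ebs` to false (or a destroy) schedules the key for deletion, and `deletion_window_in_days = 7` is the shortest recovery window KMS allows; any EBS volume or snapshot already encrypted under it becomes unreadable once that window lapses. Consider guarding the resource with `lifecycle { prevent_destroy = true }` and/or raising the window toward the 30-day maximum, and stating the consequence in a comment above `count`, e.g. `# Setting encrypt_ebs = false destroys this key; data encrypted with it is unrecoverable after the deletion window.`. The new `ec2.${var.region}.amazonaws.com` condition assumes `var.region` matches the region the provider actually deploys into, which cannot be confirmed from this diff. Most of the other lines (e.g. `"Version" : "2012-10-17"`) differ from the removed ones only in spacing, which buries the substantive changes — the region fix and the dropped "Allow direct access to key metadata" statement — and a separate formatting commit would keep the history reviewable.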
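--- a/launch-template.tf
+++ b/launch-template.tf
@@ -24,7 +24,7 @@ resource "aws_launch_template" "worker_nodes" {
 volume_type = var.volume_type
 delete_on_termination = true
 encrypted = var.encrypt_ebs
-kms_key_id = var.encrypt_ebs ? aws_kms_key.ebs_encryption_key.arn : null
+kms_key_id = var.encrypt_ebs ? aws_kms_key.ebs_encryption_key[0].arn : null
 }
 }
 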
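Review bot: The new `[0]` index on `aws_kms_key.ebs_encryption_key[0].arn` silently couples this line to the `count` declared on the key resource in kms-key.tf; a short comment would spare the next reader the lookup, e.g. `# ebs_encryption_key uses count, so it is a list; indexing is safe because both sides key off var.encrypt_ebs`. If the module's required Terraform version permits it, `one(aws_kms_key.ebs_encryption_key).arn` expresses the zero-or-one intent without a bare index, but the versions.tf shown in this commit declares no `required_version`, so that cannot be confirmed here. The enclosing `resource "aws_launch_template" "worker_nodes"` block starts before this hunk.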
6 changes: 3 additions & 3 deletions versions.tf
@@ -1,12 +1,12 @@
terraform {
required_providers {
helm = {
source = "hashicorp/helm"
source = "hashicorp/helm"
version = "~> 2.0"
}
kubernetes = {
source = "hashicorp/kubernetes"
source = "hashicorp/kubernetes"
version = "~> 1.13"
}
}
}
}
