CCL-438 add aws_kms_alias and aws_kms_key_policy (#178)

* CCL-438 add aws_kms_alias and aws_kms_key_policy * CCL-438 add s3 bucket id to alias * CCL-438 changed alias name to name_prefix * CCL-438 changed alias name to name_prefix * CCL-438 changed alias name to name_prefix * CCL-438 using alias name
UKHomeOffice · Sep 12, 2024 · 2591afe · 2591afe
1 parent 03da152
commit 2591afe
Showing 1 changed file with 38 additions and 35 deletions.
diff --git a/modules/products/static-site/kms.tf b/modules/products/static-site/kms.tf
@@ -3,43 +3,46 @@ resource "aws_kms_key" "static_site_kms" {
   tags                = local.common_tags
 }
 
-resource "aws_kms_key_policy" "static_site_kms_policy" {  
-  key_id = aws_kms_key.static_site_kms.id  
+
+resource "aws_kms_key_policy" "static_site_kms_policy" {
+key_id = aws_kms_key.static_site_kms.id
   policy = jsonencode({
-    Version = "2012-10-17"
-    Id = "static_site_kms_policy"
-    Statement = [
-      {
-        Sid      = "EnableIAMUserPermissions"
-        Action   = "kms:*"
-        Effect   = "Allow"
-        Principal = {
-          AWS = "arn:aws:iam::${local.account_id}:root"
+    "Version": "2012-10-17",
+    "Id": "static_site_kms_policy",
+    "Statement": [
+        {
+            "Sid": "EnableIAMUserPermissions",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:iam::${local.account_id}:root"
+            },
+            "Action": "kms:*",
+            "Resource": "*"
+        },
+        {
+            "Sid": "CloudFrontServiceKmsPolicyKey",
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "cloudfront.amazonaws.com"
+            },
+            "Action": [
+                "kms:Decrypt",
+                "kms:Encrypt",
+                "kms:GenerateDataKey*"
+            ],
+            "Resource": "*",
+            "Condition": {
+                "StringEquals": {
+                    "aws:SourceArn": "aws_cloudfront_distribution.static_site_distribution.arn"
+                }
+            }
         }
-        Resource = ["*"]     
-      },
     ]
-    Statement = [
-      {
-        Sid      = "CloudFrontServiceKmsPolicy"
-        Action = [
-          "kms:Decrypt",
-          "kms:Encrypt",
-          "kms:GenerateDataKey*"
-        ]
-        Effect = "Allow"
-        Principal = {
-          type        = "Service"
-          identifiers = ["cloudfront.amazonaws.com"]
-        }
-        Resource = ["*"]  
-        condition = {
-            test     = "StringEquals"
-            variable = "aws:SourceArn"
-            values   = [aws_cloudfront_distribution.static_site_distribution.arn]
-          }
-      },
-    ]    
-  })
+})
+}
+
+resource "aws_kms_alias" "static_site_kms_alias" {
+  name        = "alias/static_site/${aws_s3_bucket.static_site.id}"
+  target_key_id = aws_kms_key.static_site_kms.key_id
 }