Added policy for kms (#8)
* Added policy for kms

* Added default policy

* Format code
goruha authored Aug 5, 2019
1 parent a710cf2 commit 24629c1
Showing 5 changed files with 123 additions and 27 deletions.
114 changes: 89 additions & 25 deletions README.md
@@ -1,6 +1,7 @@
<!-- This file was automatically generated by the `build-harness`. Make all changes to `README.yaml` and run `make readme` to rebuild this file. -->
[![README Header][readme_header_img]][readme_header_link]

[![Cloud Posse](https://cloudposse.com/logo-300x69.svg)](https://cloudposse.com)
[![Cloud Posse][logo]](https://cpco.io/homepage)

# terraform-aws-kms-key [![Build Status](https://travis-ci.org/cloudposse/terraform-aws-kms-key.svg?branch=master)](https://travis-ci.org/cloudposse/terraform-aws-kms-key) [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-kms-key.svg)](https://github.com/cloudposse/terraform-aws-kms-key/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com)

Expand All @@ -15,7 +16,17 @@ Can be used with [chamber](https://github.com/segmentio/chamber) for managing se

---

This project is part of our comprehensive ["SweetOps"](https://docs.cloudposse.com) approach towards DevOps.
This project is part of our comprehensive ["SweetOps"](https://cpco.io/sweetops) approach towards DevOps.
[<img align="right" title="Share via Email" src="https://docs.cloudposse.com/images/ionicons/ios-email-outline-2.0.1-16x16-999999.svg"/>][share_email]
[<img align="right" title="Share on Google+" src="https://docs.cloudposse.com/images/ionicons/social-googleplus-outline-2.0.1-16x16-999999.svg" />][share_googleplus]
[<img align="right" title="Share on Facebook" src="https://docs.cloudposse.com/images/ionicons/social-facebook-outline-2.0.1-16x16-999999.svg" />][share_facebook]
[<img align="right" title="Share on Reddit" src="https://docs.cloudposse.com/images/ionicons/social-reddit-outline-2.0.1-16x16-999999.svg" />][share_reddit]
[<img align="right" title="Share on LinkedIn" src="https://docs.cloudposse.com/images/ionicons/social-linkedin-outline-2.0.1-16x16-999999.svg" />][share_linkedin]
[<img align="right" title="Share on Twitter" src="https://docs.cloudposse.com/images/ionicons/social-twitter-outline-2.0.1-16x16-999999.svg" />][share_twitter]


[![Terraform Open Source Modules](https://docs.cloudposse.com/images/terraform-open-source-modules.svg)][terraform_modules]



It's 100% Open Source and licensed under the [APACHE2](LICENSE).
Expand All @@ -26,11 +37,21 @@ It's 100% Open Source and licensed under the [APACHE2](LICENSE).



We literally have [*hundreds of terraform modules*][terraform_modules] that are Open Source and well-maintained. Check them out!







## Usage


**IMPORTANT:** The `master` branch is used in `source` just as an example. In your code, do not pin to `master` because there may be breaking changes between releases.
Instead pin to the release tag (e.g. `?ref=tags/x.y.z`) of one of our [latest releases](https://github.com/cloudposse/terraform-aws-kms-key/releases).


```hcl
module "kms_key" {
source = "git::https://github.com/cloudposse/terraform-aws-kms-key.git?ref=master"
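Review bot: the IMPORTANT note added just above tells readers not to pin to `master`, yet the example `source` immediately below it still uses `?ref=master`, so anyone who copies the block gets exactly the unpinned reference the note warns against; change the example to `?ref=tags/x.y.z` (a real release tag) so the guidance and the example agree. For supply-chain purposes a commit SHA is the stricter pin, since a Git tag can be moved after the fact.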
Expand All @@ -53,12 +74,12 @@ module "kms_key" {
```
Available targets:
help This help screen
help Help screen
help/all Display help for all targets
help/short This help short screen
lint Lint terraform code
```

## Inputs

| Name | Description | Type | Default | Required |
Expand All @@ -71,6 +92,7 @@ Available targets:
| enable_key_rotation | Specifies whether key rotation is enabled | string | `true` | no |
| name | Application or solution name (e.g. `app`) | string | - | yes |
| namespace | Namespace (e.g. `cp` or `cloudposse`) | string | - | yes |
| policy | A valid kms policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. | string | `` | no |
| stage | Stage (e.g. `prod`, `dev`, `staging`) | string | - | yes |
| tags | Additional tags (e.g. map(`BusinessUnit`,`XYZ`) | map | `<map>` | no |
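Review bot: the new `policy` row describes the input as "A valid kms policy JSON document" with an empty default, which reads as though the caller's document becomes the key policy; in `main.tf` of this same commit the document is merged with the module's built-in root-account `kms:*` statement, so the row should say something like "additional statements merged into the key policy alongside the module's default statement" so callers do not expect to be able to restrict the policy below that grant. Since this README is generated by `build-harness` (see the banner at the top of the file), the edit belongs in `docs/terraform.md`, which carries the identical row.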

Expand All @@ -86,6 +108,13 @@ Available targets:



## Share the Love

Like this project? Please give it a ★ on [our GitHub](https://github.com/cloudposse/terraform-aws-kms-key)! (it helps us **a lot**)

Are you using this project or any of our other projects? Consider [leaving a testimonial][testimonial]. =)


## Related Projects

Check out these related projects.
Expand All @@ -102,26 +131,38 @@ Check out these related projects.

File a GitHub [issue](https://github.com/cloudposse/terraform-aws-kms-key/issues), send us an [email][email] or join our [Slack Community][slack].

[![README Commercial Support][readme_commercial_support_img]][readme_commercial_support_link]

## Commercial Support

Work directly with our team of DevOps experts via email, slack, and video conferencing.

We provide [*commercial support*][commercial_support] for all of our [Open Source][github] projects. As a *Dedicated Support* customer, you have access to our team of subject matter experts at a fraction of the cost of a full-time engineer.

[![E-Mail](https://img.shields.io/badge/[email protected])](mailto:[email protected])
[![E-Mail](https://img.shields.io/badge/[email protected])][email]

- **Questions.** We'll use a Shared Slack channel between your team and ours.
- **Troubleshooting.** We'll help you triage why things aren't working.
- **Code Reviews.** We'll review your Pull Requests and provide constructive feedback.
- **Bug Fixes.** We'll rapidly work to fix any bugs in our projects.
- **Build New Terraform Modules.** We'll develop original modules to provision infrastructure.
- **Build New Terraform Modules.** We'll [develop original modules][module_development] to provision infrastructure.
- **Cloud Architecture.** We'll assist with your cloud strategy and design.
- **Implementation.** We'll provide hands-on support to implement our reference architectures.


## Community Forum

Get access to our [Open Source Community Forum][slack] on Slack. It's **FREE** to join for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build *sweet* infrastructure.
## Terraform Module Development

Are you interested in custom Terraform module development? Submit your inquiry using [our form][module_development] today and we'll get back to you ASAP.


## Slack Community

Join our [Open Source Community][slack] on Slack. It's **FREE** for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally *sweet* infrastructure.

## Newsletter

Signup for [our newsletter][newsletter] that covers everything on our technology radar. Receive updates on what we're up to on GitHub as well as awesome new projects we discover.

## Contributing

Expand All @@ -131,7 +172,7 @@ Please use the [issue tracker](https://github.com/cloudposse/terraform-aws-kms-k

### Developing

If you are interested in being a contributor and want to get involved in developing this project or [help out](https://github.com/orgs/cloudposse/projects/3) with our other projects, we would love to hear from you! Shoot us an [email](mailto:[email protected]).
If you are interested in being a contributor and want to get involved in developing this project or [help out](https://cpco.io/help-out) with our other projects, we would love to hear from you! Shoot us an [email][email].

In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.

Expand All @@ -146,7 +187,7 @@ In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.

## Copyright

Copyright © 2017-2018 [Cloud Posse, LLC](https://cloudposse.com)
Copyright © 2017-2019 [Cloud Posse, LLC](https://cpco.io/copyright)



Expand Down Expand Up @@ -187,26 +228,16 @@ All other trademarks referenced herein are the property of their respective owne

## About

This project is maintained and funded by [Cloud Posse, LLC][website]. Like it? Please let us know at <[email protected]>
This project is maintained and funded by [Cloud Posse, LLC][website]. Like it? Please let us know by [leaving a testimonial][testimonial]!

[![Cloud Posse](https://cloudposse.com/logo-300x69.svg)](https://cloudposse.com)
[![Cloud Posse][logo]][website]

We're a [DevOps Professional Services][hire] company based in Los Angeles, CA. We love [Open Source Software](https://github.com/cloudposse/)!
We're a [DevOps Professional Services][hire] company based in Los Angeles, CA. We ❤️ [Open Source Software][we_love_open_source].

We offer paid support on all of our projects.
We offer [paid support][commercial_support] on all of our projects.

Check out [our other projects][github], [apply for a job][jobs], or [hire us][hire] to help with your cloud strategy and implementation.
Check out [our other projects][github], [follow us on twitter][twitter], [apply for a job][jobs], or [hire us][hire] to help with your cloud strategy and implementation.

[docs]: https://docs.cloudposse.com/
[website]: https://cloudposse.com/
[github]: https://github.com/cloudposse/
[commercial_support]: https://github.com/orgs/cloudposse/projects
[jobs]: https://cloudposse.com/jobs/
[hire]: https://cloudposse.com/contact/
[slack]: https://slack.cloudposse.com/
[linkedin]: https://www.linkedin.com/company/cloudposse
[twitter]: https://twitter.com/cloudposse/
[email]: mailto:[email protected]


### Contributors
Expand All @@ -218,3 +249,36 @@ Check out [our other projects][github], [apply for a job][jobs], or [hire us][hi
[aknysh_avatar]: https://github.com/aknysh.png?size=150



[![README Footer][readme_footer_img]][readme_footer_link]
[![Beacon][beacon]][website]

[logo]: https://cloudposse.com/logo-300x69.svg
[docs]: https://cpco.io/docs
[website]: https://cpco.io/homepage
[github]: https://cpco.io/github
[jobs]: https://cpco.io/jobs
[hire]: https://cpco.io/hire
[slack]: https://cpco.io/slack
[linkedin]: https://cpco.io/linkedin
[twitter]: https://cpco.io/twitter
[testimonial]: https://cpco.io/leave-testimonial
[newsletter]: https://cpco.io/newsletter
[email]: https://cpco.io/email
[commercial_support]: https://cpco.io/commercial-support
[we_love_open_source]: https://cpco.io/we-love-open-source
[module_development]: https://cpco.io/module-development
[terraform_modules]: https://cpco.io/terraform-modules
[readme_header_img]: https://cloudposse.com/readme/header/img?repo=cloudposse/terraform-aws-kms-key
[readme_header_link]: https://cloudposse.com/readme/header/link?repo=cloudposse/terraform-aws-kms-key
[readme_footer_img]: https://cloudposse.com/readme/footer/img?repo=cloudposse/terraform-aws-kms-key
[readme_footer_link]: https://cloudposse.com/readme/footer/link?repo=cloudposse/terraform-aws-kms-key
[readme_commercial_support_img]: https://cloudposse.com/readme/commercial-support/img?repo=cloudposse/terraform-aws-kms-key
[readme_commercial_support_link]: https://cloudposse.com/readme/commercial-support/link?repo=cloudposse/terraform-aws-kms-key
[share_twitter]: https://twitter.com/intent/tweet/?text=terraform-aws-kms-key&url=https://github.com/cloudposse/terraform-aws-kms-key
[share_linkedin]: https://www.linkedin.com/shareArticle?mini=true&title=terraform-aws-kms-key&url=https://github.com/cloudposse/terraform-aws-kms-key
[share_reddit]: https://reddit.com/submit/?url=https://github.com/cloudposse/terraform-aws-kms-key
[share_facebook]: https://facebook.com/sharer/sharer.php?u=https://github.com/cloudposse/terraform-aws-kms-key
[share_googleplus]: https://plus.google.com/share?url=https://github.com/cloudposse/terraform-aws-kms-key
[share_email]: mailto:?subject=terraform-aws-kms-key&body=https://github.com/cloudposse/terraform-aws-kms-key
[beacon]: https://ga-beacon.cloudposse.com/UA-76589703-4/cloudposse/terraform-aws-kms-key?pixel&cs=github&cm=readme&an=terraform-aws-kms-key
3 changes: 2 additions & 1 deletion docs/targets.md
Expand Up @@ -2,8 +2,9 @@
```
Available targets:
help This help screen
help Help screen
help/all Display help for all targets
help/short This help short screen
lint Lint terraform code
```
2 changes: 1 addition & 1 deletion docs/terraform.md
@@ -1,4 +1,3 @@

## Inputs

| Name | Description | Type | Default | Required |
Expand All @@ -11,6 +10,7 @@
| enable_key_rotation | Specifies whether key rotation is enabled | string | `true` | no |
| name | Application or solution name (e.g. `app`) | string | - | yes |
| namespace | Namespace (e.g. `cp` or `cloudposse`) | string | - | yes |
| policy | A valid kms policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. | string | `` | no |
| stage | Stage (e.g. `prod`, `dev`, `staging`) | string | - | yes |
| tags | Additional tags (e.g. map(`BusinessUnit`,`XYZ`) | map | `<map>` | no |

25 changes: 25 additions & 0 deletions main.tf
Expand Up @@ -8,11 +8,36 @@ module "label" {
tags = "${var.tags}"
}

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "default" {
statement {
sid = "Enable IAM User Permissions"
effect = "Allow"
actions = ["kms:*"]
resources = ["*"]

principals {
type = "AWS"

identifiers = [
"arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
]
}
}
}

module "policy" {
source = "git::https://github.com/cloudposse/terraform-aws-iam-policy-document-aggregator.git?ref=tags/0.1.2"
source_documents = ["${data.aws_iam_policy_document.default.json}", "${var.policy}"]
}

resource "aws_kms_key" "default" {
description = "${var.description}"
deletion_window_in_days = "${var.deletion_window_in_days}"
enable_key_rotation = "${var.enable_key_rotation}"
tags = "${module.label.tags}"
policy = "${module.policy.result_document}"
}

resource "aws_kms_alias" "default" {
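Review bot: the default statement in `data.aws_iam_policy_document.default` grants `kms:*` on `*` to `arn:aws:iam::<account>:root` and is merged unconditionally ahead of `var.policy`, so a caller can only widen the key policy, never restrict key administration to particular roles; either state that in the `policy` variable description or make the default statement optional. Keeping it as the default is otherwise sound: it is the same statement AWS applies when no key policy is given, it delegates access to the account's IAM policies, and it prevents the key from becoming unmanageable. Three follow-ups on the visible lines: the partition is hard-coded as `arn:aws:`, which breaks in the GovCloud and China partitions (use `data.aws_partition.current.partition` instead); `var.policy` defaults to `""` and is passed straight into `source_documents`, so confirm the aggregator at `?ref=tags/0.1.2` tolerates an empty string rather than failing on it; and keys created before this change relied on the implicit AWS default policy, so the next `terraform apply` will show an in-place policy update on `aws_kms_key.default` (same effective permissions, but users should expect the diff). Pinning the aggregator to a release tag is consistent with the README's own advice; a commit SHA would be the stricter supply-chain pin.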
6 changes: 6 additions & 0 deletions variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -52,3 +52,9 @@ variable "alias" {
default = ""
description = "The display name of the alias. The name must start with the word `alias` followed by a forward slash"
}

variable "policy" {
type = "string"
default = ""
description = "A valid kms policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy."
}
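Review bot: `default = ""` contradicts the description ("A valid kms policy JSON document"), and the description never says that the supplied document is merged with the module's built-in root-account `kms:*` statement rather than replacing it; reword to something like "Additional statements to merge into the key policy (JSON). The module always includes the account-root statement." so callers understand the floor on permissions. For the plan-churn caveat, the actionable advice is to build the document with the `aws_iam_policy_document` data source and pass its `json` output rather than hand-written JSON, since the data source emits the canonical form that KMS stores and reads back, which is what keeps `terraform plan` from reporting a perpetual change.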
