Add kms-key module

.github/labeler.yaml

@@ -1,3 +1,5 @@
 # Modules
+":floppy_disk: kms-key":
+- modules/kms-key/**/*
 ":floppy_disk: secrets-manager-secret":
 - modules/secrets-manager-secret/**/*

.github/labels.yaml

@@ -40,6 +40,9 @@
   name: "size/XL"
 
 # Modules
+- color: "fbca04"
+  description: "This issue or pull request is related to kms-key module."
+  name: ":floppy_disk: kms-key"
 - color: "fbca04"
   description: "This issue or pull request is related to secrets-manager-secret module."
   name: ":floppy_disk: secrets-manager-secret"

modules/kms-key/README.md

@@ -0,0 +1,72 @@
+# kms-key
+
+This module creates following resources.
+
+- `aws_kms_key`
+- `aws_kms_alias` (optional)
+- `aws_kms_grant` (optional)
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.1 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.6 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.6.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_kms_alias.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_resourcegroups_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_name"></a> [name](#input\_name) | (Required) Name of the KMS key. | `string` | n/a | yes |
+| <a name="input_aliases"></a> [aliases](#input\_aliases) | (Optional) List of display name of the alias. The name must start with the word `alias/`. | `list(string)` | `[]` | no |
+| <a name="input_bypass_policy_lockout_safety_check"></a> [bypass\_policy\_lockout\_safety\_check](#input\_bypass\_policy\_lockout\_safety\_check) | (Optional) Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the CMK becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. | `bool` | `false` | no |
+| <a name="input_deletion_window_in_days"></a> [deletion\_window\_in\_days](#input\_deletion\_window\_in\_days) | (Optional) Duration in days after which the key is deleted after destruction of the resource. Valid value is between `7` and `30` days. Defaults to `30`. | `number` | `30` | no |
+| <a name="input_description"></a> [description](#input\_description) | (Optional) The description of the KMS key. | `string` | `""` | no |
+| <a name="input_enabled"></a> [enabled](#input\_enabled) | (Optional) Indicates whether the key is enabled. | `bool` | `true` | no |
+| <a name="input_key_rotation_enabled"></a> [key\_rotation\_enabled](#input\_key\_rotation\_enabled) | (Optional) Indicates whether key rotation is enabled. | `bool` | `false` | no |
+| <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
+| <a name="input_multi_region_enabled"></a> [multi\_region\_enabled](#input\_multi\_region\_enabled) | (Optional) Indicates whether the key is a multi-Region (true) or regional (false) key. | `bool` | `false` | no |
+| <a name="input_policy"></a> [policy](#input\_policy) | (Optional) A valid policy JSON document. Although this is a key policy, not an IAM policy, an `aws_iam_policy_document`, in the form that designates a principal, can be used. | `string` | `null` | no |
+| <a name="input_resource_group_description"></a> [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no |
+| <a name="input_resource_group_enabled"></a> [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
+| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
+| <a name="input_spec"></a> [spec](#input\_spec) | (Optional) Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: `SYMMETRIC_DEFAULT`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, or `ECC_SECG_P256K1`. Defaults to `SYMMETRIC_DEFAULT`. | `string` | `"SYMMETRIC_DEFAULT"` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
+| <a name="input_usage"></a> [usage](#input\_usage) | (Optional) Specifies the intended use of the key. Valid values are `ENCRYPT_DECRYPT` or `SIGN_VERIFY`. | `string` | `"ENCRYPT_DECRYPT"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_aliases"></a> [aliases](#output\_aliases) | A collection of aliases of the key. |
+| <a name="output_arn"></a> [arn](#output\_arn) | The ARN of the KMS key. |
+| <a name="output_bypass_policy_lockout_safety_check"></a> [bypass\_policy\_lockout\_safety\_check](#output\_bypass\_policy\_lockout\_safety\_check) | Whether to disable the policy lockout check performed when creating or updating the key's policy. |
+| <a name="output_deletion_window_in_days"></a> [deletion\_window\_in\_days](#output\_deletion\_window\_in\_days) | Duration in days after which the key is deleted after destruction of the resource. |
+| <a name="output_enabled"></a> [enabled](#output\_enabled) | Whether the key is enabled. |
+| <a name="output_id"></a> [id](#output\_id) | The ID of the KMS key. |
+| <a name="output_key_rotation_enabled"></a> [key\_rotation\_enabled](#output\_key\_rotation\_enabled) | Whether the key rotation is enabled. |
+| <a name="output_multi_region_enabled"></a> [multi\_region\_enabled](#output\_multi\_region\_enabled) | Whether the key is a multi-region key. |
+| <a name="output_name"></a> [name](#output\_name) | The KMS Key name. |
+| <a name="output_policy"></a> [policy](#output\_policy) | The Resource Policy for KMS Key. |
+| <a name="output_spec"></a> [spec](#output\_spec) | The specification of KMS key which is the encryption algorithm or signing algorithm. |
+| <a name="output_usage"></a> [usage](#output\_usage) | The usage of the KMS key. `ENCRYPT_DECRYPT` or `SIGN_VERIFY`. |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/kms-key/main.tf

@@ -0,0 +1,54 @@
+locals {
+  metadata = {
+    package = "terraform-aws-secret"
+    version = trimspace(file("${path.module}/../../VERSION"))
+    module  = basename(path.module)
+    name    = var.name
+  }
+  module_tags = var.module_tags_enabled ? {
+    "module.terraform.io/package"   = local.metadata.package
+    "module.terraform.io/version"   = local.metadata.version
+    "module.terraform.io/name"      = local.metadata.module
+    "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}"
+    "module.terraform.io/instance"  = local.metadata.name
+  } : {}
+}
+
+
+###################################################
+# KMS Resources
+###################################################
+
+resource "aws_kms_key" "this" {
+  description = var.description
+
+  key_usage                = var.usage
+  customer_master_key_spec = var.spec
+
+  policy                             = var.policy
+  bypass_policy_lockout_safety_check = var.bypass_policy_lockout_safety_check
+
+  deletion_window_in_days = var.deletion_window_in_days
+
+  is_enabled          = var.enabled
+  enable_key_rotation = var.key_rotation_enabled
+  multi_region        = var.multi_region_enabled
+
+  tags = merge(
+    {
+      "Name" = local.metadata.name
+    },
+    local.module_tags,
+    var.tags,
+  )
+}
+
+# Provides an alias for a KMS customer master key.
+# AWS Console enforces 1-to-1 mapping between aliases & keys,
+# but API allows you to create as many aliases as the account limits.
+resource "aws_kms_alias" "this" {
+  for_each = toset(var.aliases)
+
+  name          = each.key
+  target_key_id = aws_kms_key.this.key_id
+}

modules/kms-key/outputs.tf

@@ -0,0 +1,65 @@
+output "arn" {
+  description = "The ARN of the KMS key."
+  value       = aws_kms_key.this.arn
+}
+
+output "id" {
+  description = "The ID of the KMS key."
+  value       = aws_kms_key.this.key_id
+}
+
+output "name" {
+  description = "The KMS Key name."
+  value       = var.name
+}
+
+output "usage" {
+  description = "The usage of the KMS key. `ENCRYPT_DECRYPT` or `SIGN_VERIFY`."
+  value       = aws_kms_key.this.key_usage
+}
+
+output "spec" {
+  description = "The specification of KMS key which is the encryption algorithm or signing algorithm."
+  value       = aws_kms_key.this.customer_master_key_spec
+}
+
+output "policy" {
+  description = "The Resource Policy for KMS Key."
+  value       = aws_kms_key.this.policy
+}
+
+output "bypass_policy_lockout_safety_check" {
+  description = "Whether to disable the policy lockout check performed when creating or updating the key's policy."
+  value       = aws_kms_key.this.bypass_policy_lockout_safety_check
+}
+
+output "deletion_window_in_days" {
+  description = "Duration in days after which the key is deleted after destruction of the resource."
+  value       = aws_kms_key.this.deletion_window_in_days
+}
+
+output "enabled" {
+  description = "Whether the key is enabled."
+  value       = aws_kms_key.this.is_enabled
+}
+
+output "key_rotation_enabled" {
+  description = "Whether the key rotation is enabled."
+  value       = aws_kms_key.this.enable_key_rotation
+}
+
+output "multi_region_enabled" {
+  description = "Whether the key is a multi-region key."
+  value       = aws_kms_key.this.multi_region
+}
+
+output "aliases" {
+  description = "A collection of aliases of the key."
+  value = {
+    for alias in aws_kms_alias.this :
+    alias.name => {
+      arn  = alias.arn
+      name = alias.name
+    }
+  }
+}

modules/kms-key/resource-group.tf

@@ -0,0 +1,44 @@
+locals {
+  resource_group_name = (var.resource_group_name != ""
+    ? var.resource_group_name
+    : join(".", [
+      local.metadata.package,
+      local.metadata.module,
+      replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"),
+    ])
+  )
+  resource_group_filters = [
+    for key, value in local.module_tags : {
+      "Key"    = key
+      "Values" = [value]
+    }
+  ]
+  resource_group_query = <<-JSON
+  {
+    "ResourceTypeFilters": [
+      "AWS::AllSupported"
+    ],
+    "TagFilters": ${jsonencode(local.resource_group_filters)}
+  }
+  JSON
+}
+
+resource "aws_resourcegroups_group" "this" {
+  count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0
+
+  name        = local.resource_group_name
+  description = var.resource_group_description
+
+  resource_query {
+    type  = "TAG_FILTERS_1_0"
+    query = local.resource_group_query
+  }
+
+  tags = merge(
+    {
+      "Name" = local.resource_group_name
+    },
+    local.module_tags,
+    var.tags,
+  )
+}

modules/kms-key/variables.tf

@@ -0,0 +1,112 @@
+variable "name" {
+  description = "(Required) Name of the KMS key."
+  type        = string
+}
+
+variable "description" {
+  description = "(Optional) The description of the KMS key."
+  type        = string
+  default     = ""
+}
+
+variable "usage" {
+  description = "(Optional) Specifies the intended use of the key. Valid values are `ENCRYPT_DECRYPT` or `SIGN_VERIFY`."
+  type        = string
+  default     = "ENCRYPT_DECRYPT"
+
+  validation {
+    condition     = contains(["ENCRYPT_DECRYPT", "SIGN_VERIFY"], var.usage)
+    error_message = "Valid values are `ENCRYPT_DECRYPT` or `SIGN_VERIFY`."
+  }
+}
+
+variable "spec" {
+  description = "(Optional) Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: `SYMMETRIC_DEFAULT`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, or `ECC_SECG_P256K1`. Defaults to `SYMMETRIC_DEFAULT`."
+  type        = string
+  default     = "SYMMETRIC_DEFAULT"
+}
+
+variable "policy" {
+  description = "(Optional) A valid policy JSON document. Although this is a key policy, not an IAM policy, an `aws_iam_policy_document`, in the form that designates a principal, can be used."
+  type        = string
+  default     = null
+}
+
+variable "bypass_policy_lockout_safety_check" {
+  description = "(Optional) Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the CMK becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide."
+  type        = bool
+  default     = false
+}
+
+variable "deletion_window_in_days" {
+  description = "(Optional) Duration in days after which the key is deleted after destruction of the resource. Valid value is between `7` and `30` days. Defaults to `30`."
+  type        = number
+  default     = 30
+
+  validation {
+    condition = alltrue([
+      var.deletion_window_in_days >= 7,
+      var.deletion_window_in_days <= 30,
+    ])
+    error_message = "Valid value is between `7` and `30` days."
+  }
+}
+
+variable "enabled" {
+  description = "(Optional) Indicates whether the key is enabled."
+  type        = bool
+  default     = true
+}
+
+variable "key_rotation_enabled" {
+  description = "(Optional) Indicates whether key rotation is enabled."
+  type        = bool
+  default     = false
+}
+
+variable "multi_region_enabled" {
+  description = "(Optional) Indicates whether the key is a multi-Region (true) or regional (false) key."
+  type        = bool
+  default     = false
+}
+
+variable "aliases" {
+  description = "(Optional) List of display name of the alias. The name must start with the word ``alias/`."
+  type        = list(string)
+  default     = []
+}
+
+variable "tags" {
+  description = "(Optional) A map of tags to add to all resources."
+  type        = map(string)
+  default     = {}
+}
+
+variable "module_tags_enabled" {
+  description = "(Optional) Whether to create AWS Resource Tags for the module informations."
+  type        = bool
+  default     = true
+}
+
+
+###################################################
+# Resource Group
+###################################################
+
+variable "resource_group_enabled" {
+  description = "(Optional) Whether to create Resource Group to find and group AWS resources which are created by this module."
+  type        = bool
+  default     = true
+}
+
+variable "resource_group_name" {
+  description = "(Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`."
+  type        = string
+  default     = ""
+}
+
+variable "resource_group_description" {
+  description = "(Optional) The description of Resource Group."
+  type        = string
+  default     = "Managed by Terraform."
+}

modules/kms-key/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.1"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.6"
+    }
+  }
+}