feat: Added example for replica key.

Author: 13archit

.github/dependabot.yml

@@ -2,9 +2,18 @@
 # package ecosystems to update and where the package manifests are located.
 # Please see the documentation for all configuration options:
 # https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
 version: 2
 updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 3
+    assignees:
+      - "clouddrove-ci"
+    reviewers:
+      - "approvers"
+
   - package-ecosystem: "terraform" # See documentation for possible values
     directory: "/" # Location of package manifests
     schedule:
@@ -15,13 +24,57 @@ updates:
     # Add reviewer
     reviewers:
       - "approvers"
+    # Allow up to 3 open pull requests for pip dependencies
+    open-pull-requests-limit: 3
+
+  - package-ecosystem: "terraform" # See documentation for possible values
+    directory: "/_example/complete" # Location of package manifests
+    schedule:
+      interval: "weekly"
+    # Add assignees
+    assignees:
+      - "clouddrove-ci"
+    # Add reviewer
+    reviewers:
+      - "approvers"
+    # Allow up to 3 open pull requests for pip dependencies
+    open-pull-requests-limit: 3
+
   - package-ecosystem: "terraform" # See documentation for possible values
-    directory: "_example/" # Location of package manifests
+    directory: "/_example/external_key" # Location of package manifests
     schedule:
       interval: "weekly"
     # Add assignees
     assignees:
       - "clouddrove-ci"
     # Add reviewer
     reviewers:
-      - "approvers"
+      - "approvers"
+    # Allow up to 3 open pull requests for pip dependencies
+    open-pull-requests-limit: 3
+
+  - package-ecosystem: "terraform" # See documentation for possible values
+    directory: "/_example/external_replica_key" # Location of package manifests
+    schedule:
+      interval: "weekly"
+    # Add assignees
+    assignees:
+      - "clouddrove-ci"
+    # Add reviewer
+    reviewers:
+      - "approvers"
+    # Allow up to 3 open pull requests for pip dependencies
+    open-pull-requests-limit: 3
+
+  - package-ecosystem: "terraform" # See documentation for possible values
+    directory: "/_example/replica_key" # Location of package manifests
+    schedule:
+      interval: "weekly"
+    # Add assignees
+    assignees:
+      - "clouddrove-ci"
+    # Add reviewer
+    reviewers:
+      - "approvers"
+    # Allow up to 3 open pull requests for pip dependencies
+    open-pull-requests-limit: 3

.github/workflows/tf-checks.yml

@@ -12,4 +12,12 @@ jobs:
   external_key:
     uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master
     with:
-      working_directory: './_example/external_key/'
+      working_directory: './_example/external_key/'
+  external_replica_key:
+    uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master
+    with:
+      working_directory: './_example/external_replica_key/'
+  replica_key:
+    uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master
+    with:
+      working_directory: './_example/replica_key/'

README.yaml

@@ -15,19 +15,19 @@ github_repo: clouddrove/terraform-aws-kms
 
 # Badges to display
 badges:
-  - name: "Terraform"
-    image: "https://img.shields.io/badge/Terraform-v1.1.7-green"
-    url: "https://www.terraform.io"
+  - name: "Latest Release"
+    image: "https://img.shields.io/github/release/clouddrove/terraform-aws-subnet.svg"
+    url: "https://github.com/clouddrove/terraform-aws-subnet/releases/latest"
+  - name: "tfsec"
+    image: "https://github.com/clouddrove/terraform-aws-subnet/actions/workflows/tfsec.yml/badge.svg"
+    url: "https://github.com/clouddrove/terraform-aws-kms/actions/workflows/tfsec.yml"
   - name: "Licence"
     image: "https://img.shields.io/badge/License-APACHE-blue.svg"
     url: "LICENSE.md"
-  - name: "tfsec"
-    image: "https://github.com/clouddrove/terraform-aws-kms/actions/workflows/tfsec.yml/badge.svg"
-    url: "https://github.com/clouddrove/terraform-aws-kms/actions/workflows/tfsec.yml"
-  - name: "static-checks"
-    image: "https://github.com/clouddrove/terraform-aws-kms/actions/workflows/terraform.yml/badge.svg"
-    url: "https://github.com/clouddrove/terraform-aws-kms/actions/workflows/terraform.yml"
 
+prerequesties:
+  - name: Terraform 1.5.4
+    url: https://learn.hashicorp.com/terraform/getting-started/install.html
 #  description of this project
 description: |-
   This terraform module creates a KMS Customer Master Key (CMK) and its alias.

_example/external_replica_key/example.tf

@@ -0,0 +1,125 @@
+####----------------------------------------------------------------------------------
+## Provider block added, Use the Amazon Web Services (AWS) provider to interact with the many resources supported by AWS.
+####----------------------------------------------------------------------------------
+provider "aws" {
+  region = "us-east-1"
+}
+
+####----------------------------------------------------------------------------------
+## AWS External KMS Key Replica.
+## Should be deployed in different region as of primary key.
+####----------------------------------------------------------------------------------
+module "kms_key" {
+  source                          = "./../../"
+  name                            = "kms"
+  environment                     = "test"
+  deletion_window_in_days         = 7
+  alias                           = "alias/replicate_key"
+  kms_key_enabled                 = false
+  create_replica_external_enabled = true
+  enabled                         = true
+  multi_region                    = false
+  key_material_base64             = "Wblj06fduthWggmsT0cLVoIMOkeLbc2kVfMud77i/JY="
+  primary_key_arn                 = "arn:aws:kms:xxxxxxxxxxxxxxxxxxxxx"
+  policy                          = data.aws_iam_policy_document.default.json
+}
+
+data "aws_caller_identity" "current" {}
+data "aws_partition" "current" {}
+
+##----------------------------------------------------------------------------------
+## Data block called to get Permissions that will be used in creating policy.
+##----------------------------------------------------------------------------------
+data "aws_iam_policy_document" "default" {
+  version = "2012-10-17"
+  statement {
+    sid    = "Enable IAM User Permissions"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+        format(
+          "arn:%s:iam::%s:root",
+          join("", data.aws_partition.current.*.partition),
+          data.aws_caller_identity.current.account_id
+        )
+      ]
+    }
+    actions   = ["kms:*"]
+    resources = ["*"]
+  }
+  statement {
+    sid    = "Allow CloudTrail to encrypt logs"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+    actions   = ["kms:GenerateDataKey*"]
+    resources = ["*"]
+    condition {
+      test     = "StringLike"
+      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+      values   = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"]
+    }
+  }
+
+  statement {
+    sid    = "Allow CloudTrail to describe key"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+    actions   = ["kms:DescribeKey"]
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "Allow principals in the account to decrypt log files"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+        format(
+          "arn:%s:iam::%s:root",
+          join("", data.aws_partition.current.*.partition),
+          data.aws_caller_identity.current.account_id
+        )
+      ]
+    }
+    actions = [
+      "kms:Decrypt",
+      "kms:ReEncryptFrom"
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      variable = "kms:CallerAccount"
+      values = [
+      "XXXXXXXXXXXX"]
+    }
+    condition {
+      test     = "StringLike"
+      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+      values   = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"]
+    }
+  }
+
+  statement {
+    sid    = "Allow alias creation during setup"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+        format(
+          "arn:%s:iam::%s:root",
+          join("", data.aws_partition.current.*.partition),
+          data.aws_caller_identity.current.account_id
+        )
+      ]
+    }
+    actions   = ["kms:CreateAlias"]
+    resources = ["*"]
+  }
+}

_example/external_replica_key/outputs.tf

@@ -0,0 +1,19 @@
+output "key_arn" {
+  value       = module.kms_key.key_arn
+  description = "Key ARN."
+}
+
+output "tags" {
+  value       = module.kms_key.tags
+  description = "A mapping of tags to assign to the KMS."
+}
+
+output "key_id" {
+  value       = module.kms_key.key_id
+  description = "The globally unique identifier for the key."
+}
+
+output "target_key_id" {
+  value       = module.kms_key.target_key_id
+  description = "Identifier for the key for which the alias is for, can be either an ARN or key_id."
+}