Merge pull request #28 from clouddrove/issue-451

update readme.yaml according new example and version.tf

Author: yadavprakash

README.yaml

@@ -47,88 +47,115 @@ usage : |-
       name        = "kms"
       environment = "test"
       label_order = ["name", "environment"]
-      enabled     = true
-      description             = "KMS key for cloudtrail"
+    
       deletion_window_in_days = 7
-      enable_key_rotation     = true
-      alias                   = "alias/cloudtrail"
+      alias                   = "alias/cloudtrail_Name"
+      enabled                 = true
+      kms_key_enabled         = true
+      multi_region            = true
+      create_external_enabled = true
+      valid_to                = "2023-11-21T23:20:50Z"
+      key_material_base64     = "Wblj06fduthWggmsT0cLVoIMOkeLbc2kVfMud77i/JY="
       policy                  = data.aws_iam_policy_document.default.json
     }
-
-    data "aws_iam_policy_document" "default" {
+      
+      data "aws_caller_identity" "current" {}
+      data "aws_partition" "current" {}
+      
+      ##----------------------------------------------------------------------------------
+      ## Data block called to get Permissions that will be used in creating policy.
+      ##----------------------------------------------------------------------------------
+      data "aws_iam_policy_document" "default" {
       version = "2012-10-17"
       statement {
-        sid    = "Enable IAM User Permissions"
-        effect = "Allow"
-        principals {
-          type        = "AWS"
-          identifiers = ["*"]
-        }
-        actions   = ["kms:*"]
-        resources = ["*"]
+      sid    = "Enable IAM User Permissions"
+      effect = "Allow"
+      principals {
+      type = "AWS"
+      identifiers = [
+      format(
+      "arn:%s:iam::%s:root",
+      join("", data.aws_partition.current.*.partition),
+      data.aws_caller_identity.current.account_id
+      )
+      ]
+      }
+      actions   = ["kms:*"]
+      resources = ["*"]
       }
       statement {
-        sid    = "Allow CloudTrail to encrypt logs"
-        effect = "Allow"
-        principals {
-          type        = "Service"
-          identifiers = ["cloudtrail.amazonaws.com"]
-        }
-        actions   = ["kms:GenerateDataKey*"]
-        resources = ["*"]
-        condition {
-          test     = "StringLike"
-          variable = "kms:EncryptionContext:aws:cloudtrail:arn"
-          values   = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"]
-        }
+      sid    = "Allow CloudTrail to encrypt logs"
+      effect = "Allow"
+      principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
       }
-
+      actions   = ["kms:GenerateDataKey*"]
+      resources = ["*"]
+      condition {
+      test     = "StringLike"
+      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+      values   = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"]
+      }
+      }
+    
       statement {
-        sid    = "Allow CloudTrail to describe key"
-        effect = "Allow"
-        principals {
-          type        = "Service"
-          identifiers = ["cloudtrail.amazonaws.com"]
-        }
-        actions   = ["kms:DescribeKey"]
-        resources = ["*"]
+      sid    = "Allow CloudTrail to describe key"
+      effect = "Allow"
+      principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
       }
-
+      actions   = ["kms:DescribeKey"]
+      resources = ["*"]
+      }
+    
       statement {
-        sid    = "Allow principals in the account to decrypt log files"
-        effect = "Allow"
-        principals {
-          type        = "AWS"
-          identifiers = ["*"]
-        }
-        actions = [
-          "kms:Decrypt",
-          "kms:ReEncryptFrom"
-        ]
-        resources = ["*"]
-        condition {
-          test     = "StringEquals"
-          variable = "kms:CallerAccount"
-          values = [
-          "XXXXXXXXXXXX"]
-        }
-        condition {
-          test     = "StringLike"
-          variable = "kms:EncryptionContext:aws:cloudtrail:arn"
-          values   = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"]
-        }
+      sid    = "Allow principals in the account to decrypt log files"
+      effect = "Allow"
+      principals {
+      type = "AWS"
+      identifiers = [
+      format(
+      "arn:%s:iam::%s:root",
+      join("", data.aws_partition.current.*.partition),
+      data.aws_caller_identity.current.account_id
+      )
+      ]
       }
-
+      actions = [
+      "kms:Decrypt",
+      "kms:ReEncryptFrom"
+      ]
+      resources = ["*"]
+      condition {
+      test     = "StringEquals"
+      variable = "kms:CallerAccount"
+      values = [
+      "XXXXXXXXXXXX"]
+      }
+      condition {
+      test     = "StringLike"
+      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+      values   = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"]
+      }
+      }
+    
       statement {
-        sid    = "Allow alias creation during setup"
-        effect = "Allow"
-        principals {
-          type        = "AWS"
-          identifiers = ["*"]
-        }
-        actions   = ["kms:CreateAlias"]
-        resources = ["*"]
+      sid    = "Allow alias creation during setup"
+      effect = "Allow"
+      principals {
+      type = "AWS"
+      identifiers = [
+      format(
+      "arn:%s:iam::%s:root",
+      join("", data.aws_partition.current.*.partition),
+      data.aws_caller_identity.current.account_id
+      )
+      ]
+      }
+      actions   = ["kms:CreateAlias"]
+      resources = ["*"]
       }
     }
-
   ```

_example/example.tf

@@ -1,24 +1,40 @@
+####----------------------------------------------------------------------------------
+## Provider block added, Use the Amazon Web Services (AWS) provider to interact with the many resources supported by AWS.
+####----------------------------------------------------------------------------------
+
+
 provider "aws" {
-  region = "eu-west-1"
+  region = "us-east-1"
 }
-data "aws_caller_identity" "current" {}
-data "aws_partition" "current" {}
 
+####----------------------------------------------------------------------------------
+## AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the cryptographic keys that are used to protect your data.
+####----------------------------------------------------------------------------------
 module "kms_key" {
+
   source = "./../"
 
   name        = "kms"
   environment = "test"
   label_order = ["name", "environment"]
 
-  enabled                 = true
-  description             = "KMS key for cloudtrail"
-  deletion_window_in_days = 15
+  deletion_window_in_days = 7
   alias                   = "alias/cloudtrail_Name"
-  multi_region            = false
+  enabled                 = true
+  kms_key_enabled         = true
+  multi_region            = true
+  create_external_enabled = true
+  valid_to                = "2023-11-21T23:20:50Z"
+  key_material_base64     = "Wblj06fduthWggmsT0cLVoIMOkeLbc2kVfMud77i/JY="
   policy                  = data.aws_iam_policy_document.default.json
 }
 
+data "aws_caller_identity" "current" {}
+data "aws_partition" "current" {}
+
+##----------------------------------------------------------------------------------
+## Data block called to get Permissions that will be used in creating policy.
+##----------------------------------------------------------------------------------
 data "aws_iam_policy_document" "default" {
   version = "2012-10-17"
   statement {
@@ -111,4 +127,4 @@ data "aws_iam_policy_document" "default" {
     actions   = ["kms:CreateAlias"]
     resources = ["*"]
   }
-}
+}

main.tf

@@ -1,11 +1,6 @@
-## Managed By : CloudDrove
-# Description : This Script is used to create KMS on AWS.
-## Copyright @ CloudDrove. All Right Reserved.
-
-#Module      : labels
-#Description : This terraform module is designed to generate consistent label names and tags
-#              for resources. You can use terraform-labels to implement a strict naming
-#              convention.
+##----------------------------------------------------------------------------------
+## Labels module callled that will be used for naming and tags.
+##----------------------------------------------------------------------------------
 module "labels" {
   source      = "clouddrove/labels/aws"
   version     = "1.3.0"
@@ -16,10 +11,12 @@ module "labels" {
   label_order = var.label_order
 }
 
-# Module      : KMS KEY
-# Description : This terraform module creates a KMS Customer Master Key (CMK) and its alias.
+####----------------------------------------------------------------------------------
+## This terraform resource creates a KMS Customer Master Key (CMK) and its alias.
+####----------------------------------------------------------------------------------
 resource "aws_kms_key" "default" {
-  count                    = var.enabled ? 1 : 0
+  count = var.enabled && var.kms_key_enabled ? 1 : 0
+
   description              = var.description
   key_usage                = var.key_usage
   deletion_window_in_days  = var.deletion_window_in_days
@@ -31,10 +28,30 @@ resource "aws_kms_key" "default" {
   tags                     = module.labels.tags
 }
 
-# Module      : KMS ALIAS
-# Description : Provides an alias for a KMS customer master key..
+####----------------------------------------------------------------------------------
+## Create KMS keys in an external key store backed by your cryptographic keys outside of AWS.
+####----------------------------------------------------------------------------------
+resource "aws_kms_external_key" "external" {
+  count = var.enabled && var.create_external_enabled ? 1 : 0
+
+  bypass_policy_lockout_safety_check = var.bypass_policy_lockout_safety_check
+  deletion_window_in_days            = var.deletion_window_in_days
+  description                        = var.description
+  enabled                            = var.is_enabled
+  key_material_base64                = var.key_material_base64
+  multi_region                       = var.multi_region
+  policy                             = var.policy
+  valid_to                           = var.valid_to
+
+  tags = module.labels.tags
+}
+
+##----------------------------------------------------------------------------------
+## Provides an alias for a KMS customer master key.
+##----------------------------------------------------------------------------------
 resource "aws_kms_alias" "default" {
-  count         = var.enabled ? 1 : 0
+  count = var.enabled ? 1 : 0
+
   name          = coalesce(var.alias, format("alias/%v", module.labels.id))
   target_key_id = join("", aws_kms_key.default.*.id)
-}
+}

outputs.tf

@@ -1,5 +1,3 @@
-# Module      : KMS KEY
-# Description : This terraform module creates a KMS Customer Master Key (CMK) and its alias.
 output "key_arn" {
   value       = join("", aws_kms_key.default.*.arn)
   description = "Key ARN."

variables.tf

@@ -67,6 +67,11 @@ variable "enabled" {
   default     = true
   description = "Specifies whether the kms is enabled or disabled."
 }
+variable "kms_key_enabled" {
+  type        = bool
+  default     = true
+  description = "Specifies whether the kms is enabled or disabled."
+}
 
 
 variable "key_usage" {
@@ -82,13 +87,6 @@ variable "alias" {
   description = "The display name of the alias. The name must start with the word `alias` followed by a forward slash."
 }
 
-variable "policy" {
-  type        = string
-  default     = ""
-  sensitive   = true
-  description = "A valid policy JSON document. For more information about building AWS IAM policy documents with Terraform."
-}
-
 variable "customer_master_key_spec" {
   type        = string
   default     = "SYMMETRIC_DEFAULT"
@@ -107,3 +105,57 @@ variable "multi_region" {
   default     = true
   description = "Indicates whether the KMS key is a multi-Region (true) or regional (false) key."
 }
+
+variable "bypass_policy_lockout_safety_check" {
+  type        = bool
+  default     = null
+  description = "A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable"
+}
+
+variable "valid_to" {
+  type        = string
+  default     = ""
+  description = "Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire"
+}
+
+variable "key_material_base64" {
+  type        = string
+  default     = null
+  description = "Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. External key only"
+}
+
+variable "create_external_enabled" {
+  type        = bool
+  default     = false
+  description = "Determines whether an external CMK (externally provided material) will be created or a standard CMK (AWS provided material)"
+}
+
+variable "primary_external_key_arn" {
+  type        = string
+  default     = null
+  description = "The primary external key arn of a multi-region replica external key"
+}
+
+variable "primary_key_arn" {
+  type        = string
+  default     = ""
+  description = "The primary key arn of a multi-region replica key"
+}
+
+variable "policy" {
+  type        = string
+  default     = null
+  description = "A valid policy JSON document. Although this is a key policy, not an IAM policy, an `aws_iam_policy_document`, in the form that designates a principal, can be used"
+}
+
+variable "computed_aliases" {
+  description = "A map of aliases to create. Values provided via the `name` key of the map can be computed from upstream resources"
+  type        = any
+  default     = {}
+}
+
+variable "aliases_use_name_prefix" {
+  description = "Determines whether the alias name is used as a prefix"
+  type        = bool
+  default     = false
+}