thoughtbot · jferris · Jan 5, 2024 · Jun 21, 2023
@@ -0,0 +1,55 @@
+# Generic Secret
+
+Creates a customer managed [KMS] key with a policy to allow the current account principal to decrypt it.
+
+Example:
+
+``` terraform
+module "customer_kms" {
+  source = "github.com/thoughtbot/terraform-aws-secrets//customer-managed-kms"
+
+  name          = "auth-key"
+}
+```
+
+[KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/overview.html
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_kms_alias.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.read_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_name"></a> [name](#input\_name) | Unique name for this kms key | `string` | n/a | yes |
+| <a name="input_resource_tags"></a> [resource\_tags](#input\_resource\_tags) | Tags to be applied to created resources | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_kms_key_alias"></a> [kms\_key\_alias](#output\_kms\_key\_alias) | Alias of the KMS key encrypting the secret |
+| <a name="output_kms_key_arn"></a> [kms\_key\_arn](#output\_kms\_key\_arn) | Alias of the KMS key encrypting the secret |
+| <a name="output_policy_json"></a> [policy\_json](#output\_policy\_json) | Policy json for consuming this secret |
+<!-- END_TF_DOCS -->
@@ -0,0 +1,47 @@
+resource "aws_kms_key" "this" {
+  description         = var.name
+  enable_key_rotation = true
+  policy              = data.aws_iam_policy_document.key.json
+  tags                = var.resource_tags
+}
+
+resource "aws_kms_alias" "this" {
+  name          = "alias/${var.name}"
+  target_key_id = aws_kms_key.this.arn
+}
+
+data "aws_iam_policy_document" "key" {
+  statement {
+    sid = "AllowAdmin"
+    not_actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*"
+    ]
+    resources = ["*"]
+    principals {
+      identifiers = local.admin_principals
+      type        = "AWS"
+    }
+  }
+}
+
+data "aws_iam_policy_document" "read_secret" {
+  statement {
+    sid = "DecryptSecret${local.sid_suffix}"
+    actions = [
+      "kms:Decrypt"
+    ]
+    resources = [aws_kms_key.this.arn]
+  }
+}
+
+data "aws_caller_identity" "this" {}
+
+locals {
+  account_arn      = "arn:aws:iam::${local.account_id}:root"
+  account_id       = data.aws_caller_identity.this.account_id
+  sid_suffix       = join("", regexall("[[:alnum:]]+", var.name))
+  admin_principals = [local.account_arn]
+}
@@ -0,0 +1,59 @@
+TFLINTRC    := ../.tflint.hcl
+TFDOCSRC    ?= ../.terraform-docs.yml
+MODULEFILES := $(wildcard *.tf)
+
+.PHONY: default
+default: checkfmt validate docs lint
+
+.PHONY: checkfmt
+checkfmt: .fmt
+
+.PHONY: fmt
+fmt: $(MODULEFILES)
+	terraform fmt
+	@touch .fmt
+
+.PHONY: validate
+validate: .validate
+
+.PHONY: docs
+docs: README.md
+
+.PHONY: lint
+lint: .lint
+
+.lint: $(MODULEFILES) .lintinit
+	tflint --config=$(TFLINTRC)
+	@touch .lint
+
+.lintinit: $(TFLINTRC)
+	tflint --init --config=$(TFLINTRC)
+	@touch .lintinit
+
+README.md: $(MODULEFILES)
+	terraform-docs --config "$(TFDOCSRC)" markdown table . --output-file README.md
+
+.fmt: $(MODULEFILES)
+	terraform fmt -check
+	@touch .fmt
+
+.PHONY: init
+init: .init
+
+.init: versions.tf
+	terraform init -backend=false
+	@touch .init
+
+.validate: .init $(MODULEFILES) $(wildcard *.tf.example)
+	echo | cat - $(wildcard *.tf.example) > test.tf
+	if AWS_DEFAULT_REGION=us-east-1 terraform validate; then \
+		rm test.tf; \
+		touch .validate; \
+	else \
+		rm test.tf; \
+		false; \
+	fi
+
+.PHONY: clean
+clean:
+	rm -rf .fmt .init .lint .lintinit .terraform .terraform.lock.hcl .validate
@@ -0,0 +1,14 @@
+output "kms_key_alias" {
+  description = "Alias of the KMS key"
+  value       = aws_kms_alias.this.name
+}
+
+output "kms_key_arn" {
+  description = "Arn of the KMS key"
+  value       = aws_kms_alias.this.arn
+}
+
+output "policy_json" {
+  description = "Policy json for consuming this secret"
+  value       = data.aws_iam_policy_document.read_secret.json
+}
@@ -0,0 +1,10 @@
+variable "name" {
+  description = "Unique name for this kms key"
+  type        = string
+}
+
+variable "resource_tags" {
+  description = "Tags to be applied to created resources"
+  type        = map(string)
+  default     = {}
+}
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 0.15.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.0"
+    }
+  }
+}