This module creates the necessary resources to store your Terraform code remotely in AWS.
FedRAMP Compliance: Moderate, High
- IAM AWS Accounts
- Any resources requiring KMS keys; the IAM key policy must be created when the key is created.
Insert a high-level list of resources created as a part of this module. E.g.
- KMS Key
- KMS Key alias
This module can be called as outlined below.
- Change directories to the `kms` directory.
- From the `terraform/aws/kms` directory run `terraform init`.
- Run `terraform plan` to review the resources being created.
- If everything looks correct in the plan output, run `terraform apply`.
Include example for how to call the module below with generic variables
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "=4.58"
    }
  }
}

# this can be called in region setup
module "kms" {
  source                = "github.com/Coalfire-CF/ACE-AWS-KMS?ref=vX.X.X"
  resource_prefix       = var.resource_prefix
  kms_key_resource_type = "s3"
  key_policy            = data.aws_iam_policy_document.s3_kms_policy.json
}

# this should be created where the module is called within the project, such as in region-setup or account setup if desired.
data "aws_iam_policy_document" "s3_kms_policy" {
  statement {
    sid       = "source-account-full-access"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.mgmt_account_id}:root"]
    }
  }
  statement {
    sid    = "target-account-allow-grant"
    effect = "Allow"
    # the following actions are required by Terraform to read/create/remove grants
    actions = [
      "kms:CreateGrant",
      "kms:DescribeKey",
      "kms:ListGrants",
      "kms:RevokeGrant"
    ]
    resources = ["*"]
    # This allows any IAM role in the target account that has permission to create grants to create a grant on this key.
    # Can lock this down to a specific role in the target account so only that role is able to create grants for this key.
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.app_account_id}:root"]
    }
  }
}

# Resource to be called where KMS access is required by a resource/service deployment.
# It is a top-level resource, not nested inside the policy document data block.
resource "aws_kms_grant" "cross-account-grant" {
  name              = "grant-s3-kms-key"
  key_id            = module.kms.kms_key_arn            # key above that was deployed (see the Outputs table)
  grantee_principal = data.aws_iam_role.my_role.arn     # cross-account role or resource/service role you want to grant to
  operations        = ["Encrypt", "Decrypt", "GenerateDataKey"]
}
```
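The comment on the `target-account-allow-grant` statement above notes that the grant permission can be narrowed from the whole application account to a single role. The following is an added example of that narrowing, written for this README and not part of the ACE-AWS-KMS module itself. It assumes the same `var.mgmt_account_id`, `var.app_account_id`, `module.kms` and `data.aws_iam_role.my_role` as the README example, plus one extra input, `var.app_role_name` (the name of the role in the application account that is allowed to manage grants), which is an assumption of this example.

```hcl
# Added example: the README's key policy with the grant statement limited to one role.
# Assumed inputs: var.mgmt_account_id, var.app_account_id, var.resource_prefix (from the README)
# and var.app_role_name (assumption introduced by this example).
data "aws_iam_policy_document" "s3_kms_policy_restricted" {
  # Key administration stays with the management account, as in the README.
  statement {
    sid       = "source-account-full-access"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.mgmt_account_id}:root"]
    }
  }

  statement {
    sid    = "target-account-allow-grant"
    effect = "Allow"
    actions = [
      "kms:CreateGrant",
      "kms:DescribeKey",
      "kms:ListGrants",
      "kms:RevokeGrant",
    ]
    resources = ["*"]

    # Only this role in the application account may manage grants on the key.
    # Using the account root here would let any principal the target account
    # delegates kms:CreateGrant to create grants on the key.
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.app_account_id}:role/${var.app_role_name}"]
    }

    # Every grant created under this statement may carry only these operations;
    # a CreateGrant request asking for other operations (ReEncrypt, Sign, ...) is denied.
    condition {
      test     = "ForAllValues:StringEquals"
      variable = "kms:GrantOperations"
      values   = ["Encrypt", "Decrypt", "GenerateDataKey"]
    }
  }
}

module "kms" {
  source                = "github.com/Coalfire-CF/ACE-AWS-KMS?ref=vX.X.X"
  resource_prefix       = var.resource_prefix
  kms_key_resource_type = "s3"
  key_policy            = data.aws_iam_policy_document.s3_kms_policy_restricted.json
}

# The grant created by the permitted role; its operations match the condition above,
# so a broader operations list here would fail at apply time rather than silently widen access.
resource "aws_kms_grant" "cross_account_grant" {
  name              = "grant-s3-kms-key"
  key_id            = module.kms.kms_key_arn
  grantee_principal = data.aws_iam_role.my_role.arn # assumed to be defined where the module is called, as in the README
  operations        = ["Encrypt", "Decrypt", "GenerateDataKey"]
}
```

The `kms:GrantOperations` condition is evaluated on the `CreateGrant` call, so the key policy, not the caller's IAM policy, is what bounds the operations a cross-account grant can confer; keep the `operations` list on `aws_kms_grant` within that bound.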
Requirements:

Name | Version |
---|---|
terraform | >= 1.5 |
aws | >= 3.26 |

Providers:

Name | Version |
---|---|
aws | >= 3.26 |
No modules.
Name | Type |
---|---|
aws_kms_alias.kms_key_alias | resource |
aws_kms_key.kms_key | resource |
Name | Description | Type | Default | Required |
---|---|---|---|---|
key_description | The description given to the created CMK | `string` | `""` | no |
key_policy | IAM key policy for the KMS key | `any` | `null` | no |
kms_key_resource_type | The type of resource/service this key is for, such as S3, EBS or RDS | `string` | n/a | yes |
resource_prefix | The prefix of the KMS key alias | `string` | n/a | yes |
Name | Description |
---|---|
kms_key_arn | The ARN of the S3 KMS key |
kms_key_id | The ID of the S3 KMS key |
Relative or absolute link to contributing.md
Absolute link to any relevant Coalfire Pages
Copyright © 2023 Coalfire Systems Inc.