2024-12-21 06:26:55 +00:00
|
|
|
terraform {
|
|
|
|
|
required_version = ">= 1.8.7"
|
|
|
|
|
required_providers {
|
|
|
|
|
aws = {
|
|
|
|
|
source = "hashicorp/aws"
|
|
|
|
|
version = ">= 5.82.2"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
backend "local" {
|
|
|
|
|
# path = pathexpand("~/Backups/tfstate/cloudflare.tfstate")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
provider "aws" {
|
|
|
|
|
region = "us-east-1"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
resource "aws_iam_user" "vault_user" {
|
|
|
|
|
name = "vault-unseal-user"
|
|
|
|
|
}
|
|
|
|
|
|
2024-12-23 23:35:04 +00:00
|
|
|
resource "aws_iam_user" "sops_user" {
|
|
|
|
|
name = "sops-user"
|
|
|
|
|
}
|
|
|
|
|
|
2024-12-21 06:26:55 +00:00
|
|
|
resource "aws_iam_access_key" "vault_user_key" {
|
|
|
|
|
user = aws_iam_user.vault_user.name
|
|
|
|
|
}
|
|
|
|
|
|
2024-12-23 23:35:04 +00:00
|
|
|
resource "aws_iam_access_key" "sops_user_key" {
|
|
|
|
|
user = aws_iam_user.sops_user.name
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
resource "aws_kms_key" "vault" {
|
|
|
|
|
description = "Hashicorp Vault auto unseal key"
|
|
|
|
|
key_usage = "ENCRYPT_DECRYPT"
|
|
|
|
|
customer_master_key_spec = "SYMMETRIC_DEFAULT"
|
|
|
|
|
deletion_window_in_days = 30
|
|
|
|
|
is_enabled = true
|
|
|
|
|
multi_region = false
|
|
|
|
|
enable_key_rotation = false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
resource "aws_kms_key" "sops" {
|
|
|
|
|
description = "SOPS operational key"
|
|
|
|
|
key_usage = "ENCRYPT_DECRYPT"
|
|
|
|
|
customer_master_key_spec = "SYMMETRIC_DEFAULT"
|
|
|
|
|
deletion_window_in_days = 30
|
|
|
|
|
is_enabled = true
|
|
|
|
|
multi_region = false
|
|
|
|
|
enable_key_rotation = false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
resource "aws_kms_alias" "vault" {
|
|
|
|
|
name = "alias/hashicorp-vault-unseal"
|
|
|
|
|
target_key_id = aws_kms_key.vault.key_id
|
|
|
|
|
}
|
|
|
|
|
resource "aws_kms_alias" "sops" {
|
|
|
|
|
name = "alias/sops"
|
|
|
|
|
target_key_id = aws_kms_key.vault.key_id
|
|
|
|
|
}
|
|
|
|
|
|
2024-12-21 06:26:55 +00:00
|
|
|
resource "aws_iam_user_policy" "vault_policy" {
|
|
|
|
|
name = "vault-unseal-policy"
|
|
|
|
|
user = aws_iam_user.vault_user.name
|
|
|
|
|
policy = jsonencode(
|
|
|
|
|
{
|
|
|
|
|
Version = "2012-10-17"
|
|
|
|
|
Statement = [
|
|
|
|
|
{
|
|
|
|
|
Effect = "Allow"
|
|
|
|
|
Action = [
|
|
|
|
|
"kms:Decrypt",
|
|
|
|
|
"kms:DescribeKey",
|
|
|
|
|
"kms:Encrypt"
|
|
|
|
|
]
|
|
|
|
|
Resource = aws_kms_key.vault.arn
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
)
|
|
|
|
|
}
|
|
|
|
|
|
2024-12-23 23:35:04 +00:00
|
|
|
resource "aws_iam_user_policy" "sops_policy" {
|
|
|
|
|
name = "sops-policy"
|
|
|
|
|
user = aws_iam_user.sops_user.name
|
|
|
|
|
policy = jsonencode(
|
|
|
|
|
{
|
|
|
|
|
Version = "2012-10-17"
|
|
|
|
|
Statement = [
|
|
|
|
|
{
|
|
|
|
|
Effect = "Allow"
|
|
|
|
|
Action = [
|
|
|
|
|
"kms:Decrypt",
|
|
|
|
|
"kms:DescribeKey",
|
|
|
|
|
"kms:Encrypt"
|
|
|
|
|
]
|
|
|
|
|
Resource = aws_kms_key.sops.arn
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
output "vault_access_key_id" {
|
2024-12-21 06:26:55 +00:00
|
|
|
value = aws_iam_access_key.vault_user_key.id
|
|
|
|
|
}
|
|
|
|
|
|
2024-12-23 23:35:04 +00:00
|
|
|
output "vault_secret_access_key" {
|
|
|
|
|
value = nonsensitive(aws_iam_access_key.vault_user_key.secret)
|
2024-12-21 06:26:55 +00:00
|
|
|
}
|
|
|
|
|
|
2024-12-23 23:35:04 +00:00
|
|
|
output "vault_kms_key_id" {
|
2024-12-21 06:26:55 +00:00
|
|
|
value = aws_kms_key.vault.key_id
|
|
|
|
|
}
|
|
|
|
|
|
2024-12-23 23:35:04 +00:00
|
|
|
output "sops_access_key_id" {
|
|
|
|
|
value = aws_iam_access_key.sops_user_key.id
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
output "sops_secret_access_key" {
|
|
|
|
|
value = nonsensitive(aws_iam_access_key.sops_user_key.secret)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
output "sops_kms_key_id" {
|
|
|
|
|
value = aws_kms_key.sops.key_id
|
2024-12-21 06:26:55 +00:00
|
|
|
}
|
|
|
|
|
|
