Add sops kms keys
This commit is contained in:
=
parent
f0b3388e8d
commit
cdf20ba9ef
@ -19,10 +19,47 @@ resource "aws_iam_user" "vault_user" {
|
||||
name = "vault-unseal-user"
|
||||
}
|
||||
|
||||
resource "aws_iam_user" "sops_user" {
|
||||
name = "sops-user"
|
||||
}
|
||||
|
||||
resource "aws_iam_access_key" "vault_user_key" {
|
||||
user = aws_iam_user.vault_user.name
|
||||
}
|
||||
|
||||
resource "aws_iam_access_key" "sops_user_key" {
|
||||
user = aws_iam_user.sops_user.name
|
||||
}
|
||||
|
||||
resource "aws_kms_key" "vault" {
|
||||
description = "Hashicorp Vault auto unseal key"
|
||||
key_usage = "ENCRYPT_DECRYPT"
|
||||
customer_master_key_spec = "SYMMETRIC_DEFAULT"
|
||||
deletion_window_in_days = 30
|
||||
is_enabled = true
|
||||
multi_region = false
|
||||
enable_key_rotation = false
|
||||
}
|
||||
|
||||
resource "aws_kms_key" "sops" {
|
||||
description = "SOPS operational key"
|
||||
key_usage = "ENCRYPT_DECRYPT"
|
||||
customer_master_key_spec = "SYMMETRIC_DEFAULT"
|
||||
deletion_window_in_days = 30
|
||||
is_enabled = true
|
||||
multi_region = false
|
||||
enable_key_rotation = false
|
||||
}
|
||||
|
||||
resource "aws_kms_alias" "vault" {
|
||||
name = "alias/hashicorp-vault-unseal"
|
||||
target_key_id = aws_kms_key.vault.key_id
|
||||
}
|
||||
resource "aws_kms_alias" "sops" {
|
||||
name = "alias/sops"
|
||||
target_key_id = aws_kms_key.vault.key_id
|
||||
}
|
||||
|
||||
resource "aws_iam_user_policy" "vault_policy" {
|
||||
name = "vault-unseal-policy"
|
||||
user = aws_iam_user.vault_user.name
|
||||
@ -44,30 +81,48 @@ resource "aws_iam_user_policy" "vault_policy" {
|
||||
)
|
||||
}
|
||||
|
||||
output "access_key_id" {
|
||||
resource "aws_iam_user_policy" "sops_policy" {
|
||||
name = "sops-policy"
|
||||
user = aws_iam_user.sops_user.name
|
||||
policy = jsonencode(
|
||||
{
|
||||
Version = "2012-10-17"
|
||||
Statement = [
|
||||
{
|
||||
Effect = "Allow"
|
||||
Action = [
|
||||
"kms:Decrypt",
|
||||
"kms:DescribeKey",
|
||||
"kms:Encrypt"
|
||||
]
|
||||
Resource = aws_kms_key.sops.arn
|
||||
}
|
||||
]
|
||||
}
|
||||
)
|
||||
}
|
||||
|
||||
output "vault_access_key_id" {
|
||||
value = aws_iam_access_key.vault_user_key.id
|
||||
}
|
||||
|
||||
output "secret_access_key" {
|
||||
value = aws_iam_access_key.vault_user_key.secret
|
||||
sensitive = true
|
||||
output "vault_secret_access_key" {
|
||||
value = nonsensitive(aws_iam_access_key.vault_user_key.secret)
|
||||
}
|
||||
|
||||
output "kms_key_id" {
|
||||
output "vault_kms_key_id" {
|
||||
value = aws_kms_key.vault.key_id
|
||||
}
|
||||
|
||||
resource "aws_kms_key" "vault" {
|
||||
description = "Hashicorp Vault auto unseal key"
|
||||
key_usage = "ENCRYPT_DECRYPT"
|
||||
customer_master_key_spec = "SYMMETRIC_DEFAULT"
|
||||
deletion_window_in_days = 30
|
||||
is_enabled = true
|
||||
multi_region = false
|
||||
enable_key_rotation = false
|
||||
output "sops_access_key_id" {
|
||||
value = aws_iam_access_key.sops_user_key.id
|
||||
}
|
||||
|
||||
output "sops_secret_access_key" {
|
||||
value = nonsensitive(aws_iam_access_key.sops_user_key.secret)
|
||||
}
|
||||
|
||||
output "sops_kms_key_id" {
|
||||
value = aws_kms_key.sops.key_id
|
||||
}
|
||||
|
||||
resource "aws_kms_alias" "main" {
|
||||
name = "alias/hashicorp-vault-unseal"
|
||||
target_key_id = aws_kms_key.vault.key_id
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user