From cdf20ba9ef233302399882b4f7613018253b6fe9 Mon Sep 17 00:00:00 2001
From: = <=>
Date: Mon, 23 Dec 2024 18:35:04 -0500
Subject: [PATCH] Add sops kms keys

---
 terraform/aws/kms/main.tf | 89 +++++++++++++++++++++++++++++++--------
 1 file changed, 72 insertions(+), 17 deletions(-)

diff --git a/terraform/aws/kms/main.tf b/terraform/aws/kms/main.tf
index 5086b85..a40ae82 100644
--- a/terraform/aws/kms/main.tf
+++ b/terraform/aws/kms/main.tf
@@ -19,10 +19,47 @@ resource "aws_iam_user" "vault_user" {
  name = "vault-unseal-user"
 }
 
+resource "aws_iam_user" "sops_user" {
+ name = "sops-user"
+}
+
 resource "aws_iam_access_key" "vault_user_key" {
  user = aws_iam_user.vault_user.name
 }
 
+resource "aws_iam_access_key" "sops_user_key" {
+ user = aws_iam_user.sops_user.name
+}
+
+resource "aws_kms_key" "vault" {
+ description = "Hashicorp Vault auto unseal key"
+ key_usage = "ENCRYPT_DECRYPT"
+ customer_master_key_spec = "SYMMETRIC_DEFAULT"
+ deletion_window_in_days = 30
+ is_enabled = true
+ multi_region = false
+ enable_key_rotation = false
+}
+
+resource "aws_kms_key" "sops" {
+ description = "SOPS operational key"
+ key_usage = "ENCRYPT_DECRYPT"
+ customer_master_key_spec = "SYMMETRIC_DEFAULT"
+ deletion_window_in_days = 30
+ is_enabled = true
+ multi_region = false
+ enable_key_rotation = false
+}
+
+resource "aws_kms_alias" "vault" {
+ name = "alias/hashicorp-vault-unseal"
+ target_key_id = aws_kms_key.vault.key_id
+}
+resource "aws_kms_alias" "sops" {
+ name = "alias/sops"
+ target_key_id = aws_kms_key.vault.key_id
+}
+
 resource "aws_iam_user_policy" "vault_policy" {
  name = "vault-unseal-policy"
  user = aws_iam_user.vault_user.name
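Review bot: `aws_kms_alias.sops` sets `target_key_id = aws_kms_key.vault.key_id`, so `alias/sops` resolves to the Vault auto-unseal key instead of the new SOPS key; it should read `target_key_id = aws_kms_key.sops.key_id`. Because the sops IAM policy in the following hunk is scoped to `aws_kms_key.sops.arn`, a SOPS client addressing the key by alias would be denied, and any principal that does have access to the Vault key would end up encrypting secrets under the unseal key. Both new keys also set `enable_key_rotation = false`; for long-lived symmetric keys that will protect many secrets, `enable_key_rotation = true` is the safer default, and KMS keeps prior key material so existing ciphertext stays decryptable. The old `aws_kms_alias.main` is removed and re-added as `aws_kms_alias.vault` with the same name, which presumably destroys and recreates the alias on apply; a `moved { from = aws_kms_alias.main to = aws_kms_alias.vault }` block would avoid that window — confirm against the Terraform version in use.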
@@ -44,30 +81,48 @@ resource "aws_iam_user_policy" "vault_policy" {
  )
 }
 
-output "access_key_id" {
+resource "aws_iam_user_policy" "sops_policy" {
+ name = "sops-policy"
+ user = aws_iam_user.sops_user.name
+ policy = jsonencode(
+ {
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = [
+ "kms:Decrypt",
+ "kms:DescribeKey",
+ "kms:Encrypt"
+ ]
+ Resource = aws_kms_key.sops.arn
+ }
+ ]
+ }
+ )
+}
+
+output "vault_access_key_id" {
  value = aws_iam_access_key.vault_user_key.id
 }
 
-output "secret_access_key" {
- value = aws_iam_access_key.vault_user_key.secret
- sensitive = true
+output "vault_secret_access_key" {
+ value = nonsensitive(aws_iam_access_key.vault_user_key.secret)
 }
 
-output "kms_key_id" {
+output "vault_kms_key_id" {
  value = aws_kms_key.vault.key_id
 }
 
-resource "aws_kms_key" "vault" {
- description = "Hashicorp Vault auto unseal key"
- key_usage = "ENCRYPT_DECRYPT"
- customer_master_key_spec = "SYMMETRIC_DEFAULT"
- deletion_window_in_days = 30
- is_enabled = true
- multi_region = false
- enable_key_rotation = false
+output "sops_access_key_id" {
+ value = aws_iam_access_key.sops_user_key.id
+}
+
+output "sops_secret_access_key" {
+ value = nonsensitive(aws_iam_access_key.sops_user_key.secret)
+}
+
+output "sops_kms_key_id" {
+ value = aws_kms_key.sops.key_id
 }
 
-resource "aws_kms_alias" "main" {
- name = "alias/hashicorp-vault-unseal"
- target_key_id = aws_kms_key.vault.key_id
-}
\ No newline at end of file
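Review bot: Wrapping the IAM secret access keys in `nonsensitive()` in `vault_secret_access_key` and `sops_secret_access_key` undoes the `sensitive = true` that the old `secret_access_key` output carried, so both long-lived credentials are now printed in clear text by `terraform apply` and `terraform output` and land in any CI log that captures them. Restore the marking on both outputs, e.g. `value     = aws_iam_access_key.vault_user_key.secret` followed by `sensitive = true`; a consumer that needs the value can still fetch it with `terraform output -raw vault_secret_access_key`. The state file stores the secret either way, so access to state should be treated as access to the credential regardless of the output setting. The output renames (`access_key_id`, `secret_access_key`, `kms_key_id` to the `vault_`-prefixed names) will break any remote-state reader that uses the old names, which is worth a line in the commit description.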