From f0b3388e8dc2f6fe536dea380a50ef046a126e50 Mon Sep 17 00:00:00 2001
From: = <=>
Date: Sat, 21 Dec 2024 01:26:55 -0500
Subject: [PATCH] aws kms
---
 terraform/aws/kms/main.tf | 73 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 terraform/aws/kms/main.tf
diff --git a/terraform/aws/kms/main.tf b/terraform/aws/kms/main.tf
new file mode 100644
index 0000000..5086b85
--- /dev/null
+++ b/terraform/aws/kms/main.tf
@@ -0,0 +1,73 @@
+terraform {
+ required_version = ">= 1.8.7"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.82.2"
+ }
+ }
+ backend "local" {
+ # path = pathexpand("~/Backups/tfstate/cloudflare.tfstate")
+ }
+}
+
+provider "aws" {
+ region = "us-east-1"
+}
+
+resource "aws_iam_user" "vault_user" {
+ name = "vault-unseal-user"
+}
+
+resource "aws_iam_access_key" "vault_user_key" {
+ user = aws_iam_user.vault_user.name
+}
+
+resource "aws_iam_user_policy" "vault_policy" {
+ name = "vault-unseal-policy"
+ user = aws_iam_user.vault_user.name
+ policy = jsonencode(
+ {
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = [
+ "kms:Decrypt",
+ "kms:DescribeKey",
+ "kms:Encrypt"
+ ]
+ Resource = aws_kms_key.vault.arn
+ }
+ ]
+ }
+ )
+}
+
+output "access_key_id" {
+ value = aws_iam_access_key.vault_user_key.id
+}
+
+output "secret_access_key" {
+ value = aws_iam_access_key.vault_user_key.secret
+ sensitive = true
+}
+
+output "kms_key_id" {
+ value = aws_kms_key.vault.key_id
+}
+
+resource "aws_kms_key" "vault" {
+ description = "Hashicorp Vault auto unseal key"
+ key_usage = "ENCRYPT_DECRYPT"
+ customer_master_key_spec = "SYMMETRIC_DEFAULT"
+ deletion_window_in_days = 30
+ is_enabled = true
+ multi_region = false
+ enable_key_rotation = false
+}
+
+resource "aws_kms_alias" "main" {
+ name = "alias/hashicorp-vault-unseal"
+ target_key_id = aws_kms_key.vault.key_id
+}
\ No newline at end of file
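Review bot: `enable_key_rotation = false` in `resource "aws_kms_key" "vault"` pins the Vault auto-unseal key to its original material for the life of the key; KMS automatic rotation is transparent to callers (previous material stays available for Decrypt), so Vault's seal keeps working and the line can simply become `enable_key_rotation = true`. Separately, `aws_iam_access_key.vault_user_key` mints a long-lived static credential whose secret is stored in plaintext in the `backend "local"` state file (`terraform.tfstate` in the working directory, since the `path` line is commented out) — `sensitive = true` on the `secret_access_key` output only masks CLI display, not state — so that state file must be handled as a secret, and the commented `cloudflare.tfstate` path looks like a copy-paste leftover worth removing. If the Vault nodes run on AWS, an instance profile or assumed role carrying the same three KMS actions would avoid issuing a static key at all; `kms:Encrypt`/`kms:Decrypt`/`kms:DescribeKey` scoped to `aws_kms_key.vault.arn` is otherwise the right minimal grant.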