aws kms

terraform/aws/kms/main.tf

@@ -0,0 +1,73 @@
+terraform {
+  required_version = ">= 1.8.7"
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      version = ">= 5.82.2"
+    }
+  }
+  backend "local" {
+    # path = pathexpand("~/Backups/tfstate/cloudflare.tfstate")
+  }
+}
+
+provider "aws" {
+    region = "us-east-1"
+}
+
+resource "aws_iam_user" "vault_user" {
+    name = "vault-unseal-user"
+}
+
+resource "aws_iam_access_key" "vault_user_key" {
+    user = aws_iam_user.vault_user.name
+}
+
+resource "aws_iam_user_policy" "vault_policy" {
+    name = "vault-unseal-policy"
+    user = aws_iam_user.vault_user.name
+    policy = jsonencode(
+        {
+            Version = "2012-10-17"
+            Statement = [
+                {
+                    Effect = "Allow"
+                    Action = [
+                        "kms:Decrypt",
+                        "kms:DescribeKey",
+                        "kms:Encrypt"
+                    ]
+                    Resource = aws_kms_key.vault.arn
+                }
+            ]
+        }
+    )
+}
+
+output "access_key_id" {
+    value = aws_iam_access_key.vault_user_key.id
+}
+
+output "secret_access_key" {
+    value = aws_iam_access_key.vault_user_key.secret
+    sensitive = true
+}
+
+output "kms_key_id" {
+    value = aws_kms_key.vault.key_id
+}
+
+resource "aws_kms_key" "vault" {
+    description                 = "Hashicorp Vault auto unseal key"
+    key_usage                   = "ENCRYPT_DECRYPT"
+    customer_master_key_spec    = "SYMMETRIC_DEFAULT"
+    deletion_window_in_days     = 30
+    is_enabled                  = true
+    multi_region                = false
+    enable_key_rotation         = false
+}
+
+resource "aws_kms_alias" "main" {
+    name          = "alias/hashicorp-vault-unseal"
+    target_key_id = aws_kms_key.vault.key_id
+}