generated from NHSDigital/repository-template
-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathkms.tf
More file actions
59 lines (59 loc) · 1.83 KB
/
kms.tf
File metadata and controls
59 lines (59 loc) · 1.83 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
# KMS CMK to encrypt/decrypt secrets
resource "aws_kms_key" "secrets_cmk" {
#checkov:skip=CKV_AWS_111: Root user needs full KMS key management
#checkov:skip=CKV_AWS_356: Root user needs full KMS key management
#checkov:skip=CKV_AWS_109: Root user needs full KMS key management
description = "CMK for Secrets Manager - ${var.project_name}-${var.environment}"
enable_key_rotation = true
deletion_window_in_days = 30
policy = jsonencode({
Version = "2012-10-17"
Statement = [
# Allow your account root full control
{
Sid = "AllowAccountAdminsFullAccess"
Effect = "Allow"
Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
Action = "kms:*"
Resource = "*"
},
# Allow Secrets Manager service to use the key
{
Sid = "AllowSecretsManagerServiceUse"
Effect = "Allow"
Principal = { Service = "secretsmanager.amazonaws.com" }
Action = [
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:DescribeKey"
]
Resource = "*"
},
# Allow external role to decrypt for reading the secret
{
Sid = "AllowExternalRoleDecrypt"
Effect = "Allow"
Principal = { AWS = var.external_write_access_role_arn }
Action = [
"kms:Decrypt",
"kms:DescribeKey"
]
Resource = "*"
},
# Allow Lambda role to decrypt for reading the secret
{
Sid = "AllowLambdaRoleDecrypt"
Effect = "Allow"
Principal = { AWS = var.eligibility_lambda_role_arn }
Action = [
"kms:Decrypt",
"kms:DescribeKey"
]
Resource = "*"
}
]
})
tags = var.tags
}