feat: add reusable KMS module with key rotation and CloudTrail support (#195)

* feat: add reusable KMS module with key rotation and CloudTrail support

* chore: update terraform lock files for all platforms

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Author: marekaf

README.md

@@ -234,6 +234,20 @@ terraform-docs  markdown . > README.md
 This is useful for some people and takes no effort on our side. We do this manually so far. Automating this and having this in pre-commit would be far better.
 I'm writing this here as a TODO.
 
+## Modules
+
+Reusable Terraform modules in `modules/`:
+
+| Module | Description |
+|--------|-------------|
+| `aws-bootstrap` | S3 backend + optional DynamoDB table for state management |
+| `certificate` | ACM certificate with DNS validation |
+| `cluster-autoscaler` | Kubernetes Cluster Autoscaler with IRSA |
+| `eks` | EKS cluster with managed/self-managed node groups |
+| `github-oidc` | GitHub Actions OIDC provider + IAM role |
+| `kms` | Shared KMS key with key rotation, CloudWatch Logs and CloudTrail encryption |
+| `wireguard-ec2` | WireGuard VPN on EC2 with Packer AMI |
+
 ## naming conventions
 Basically just [this](https://www.terraform-best-practices.com/naming)
 

examples/03-aws-github-actions-oidc/.terraform.lock.hcl

@@ -0,0 +1,59 @@
+locals {
+  kms_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "Allow everything in this AWS account to use this KMS key"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::${var.account_id}:root"
+        }
+        Action   = "kms:*"
+        Resource = "*"
+      },
+      {
+        Sid    = "Allow cloudwatch log group encryption"
+        Effect = "Allow"
+        Principal = {
+          Service = "logs.${var.region}.amazonaws.com"
+        }
+        Action = [
+          "kms:Encrypt*",
+          "kms:Decrypt*",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:Describe*"
+        ]
+        Resource = "*"
+      },
+      {
+        Sid    = "Allow cloudtrail encryption"
+        Effect = "Allow"
+        Principal = {
+          Service = "cloudtrail.amazonaws.com"
+        }
+        Action = [
+          "kms:Encrypt*",
+          "kms:Decrypt*",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:Describe*"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_kms_key" "main" {
+  #checkov:skip=CKV_AWS_109:The asterisk identifies the KMS key to which the key policy is attached
+  #checkov:skip=CKV_AWS_111:The asterisk identifies the KMS key to which the key policy is attached
+  #checkov:skip=CKV_AWS_356:The asterisk identifies the KMS key to which the key policy is attached
+  description             = "Shared KMS key"
+  deletion_window_in_days = var.deletion_window_in_days
+  key_usage               = "ENCRYPT_DECRYPT"
+  enable_key_rotation     = var.key_rotation_enabled
+  is_enabled              = true
+
+  policy = local.kms_policy
+}

examples/04-aws-wireguard-vpn/.terraform.lock.hcl

@@ -0,0 +1,14 @@
+output "kms_key" {
+  description = "KMS key resource"
+  value       = aws_kms_key.main
+}
+
+output "kms_key_arn" {
+  description = "KMS key ARN"
+  value       = aws_kms_key.main.arn
+}
+
+output "kms_key_id" {
+  description = "KMS key ID"
+  value       = aws_kms_key.main.key_id
+}

examples/05-aws-complete/.terraform.lock.hcl

@@ -0,0 +1,21 @@
+variable "account_id" {
+  description = "AWS account ID"
+  type        = string
+}
+
+variable "region" {
+  description = "AWS region name for the KMS key"
+  type        = string
+}
+
+variable "key_rotation_enabled" {
+  description = "Enable automatic key rotation"
+  type        = bool
+  default     = true
+}
+
+variable "deletion_window_in_days" {
+  description = "Duration in days after which the key is deleted after destruction"
+  type        = number
+  default     = 10
+}

examples/06-minimal-aws-terraform-bootstrap/bootstrap/.terraform.lock.hcl

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.0.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.57.0, < 6.0.0"
+    }
+  }
+}