Merge pull request #88 from zama-ai/fred/fix/fix-terraform-module

fegmorte · web-flow · commit a34cc3709339 · 2026-02-19T19:50:38.000+01:00
fix: Fix teraform modules
diff --git a/modules/mpc-backup-key/README.md b/modules/mpc-backup-key/README.md
@@ -32,7 +32,7 @@ No modules.
 | <a name="input_mpc_party_cross_account_iam_role_arn"></a> [mpc\_party\_cross\_account\_iam\_role\_arn](#input\_mpc\_party\_cross\_account\_iam\_role\_arn) | ARN of cross-account IAM role allowed for usage of KMS key | `string` | `null` | no |
 | <a name="input_mpc_party_kms_alias"></a> [mpc\_party\_kms\_alias](#input\_mpc\_party\_kms\_alias) | Alias for the KMS key | `string` | `null` | no |
 | <a name="input_mpc_party_kms_backup_description"></a> [mpc\_party\_kms\_backup\_description](#input\_mpc\_party\_kms\_backup\_description) | Description of KMS Key | `string` | `"Asymmetric KMS key backup for MPC Party"` | no |
-| <a name="input_mpc_party_kms_backup_vault_customer_master_key_spec"></a> [mpc\_party\_kms\_backup\_vault\_customer\_master\_key\_spec](#input\_mpc\_party\_kms\_backup\_vault\_customer\_master\_key\_spec) | Key spec for the backup vault | `string` | `"ASYMMETRIC_DEFAULT"` | no |
+| <a name="input_mpc_party_kms_backup_vault_customer_master_key_spec"></a> [mpc\_party\_kms\_backup\_vault\_customer\_master\_key\_spec](#input\_mpc\_party\_kms\_backup\_vault\_customer\_master\_key\_spec) | Key spec for the backup vault | `string` | `"RSA_4096"` | no |
 | <a name="input_mpc_party_kms_backup_vault_key_usage"></a> [mpc\_party\_kms\_backup\_vault\_key\_usage](#input\_mpc\_party\_kms\_backup\_vault\_key\_usage) | Key usage for the backup vault | `string` | `"ENCRYPT_DECRYPT"` | no |
 | <a name="input_mpc_party_kms_deletion_window_in_days"></a> [mpc\_party\_kms\_deletion\_window\_in\_days](#input\_mpc\_party\_kms\_deletion\_window\_in\_days) | Deletion window in days for KMS key | `number` | `30` | no |
 | <a name="input_mpc_party_kms_image_attestation_sha"></a> [mpc\_party\_kms\_image\_attestation\_sha](#input\_mpc\_party\_kms\_image\_attestation\_sha) | Attestation SHA for KMS image | `string` | `null` | no |
diff --git a/modules/mpc-backup-key/variables.tf b/modules/mpc-backup-key/variables.tf
@@ -54,5 +54,5 @@ variable "mpc_party_kms_backup_vault_key_usage" {
 variable "mpc_party_kms_backup_vault_customer_master_key_spec" {
   type        = string
   description = "Key spec for the backup vault"
-  default     = "ASYMMETRIC_DEFAULT"
+  default     = "RSA_4096"
 }
diff --git a/modules/mpc-party/README.md b/modules/mpc-party/README.md
@@ -328,10 +328,8 @@ The module can optionally create:
 | [aws_iam_policy.mpc_core_kms_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_kms_alias.mpc_connector_tx_sender](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_alias.mpc_party](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
-| [aws_kms_alias.mpc_party_backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_external_key.mpc_connector_tx_sender](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_external_key) | resource |
 | [aws_kms_key.mpc_party](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
-| [aws_kms_key.mpc_party_backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_s3_bucket.vault_private_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket.vault_public_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_cors_configuration.vault_public_bucket_cors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_cors_configuration) | resource |
@@ -376,10 +374,7 @@ The module can optionally create:
 | <a name="input_enable_rds"></a> [enable\_rds](#input\_enable\_rds) | Whether to create the RDS instance | `bool` | `true` | no |
 | <a name="input_k8s_namespace"></a> [k8s\_namespace](#input\_k8s\_namespace) | The Kubernetes namespace for MPC party resources | `string` | `"kms-decentralized"` | no |
 | <a name="input_k8s_service_account_name"></a> [k8s\_service\_account\_name](#input\_k8s\_service\_account\_name) | The name of the Kubernetes service account for MPC party | `string` | n/a | yes |
-| <a name="input_kms_backup_external_role_arn"></a> [kms\_backup\_external\_role\_arn](#input\_kms\_backup\_external\_role\_arn) | ARN of the backup vault for the KMS key | `string` | `null` | no |
 | <a name="input_kms_backup_vault_bucket_name"></a> [kms\_backup\_vault\_bucket\_name](#input\_kms\_backup\_vault\_bucket\_name) | Backup vault S3 bucket name | `string` | `null` | no |
-| <a name="input_kms_backup_vault_customer_master_key_spec"></a> [kms\_backup\_vault\_customer\_master\_key\_spec](#input\_kms\_backup\_vault\_customer\_master\_key\_spec) | Key spec for the backup vault | `string` | `"ASYMMETRIC_DEFAULT"` | no |
-| <a name="input_kms_backup_vault_key_usage"></a> [kms\_backup\_vault\_key\_usage](#input\_kms\_backup\_vault\_key\_usage) | Key usage for the backup vault | `string` | `"ENCRYPT_DECRYPT"` | no |
 | <a name="input_kms_backup_vault_kms_key_arn"></a> [kms\_backup\_vault\_kms\_key\_arn](#input\_kms\_backup\_vault\_kms\_key\_arn) | KMS key ARN for the backup vault | `string` | `null` | no |
 | <a name="input_kms_connector_enable_txsender_key"></a> [kms\_connector\_enable\_txsender\_key](#input\_kms\_connector\_enable\_txsender\_key) | Whether to enable the KMS key for the kms-connector txsender | `bool` | `false` | no |
 | <a name="input_kms_connector_txsender_key_spec"></a> [kms\_connector\_txsender\_key\_spec](#input\_kms\_connector\_txsender\_key\_spec) | Specification for the KMS-Connector txsender (e.g., ECC\_SECG\_P256K1 for Ethereum key signing) | `string` | `"ECC_SECG_P256K1"` | no |
diff --git a/modules/mpc-party/main.tf b/modules/mpc-party/main.tf
@@ -350,7 +350,6 @@ resource "kubernetes_service_account" "mpc_kms_connector_service_account" {
 # ***************************************
 locals {
   create_mpc_party_key              = var.kms_enabled_nitro_enclaves && !var.kms_use_cross_account_kms_key
-  create_mpc_party_key_backup       = var.kms_enabled_nitro_enclaves && var.kms_enable_backup_vault && !var.kms_use_cross_account_kms_key
   create_mpc_connector_txsender_key = var.kms_connector_enable_txsender_key && !var.kms_use_cross_account_kms_key
 
   kms_key_id = var.kms_enabled_nitro_enclaves ? (
@@ -434,87 +433,6 @@ resource "aws_kms_alias" "mpc_party" {
   target_key_id = aws_kms_key.mpc_party[0].key_id
 }
 
-# ***************************************
-#  ASYMMETRIC KMS Key Backup for MPC Party
-# ***************************************
-resource "aws_kms_key" "mpc_party_backup" {
-  count = local.create_mpc_party_key_backup ? 1 : 0
-
-  description              = "Asymmetric KMS key backup for MPC Party"
-  key_usage                = var.kms_backup_vault_key_usage
-  customer_master_key_spec = var.kms_backup_vault_customer_master_key_spec
-  enable_key_rotation      = false
-  deletion_window_in_days  = var.kms_deletion_window_in_days
-  tags                     = var.tags
-
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Effect = "Allow",
-        Principal = {
-          AWS = var.kms_backup_external_role_arn
-        },
-        Action = [
-          "kms:GetPublicKey",
-          "kms:DescribeKey",
-          "kms:GetKeyPolicy",
-        ],
-        Resource = "*"
-      },
-      {
-        Effect = "Allow",
-        Principal = {
-          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${module.iam_assumable_role_mpc_party.iam_role_name}"
-        },
-        Action = [
-          "kms:Decrypt",
-          "kms:GenerateDataKey",
-        ],
-        Resource = "*",
-        Condition = {
-          StringEqualsIgnoreCase = {
-            "kms:RecipientAttestation:ImageSha384" : var.kms_image_attestation_sha
-          }
-        }
-      },
-      {
-        Effect = "Allow",
-        Principal = {
-          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
-        },
-        Action = [
-          "kms:Create*",
-          "kms:Describe*",
-          "kms:Enable*",
-          "kms:List*",
-          "kms:Put*",
-          "kms:Update*",
-          "kms:Revoke*",
-          "kms:Disable*",
-          "kms:Get*",
-          "kms:Delete*",
-          "kms:TagResource",
-          "kms:UntagResource",
-          "kms:ScheduleKeyDeletion",
-          "kms:CancelKeyDeletion"
-        ],
-        Resource = "*"
-      }
-    ]
-  })
-}
-
-# ***************************************
-#  KMS Key Alias for MPC Party Backup
-# ***************************************
-resource "aws_kms_alias" "mpc_party_backup" {
-  count = local.create_mpc_party_key_backup ? 1 : 0
-
-  name          = "alias/mpc-${var.party_name}-backup"
-  target_key_id = aws_kms_key.mpc_party_backup[0].key_id
-}
-
 # ***************************************
 #  KMS-Connector Ethereum TxSender Key
 # ***************************************
diff --git a/modules/mpc-party/variables.tf b/modules/mpc-party/variables.tf
@@ -404,6 +404,9 @@ variable "kms_connector_txsender_key_spec" {
 
 #******************************************************
 # Backup Vault Configuration
+# We use :
+# - mpc-backup-key terraform module to create the kms backup key
+# - mpc-backup-vault terraform module to create the kms backup bucket
 #******************************************************
 variable "kms_enable_backup_vault" {
   type        = bool
@@ -422,28 +425,6 @@ variable "kms_backup_vault_kms_key_arn" {
   description = "KMS key ARN for the backup vault"
   default     = null
 }
-
-#******************************************************
-# We use :
-# - mpc-backup-key terraform module to create the kms backup key
-# - mpc-backup-vault terraform module to create the kms backup bucket
-#******************************************************
-variable "kms_backup_external_role_arn" {
-  type        = string
-  description = "ARN of the backup vault for the KMS key"
-  default     = null
-}
-variable "kms_backup_vault_key_usage" {
-  type        = string
-  description = "Key usage for the backup vault"
-  default     = "ENCRYPT_DECRYPT"
-}
-
-variable "kms_backup_vault_customer_master_key_spec" {
-  type        = string
-  description = "Key spec for the backup vault"
-  default     = "ASYMMETRIC_DEFAULT"
-}
 #******************************************************
 
 variable "nodegroup_enable_ssm_managed_instance" {

Original file line number	Diff line number	Diff line change
`@@ -54,5 +54,5 @@ variable "mpc_party_kms_backup_vault_key_usage" {`
`54`	`54`	`variable "mpc_party_kms_backup_vault_customer_master_key_spec" {`
`55`	`55`	`type = string`
`56`	`56`	`description = "Key spec for the backup vault"`
`57`		`- default = "ASYMMETRIC_DEFAULT"`
	`57`	`+ default = "RSA_4096"`
`58`	`58`	`}`