Add primary kms key (#31)

* add primary kms key
bryborge · Dec 7, 2023 · 4da541c · 4da541c
1 parent c3a1c98
commit 4da541c
Show file tree

Hide file tree

Showing 11 changed files with 228 additions and 0 deletions.
diff --git a/aws/environments/production/_bootstrap/README.md b/aws/environments/production/_bootstrap/README.md
@@ -0,0 +1,12 @@
+# Bootstrap
+
+This service contains the Terraform for establishing a standard AWS account baseline. Every new AWS account should run
+this service once.
+
+## Deployment
+
+The services should be deployed in this order:
+
+1.  `default-vpc`
+2.  `primary-kms-key`
+3.  `circleci`
diff --git a/aws/environments/production/_bootstrap/primary-kms-key/.terraform.lock.hcl b/aws/environments/production/_bootstrap/primary-kms-key/.terraform.lock.hcl
diff --git a/aws/environments/production/_bootstrap/primary-kms-key/README.md b/aws/environments/production/_bootstrap/primary-kms-key/README.md
@@ -0,0 +1,52 @@
+# Primary (`default`) KMS Key
+
+Creates the primary KMS key with the default policy.
+
+## Prerequisites
+
+*   [Secret OPerationS (sops)](https://github.com/getsops/sops) - An editor of encrypted files that supports YAML, JSON,
+    ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP.
+
+## SOPS Example Usage
+
+```sh
+KMS_ARN="arn:aws:kms:us-west-2:$(aws sts get-caller-identity --query 'Account' --output text):alias/primary"
+sops --kms $(echo $KMS_ARN) <FILE_TO_EDIT>
+```
+
+## Deployment
+
+```bash
+terragrunt init
+terragrunt apply
+```
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_kms"></a> [kms](#module\_kms) | ../../../../modules/kms | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | The AWS region this is hosted in. | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->
diff --git a/aws/environments/production/_bootstrap/primary-kms-key/main.tf b/aws/environments/production/_bootstrap/primary-kms-key/main.tf
@@ -0,0 +1,10 @@
+provider "aws" {
+  region = var.aws_region
+}
+
+module "kms" {
+  source = "../../../../modules/kms"
+
+  alias       = "primary"
+  description = "The primary KMS key with the default KMS policy."
+}
diff --git a/aws/environments/production/_bootstrap/primary-kms-key/terragrunt.hcl b/aws/environments/production/_bootstrap/primary-kms-key/terragrunt.hcl
@@ -0,0 +1,3 @@
+include {
+  path = find_in_parent_folders()
+}
diff --git a/aws/environments/production/_bootstrap/primary-kms-key/variables.tf b/aws/environments/production/_bootstrap/primary-kms-key/variables.tf
@@ -0,0 +1,4 @@
+variable "aws_region" {
+  type        = string
+  description = "The AWS region this is hosted in."
+}
diff --git a/aws/modules/kms/README.md b/aws/modules/kms/README.md
@@ -0,0 +1,54 @@
+# Key Management Service
+
+Creates a basic kms encryption key.
+
+## Deployment
+
+```bash
+terragrunt init
+terragrunt apply
+```
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | <= 1.5.5 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_kms_alias.primary](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.primary](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_alias"></a> [alias](#input\_alias) | The name of the KMS key alias. | `string` | n/a | yes |
+| <a name="input_auto_rotate"></a> [auto\_rotate](#input\_auto\_rotate) | Whether to enable automatic KMS key rotation. Defaults to true. | `bool` | `true` | no |
+| <a name="input_deletion_window_in_days"></a> [deletion\_window\_in\_days](#input\_deletion\_window\_in\_days) | Duration (in days) to wait before deleting a key that is scheduled for deletion. Defaults to 10 days. | `number` | `10` | no |
+| <a name="input_description"></a> [description](#input\_description) | The KMS key description. | `string` | `""` | no |
+| <a name="input_policy"></a> [policy](#input\_policy) | A valid policy JSON document to attach to the key. | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_alias"></a> [alias](#output\_alias) | n/a |
+| <a name="output_arn"></a> [arn](#output\_arn) | n/a |
+| <a name="output_key_id"></a> [key\_id](#output\_key\_id) | n/a |
+<!-- END_TF_DOCS -->
diff --git a/aws/modules/kms/main.tf b/aws/modules/kms/main.tf
@@ -0,0 +1,12 @@
+resource "aws_kms_key" "main" {
+  description             = var.description
+  enable_key_rotation     = var.auto_rotate
+  deletion_window_in_days = var.deletion_window_in_days
+
+  policy = var.policy
+}
+
+resource "aws_kms_alias" "main" {
+  name          = "alias/${var.alias}"
+  target_key_id = aws_kms_key.main.id
+}
diff --git a/aws/modules/kms/outputs.tf b/aws/modules/kms/outputs.tf
@@ -0,0 +1,11 @@
+output "arn" {
+  value = aws_kms_key.main.arn
+}
+
+output "key_id" {
+  value = aws_kms_key.main.arn
+}
+
+output "alias" {
+  value = aws_kms_alias.main.name
+}
diff --git a/aws/modules/kms/providers.tf b/aws/modules/kms/providers.tf
@@ -0,0 +1,11 @@
+terraform {
+  required_version = "<= 1.5.5"
+
+  required_providers {
+    # Docs: https://registry.terraform.io/providers/hashicorp/aws/latest/docs
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.0"
+    }
+  }
+}
diff --git a/aws/modules/kms/variables.tf b/aws/modules/kms/variables.tf
@@ -0,0 +1,34 @@
+variable "alias" {
+  type        = string
+  description = "The name of the KMS key alias."
+}
+
+variable "description" {
+  type        = string
+  default     = ""
+  description = "The KMS key description."
+}
+
+variable "auto_rotate" {
+  type        = bool
+  default     = true
+  description = "Whether to enable automatic KMS key rotation. Defaults to true."
+}
+
+variable "deletion_window_in_days" {
+  type        = number
+  default     = 10
+  description = "Duration (in days) to wait before deleting a key that is scheduled for deletion. Defaults to 10 days."
+}
+
+// Note:
+//   All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy
+//   that gives all principals in the owning account unlimited access to all KMS operations for the key. This default
+//   key policy effectively delegates all access control to IAM policies and KMS grants.
+//    - Link: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#argument-reference
+//    - Link: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
+variable "policy" {
+  type        = string
+  default     = null
+  description = "A valid policy JSON document to attach to the key."
+}