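# Access key ID for the AWS provider; pairs with var.aws_secret. An access key
# ID is an identifier rather than a secret, so it is not marked sensitive.
# NOTE(review): prefer feeding credentials via the provider's ambient chain
# (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY env vars, a shared profile, or an
# assumed role) rather than tfvars, so they never need to be written to disk
# next to the configuration.
variable "aws_key" {
  type        = string
  description = "AWS access key ID used by the aws provider (pairs with aws_secret)."
}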
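# Secret access key for the AWS provider.
variable "aws_secret" {
  type        = string
  description = "AWS secret access key used by the aws provider."
  # Redact the value from `terraform plan`/`apply` output and from any
  # expression derived from it. Requires Terraform >= 0.14. This only affects
  # CLI rendering: saved plan files and state are not protected by it, so the
  # backend and any -out plan files must themselves be treated as secret.
  sensitive = true
}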
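# Optional STS session token for temporary credentials. The empty default
# keeps long-lived access keys working without a token.
variable "aws_session_token" {
  type        = string
  default     = ""
  description = "Optional STS session token; leave empty when using long-lived access keys."
  # A session token is a bearer credential like the secret key: keep it out of
  # plan/apply output. Requires Terraform >= 0.14; does not protect plan files
  # or state on its own.
  sensitive = true
}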
# Common tag set for this file. Only a Name tag is defined, derived from the
# service name so the key can be found by service in the console/CLI.
locals {
  tags = { Name = var.service_name }
}
# AWS provider configured from explicit static credentials passed in as
# variables (access key, secret, optional session token).
# NOTE(review): static credentials in provider config are the weakest option.
# If the operating environment allows it, drop access_key/secret_key/token and
# let the provider pick up credentials from the environment, a shared profile,
# or an assume_role block, so they never have to be supplied as variables.
provider "aws" {
  region     = var.region
  access_key = var.aws_key
  secret_key = var.aws_secret
  token      = var.aws_session_token
}
# Identity that terraform is running as. Supplies the account ID for the key
# policy's account-root statement and the caller ARN for its admin statement.
data "aws_caller_identity" "current" {
}
# Key policy attached to aws_kms_key.enc. In a KMS key policy
# `resources = ["*"]` means "the key this policy is attached to", so every
# statement below is scoped to that single key, not to all keys in the account.
data "aws_iam_policy_document" "policy" {

  # Account principal (the ":root" ARN). This is the standard statement that
  # keeps the key manageable: it lets IAM policies within the account grant KMS
  # permissions and prevents a key that nobody can administer.
  # NOTE(review): in a key policy this principal means "the account" — any IAM
  # identity in it that also holds matching IAM permissions — not only the
  # literal root user.
  statement {
    sid       = "AllowRoot"
    actions   = ["kms:*"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # Principal that runs terraform, granted key administration.
  # NOTE(review): when terraform runs on STS credentials (var.aws_session_token
  # is provided, so that is plausible), current.arn is an assumed-role *session*
  # ARN (arn:aws:sts::...:assumed-role/Role/Session). Used as a principal it
  # matches only that session name, so later runs under a different session
  # rely on AllowRoot plus their IAM policy instead. Pin the role ARN if durable
  # admin access via the key policy is intended. Also: DescribeKey, ListGrants
  # and RevokeGrant are already covered by Describe*/List*/Revoke*, and
  # Encrypt/Decrypt/ReEncrypt* give the operator data-plane access that is not
  # needed to manage the key — consider removing them for least privilege.
  statement {
    sid = "AllowAdmins"
    actions = [
      "kms:Create*",
      "kms:Describe*",
      "kms:Enable*",
      "kms:List*",
      "kms:Put*",
      "kms:Update*",
      "kms:Revoke*",
      "kms:Disable*",
      "kms:Get*",
      "kms:Delete*",
      "kms:TagResource",
      "kms:UntagResource",
      "kms:ScheduleKeyDeletion",
      "kms:CancelKeyDeletion",
      "kms:RotateKeyOnDemand",
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:DescribeKey",
      "kms:CreateGrant",
      "kms:ListGrants",
      "kms:RevokeGrant",
    ]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = [data.aws_caller_identity.current.arn]
    }
  }

  # ClickHouse's transparent-data-encryption role, taken from the service
  # resource (presumably a principal in ClickHouse's own account — a cross-account
  # grant). Data-plane only: it can use the key but cannot alter the policy,
  # disable the key or schedule deletion.
  # NOTE(review): there is no condition block on this cross-account grant. If
  # ClickHouse documents an encryption context or kms:ViaService for TDE, add a
  # condition to narrow it — confirm against the ClickHouse provider docs.
  statement {
    sid = "AllowClickHouse"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:DescribeKey",
    ]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = [clickhouse_service.service.transparent_data_encryption.role_id]
    }
  }
}
# Customer-managed symmetric KMS key backing ClickHouse transparent data
# encryption for this service; access is governed by the policy document above.
resource "aws_kms_key" "enc" {
  description = var.service_name
  tags        = local.tags
  policy      = data.aws_iam_policy_document.policy.json

  # Single-region symmetric key for encrypt/decrypt, enabled on creation.
  key_usage                = "ENCRYPT_DECRYPT"
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  multi_region             = false
  is_enabled               = true

  # NOTE(review): automatic annual rotation is disabled. KMS rotation is
  # transparent to callers (previous key material is kept for decryption), and
  # CIS AWS Foundations expects it on customer-managed symmetric keys. Enabling
  # it should not affect ClickHouse's Encrypt/Decrypt usage — confirm before
  # changing.
  enable_key_rotation = false

  # NOTE(review): 7 days is the minimum deletion window. Once the key is
  # deleted every TDE-encrypted byte protected by it is unrecoverable, so a
  # longer window (up to 30 days) is the safer choice for a key guarding data
  # at rest.
  deletion_window_in_days = 7
}