Merge pull request #71 from zama-ai/darwin/feat/cross-account-kms-key

deasydoesit · web-flow · commit 4dd98e9ee0ff · 2025-10-29T15:13:31.000-04:00
feat(mpc-party): add support for usage of cross-account aws kms key
diff --git a/modules/mpc-party/README.md b/modules/mpc-party/README.md
@@ -365,12 +365,14 @@ The module can optionally create:
 | <a name="input_kms_backup_external_role_arn"></a> [kms\_backup\_external\_role\_arn](#input\_kms\_backup\_external\_role\_arn) | ARN of the backup vault for the KMS key | `string` | `null` | no |
 | <a name="input_kms_backup_vault_customer_master_key_spec"></a> [kms\_backup\_vault\_customer\_master\_key\_spec](#input\_kms\_backup\_vault\_customer\_master\_key\_spec) | Key spec for the backup vault | `string` | `"ASYMMETRIC_DEFAULT"` | no |
 | <a name="input_kms_backup_vault_key_usage"></a> [kms\_backup\_vault\_key\_usage](#input\_kms\_backup\_vault\_key\_usage) | Key usage for the backup vault | `string` | `"ENCRYPT_DECRYPT"` | no |
+| <a name="input_kms_cross_account_kms_key_id"></a> [kms\_cross\_account\_kms\_key\_id](#input\_kms\_cross\_account\_kms\_key\_id) | KMS key ID of KMS key created in a different AWS account | `string` | `""` | no |
 | <a name="input_kms_customer_master_key_spec"></a> [kms\_customer\_master\_key\_spec](#input\_kms\_customer\_master\_key\_spec) | Specification for the KMS customer master key (e.g., SYMMETRIC\_DEFAULT, RSA\_2048) | `string` | `"SYMMETRIC_DEFAULT"` | no |
 | <a name="input_kms_deletion_window_in_days"></a> [kms\_deletion\_window\_in\_days](#input\_kms\_deletion\_window\_in\_days) | Deletion window in days for KMS key | `number` | `30` | no |
 | <a name="input_kms_enable_backup_vault"></a> [kms\_enable\_backup\_vault](#input\_kms\_enable\_backup\_vault) | Whether to enable the backup vault for the KMS key | `bool` | `false` | no |
 | <a name="input_kms_enabled_nitro_enclaves"></a> [kms\_enabled\_nitro\_enclaves](#input\_kms\_enabled\_nitro\_enclaves) | Whether to enable KMS for Nitro Enclaves | `bool` | n/a | yes |
 | <a name="input_kms_image_attestation_sha"></a> [kms\_image\_attestation\_sha](#input\_kms\_image\_attestation\_sha) | Attestation SHA for KMS image | `string` | n/a | yes |
 | <a name="input_kms_key_usage"></a> [kms\_key\_usage](#input\_kms\_key\_usage) | Key usage for KMS | `string` | `"ENCRYPT_DECRYPT"` | no |
+| <a name="input_kms_use_cross_account_kms_key"></a> [kms\_use\_cross\_account\_kms\_key](#input\_kms\_use\_cross\_account\_kms\_key) | Whether a KMS key has been created in a different AWS account | `bool` | `false` | no |
 | <a name="input_namespace_annotations"></a> [namespace\_annotations](#input\_namespace\_annotations) | Additional annotations to apply to the namespace | `map(string)` | `{}` | no |
 | <a name="input_namespace_labels"></a> [namespace\_labels](#input\_namespace\_labels) | Additional labels to apply to the namespace | `map(string)` | `{}` | no |
 | <a name="input_network_environment"></a> [network\_environment](#input\_network\_environment) | MPC network environment that determines region constraints | `string` | `"testnet"` | no |
diff --git a/modules/mpc-party/main.tf b/modules/mpc-party/main.tf
@@ -3,7 +3,6 @@
 # ***************************************
 data "aws_caller_identity" "current" {}
 
-
 data "aws_eks_cluster" "cluster" {
   name = var.cluster_name
   lifecycle {
@@ -226,6 +225,7 @@ module "iam_assumable_role_mpc_party" {
 
 resource "kubernetes_service_account" "mpc_party_service_account" {
   count = var.create_service_account ? 1 : 0
+
   metadata {
     name      = var.k8s_service_account_name
     namespace = var.k8s_namespace
@@ -248,16 +248,23 @@ resource "kubernetes_service_account" "mpc_party_service_account" {
 }
 
 # ***************************************
-#  aws kms key for mpc party
+#  AWS KMS Key for MPC Party
 # ***************************************
+locals {
+  create_mpc_party_key        = var.kms_enabled_nitro_enclaves && !var.kms_use_cross_account_kms_key
+  create_mpc_party_key_backup = var.kms_enabled_nitro_enclaves && var.kms_enable_backup_vault && !var.kms_use_cross_account_kms_key
+}
+
 resource "aws_kms_key" "mpc_party" {
-  count                    = var.kms_enabled_nitro_enclaves ? 1 : 0
+  count = local.create_mpc_party_key ? 1 : 0
+
   description              = "KMS key for MPC Party"
   key_usage                = var.kms_key_usage
   customer_master_key_spec = var.kms_customer_master_key_spec
   enable_key_rotation      = false
   deletion_window_in_days  = var.kms_deletion_window_in_days
   tags                     = var.tags
+
   policy = jsonencode({
     Version = "2012-10-17"
     Statement = [
@@ -315,7 +322,8 @@ resource "aws_kms_key" "mpc_party" {
 }
 
 resource "aws_kms_alias" "mpc_party" {
-  count         = var.kms_enabled_nitro_enclaves ? 1 : 0
+  count = local.create_mpc_party_key ? 1 : 0
+
   name          = "alias/mpc-${var.party_name}"
   target_key_id = aws_kms_key.mpc_party[0].key_id
 }
@@ -324,12 +332,15 @@ resource "aws_kms_alias" "mpc_party" {
 #  ASYMMETRIC KMS Key Backup for MPC Party
 # ***************************************
 resource "aws_kms_key" "mpc_party_backup" {
-  count                    = var.kms_enabled_nitro_enclaves && var.kms_enable_backup_vault ? 1 : 0
+  count = local.create_mpc_party_key_backup ? 1 : 0
+
   description              = "Asymmetric KMS key backup for MPC Party"
   key_usage                = var.kms_backup_vault_key_usage
   customer_master_key_spec = var.kms_backup_vault_customer_master_key_spec
   enable_key_rotation      = false
   deletion_window_in_days  = var.kms_deletion_window_in_days
+  tags                     = var.tags
+
   policy = jsonencode({
     Version = "2012-10-17"
     Statement = [
@@ -382,24 +393,29 @@ resource "aws_kms_key" "mpc_party_backup" {
         ],
         Resource = "*"
       }
-
     ]
   })
-  tags = var.tags
 }
 
 # ***************************************
 #  KMS Key Alias for MPC Party Backup
 # ***************************************
 resource "aws_kms_alias" "mpc_party_backup" {
-  count         = var.kms_enabled_nitro_enclaves && var.kms_enable_backup_vault ? 1 : 0
+  count = local.create_mpc_party_key_backup ? 1 : 0
+
   name          = "alias/mpc-${var.party_name}-backup"
   target_key_id = aws_kms_key.mpc_party_backup[0].key_id
 }
 
 # ***************************************
 #  ConfigMap for MPC Party
 # ***************************************
+locals {
+  kms_key_id = var.kms_enabled_nitro_enclaves ? (
+    var.kms_use_cross_account_kms_key ? var.kms_cross_account_kms_key_id : aws_kms_key.mpc_party[0].key_id
+  ) : null
+}
+
 resource "kubernetes_config_map" "mpc_party_config" {
   count = var.create_config_map ? 1 : 0
 
@@ -428,7 +444,7 @@ resource "kubernetes_config_map" "mpc_party_config" {
     "KMS_CORE__PRIVATE_VAULT__STORAGE__S3__PREFIX"              = ""
     "KMS_CORE__PUBLIC_VAULT__STORAGE__S3__BUCKET"               = aws_s3_bucket.vault_public_bucket.id
     "KMS_CORE__PUBLIC_VAULT__STORAGE__S3__PREFIX"               = ""
-    "KMS_CORE__PRIVATE_VAULT__KEYCHAIN__AWS_KMS__ROOT_KEY_ID"   = var.kms_enabled_nitro_enclaves ? aws_kms_key.mpc_party[0].key_id : null
+    "KMS_CORE__PRIVATE_VAULT__KEYCHAIN__AWS_KMS__ROOT_KEY_ID"   = local.kms_key_id
     "KMS_CORE__PRIVATE_VAULT__KEYCHAIN__AWS_KMS__ROOT_KEY_SPEC" = var.kms_enabled_nitro_enclaves ? "symm" : null
   }
 
@@ -439,18 +455,19 @@ resource "kubernetes_config_map" "mpc_party_config" {
 #  EKS Managed Node Group
 # ***************************************
 data "aws_ec2_instance_type" "this" {
+  count = var.nodegroup_enable_nitro_enclaves ? 1 : 0
+
   instance_type = var.nodegroup_instance_types[0]
-  count         = var.nodegroup_enable_nitro_enclaves ? 1 : 0
 }
 
 locals {
   cluster_security_group_id = var.nodegroup_auto_assign_security_group ? try(tolist(data.aws_eks_cluster.cluster.vpc_config[0].security_group_ids)[0], null) : null
 }
 
-
 # Get all rule IDs on the cluster SG (ingress and egress)
 data "aws_vpc_security_group_rules" "cluster_rules" {
   count = var.nodegroup_auto_assign_security_group && local.cluster_security_group_id != null ? 1 : 0
+
   filter {
     name   = "group-id"
     values = [local.cluster_security_group_id]
@@ -459,7 +476,8 @@ data "aws_vpc_security_group_rules" "cluster_rules" {
 
 # Read each rule to find which ones reference another SG
 data "aws_vpc_security_group_rule" "cluster_sg_rules_by_id" {
-  for_each               = toset(try(data.aws_vpc_security_group_rules.cluster_rules[0].ids, []))
+  for_each = toset(try(data.aws_vpc_security_group_rules.cluster_rules[0].ids, []))
+
   security_group_rule_id = each.value
 }
 
@@ -475,14 +493,16 @@ locals {
 
 data "aws_vpc_security_group_rules" "node_group_sg_rules" {
   count = var.nodegroup_auto_assign_security_group && local.auto_resolved_node_sg != null ? 1 : 0
+
   filter {
     name   = "group-id"
     values = [local.auto_resolved_node_sg]
   }
 }
 
 data "aws_vpc_security_group_rule" "node_group_sg_rules_by_id" {
-  for_each               = toset(try(data.aws_vpc_security_group_rules.node_group_sg_rules[0].ids, []))
+  for_each = toset(try(data.aws_vpc_security_group_rules.node_group_sg_rules[0].ids, []))
+
   security_group_rule_id = each.value
 }
 
@@ -496,6 +516,7 @@ locals {
 
 resource "null_resource" "validate_auto_resolved_node_sg" {
   count = var.nodegroup_auto_assign_security_group ? 1 : 0
+
   lifecycle {
     precondition {
       # Ensure the auto resolved node group SG is valid
@@ -528,7 +549,8 @@ locals {
 }
 
 module "eks_managed_node_group" {
-  count   = var.create_nodegroup ? 1 : 0
+  count = var.create_nodegroup ? 1 : 0
+
   source  = "terraform-aws-modules/eks/aws//modules/eks-managed-node-group"
   version = "21.0.6"
 
@@ -764,7 +786,8 @@ locals {
 }
 
 module "rds_instance" {
-  count   = var.enable_rds ? 1 : 0
+  count = var.enable_rds ? 1 : 0
+
   source  = "terraform-aws-modules/rds/aws"
   version = "~> 6.10"
 
@@ -808,7 +831,8 @@ module "rds_instance" {
 }
 
 module "rds_security_group" {
-  count   = var.enable_rds ? 1 : 0
+  count = var.enable_rds ? 1 : 0
+
   source  = "terraform-aws-modules/security-group/aws"
   version = "~> 5.3.0"
 
diff --git a/modules/mpc-party/variables.tf b/modules/mpc-party/variables.tf
@@ -8,16 +8,12 @@ variable "network_environment" {
   }
 }
 
-
-
-
 variable "bucket_prefix" {
   type        = string
   description = "The prefix for the S3 bucket names"
   default     = "mpc-vault"
 }
 
-
 # MPC Party Configuration
 variable "party_id" {
   description = "Party ID for the MPC service"
@@ -109,7 +105,6 @@ variable "config_map_name" {
   default     = "mpc-party"
 }
 
-
 # Deprecated Tagging
 variable "common_tags" {
   type        = map(string)
@@ -130,7 +125,9 @@ variable "tags" {
   }
 }
 
+# ******************************************************
 # EKS Node Group Core Configuration
+# ******************************************************
 variable "create_nodegroup" {
   type        = bool
   description = "Whether to create an EKS managed node group"
@@ -142,14 +139,12 @@ variable "nodegroup_name" {
   description = "Name of the EKS managed node group"
 }
 
-
 variable "nodegroup_use_latest_ami_release_version" {
   type        = bool
   description = "Whether to use the latest AMI release version"
   default     = false
 }
 
-
 variable "nodegroup_ami_release_version" {
   type        = string
   description = "AMI release version for the node group"
@@ -210,7 +205,6 @@ variable "nodegroup_disk_size" {
   default     = 20
 }
 
-
 # Remote Access Configuration
 variable "nodegroup_enable_remote_access" {
   type        = bool
@@ -230,7 +224,6 @@ variable "nodegroup_source_security_group_ids" {
   default     = []
 }
 
-
 variable "nodegroup_additional_security_group_ids" {
   type        = list(string)
   description = "List of additional security group IDs to associate with the node group"
@@ -322,13 +315,31 @@ variable "nodegroup_update_config" {
   }
 }
 
-
-# kms configuration
+# ******************************************************
+# KMS Configuration
+# ******************************************************
 variable "kms_enabled_nitro_enclaves" {
   type        = bool
   description = "Whether to enable KMS for Nitro Enclaves"
 }
 
+variable "kms_use_cross_account_kms_key" {
+  type        = bool
+  description = "Whether a KMS key has been created in a different AWS account"
+  default     = false
+}
+
+variable "kms_cross_account_kms_key_id" {
+  type        = string
+  description = "KMS key ID of KMS key created in a different AWS account"
+  default     = ""
+
+  validation {
+    condition     = !var.kms_use_cross_account_kms_key || (var.kms_use_cross_account_kms_key && var.kms_cross_account_kms_key_id != "")
+    error_message = "kms_cross_account_kms_key_id must be provided when kms_use_cross_account_kms_key is true."
+  }
+}
+
 variable "kms_key_usage" {
   type        = string
   description = "Key usage for KMS"
@@ -364,8 +375,6 @@ variable "kms_backup_external_role_arn" {
   default     = null
 }
 
-
-
 variable "kms_backup_vault_key_usage" {
   type        = string
   description = "Key usage for the backup vault"
@@ -378,16 +387,14 @@ variable "kms_backup_vault_customer_master_key_spec" {
   default     = "ASYMMETRIC_DEFAULT"
 }
 
-
 variable "nodegroup_enable_ssm_managed_instance" {
   type        = bool
   description = "Whether to enable SSM managed instance"
   default     = false
 }
 
-
 # ******************************************************
-# variables for the RDS instance
+# RDS instance
 # ******************************************************
 variable "enable_rds" {
   type        = bool
@@ -514,7 +521,6 @@ variable "rds_parameters" {
   }]
 }
 
-
 variable "rds_create_externalname_service" {
   description = "Whether to create a Kubernetes ExternalName service for RDS database access"
   type        = bool
