feat(mpc-party): add kms-connector awskms key and service account

piizama · piizama · commit 76fe63ea6f74 · 2025-10-31T11:44:20.000+01:00
diff --git a/modules/mpc-party/main.tf b/modules/mpc-party/main.tf
@@ -247,12 +247,51 @@ resource "kubernetes_service_account" "mpc_party_service_account" {
   depends_on = [kubernetes_namespace.mpc_party_namespace, module.iam_assumable_role_mpc_party]
 }
 
+module "iam_assumable_role_kms_connector" {
+  count = local.create_mpc_connector_txsender_key ? 1 : 0
+
+  source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+  version                       = "5.48.0"
+  provider_url                  = data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer
+  create_role                   = true
+  role_name                     = "mpc-${var.cluster_name}-${var.party_name}-connector"
+  oidc_fully_qualified_subjects = ["system:serviceaccount:${var.k8s_namespace}:${var.k8s_service_account_name}-connector"]
+  role_policy_arns              = []
+  depends_on                    = [kubernetes_namespace.mpc_party_namespace]
+}
+
+resource "kubernetes_service_account" "mpc_kms_connector_service_account" {
+  count = var.create_service_account ? 1 : 0
+
+  metadata {
+    name      = "${var.k8s_service_account_name}-connector"
+    namespace = var.k8s_namespace
+
+    labels = merge({
+      "app.kubernetes.io/name"       = "mpc-connector"
+      "app.kubernetes.io/component"  = "service-account"
+      "app.kubernetes.io/part-of"    = "mpc-cluster"
+      "app.kubernetes.io/managed-by" = "terraform"
+      "mpc.io/party-name"            = var.party_name
+    }, var.service_account_labels)
+
+    annotations = merge({
+      "terraform.io/module"        = "mpc-party"
+      "mpc.io/party-name"          = var.party_name
+      "eks.amazonaws.com/role-arn" = module.iam_assumable_role_kms_connector.iam_role_arn
+    }, var.service_account_annotations)
+  }
+  depends_on = [kubernetes_namespace.mpc_party_namespace, module.iam_assumable_role_kms_connector]
+}
+
+
 # ***************************************
 #  AWS KMS Key for MPC Party
 # ***************************************
 locals {
   create_mpc_party_key        = var.kms_enabled_nitro_enclaves && !var.kms_use_cross_account_kms_key
   create_mpc_party_key_backup = var.kms_enabled_nitro_enclaves && var.kms_enable_backup_vault && !var.kms_use_cross_account_kms_key
+  create_mpc_connector_txsender_key = var.kms_enable_kms_connector_txsender && !var.kms_use_cross_account_kms_key
 }
 
 resource "aws_kms_key" "mpc_party" {
@@ -407,6 +446,72 @@ resource "aws_kms_alias" "mpc_party_backup" {
   target_key_id = aws_kms_key.mpc_party_backup[0].key_id
 }
 
+# ***************************************
+#  KMS-Connector Ethereum TxSender Key
+# ***************************************
+resource "aws_kms_key" "mpc_connector_tx_sender" {
+  count = local.create_mpc_connector_txsender_key ? 1 : 0
+
+  description              = "KMS Connector tx sender key for MPC Party"
+  key_usage                = var.kms_connector_txsender_key_usage
+  customer_master_key_spec = var.kms_connector_txsender_master_key_spec
+  enable_key_rotation      = false
+  deletion_window_in_days  = var.kms_deletion_window_in_days
+  tags                     = var.tags
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow",
+        Principal = {
+          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${module.iam_assumable_role_kms_connector.iam_role_name}"
+        },
+        Action = [
+          "kms:DescribeKey",
+          "kms:GetPublicKey",
+          "kms:Sign",
+          "kms:Verify"
+        ],
+        Resource = "*",
+      },
+      {
+        Effect = "Allow",
+        Principal = {
+          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+        },
+        Action = [
+          "kms:Create*",
+          "kms:Describe*",
+          "kms:Enable*",
+          "kms:List*",
+          "kms:Put*",
+          "kms:Update*",
+          "kms:Revoke*",
+          "kms:Disable*",
+          "kms:Get*",
+          "kms:Delete*",
+          "kms:TagResource",
+          "kms:UntagResource",
+          "kms:ScheduleKeyDeletion",
+          "kms:CancelKeyDeletion"
+        ],
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+# ***************************************
+#  KMS Key Alias for KMS-Connector Ethereum TxSender Key
+# ***************************************
+resource "aws_kms_alias" "mpc_connector_tx_sender" {
+  count = local.create_mpc_connector_txsender_key ? 1 : 0
+
+  name          = "alias/mpc-${var.party_name}-connector-txsender"
+  target_key_id = aws_kms_key.mpc_connector_tx_sender[0].key_id
+}
+
 # ***************************************
 #  ConfigMap for MPC Party
 # ***************************************
diff --git a/modules/mpc-party/variables.tf b/modules/mpc-party/variables.tf
@@ -363,6 +363,25 @@ variable "kms_deletion_window_in_days" {
   default     = 30
 }
 
+variable "kms_enable_kms_connector_txsender" {
+  type        = bool
+  description = "Whether to enable the KMS key for the kms-connector txsender"
+  default     = false
+}
+
+
+variable "kms_connector_txsender_key_usage" {
+  type        = string
+  description = "Key usage for KMS-Connector txsender"
+  default     = "SIGN_VERIFY"
+}
+
+variable "kms_connector_txsender_master_key_spec" {
+  description = "Specification for the KMS-Connector txsender (e.g., ECC_SECG_P256K1 for Ethereum key signing)"
+  type        = string
+  default     = "ECC_SECG_P256K1"
+}
+
 variable "kms_enable_backup_vault" {
   type        = bool
   description = "Whether to enable the backup vault for the KMS key"
