CCM-6250: init modules

Author: sidnhs

infrastructure/modules/kms/data_iam_kms_admin_policy.tf

@@ -0,0 +1,31 @@
+#tfsec:ignore:aws-iam-no-policy-wildcards
+data "aws_iam_policy_document" "admin" {
+  policy_id = "${local.csi}-admin"
+
+  statement {
+    sid    = "AllowKeyAdmin"
+    effect = "Allow"
+
+    actions = [
+      "kms:Create*",
+      "kms:Describe*",
+      "kms:Enable*",
+      "kms:List*",
+      "kms:Put*",
+      "kms:Update*",
+      "kms:Revoke*",
+      "kms:Disable*",
+      "kms:Get*",
+      "kms:Delete*",
+      "kms:TagResource",
+      "kms:UntagResource",
+      "kms:ScheduleKeyDeletion",
+      "kms:CancelKeyDeletion",
+    ]
+
+    resources = [
+      aws_kms_key.main.arn,
+      aws_kms_alias.main.arn,
+    ]
+  }
+}

infrastructure/modules/kms/data_iam_kms_user_policy.tf

@@ -0,0 +1,43 @@
+#tfsec:ignore:aws-iam-no-policy-wildcards
+data "aws_iam_policy_document" "user" {
+  policy_id = "${local.csi}-user"
+
+  statement {
+    sid    = "AllowUseOfTheKmskey"
+    effect = "Allow"
+
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey",
+    ]
+
+    resources = [
+      aws_kms_key.main.arn,
+    ]
+  }
+
+  statement {
+    sid    = "AllowDelegationToAwsServiceViaGrant"
+    effect = "Allow"
+
+    actions = [
+      "kms:CreateGrant",
+    ]
+
+    resources = [
+      aws_kms_key.main.arn,
+    ]
+
+    condition {
+      test     = "Bool"
+      variable = "kms:GrantIsForAWSResource"
+
+      values = [
+        "true",
+      ]
+    }
+  }
+}

infrastructure/modules/kms/data_iam_policy_document_key.tf

@@ -0,0 +1,27 @@
+data "aws_iam_policy_document" "key" {
+  source_policy_documents = var.key_policy_documents
+
+  dynamic "statement" {
+    for_each = var.iam_delegation ? [1] : []
+    content {
+      sid    = "AllowFullLocalAdministration"
+      effect = "Allow"
+
+      principals {
+        type = "AWS"
+
+        identifiers = [
+          "arn:aws:iam::${var.aws_account_id}:root",
+        ]
+      }
+
+      actions = [
+        "kms:*",
+      ]
+
+      resources = [
+        "*",
+      ]
+    }
+  }
+}

infrastructure/modules/kms/iam_policy_admin.tf

@@ -0,0 +1,13 @@
+# Create the Key Policy for the AWS KMS Key
+resource "aws_iam_policy" "admin" {
+  name   = "${local.csi_account}-admin"
+  path   = "/"
+  policy = data.aws_iam_policy_document.admin.json
+
+  tags = merge(
+    local.default_tags,
+    {
+      Name = "${local.csi_account}-admin",
+    },
+  )
+}

infrastructure/modules/kms/iam_policy_user.tf

@@ -0,0 +1,13 @@
+# Create the Key Policy for the AWS KMS Key
+resource "aws_iam_policy" "user" {
+  name   = "${local.csi_account}-user"
+  path   = "/"
+  policy = data.aws_iam_policy_document.user.json
+
+  tags = merge(
+    local.default_tags,
+    {
+      Name = "${local.csi_account}-user",
+    },
+  )
+}

infrastructure/modules/kms/kms_key.tf

@@ -0,0 +1,8 @@
+resource "aws_kms_key" "main" {
+  bypass_policy_lockout_safety_check = false
+  deletion_window_in_days            = var.deletion_window
+  description                        = local.csi
+  enable_key_rotation                = true
+  policy                             = data.aws_iam_policy_document.key.json
+  tags                               = local.default_tags
+}

infrastructure/modules/kms/kms_key_alias.tf

@@ -0,0 +1,4 @@
+resource "aws_kms_alias" "main" {
+  name          = var.alias
+  target_key_id = aws_kms_key.main.key_id
+}

infrastructure/modules/kms/locals.tf

@@ -0,0 +1,33 @@
+locals {
+  csi = format(
+    "%s-%s-%s-%s-%s",
+    var.project,
+    var.environment,
+    var.component,
+    var.module,
+    var.name,
+  )
+
+  # CSI for use in resources with an account namespace, eg IAM roles
+  csi_account = replace(
+    format(
+      "%s-%s-%s-%s-%s-%s",
+      var.project,
+      var.region,
+      var.environment,
+      var.component,
+      var.module,
+      var.name,
+    ),
+    "_",
+    "",
+  )
+
+  default_tags = merge(
+    var.default_tags,
+    {
+      Module = var.module
+      Name   = local.csi
+    },
+  )
+}

infrastructure/modules/kms/outputs.tf

@@ -0,0 +1,15 @@
+output "key_arn" {
+  value = aws_kms_key.main.arn
+}
+
+output "key_id" {
+  value = aws_kms_key.main.key_id
+}
+
+output "admin_policy_arn" {
+  value = aws_iam_policy.admin.arn
+}
+
+output "user_policy_arn" {
+  value = aws_iam_policy.user.arn
+}

infrastructure/modules/kms/variables.tf

@@ -0,0 +1,78 @@
+##
+# Basic inherited variables for terraformscaffold modules
+##
+
+variable "project" {
+  type        = string
+  description = "The name of the terraformscaffold project calling the module"
+}
+
+variable "environment" {
+  type        = string
+  description = "The name of the terraformscaffold environment the module is called for"
+}
+
+variable "component" {
+  type        = string
+  description = "The name of the terraformscaffold component calling this module"
+}
+
+variable "aws_account_id" {
+  type        = string
+  description = "The AWS Account ID (numeric)"
+}
+
+##
+# Module self-identification
+##
+
+variable "module" {
+  type        = string
+  description = "The name of this module. This is a special variable, it should be set only here and never overridden."
+  default     = "kms"
+}
+
+##
+# Variable specific to the module
+##
+
+# We presume this will always be specified. The default of {} will cause an error if a valid map is not specified.
+# If we ever want to define this but allow it to not be specified, then we must provide a default tag keypair will be applied
+# as the true default. In any other case default_tags should be removed from the module.
+variable "default_tags" {
+  type        = map(string)
+  description = "Default tag map for application to all taggable resources in the module"
+  default     = {}
+}
+
+variable "region" {
+  type        = string
+  description = "The AWS Region"
+}
+
+variable "name" {
+  type        = string
+  description = "A unique name to distinguish this module invocation from others within the same CSI scope"
+}
+
+variable "deletion_window" {
+  type        = string
+  description = "KMS key deletion window"
+}
+
+variable "alias" {
+  type        = string
+  description = "Alias name for the hieradata KMS key"
+}
+
+variable "key_policy_documents" {
+  type        = list(string)
+  description = "List of KMS key policy JSON documents"
+  default     = []
+}
+
+variable "iam_delegation" {
+  type        = bool
+  description = "Whether to delegate administration of the key to the local account. Defaults to true"
+  default     = true
+}