Merge pull request #84 from NHSDigital/feature/CCM-10231_kms

sidnhs · web-flow · commit 2d3c6335e602 · 2025-06-09T10:54:43.000Z
CCM-10231: Enable support for multi-region KMS key
diff --git a/infrastructure/modules/kms/README.md b/infrastructure/modules/kms/README.md
@@ -18,6 +18,7 @@
 | <a name="input_deletion_window"></a> [deletion\_window](#input\_deletion\_window) | KMS key deletion window | `string` | n/a | yes |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the terraformscaffold environment the module is called for | `string` | n/a | yes |
 | <a name="input_iam_delegation"></a> [iam\_delegation](#input\_iam\_delegation) | Whether to delegate administration of the key to the local account. Defaults to true | `bool` | `true` | no |
+| <a name="input_is_multi_region"></a> [is\_multi\_region](#input\_is\_multi\_region) | Whether the KMS key is a multi-region key, where secondary region would mostly be us-east-1. Defaults to false | `bool` | `false` | no |
 | <a name="input_key_policy_documents"></a> [key\_policy\_documents](#input\_key\_policy\_documents) | List of KMS key policy JSON documents | `list(string)` | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | A unique name to distinguish this module invocation from others within the same CSI scope | `string` | n/a | yes |
 | <a name="input_project"></a> [project](#input\_project) | The name of the terraformscaffold project calling the module | `string` | n/a | yes |
@@ -32,6 +33,8 @@ No modules.
 | <a name="output_admin_policy_arn"></a> [admin\_policy\_arn](#output\_admin\_policy\_arn) | ARN of the admin IAM policy |
 | <a name="output_key_arn"></a> [key\_arn](#output\_key\_arn) | ARN of the KMS key |
 | <a name="output_key_id"></a> [key\_id](#output\_key\_id) | ID of the KMS key |
+| <a name="output_replica_key_arn"></a> [replica\_key\_arn](#output\_replica\_key\_arn) | ARN of the Replica KMS key |
+| <a name="output_replica_key_id"></a> [replica\_key\_id](#output\_replica\_key\_id) | ID of the Replica KMS key |
 | <a name="output_user_policy_arn"></a> [user\_policy\_arn](#output\_user\_policy\_arn) | ARN of the user IAM policy |
 <!-- vale on -->
 <!-- markdownlint-enable -->
diff --git a/infrastructure/modules/kms/kms_key.tf b/infrastructure/modules/kms/kms_key.tf
@@ -3,6 +3,7 @@ resource "aws_kms_key" "main" {
   deletion_window_in_days            = var.deletion_window
   description                        = local.csi
   enable_key_rotation                = true
+  multi_region                       = var.is_multi_region
   policy                             = data.aws_iam_policy_document.key.json
   tags                               = local.default_tags
 }
diff --git a/infrastructure/modules/kms/kms_replica_key_replica.tf b/infrastructure/modules/kms/kms_replica_key_replica.tf
@@ -0,0 +1,9 @@
+resource "aws_kms_replica_key" "replica" {
+  provider                = aws.us-east-1
+  count                   = var.is_multi_region ? 1 : 0
+
+  description             = "Multi-Region replica key"
+  deletion_window_in_days = var.deletion_window
+  policy                  = data.aws_iam_policy_document.key.json
+  primary_key_arn         = aws_kms_key.main.arn
+}
diff --git a/infrastructure/modules/kms/outputs.tf b/infrastructure/modules/kms/outputs.tf
@@ -17,3 +17,13 @@ output "user_policy_arn" {
   description = "ARN of the user IAM policy"
   value       = aws_iam_policy.user.arn
 }
+
+output "replica_key_arn" {
+  description = "ARN of the Replica KMS key"
+  value       = try(aws_kms_replica_key.replica[0].arn, null)
+}
+
+output "replica_key_id" {
+  description = "ID of the Replica KMS key"
+  value       = try(aws_kms_replica_key.replica[0].key_id, null)
+}
diff --git a/infrastructure/modules/kms/variables.tf b/infrastructure/modules/kms/variables.tf
@@ -66,3 +66,9 @@ variable "iam_delegation" {
   description = "Whether to delegate administration of the key to the local account. Defaults to true"
   default     = true
 }
+
+variable "is_multi_region" {
+  type        = bool
+  description = "Whether the KMS key is a multi-region key, where secondary region would mostly be us-east-1. Defaults to false"
+  default     = false
+}
diff --git a/infrastructure/modules/kms/versions.tf b/infrastructure/modules/kms/versions.tf
@@ -2,7 +2,8 @@
 terraform {
   required_providers {
     aws = {
-      source = "hashicorp/aws"
+      source                = "hashicorp/aws"
+      configuration_aliases = [aws.us-east-1]
     }
   }
   required_version = ">= 1.9.0"

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@ resource "aws_kms_key" "main" {`
`3`	`3`	`deletion_window_in_days = var.deletion_window`
`4`	`4`	`description = local.csi`
`5`	`5`	`enable_key_rotation = true`
	`6`	`+ multi_region = var.is_multi_region`
`6`	`7`	`policy = data.aws_iam_policy_document.key.json`
`7`	`8`	`tags = local.default_tags`
`8`	`9`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,8 @@`
`2`	`2`	`terraform {`
`3`	`3`	`required_providers {`
`4`	`4`	`aws = {`
`5`		`- source = "hashicorp/aws"`
	`5`	`+ source = "hashicorp/aws"`
	`6`	`+ configuration_aliases = [aws.us-east-1]`
`6`	`7`	`}`
`7`	`8`	`}`
`8`	`9`	`required_version = ">= 1.9.0"`