Encrypt SSL SSM parameters with KMS CMK

aaroncarlucci · Nov 28, 2023 · 82e46a1 · 82e46a1
1 parent 606aeb3
commit 82e46a1
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/terraform/ecs.tf b/terraform/ecs.tf
@@ -68,6 +68,12 @@ data "aws_iam_policy_document" "hello_world_task_execution_role_policy" {
       aws_ssm_parameter.app_ssl_cert.arn
     ]
   }
+
+  statement {
+    actions   = ["kms:Decrypt"]
+    effect    = "Allow"
+    resources = [aws_kms_key.primary.arn]
+  }
 }
 
 resource "aws_iam_role_policy" "hello_world_task_execution_role_policy" {

diff --git a/terraform/ssm.tf b/terraform/ssm.tf
@@ -1,5 +1,7 @@
 resource "aws_ssm_parameter" "app_ssl_key" {
   description = "The self-signed SSL certificate key for the ECS application tasks."
+  key_id      = aws_kms_key.primary.id
+
   # Parameter name cannot start with "aws", so using the awkward /terraform namespace
   name  = "/terraform/${local.application_name}/${var.environment}/ssl-certificate-key"
   type  = "SecureString"
@@ -8,6 +10,8 @@ resource "aws_ssm_parameter" "app_ssl_key" {
 
 resource "aws_ssm_parameter" "app_ssl_cert" {
   description = "The self-signed SSL certificate for the ECS application tasks."
+  key_id      = aws_kms_key.primary.id
+
   # Parameter name cannot start with "aws", so using the awkward /terraform namespace
   name  = "/terraform/${local.application_name}/${var.environment}/ssl-certificate"
   type  = "SecureString"