docs(examples): Terraform KMS Policies
jshlbrd committed Jan 4, 2024
1 parent 38941c9 commit 17962cb
Showing 9 changed files with 47 additions and 214 deletions.
Expand Up @@ -5,33 +5,7 @@ module "kms" {
source = "../../../../../../../build/terraform/aws/kms"

config = {
name = "alias/substation"
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Principal": {
"Service": "cloudwatch.amazonaws.com"
},
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "kms:*",
"Principal": {
"AWS": "arn:aws:iam::${data.aws_caller_identity.caller.account_id}:root"
},
"Resource": "*"
}
]
}
POLICY
name = "alias/substation"
}
}

Expand Up @@ -9,33 +9,7 @@ module "kms" {
source = "../../../../../../../build/terraform/aws/kms"

config = {
name = "alias/substation"
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Principal": {
"Service": "cloudwatch.amazonaws.com"
},
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "kms:*",
"Principal": {
"AWS": "arn:aws:iam::${data.aws_caller_identity.caller.account_id}:root"
},
"Resource": "*"
}
]
}
POLICY
name = "alias/substation"
}
}

Expand Up @@ -6,32 +6,45 @@ module "kms" {

config = {
name = "alias/substation"
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Principal": {
"Service": "cloudwatch.amazonaws.com"
},
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "kms:*",
"Principal": {
"AWS": "arn:aws:iam::${data.aws_caller_identity.caller.account_id}:root"
},
"Resource": "*"
}
policy = data.aws_iam_policy_document.kms.json
}
}

# This policy is required to support encrypted SNS topics.
# More information: https://repost.aws/knowledge-center/cloudwatch-receive-sns-for-alarm-trigger
data "aws_iam_policy_document" "kms" {
# Allows CloudWatch to access encrypted SNS topic.
statement {
sid = "CloudWatch"
effect = "Allow"
actions = [
"kms:Decrypt",
"kms:GenerateDataKey"
]

principals {
type = "Service"
identifiers = ["cloudwatch.amazonaws.com"]
}

resources = ["*"]
}
POLICY

# Default key policy for KMS.
# https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html
statement {
sid = "KMS"
effect = "Allow"
actions = [
"kms:*",
]

principals {
type = "AWS"
identifiers = ["arn:aws:iam::${data.aws_caller_identity.caller.account_id}:root"]
}

resources = ["*"]
}
}
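Review bot: The `CloudWatch` statement grants `kms:Decrypt` and `kms:GenerateDataKey` to the `cloudwatch.amazonaws.com` service principal with no condition, so the grant is not tied to this account; AWS's guidance for service principals in key policies is to add an `aws:SourceAccount` (or `aws:SourceArn`) condition to rule out confused-deputy use of the key by the service acting for another account. The `resources = ["*"]` is fine as written, since in a key policy it means "this key" only, and a comment saying so (`# "*" in a key policy refers to this key only.`) would pre-empt the usual review question. The `KMS` statement's `kms:*` for the account root is the documented default that keeps the key manageable, and its comment already links the rationale. The `aws_iam_policy_document` block starts inside the hunk at `data "aws_iam_policy_document" "kms"` and appears to end at the final `}`.

```hcl
    principals {
      type        = "Service"
      identifiers = ["cloudwatch.amazonaws.com"]
    }

    # Scope the service grant to alarms in this account (confused-deputy guard).
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.caller.account_id]
    }

    # "*" in a key policy refers to this key only.
    resources = ["*"]
    # … unchanged: KMS (account root) statement …
```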

Expand Up @@ -4,33 +4,7 @@ data "aws_caller_identity" "caller" {}
module "kms" {
source = "../../../../../../../build/terraform/aws/kms"
config = {
name = "alias/substation"
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Principal": {
"Service": "cloudwatch.amazonaws.com"
},
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "kms:*",
"Principal": {
"AWS": "arn:aws:iam::${data.aws_caller_identity.caller.account_id}:root"
},
"Resource": "*"
}
]
}
POLICY
name = "alias/substation"
}
}

28 changes: 1 addition & 27 deletions examples/build/terraform/aws/lambda/vpc/terraform/_resources.tf
Expand Up @@ -4,33 +4,7 @@ data "aws_caller_identity" "caller" {}
module "kms" {
source = "../../../../../../../build/terraform/aws/kms"
config = {
name = "alias/substation"
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Principal": {
"Service": "cloudwatch.amazonaws.com"
},
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "kms:*",
"Principal": {
"AWS": "arn:aws:iam::${data.aws_caller_identity.caller.account_id}:root"
},
"Resource": "*"
}
]
}
POLICY
name = "alias/substation"
}
}

Expand Up @@ -5,33 +5,7 @@ module "kms" {
source = "../../../../../../../build/terraform/aws/kms"

config = {
name = "alias/substation"
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Principal": {
"Service": "cloudwatch.amazonaws.com"
},
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "kms:*",
"Principal": {
"AWS": "arn:aws:iam::${data.aws_caller_identity.caller.account_id}:root"
},
"Resource": "*"
}
]
}
POLICY
name = "alias/substation"
}
}

4 changes: 3 additions & 1 deletion examples/build/terraform/aws/s3/sns/terraform/_resources.tf
Expand Up @@ -9,8 +9,10 @@ module "kms" {
}
}

# This policy is required to support encrypted SNS topics.
# More information: https://repost.aws/knowledge-center/cloudwatch-receive-sns-for-alarm-trigger
data "aws_iam_policy_document" "kms" {
# Allows CloudWatch to access encrypted resources.
# Allows CloudWatch to access encrypted SNS topic.
statement {
sid = "CloudWatch"
effect = "Allow"
28 changes: 1 addition & 27 deletions examples/build/terraform/aws/sns/pub_sub/terraform/_resources.tf
Expand Up @@ -5,33 +5,7 @@ module "kms" {
source = "../../../../../../../build/terraform/aws/kms"

config = {
name = "alias/substation"
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Principal": {
"Service": "cloudwatch.amazonaws.com"
},
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "kms:*",
"Principal": {
"AWS": "arn:aws:iam::${data.aws_caller_identity.caller.account_id}:root"
},
"Resource": "*"
}
]
}
POLICY
name = "alias/substation"
}
}

Expand Up @@ -4,33 +4,7 @@ data "aws_caller_identity" "caller" {}
module "kms" {
source = "../../../../../../../build/terraform/aws/kms"
config = {
name = "alias/substation"
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Principal": {
"Service": "cloudwatch.amazonaws.com"
},
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "kms:*",
"Principal": {
"AWS": "arn:aws:iam::${data.aws_caller_identity.caller.account_id}:root"
},
"Resource": "*"
}
]
}
POLICY
name = "alias/substation"
}
}
