AWS KMS Grants
This repo contains a Module for creating and managing KMS grants for managing permissions to use CMKs.
Features
- Create KMS Grants for different regions in one module
Learn
Note
This repo is a part of the Gruntwork Infrastructure as Code Library, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Infrastructure as Code Library before, make sure to read How to use the Gruntwork Infrastructure as Code Library!
Core concepts
-
KMS documentation: Amazon’s docs for KMS that cover core concepts such as various key types, how to encrypt and decrypt, deletion of keys, and automatic key rotation.
Repo organization
-
modules: the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules.
-
examples: This folder contains working examples of how to use the submodules.
-
test: Automated tests for the modules and examples.
Deploy
Non-production deployment (quick start for learning)
If you just want to try this out for experimenting and learning, check out the following resources:
- examples folder: The
examples
folder contains sample code optimized for learning, experimenting, and testing (but not production usage).
Manage
Sample Usage
- Terraform
- Terragrunt
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S KMS-GRANT-MULTI-REGION MODULE
# ------------------------------------------------------------------------------------------------------
module "kms_grant_multi_region" {
source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/kms-grant-multi-region?ref=v0.75.3"
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# The AWS Account ID the template should be operated on. This avoids
# misconfiguration errors caused by environment variables.
aws_account_id = <string>
# The map of names of KMS grants to the region where the key resides in. There
# should be a one to one mapping between entries in this map and the entries
# of the kms_grants map. This is used to workaround a terraform limitation
# where the for_each value can not depend on resources.
kms_grant_regions = <map(string)>
# Create the specified KMS grants to allow entities to use the KMS key without
# modifying the KMS policy or IAM. This is necessary to allow AWS services
# (e.g. ASG) to use CMKs encrypt and decrypt resources. The input is a map of
# grant name to grant properties. The name must be unique per account.
kms_grants = <map(object(
kms_cmk_arn = string
grantee_principal = string
granted_operations = list(string)
))>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# Create a dependency between the resources in this module to the interpolated
# values in this list (and thus the source resources). In other words, the
# resources in this module will now depend on the resources backing the values
# in this list such that those resources need to be created before the
# resources in this module, and the resources in this module need to be
# destroyed before the resources in the list.
dependencies = []
}
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S KMS-GRANT-MULTI-REGION MODULE
# ------------------------------------------------------------------------------------------------------
terraform {
source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/kms-grant-multi-region?ref=v0.75.3"
}
inputs = {
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# The AWS Account ID the template should be operated on. This avoids
# misconfiguration errors caused by environment variables.
aws_account_id = <string>
# The map of names of KMS grants to the region where the key resides in. There
# should be a one to one mapping between entries in this map and the entries
# of the kms_grants map. This is used to workaround a terraform limitation
# where the for_each value can not depend on resources.
kms_grant_regions = <map(string)>
# Create the specified KMS grants to allow entities to use the KMS key without
# modifying the KMS policy or IAM. This is necessary to allow AWS services
# (e.g. ASG) to use CMKs encrypt and decrypt resources. The input is a map of
# grant name to grant properties. The name must be unique per account.
kms_grants = <map(object(
kms_cmk_arn = string
grantee_principal = string
granted_operations = list(string)
))>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# Create a dependency between the resources in this module to the interpolated
# values in this list (and thus the source resources). In other words, the
# resources in this module will now depend on the resources backing the values
# in this list such that those resources need to be created before the
# resources in this module, and the resources in this module need to be
# destroyed before the resources in the list.
dependencies = []
}