AWS KMS Grants
This repo contains a module for creating and managing KMS grants, which control permissions to use CMKs.
Features
- Create KMS Grants for different regions in one module
Learn
Note
This repo is a part of the Gruntwork Infrastructure as Code Library, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Infrastructure as Code Library before, make sure to read How to use the Gruntwork Infrastructure as Code Library!
Core concepts
- KMS documentation: Amazon’s docs for KMS that cover core concepts such as various key types, how to encrypt and decrypt, deletion of keys, and automatic key rotation.
Repo organization
- modules: the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules.
- examples: This folder contains working examples of how to use the submodules.
- test: Automated tests for the modules and examples.
Deploy
Non-production deployment (quick start for learning)
If you just want to try this out for experimenting and learning, check out the following resources:
- examples folder: The examples folder contains sample code optimized for learning, experimenting, and testing (but not production usage).
Manage
Sample Usage
Terraform

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S KMS-GRANT-MULTI-REGION MODULE
# ------------------------------------------------------------------------------------------------------

module "kms_grant_multi_region" {

  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/kms-grant-multi-region?ref=v0.74.2"

  # ----------------------------------------------------------------------------------------------------
  # REQUIRED VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # The AWS Account ID the template should be operated on. This avoids
  # misconfiguration errors caused by environment variables.
  aws_account_id = <string>

  # A map of KMS grant names to the region where the key resides. There
  # should be a one-to-one mapping between entries in this map and the entries
  # of the kms_grants map. This is used to work around a Terraform limitation
  # where the for_each value cannot depend on resources.
  kms_grant_regions = <map(string)>

  # Create the specified KMS grants to allow entities to use the KMS key without
  # modifying the KMS policy or IAM. This is necessary to allow AWS services
  # (e.g. ASG) to use CMKs to encrypt and decrypt resources. The input is a map
  # of grant name to grant properties. The name must be unique per account.
  kms_grants = <map(object(
    kms_cmk_arn        = string
    grantee_principal  = string
    granted_operations = list(string)
  ))>

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # Create a dependency between the resources in this module and the
  # interpolated values in this list (and thus the source resources). In other
  # words, the resources in this module will depend on the resources backing
  # the values in this list, such that those resources need to be created
  # before the resources in this module, and the resources in this module need
  # to be destroyed before the resources in the list.
  dependencies = []

}
Terragrunt

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S KMS-GRANT-MULTI-REGION MODULE
# ------------------------------------------------------------------------------------------------------

terraform {
  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/kms-grant-multi-region?ref=v0.74.2"
}

inputs = {

  # ----------------------------------------------------------------------------------------------------
  # REQUIRED VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # The AWS Account ID the template should be operated on. This avoids
  # misconfiguration errors caused by environment variables.
  aws_account_id = <string>

  # A map of KMS grant names to the region where the key resides. There
  # should be a one-to-one mapping between entries in this map and the entries
  # of the kms_grants map. This is used to work around a Terraform limitation
  # where the for_each value cannot depend on resources.
  kms_grant_regions = <map(string)>

  # Create the specified KMS grants to allow entities to use the KMS key without
  # modifying the KMS policy or IAM. This is necessary to allow AWS services
  # (e.g. ASG) to use CMKs to encrypt and decrypt resources. The input is a map
  # of grant name to grant properties. The name must be unique per account.
  kms_grants = <map(object(
    kms_cmk_arn        = string
    grantee_principal  = string
    granted_operations = list(string)
  ))>

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # Create a dependency between the resources in this module and the
  # interpolated values in this list (and thus the source resources). In other
  # words, the resources in this module will depend on the resources backing
  # the values in this list, such that those resources need to be created
  # before the resources in this module, and the resources in this module need
  # to be destroyed before the resources in the list.
  dependencies = []

}
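The kms_grants and kms_grant_regions inputs described above must share exactly the same keys. The following is an added example, not code from the Gruntwork repo, that derives both inputs from a single local map so the one-to-one mapping holds by construction. The account ID, key IDs, grant names, the example-app-role role and the local names are constructed placeholders, and it assumes the AWS provider setup the module needs is already in place.

```hcl
locals {
  # Constructed sample values: replace the account ID, key IDs and role names.
  account_id = "111122223333"

  # Service-linked role used by Auto Scaling (the "ASG" case in the comments above).
  asg_role = "arn:aws:iam::${local.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"

  # Single source of truth: each grant carries its own region, so the two module
  # inputs below always have identical keys. Keep region a literal string, since
  # the module needs it at plan time (the for_each limitation noted above).
  grants = {
    asg_us_east_1 = {
      region            = "us-east-1"
      kms_cmk_arn       = "arn:aws:kms:us-east-1:${local.account_id}:key/EXAMPLE-KEY-ID-1"
      grantee_principal = local.asg_role
      granted_operations = [
        "Encrypt", "Decrypt", "ReEncryptFrom", "ReEncryptTo", "GenerateDataKey",
        "GenerateDataKeyWithoutPlaintext", "DescribeKey", "CreateGrant",
      ]
    }
    app_eu_west_1 = {
      region            = "eu-west-1"
      kms_cmk_arn       = "arn:aws:kms:eu-west-1:${local.account_id}:key/EXAMPLE-KEY-ID-2"
      grantee_principal = "arn:aws:iam::${local.account_id}:role/example-app-role"
      # A read-only consumer gets Decrypt and nothing else.
      granted_operations = ["Decrypt"]
    }
  }
}

module "kms_grant_multi_region" {
  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/kms-grant-multi-region?ref=v0.74.2"

  aws_account_id = local.account_id

  # grant name => region
  kms_grant_regions = { for name, g in local.grants : name => g.region }

  # grant name => grant properties, in the shape the module expects
  kms_grants = {
    for name, g in local.grants : name => {
      kms_cmk_arn        = g.kms_cmk_arn
      grantee_principal  = g.grantee_principal
      granted_operations = g.granted_operations
    }
  }
}
```

Keep each granted_operations list as short as the grantee's workload allows; CreateGrant in particular lets the grantee issue further grants on the key, so include it only for principals that need to delegate.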