Generic Terraform module that creates AWS SSM Parameters (optionally with a customer-managed KMS key and read-only / read-write IAM policies).


  ####
  # SSM Parameters
  ####

  # One aws_ssm_parameter per entry of var.names (count = var.parameters_count).
  # This variant keeps `value` under Terraform control: a value changed outside
  # Terraform is reverted on the next apply. The sibling resource below is the
  # same definition except that it ignores `value` drift.
  #
  # Security notes:
  #  - `value` ends up in Terraform state in plaintext, SecureString or not;
  #    keep the state backend encrypted and access-restricted, and treat
  #    var.values as a secret input.
  #  - key_id is only set for SecureString parameters. It is the module-created
  #    key ARN when var.kms_key_create is true, else var.kms_key_arn when that
  #    is non-empty, else null.
  #  - NOTE(review): count is var.parameters_count rather than length(var.names);
  #    element() wraps around on a short list, so a mismatch silently reuses
  #    entries instead of failing. Confirm the caller keeps the two in step.
  resource "aws_ssm_parameter" "do_not_ignore_changes_on_value" {
    count = var.enabled && !var.ignore_changes_on_value ? var.parameters_count : 0

    name        = "/${var.prefix}${element(var.names, count.index)}"
    type        = element(var.types, count.index)
    value       = element(var.values, count.index)
    description = element(concat(var.descriptions, [null]), count.index)
    overwrite   = element(concat(var.overwrites, [null]), count.index)

    # Non-SecureString parameters never get a key. For SecureString the
    # module-created key wins (its ARN list is padded with "" in case the key
    # resource has count 0), then the caller-supplied ARN, then null.
    key_id = element(var.types, count.index) != "SecureString" ? null : (
      var.kms_key_create
      ? element(concat(aws_kms_key.this.*.arn, [""]), 0)
      : (var.kms_key_arn != "" ? var.kms_key_arn : null)
    )

    # Server-side regex SSM enforces on put; "" means no pattern.
    allowed_pattern = element(concat(var.allowed_patterns, [""]), count.index)

    tags = merge({ "Terraform" = "true" }, var.tags)
  }
  # Same parameter definition as above, but selected when
  # var.ignore_changes_on_value is true: Terraform creates the parameter with
  # the initial `value` and afterwards ignores changes to it (lifecycle block),
  # so the value can be rotated outside Terraform without being reverted.
  #
  # Security notes:
  #  - The initial `value` is still recorded in Terraform state in plaintext;
  #    protect the state backend and treat var.values as a secret input.
  #  - key_id follows the same resolution as the sibling resource: only for
  #    SecureString, module-created key first, then var.kms_key_arn, else null.
  #  - NOTE(review): count is var.parameters_count, not length(var.names);
  #    element() wraps around, so a length mismatch is not caught. Confirm the
  #    caller keeps the two consistent.
  resource "aws_ssm_parameter" "ignore_changes_on_value" {
    count = var.enabled && var.ignore_changes_on_value ? var.parameters_count : 0

    name        = "/${var.prefix}${element(var.names, count.index)}"
    type        = element(var.types, count.index)
    value       = element(var.values, count.index)
    description = element(concat(var.descriptions, [null]), count.index)
    overwrite   = element(concat(var.overwrites, [null]), count.index)

    # Key resolution for SecureString parameters; null for every other type.
    key_id = element(var.types, count.index) != "SecureString" ? null : (
      var.kms_key_create
      ? element(concat(aws_kms_key.this.*.arn, [""]), 0)
      : (var.kms_key_arn != "" ? var.kms_key_arn : null)
    )

    # Server-side regex SSM enforces on put; "" means no pattern.
    allowed_pattern = element(concat(var.allowed_patterns, [""]), count.index)

    # Only `value` is ignored; name/type/key/tags remain managed.
    lifecycle {
      ignore_changes = [value]
    }

    tags = merge({ "Terraform" = "true" }, var.tags)
  }
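  # Customer-managed KMS key for SecureString parameter encryption. It is only
  # created when the caller asks the module to own a key AND does not opt for
  # the AWS-managed aws/ssm key; in every other case the SSM parameters fall
  # back to var.kms_key_arn or to no explicit key.
  #
  # Security: automatic annual rotation of the key material is enabled, as
  # recommended by the CIS AWS Foundations benchmark. KMS keeps prior key
  # material, so ciphertext written before a rotation stays decryptable and no
  # parameter has to be re-encrypted.
  resource "aws_kms_key" "this" {
    count = var.enabled && var.kms_key_create && !var.use_default_kms_key ? 1 : 0

    description = "KMS Key for ${var.prefix} SSM secure strings parameters encryption."

    # Yearly automatic rotation of the backing key material.
    enable_key_rotation = true

    # Module tag first, then caller tags; later maps win on key collisions,
    # so var.kms_tags can override var.tags and the Name tag.
    tags = merge(
      { "Terraform" = "true" },
      { "Name" = var.kms_key_name },
      var.tags,
      var.kms_tags,
    )
  }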
  # Human-readable alias for the module-created key, gated by exactly the same
  # condition as aws_kms_key.this so the [0] index below is always valid when
  # this resource exists.
  resource "aws_kms_alias" "this" {
    count = var.enabled && !var.use_default_kms_key && var.kms_key_create ? 1 : 0

    # KMS requires the "alias/" namespace prefix.
    name          = "alias/${var.kms_key_alias_name}"
    target_key_id = aws_kms_key.this[0].key_id
  }
  ####
  # IAM Policy
  ####

  # Read-only policy document for this module's parameters. When
  # local.kms_key_needed is set, the KMS read-only document is merged in via
  # source_json so the same policy can also decrypt SecureString values.
  #
  # NOTE(review): ssm:DescribeAssociation, ssm:GetDocument and
  # ssm:DescribeDocument do not operate on parameter resources, so against the
  # parameter ARNs below they most likely grant nothing; confirm whether they
  # are needed or drop them. ssm:GetParameter/GetParameters are what grants
  # read access here.
  # NOTE(review): the partition is hard-coded to "aws"; the policy would not
  # match parameters in other partitions (GovCloud, China).
  data "aws_iam_policy_document" "read_only" {
    count = var.enabled && var.iam_policy_create ? 1 : 0

    # "" when the KMS document has count 0, null when no KMS grant is wanted.
    source_json = local.kms_key_needed ? element(concat(data.aws_iam_policy_document.kms_key_read_only.*.json, [""]), 0) : null

    statement {
      # IAM Sids must be alphanumeric, so "-" and "/" are stripped from the prefix.
      sid    = "Allow${replace(replace(var.prefix, "-", ""), "/", "")}SSMParameterAccess"
      effect = "Allow"

      actions = [
        "ssm:DescribeAssociation",
        "ssm:GetDocument",
        "ssm:DescribeDocument",
        "ssm:GetParameter",
        "ssm:GetParameters",
      ]

      # One ARN per managed parameter, scoped to this account, any region.
      resources = [
        for parameter_name in var.names :
        format(
          "arn:aws:ssm:*:%s:parameter/%s%s",
          data.aws_caller_identity.current.account_id,
          var.prefix,
          parameter_name,
        )
      ]
    }
  }
  # KMS grants needed to decrypt SecureString parameters protected by a
  # customer-managed key; merged into the read-only policy via source_json.
  #
  # NOTE(review): this document is only built when var.use_default_kms_key is
  # true, while aws_kms_key.this is only created when it is false; with
  # kms_key_create = true the resource list below therefore collapses to [""].
  # Either the condition is inverted or this branch is meant to consume only
  # var.kms_key_arn — confirm the intended meaning of use_default_kms_key.
  # NOTE(review): kms:ListKeyPolicies and kms:GetKeyPolicy are not needed to
  # decrypt and expose the key policy to readers; consider removing them for
  # least privilege.
  data "aws_iam_policy_document" "kms_key_read_only" {
    count = var.enabled && var.iam_policy_create && var.use_default_kms_key ? 1 : 0

    statement {
      sid    = "Allow${replace(replace(var.prefix, "-", ""), "/", "")}SSMParameterKMSAccess"
      effect = "Allow"

      actions = [
        "kms:Decrypt",
        "kms:ListKeyPolicies",
        "kms:GetKeyPolicy",
        "kms:DescribeKey",
      ]

      # Module-created key ARN when the module owns the key (padded with "" in
      # case that resource has count 0), otherwise the caller-supplied ARN.
      resources = [
        var.kms_key_create
        ? element(concat(aws_kms_key.this.*.arn, [""]), 0)
        : var.kms_key_arn
      ]
    }
  }
  # Read-write policy document: the read-only statement plus ssm:PutParameter
  # on the same parameter ARNs. When local.kms_key_needed is set, the KMS
  # read-write document (Decrypt + Encrypt) is merged in via source_json.
  #
  # NOTE(review): ssm:DescribeAssociation, ssm:GetDocument and
  # ssm:DescribeDocument do not operate on parameter resources and most likely
  # grant nothing against the ARNs below; confirm or drop them.
  # NOTE(review): the partition is hard-coded to "aws".
  data "aws_iam_policy_document" "read_write" {
    count = var.enabled && var.iam_policy_create ? 1 : 0

    # "" when the KMS document has count 0, null when no KMS grant is wanted.
    source_json = local.kms_key_needed ? element(concat(data.aws_iam_policy_document.kms_key_read_write.*.json, [""]), 0) : null

    statement {
      # IAM Sids must be alphanumeric, so "-" and "/" are stripped from the prefix.
      sid    = "Allow${replace(replace(var.prefix, "-", ""), "/", "")}SSMParameterAccess"
      effect = "Allow"

      actions = [
        "ssm:DescribeAssociation",
        "ssm:GetDocument",
        "ssm:DescribeDocument",
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:PutParameter",
      ]

      # One ARN per managed parameter, scoped to this account, any region.
      resources = [
        for parameter_name in var.names :
        format(
          "arn:aws:ssm:*:%s:parameter/%s%s",
          data.aws_caller_identity.current.account_id,
          var.prefix,
          parameter_name,
        )
      ]
    }
  }
  # KMS grants needed to both read and write SecureString parameters protected
  # by a customer-managed key (Decrypt for get, Encrypt for put); merged into
  # the read-write policy via source_json.
  #
  # NOTE(review): same concern as kms_key_read_only — this is only built when
  # var.use_default_kms_key is true, but the module-created key only exists
  # when it is false, so the resource list can collapse to [""]. Confirm the
  # intended semantics of use_default_kms_key.
  # NOTE(review): kms:ListKeyPolicies and kms:GetKeyPolicy are not needed to
  # encrypt or decrypt; consider removing them for least privilege.
  data "aws_iam_policy_document" "kms_key_read_write" {
    count = var.enabled && var.iam_policy_create && var.use_default_kms_key ? 1 : 0

    statement {
      sid    = "Allow${replace(replace(var.prefix, "-", ""), "/", "")}SSMParameterKMSAccess"
      effect = "Allow"

      actions = [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:ListKeyPolicies",
        "kms:GetKeyPolicy",
        "kms:DescribeKey",
      ]

      # Module-created key ARN when the module owns the key (padded with "" in
      # case that resource has count 0), otherwise the caller-supplied ARN.
      resources = [
        var.kms_key_create
        ? element(concat(aws_kms_key.this.*.arn, [""]), 0)
        : var.kms_key_arn
      ]
    }
  }
  # Managed IAM policy built from the read_only document. Same count condition
  # as that document, so it always has exactly one element when this resource
  # exists; join() over the splat yields that single JSON string.
  resource "aws_iam_policy" "read_only" {
    count = var.enabled && var.iam_policy_create ? 1 : 0

    # name_prefix lets AWS append a unique suffix, avoiding name clashes across
    # module instances.
    name_prefix = var.iam_policy_name_prefix_read_only
    path        = var.iam_policy_path
    description = "Read only policy to get access to ${var.prefix} SSM parameters."
    policy      = join("", data.aws_iam_policy_document.read_only.*.json)
  }
  # Managed IAM policy built from the read_write document (read access plus
  # ssm:PutParameter, and kms:Encrypt when a KMS statement is merged in). Same
  # count condition as that document, so join() over the splat yields its
  # single JSON string.
  resource "aws_iam_policy" "read_write" {
    count = var.enabled && var.iam_policy_create ? 1 : 0

    # name_prefix lets AWS append a unique suffix, avoiding name clashes across
    # module instances.
    name_prefix = var.iam_policy_name_prefix_read_write
    path        = var.iam_policy_path
    description = "Read write policy to get access to ${var.prefix} SSM parameters."
    policy      = join("", data.aws_iam_policy_document.read_write.*.json)
  }