Generic Terraform module to create AWS SSM Parameters (optionally encrypted with a customer-managed KMS key) and matching IAM read-only / read-write policies.


  1. ####
  2. # SSM Parameters
  3. ####
  4. resource "aws_ssm_parameter" "do_not_ignore_changes_on_value" {
  5. count = var.enabled && false == var.ignore_changes_on_value ? var.parameters_count : 0
  6. name = "/${var.prefix}${element(var.names, count.index)}"
  7. description = element(concat(var.descriptions, [null]), count.index)
  8. type = element(var.types, count.index)
  9. value = element(var.values, count.index)
  10. overwrite = element(concat(var.overwrites, [null]), count.index)
  11. key_id = element(var.types, count.index) == "SecureString" ? var.kms_key_create ? element(concat(aws_kms_key.this.*.arn, [""]), 0) : var.kms_key_arn != "" ? var.kms_key_arn : null : null
  12. allowed_pattern = element(concat(var.allowed_patterns, [""]), count.index)
  13. tags = merge(
  14. {
  15. "Terraform" = "true"
  16. },
  17. var.tags,
  18. )
  19. }
  20. resource "aws_ssm_parameter" "ignore_changes_on_value" {
  21. count = var.enabled && var.ignore_changes_on_value ? var.parameters_count : 0
  22. name = "/${var.prefix}${element(var.names, count.index)}"
  23. description = element(concat(var.descriptions, [null]), count.index)
  24. type = element(var.types, count.index)
  25. value = element(var.values, count.index)
  26. overwrite = element(concat(var.overwrites, [null]), count.index)
  27. key_id = element(var.types, count.index) == "SecureString" ? var.kms_key_create ? element(concat(aws_kms_key.this.*.arn, [""]), 0) : var.kms_key_arn != "" ? var.kms_key_arn : null : null
  28. allowed_pattern = element(concat(var.allowed_patterns, [""]), count.index)
  29. lifecycle {
  30. ignore_changes = [value]
  31. }
  32. tags = merge(
  33. {
  34. "Terraform" = "true"
  35. },
  36. var.tags,
  37. )
  38. }
  39. resource "aws_kms_key" "this" {
  40. count = var.enabled && var.kms_key_create && !var.use_default_kms_key ? 1 : 0
  41. description = "KMS Key for ${var.prefix} SSM secure strings parameters encryption."
  42. tags = merge(
  43. {
  44. "Terraform" = "true"
  45. },
  46. {
  47. "Name" = var.kms_key_name
  48. },
  49. var.tags,
  50. var.kms_tags,
  51. )
  52. }
  53. resource "aws_kms_alias" "this" {
  54. count = var.enabled && var.kms_key_create && !var.use_default_kms_key ? 1 : 0
  55. name = "alias/${var.kms_key_alias_name}"
  56. target_key_id = aws_kms_key.this[0].key_id
  57. }
  58. ####
  59. # IAM Policy
  60. ####
  61. data "aws_iam_policy_document" "read_only" {
  62. count = var.enabled && var.iam_policy_create ? 1 : 0
  63. source_json = local.kms_key_needed ? element(concat(data.aws_iam_policy_document.kms_key_read_only.*.json, [""]), 0) : null
  64. statement {
  65. sid = "Allow${replace(replace(var.prefix, "-", ""), "/", "")}SSMParameterAccess"
  66. effect = "Allow"
  67. actions = [
  68. "ssm:DescribeAssociation",
  69. "ssm:GetDocument",
  70. "ssm:DescribeDocument",
  71. "ssm:GetParameter",
  72. "ssm:GetParameters",
  73. ]
  74. resources = formatlist(
  75. "arn:aws:ssm:*:%s:parameter/%s%s",
  76. data.aws_caller_identity.current.account_id,
  77. var.prefix,
  78. var.names,
  79. )
  80. }
  81. }
  82. data "aws_iam_policy_document" "kms_key_read_only" {
  83. count = var.enabled && var.iam_policy_create && !var.use_default_kms_key ? 1 : 0
  84. statement {
  85. sid = "Allow${replace(replace(var.prefix, "-", ""), "/", "")}SSMParameterKMSAccess"
  86. effect = "Allow"
  87. actions = [
  88. "kms:Decrypt",
  89. "kms:ListKeyPolicies",
  90. "kms:GetKeyPolicy",
  91. "kms:DescribeKey",
  92. ]
  93. resources = [var.kms_key_create ? element(concat(aws_kms_key.this.*.arn, [""]), 0) : var.kms_key_arn]
  94. }
  95. }
  96. data "aws_iam_policy_document" "read_write" {
  97. count = var.enabled && var.iam_policy_create ? 1 : 0
  98. source_json = local.kms_key_needed ? element(concat(data.aws_iam_policy_document.kms_key_read_write.*.json, [""]), 0) : null
  99. statement {
  100. sid = "Allow${replace(replace(var.prefix, "-", ""), "/", "")}SSMParameterAccess"
  101. effect = "Allow"
  102. actions = [
  103. "ssm:DescribeAssociation",
  104. "ssm:GetDocument",
  105. "ssm:DescribeDocument",
  106. "ssm:GetParameter",
  107. "ssm:GetParameters",
  108. "ssm:PutParameter",
  109. ]
  110. resources = formatlist(
  111. "arn:aws:ssm:*:%s:parameter/%s%s",
  112. data.aws_caller_identity.current.account_id,
  113. var.prefix,
  114. var.names,
  115. )
  116. }
  117. }
  118. data "aws_iam_policy_document" "kms_key_read_write" {
  119. count = var.enabled && var.iam_policy_create && !var.use_default_kms_key ? 1 : 0
  120. statement {
  121. sid = "Allow${replace(replace(var.prefix, "-", ""), "/", "")}SSMParameterKMSAccess"
  122. effect = "Allow"
  123. actions = [
  124. "kms:Decrypt",
  125. "kms:Encrypt",
  126. "kms:ListKeyPolicies",
  127. "kms:GetKeyPolicy",
  128. "kms:DescribeKey",
  129. ]
  130. resources = [var.kms_key_create ? element(concat(aws_kms_key.this.*.arn, [""]), 0) : var.kms_key_arn]
  131. }
  132. }
  133. resource "aws_iam_policy" "read_only" {
  134. count = var.enabled && var.iam_policy_create ? 1 : 0
  135. name_prefix = var.iam_policy_name_prefix_read_only
  136. path = var.iam_policy_path
  137. policy = element(concat(data.aws_iam_policy_document.read_only.*.json, [""]), 0)
  138. description = "Read only policy to get access to ${var.prefix} SSM parameters."
  139. }
  140. resource "aws_iam_policy" "read_write" {
  141. count = var.enabled && var.iam_policy_create ? 1 : 0
  142. name_prefix = var.iam_policy_name_prefix_read_write
  143. path = var.iam_policy_path
  144. policy = element(concat(data.aws_iam_policy_document.read_write.*.json, [""]), 0)
  145. description = "Read write policy to get access to ${var.prefix} SSM parameters."
  146. }