
fix: makes sure KMS grant is only created when needed

tags/11.0.0
Guillaume Donval 2 months ago
parent
commit
6ff937e9aa
Signed by: guillaume.donval <guillaume.donval@fxinnovation.com> GPG Key ID: 172AC3F9180CD64E
5 changed files with 16 additions and 7 deletions
  1. +1
    -0
      CHANGELOG.md
  2. +2
    -1
      README.md
  3. +5
    -4
      examples/autoscaling-group/main.tf
  4. +1
    -1
      kms.tf
  5. +7
    -1
      variables.tf

+ 1
- 0
CHANGELOG.md View File

@@ -4,6 +4,7 @@
* feat (BREAKING): upgrades to support Terraform 0.13 properly
* feat (BREAKING): adds validation to all the variables
* feat: adds `aws_autoscaling_schedule` to add ASG schedules
* feat: adds `var.volume_kms_key_external_exist`
* refactor (BREAKING): removes convoluted loops to handle module count
* refactor (BREAKING): renames `ec2_external_primary_network_insterface_id` to `var.ec2_external_primary_network_interface_id`
* refactor (BREAKING): removes `var.use_external_primary_network_interface`


+ 2
- 1
README.md View File

@@ -150,9 +150,10 @@ Therefore until we find a more permanent solution for this we do NOT test this f
| use\_num\_suffix | Whether or not to append numerical suffix when multiple same resources need to be created like extra EBS volumes. | `bool` | `true` | no |
| user\_data | The user data to provide when launching the EC2 instance (or launch template). | `string` | `null` | no |
| volume\_kms\_key\_alias | Alias of the KMS key used to encrypt the root and extra volumes of the EC2 instance (or launch template). Do not prefix this value with `alias/` nor with a `/`. | `string` | `"default/ec2"` | no |
| volume\_kms\_key\_arn | ARN of an external KMS key used to encrypt the root and extra volumes. To be used when var.volume\_kms\_key\_create is set to “false” (if “true”, this ARN will be ignored). | `string` | `null` | no |
| volume\_kms\_key\_arn | ARN of an external KMS key used to encrypt the root and extra volumes. To be used when `var.volume_kms_key_create` is set to `false` (if `true`, this ARN will be ignored). If this value is not null, also set `var.volume_kms_key_external_exist` to `true`. | `string` | `null` | no |
| volume\_kms\_key\_create | Whether or not to create a KMS key to be used for root and extra volumes. If set to `false`, you can specify a `var.volume_kms_key_arn` as an external KMS key to use instead. If this value is `false` and `var.volume_kms_key_arn` empty, the default AWS KMS key for volumes will be used. | `bool` | `false` | no |
| volume\_kms\_key\_customer\_master\_key\_spec | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports for the KMS key to be used for volumes. Valid values: `SYMMETRIC_DEFAULT`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, or `ECC_SECG_P256K1`. Defaults to `SYMMETRIC_DEFAULT`. | `string` | `null` | no |
| volume\_kms\_key\_external\_exist | Whether or not `var.volume_kms_key_arn` is empty`. Cannot be computed automatically in Terraform 0.13.` | `bool` | `false` | no |
| volume\_kms\_key\_name | Name (tag:Name) for the KMS key to be used for root and extra volumes of the EC2 instance (or launch template). | `string` | `"kms-for-vol"` | no |
| volume\_kms\_key\_policy | A valid policy JSON document for the KMS key to be used for root and extra volumes of the EC2 instance (or launch template). This document can give or restrict accesses for the key. | `string` | `null` | no |
| volume\_kms\_key\_tags | Tags for the KMS key to be used for root and extra volumes. Will be merge with `var.tags`. | `map` | `{}` | no |


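--- a/examples/autoscaling-group/main.tf
+++ b/examples/autoscaling-group/main.tf
@@ -220,8 +220,9 @@ module "externals" {
 
 root_block_device_volume_device = "/dev/sda1"
 
-vpc_security_group_ids = [aws_security_group.example.id]
-key_pair_name = aws_key_pair.default.key_name
-volume_kms_key_arn = aws_kms_key.default.arn
-iam_instance_profile_name = aws_iam_instance_profile.default.name
+vpc_security_group_ids = [aws_security_group.example.id]
+key_pair_name = aws_key_pair.default.key_name
+volume_kms_key_external_exist = true
+volume_kms_key_arn = aws_kms_key.default.arn
+iam_instance_profile_name = aws_iam_instance_profile.default.name
 }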

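--- a/kms.tf
+++ b/kms.tf
@@ -4,7 +4,7 @@
 
 locals {
 should_create_kms_key = var.volume_kms_key_create && (var.root_block_device_encrypted || var.extra_volume_count > 0)
-should_grant_asg_to_access_key = var.root_block_device_encrypted && var.use_autoscaling_group && var.volume_kms_key_arn != null
+should_grant_asg_to_access_key = var.root_block_device_encrypted && var.use_autoscaling_group && (var.volume_kms_key_external_exist || local.should_create_kms_key)
 
 volume_kms_key_arn = local.should_create_kms_key ? aws_kms_key.this_volume.*.arn[0] : var.volume_kms_key_arn
 }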
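Review bot: The new third term of should_grant_asg_to_access_key trusts a caller-supplied flag that nothing keeps in sync with var.volume_kms_key_arn, so a caller who passes an external ARN but leaves volume_kms_key_external_exist at its default of false silently gets no grant for the ASG, while a caller who sets the flag without an ARN presumably ends up with a grant whose key is null. Since the flag exists only because of the Terraform 0.13 limitation the variable description cites, that trade-off should be recorded next to the condition: `# volume_kms_key_external_exist stands in for "var.volume_kms_key_arn != null", which cannot drive count when the ARN is only known at apply time; callers must keep the two in sync or the ASG grant is skipped.` Separately, should_create_kms_key counts extra volumes (extra_volume_count > 0) while this grant condition still keys only on root_block_device_encrypted, so an ASG with encrypted extra volumes and an unencrypted root device may lack the grant — worth confirming, as that term is unchanged by this commit.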


+ 7
- 1
variables.tf View File

@@ -698,7 +698,7 @@ variable "volume_kms_key_alias" {
}

variable "volume_kms_key_arn" {
description = "ARN of an external KMS key used to encrypt the root and extra volumes. To be used when var.volume_kms_key_create is set to “false” (if “true”, this ARN will be ignored)."
description = "ARN of an external KMS key used to encrypt the root and extra volumes. To be used when `var.volume_kms_key_create` is set to `false` (if `true`, this ARN will be ignored). If this value is not null, also set `var.volume_kms_key_external_exist` to `true`."
type = string
default = null

@@ -714,6 +714,12 @@ variable "volume_kms_key_create" {
default = false
}

variable "volume_kms_key_external_exist" {
description = "Whether or not `var.volume_kms_key_arn` is empty`. Cannot be computed automatically in Terraform 0.13."
type = bool
default = false
}

variable "volume_kms_key_customer_master_key_spec" {
description = "Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports for the KMS key to be used for volumes. Valid values: `SYMMETRIC_DEFAULT`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, or `ECC_SECG_P256K1`. Defaults to `SYMMETRIC_DEFAULT`."
type = string
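Review bot: The description of the new volume_kms_key_external_exist variable in the second hunk states the opposite of what the variable means: the amended volume_kms_key_arn description in the first hunk says to set it to true when the ARN is not null, and kms.tf uses it as the stand-in for a non-null ARN, yet the text reads "is empty" and carries a stray backtick after that word. Suggested wording: `description = "Whether or not var.volume_kms_key_arn is set (non-null). Cannot be computed automatically in Terraform 0.13, so it must be passed explicitly."`. The README row in this commit repeats the same text, so if that table is generated from the variable descriptions it needs regenerating as well.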

