X EC2 (or 1 ASG X:X); X external volumes; X network interfaces; KMS key for volumes; Key pair


  1. ####
  2. # KMS
  3. ####
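  locals {
    # A module-managed key is created only when the caller asked for one AND
    # at least one volume would actually use it (encrypted root device, or one
    # or more extra volumes).
    should_create_kms_key = var.volume_kms_key_create && (var.root_block_device_encrypted || var.extra_volume_count > 0)

    # The Auto Scaling service-linked role needs a KMS grant before it can
    # launch instances whose root volume is encrypted with a customer managed
    # key; that is true whether the key is created here or supplied externally.
    # NOTE(review): this only checks the root device, so an ASG whose instances
    # use the key solely for extra volumes would get no grant — confirm intended.
    should_grant_asg_to_access_key = var.root_block_device_encrypted && var.use_autoscaling_group && (var.volume_kms_key_external_exist || local.should_create_kms_key)

    # ARN of whichever key the volumes end up using: the module-created key
    # (count = 1) or the caller-supplied one. Indexed as `[0].arn` to match how
    # aws_kms_alias.this_volume reads `[0].key_id`, rather than the legacy
    # `.*.arn[0]` splat form.
    volume_kms_key_arn = local.should_create_kms_key ? aws_kms_key.this_volume[0].arn : var.volume_kms_key_arn
  }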
  resource "aws_kms_key" "this_volume" {
    # Materialised only when the locals decide a module-managed key is wanted.
    count = local.should_create_kms_key ? 1 : 0

    description              = "KMS key for ${format("%s%s", var.prefix, var.name)} instance(s) volume(s)."
    customer_master_key_spec = var.volume_kms_key_customer_master_key_spec

    # The key policy is entirely caller-supplied. NOTE(review): if this value is
    # null the attribute is omitted and AWS applies its default key policy
    # (full access for the account root) — confirm callers pass an explicit
    # policy where that matters.
    policy = var.volume_kms_key_policy

    # deletion_window_in_days and enable_key_rotation are not set here, so the
    # provider defaults apply (presumably a 30-day window and rotation off) —
    # TODO confirm these defaults are acceptable for volume keys.

    # Name tag is merged first so the caller-supplied maps, and finally
    # local.tags, can override it.
    tags = merge(
      { Name = format("%s%s", var.prefix, var.volume_kms_key_name) },
      var.tags,
      var.volume_kms_key_tags,
      local.tags,
    )
  }
  resource "aws_kms_alias" "this_volume" {
    # Same condition as aws_kms_key.this_volume so the alias exists exactly
    # when the module-managed key does.
    count = local.should_create_kms_key ? 1 : 0

    # KMS requires alias names to live under the "alias/" namespace.
    name          = format("alias/%s%s", var.prefix, var.volume_kms_key_alias)
    target_key_id = aws_kms_key.this_volume[0].key_id
  }
  resource "aws_kms_grant" "this_volume" {
    # Created only when an ASG launches instances with an encrypted root volume
    # (see local.should_grant_asg_to_access_key).
    count = local.should_grant_asg_to_access_key ? 1 : 0

    name = "AllowASGToAccessKMS"

    # Targets whichever key the volumes use — module-created or external. For
    # an external key, the identity running terraform must itself be allowed
    # kms:CreateGrant on that key, or this resource will fail to create.
    key_id = local.volume_kms_key_arn

    # aws_iam_service_linked_role.asg is declared outside this excerpt; it is
    # presumably the AWSServiceRoleForAutoScaling role — verify.
    grantee_principal = aws_iam_service_linked_role.asg[0].arn

    # NOTE(review): RetireGrant is broader than the operation set AWS documents
    # for Auto Scaling with a customer managed key (Encrypt, Decrypt,
    # ReEncrypt*, GenerateDataKey*, DescribeKey, CreateGrant). Confirm it is
    # actually needed; otherwise drop it to keep the grant least-privilege.
    operations = [
      "Encrypt",
      "Decrypt",
      "GenerateDataKey",
      "DescribeKey",
      "CreateGrant",
      "GenerateDataKeyWithoutPlaintext",
      "ReEncryptFrom",
      "ReEncryptTo",
      "RetireGrant",
    ]
  }