|
- ####
- # KMS
- ####
-
- locals {
- should_create_kms_key = var.volume_kms_key_create && (var.root_block_device_encrypted || var.extra_volume_count > 0)
- should_grant_asg_to_access_key = var.root_block_device_encrypted && var.use_autoscaling_group && (var.volume_kms_key_external_exist || local.should_create_kms_key)
-
- volume_kms_key_arn = local.should_create_kms_key ? aws_kms_key.this_volume.*.arn[0] : var.volume_kms_key_arn
- }
-
- resource "aws_kms_key" "this_volume" {
- count = local.should_create_kms_key ? 1 : 0
-
- description = "KMS key for ${format("%s%s", var.prefix, var.name)} instance(s) volume(s)."
- customer_master_key_spec = var.volume_kms_key_customer_master_key_spec
- policy = var.volume_kms_key_policy
-
-
- tags = merge(
- {
- "Name" = format("%s%s", var.prefix, var.volume_kms_key_name)
- },
- var.tags,
- var.volume_kms_key_tags,
- local.tags,
- )
- }
-
- resource "aws_kms_alias" "this_volume" {
- count = local.should_create_kms_key ? 1 : 0
-
- name = format("alias/%s%s", var.prefix, var.volume_kms_key_alias)
- target_key_id = aws_kms_key.this_volume[0].key_id
- }
-
- resource "aws_kms_grant" "this_volume" {
- count = local.should_grant_asg_to_access_key ? 1 : 0
-
- name = "AllowASGToAccessKMS"
- key_id = local.volume_kms_key_arn
- grantee_principal = aws_iam_service_linked_role.asg.*.arn[0]
- operations = ["Encrypt", "Decrypt", "GenerateDataKey", "DescribeKey", "CreateGrant", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "RetireGrant"]
- }
|
