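# Provider configuration.
#
# Static credentials are deliberately NOT set here. The original block carried
# access_key / secret_key literals, which puts long-lived IAM credentials into
# version control and into the Terraform state file. Supply credentials out of
# band instead: AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables,
# a shared-credentials profile, or (preferred) an instance / assumed role.
# Any key pair that was ever committed in this file should be treated as
# compromised and rotated in IAM.
provider "aws" {
  region = "us-east-1"
}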
7
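# Customer-managed KMS key. No `policy` argument is given, so the provider
# applies AWS's default key policy (account root gets kms:* on the key); that
# default is what lets the IAM policy further down grant usage via IAM.
resource "aws_kms_key" "test_key" {
  description = "KMS Test key"

  # Rotate the backing key material automatically (yearly). Old material is
  # retained by KMS, so previously produced ciphertext remains decryptable.
  enable_key_rotation = true

  # Longest allowed pending-deletion window, so an accidental `destroy` can be
  # noticed and cancelled before the key -- and every object encrypted under
  # it -- becomes unrecoverable.
  deletion_window_in_days = 30
}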
11
# Human-readable alias for test_key. Callers should reference the alias
# (alias/test_key) rather than the raw key id so the key can be swapped later
# without touching consumers. Alias names must carry the "alias/" prefix.
resource "aws_kms_alias" "alias" {
  target_key_id = "${aws_kms_key.test_key.key_id}"
  name          = "alias/test_key"
}
16
# IAM role and policy: a role assumable by EC2 instances, plus the KMS usage
# policy that is attached to it.
18
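# Identity policy granting day-to-day cryptographic use of test_key.
#
# The original statement used `"Resource": "*"`, which lets any principal
# holding this policy encrypt/decrypt with EVERY KMS key in the account that
# has an IAM-permissive key policy -- far wider than a "KMS user" needs.
# The resource is now pinned to the ARN of the key created in this file.
# Actions are limited to data-path operations; no key-management actions
# (kms:PutKeyPolicy, kms:ScheduleKeyDeletion, kms:Create*, ...) are granted.
resource "aws_iam_policy" "kms_user_policy" {
  name = "KMS-User-Policy"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey",
        "kms:ReEncryptTo",
        "kms:DescribeKey",
        "kms:ReEncryptFrom"
      ],
      "Resource": "${aws_kms_key.test_key.arn}"
    }
  ]
}
EOF
}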
42
43
# Role that EC2 instances can assume to use the KMS key.
#
# The trust (assume-role) policy below allows only the EC2 service principal
# to call sts:AssumeRole; the permissions themselves come from the managed
# policy attached separately. `path = "/"` is the IAM default and is kept for
# explicitness. Note that this file does not create an instance profile, so
# an instance cannot actually pick the role up until one is defined.
resource "aws_iam_role" "kms_user_role" {
  path = "/"
  name = "kms_user_role"

  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": { "Service": "ec2.amazonaws.com" },
            "Action": "sts:AssumeRole"
        }
    ]
}
EOF
}
64
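# Bind the KMS user policy to the role.
#
# The original used aws_iam_policy_attachment, which Terraform treats as an
# EXCLUSIVE attachment: on every apply it detaches the policy from any user,
# group or role not listed in that one resource, silently revoking access
# granted elsewhere (other modules, the console, other workspaces).
# aws_iam_role_policy_attachment manages only this single role<->policy
# binding and leaves other principals alone.
#
# Migration note: this changes the resource address, so an existing deployment
# must have the old attachment removed from state (or be re-imported) before
# apply; otherwise Terraform will plan a detach followed by an attach.
resource "aws_iam_role_policy_attachment" "test-attach" {
  role       = "${aws_iam_role.kms_user_role.name}"
  policy_arn = "${aws_iam_policy.kms_user_policy.arn}"
}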