Clean Code

01-old/terraform/aws_vault/01-instance-profile.tf

@@ -0,0 +1,55 @@
+ resource "aws_kms_key" "vault" {
+   description             = "Vault unseal key"
+   deletion_window_in_days = 10
+ 
+   tags = {
+     Name = "vault-kms-unseal-${random_pet.env.id}"
+   }
+ }
+
+resource "aws_kms_alias" "vault-a" {
+  name          = "alias/prod-vault-auto-unseal"
+  target_key_id = aws_kms_key.vault.key_id
+}
+
+data "aws_iam_policy_document" "assume_role" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "vault-kms-unseal" {
+  statement {
+    sid       = "VaultKMSUnseal"
+    effect    = "Allow"
+    resources = [aws_kms_key.vault.arn]
+
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:DescribeKey",
+    ]
+  }
+}
+
+resource "aws_iam_role" "vault-kms-unseal" {
+  name               = "vault-kms-role-${random_pet.env.id}"
+  assume_role_policy = data.aws_iam_policy_document.assume_role.json
+}
+
+resource "aws_iam_role_policy" "vault-kms-unseal" {
+  name   = "Vault-KMS-Unseal-${random_pet.env.id}"
+  role   = aws_iam_role.vault-kms-unseal.id
+  policy = data.aws_iam_policy_document.vault-kms-unseal.json
+}
+
+resource "aws_iam_instance_profile" "vault-kms-unseal" {
+  name = "vault-kms-unseal-${random_pet.env.id}"
+  role = aws_iam_role.vault-kms-unseal.name
+}