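# Customer-managed KMS key used by Vault for auto-unseal (wrapping the
# root key material). No explicit `policy` is set, so AWS applies the
# default key policy: the account root has full access and access is
# otherwise governed by IAM policies such as the unseal role below.
resource "aws_kms_key" "vault" {
  description = "Vault unseal key"

  # Automatic annual rotation of the backing key material. Rotation is
  # transparent to callers: KMS retains prior material, so ciphertext
  # produced before a rotation still decrypts under the same key ARN.
  enable_key_rotation = true

  # Grace period before a scheduled deletion becomes permanent. AWS accepts
  # 7-30 days; 10 is near the minimum. If this key is lost, everything Vault
  # sealed with it is unrecoverable, so consider extending toward 30 days.
  deletion_window_in_days = 10

  tags = {
    # random_pet.env is declared outside this file/view.
    Name = "vault-kms-unseal-${random_pet.env.id}"
  }
}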
# Stable, human-readable alias for the unseal key, so Vault's seal config can
# reference the alias rather than the raw key ID.
#
# NOTE(review): every other name in this file is suffixed with
# `${random_pet.env.id}`, but this alias is hard-coded to "prod". KMS alias
# names are unique per account and region, so a second deployment of this
# module in the same account/region would fail on this resource. Left
# unchanged here because external Vault configuration may reference it.
resource "aws_kms_alias" "vault-a" {
  target_key_id = aws_kms_key.vault.key_id
  name          = "alias/prod-vault-auto-unseal"
}
# Trust (assume-role) policy for the unseal role: only the EC2 service
# principal may assume it, i.e. it is intended to be attached to instances
# through the instance profile declared below.
data "aws_iam_policy_document" "assume_role" {
  statement {
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }

    actions = ["sts:AssumeRole"]
    effect  = "Allow"
  }
}
# Permissions policy for the unseal role. Scoped to the single unseal key
# ARN (no wildcard) and limited to the three operations needed to wrap,
# unwrap and inspect the seal key -- no key-management actions such as
# ScheduleKeyDeletion, PutKeyPolicy or CreateGrant are granted.
data "aws_iam_policy_document" "vault-kms-unseal" {
  statement {
    sid    = "VaultKMSUnseal"
    effect = "Allow"

    actions = [
      "kms:DescribeKey",
      "kms:Encrypt",
      "kms:Decrypt",
    ]

    # Only the key created in this file; nothing else in the account.
    resources = [aws_kms_key.vault.arn]
  }
}
# IAM role assumed by the Vault EC2 instances. Its trust policy comes from
# the `assume_role` document above; its permissions are attached separately
# via aws_iam_role_policy. No permissions boundary is set here.
resource "aws_iam_role" "vault-kms-unseal" {
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
  name               = "vault-kms-role-${random_pet.env.id}"
}
# Inline policy binding the KMS unseal permissions to the role. Being inline
# (rather than a managed policy) it lives and dies with the role and cannot
# be attached to any other principal.
resource "aws_iam_role_policy" "vault-kms-unseal" {
  role   = aws_iam_role.vault-kms-unseal.id
  policy = data.aws_iam_policy_document.vault-kms-unseal.json
  name   = "Vault-KMS-Unseal-${random_pet.env.id}"
}
# Instance profile that lets EC2 instances (the Vault servers, attached
# elsewhere) obtain credentials for the unseal role via the instance
# metadata service.
resource "aws_iam_instance_profile" "vault-kms-unseal" {
  role = aws_iam_role.vault-kms-unseal.name
  name = "vault-kms-unseal-${random_pet.env.id}"
}