├── .gitignore ├── README.md ├── cdktf.json ├── help └── main.py /.gitignore: -------------------------------------------------------------------------------- 1 | dist/ 2 | imports/* 3 | !imports/__init__.py 4 | .terraform 5 | cdktf.out 6 | cdktf.log 7 | *terraform.*.tfstate* 8 | 9 | 10 | # Byte-compiled / optimized / DLL files 11 | __pycache__/ 12 | *.py[cod] 13 | *$py.class 14 | 15 | # Distribution / packaging 16 | .Python 17 | build/ 18 | develop-eggs/ 19 | dist/ 20 | downloads/ 21 | eggs/ 22 | .eggs/ 23 | lib/ 24 | lib64/ 25 | parts/ 26 | sdist/ 27 | var/ 28 | wheels/ 29 | share/python-wheels/ 30 | *.egg-info/ 31 | .installed.cfg 32 | *.egg 33 | MANIFEST -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # cdktf-python-aws-kms 2 | 3 | The Cloud Development Kit for Terraform (CDKTF) allows you to define your infrastructure in a familiar programming language such as TypeScript, Python, Go, C#, or Java. 4 | 5 | In this tutorial, you will provision an EC2 instance on AWS using your preferred programming language. 6 | 7 | ## Prerequisites 8 | 9 | * [Terraform](https://www.terraform.io/downloads) >= v1.0 10 | * [CDK for Terraform](https://learn.hashicorp.com/tutorials/terraform/cdktf-install) >= v0.8 11 | * A [Terraform Cloud](https://app.terraform.io/) account, with [CLI authentication](https://learn.hashicorp.com/tutorials/terraform/cloud-login) configured 12 | * [an AWS account](https://portal.aws.amazon.com/billing/signup?nc2=h_ct&src=default&redirect_url=https%3A%2F%2Faws.amazon.com%2Fregistration-confirmation#/start) 13 | * AWS Credentials [configured for use with Terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication) 14 | 15 | 16 | Credentials can be provided by using the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and optionally AWS_SESSION_TOKEN environment variables. The region can be set using the AWS_REGION or AWS_DEFAULT_REGION environment variables. 17 | 18 | ```shell 19 | $ export AWS_ACCESS_KEY_ID="anaccesskey" 20 | $ export AWS_SECRET_ACCESS_KEY="asecretkey" 21 | $ export AWS_REGION="us-west-2" 22 | ``` 23 | 24 | ## Install project dependencies 25 | 26 | ```shell 27 | mkdir learn-cdktf 28 | cd learn-cdktf 29 | cdktf init --template="python" 30 | ``` 31 | 32 | ## Install AWS provider 33 | 34 | ```shell 35 | pipenv install cdktf-cdktf-provider-aws 36 | ``` 37 | 38 | ## Define your CDK for Terraform Application 39 | 40 | Replace the contents of main.py with the following code for a new Python application 41 | 42 | ```python 43 | #!/usr/bin/env python 44 | from constructs import Construct 45 | from cdktf import App, TerraformStack 46 | from cdktf_cdktf_provider_aws import AwsProvider, kms, datasources 47 | 48 | class MyStack(TerraformStack): 49 | def __init__(self, scope: Construct, ns: str): 50 | super().__init__(scope, ns) 51 | 52 | # define resources here 53 | myregion = "us-east-1" 54 | AwsProvider(self, "aws", region=myregion) 55 | 56 | datasources.DataAwsCallerIdentity(self, "aws_id") 57 | 58 | policy = """{ 59 | "Version": "2012-10-17", 60 | "Statement": [ 61 | { 62 | "Sid": "Enable IAM User Permissions", 63 | "Effect": "Allow", 64 | "Principal": { 65 | "AWS": "arn:aws:iam::${awsAccountid.id}:root" 66 | }, 67 | "Action": [ 68 | "kms:*" 69 | ], 70 | "Resource": [ 71 | "*" 72 | ] 73 | }, { 74 | "Sid": "Allow autoscalling to use the key", 75 | "Effect": "Allow", 76 | "Principal": { 77 | "AWS": [ 78 | "arn:aws:iam::${awsAccountid.id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling" 79 | ] 80 | }, 81 | "Action": [ 82 | "kms:Create*", 83 | "kms:Describe*", 84 | "kms:Enable*", 85 | "kms:List*", 86 | "kms:Put*", 87 | "kms:Update*", 88 | "kms:Revoke*", 89 | "kms:Disable*", 90 | "kms:Get*", 91 | "kms:Delete*", 92 | "kms:TagResource", 93 | "kms:UntagResource", 94 | "kms:ScheduleKeyDeletion", 95 | "kms:CancelKeyDeletion" 96 | ], 97 | "Resource": "*" 98 | },{ 99 | "Sid": "Allow use of the key", 100 | "Effect": "Allow", 101 | "Principal": { 102 | "AWS": [ 103 | "arn:aws:iam::${awsAccountid.id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling" 104 | ] 105 | }, 106 | "Action": [ 107 | "kms:Encrypt", 108 | "kms:Decrypt", 109 | "kms:ReEncrypt*", 110 | "kms:GenerateDataKey*", 111 | "kms:DescribeKey" 112 | ], 113 | "Resource": "*" 114 | }, { 115 | "Sid": "Allow attachment of persistent resources", 116 | "Effect": "Allow", 117 | "Principal": { 118 | "AWS": [ 119 | "arn:aws:iam::${awsAccountid.id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling" 120 | ] 121 | }, 122 | "Action": [ 123 | "kms:CreateGrant", 124 | "kms:ListGrants", 125 | "kms:RevokeGrant" 126 | ], 127 | "Resource": "*", 128 | "Condition": { 129 | "Bool": { 130 | "kms:GrantIsForAWSResource": "true" 131 | } 132 | } 133 | } 134 | ] 135 | }""" 136 | mykmskey=kms.KmsKey(self, "aws_kms",enable_key_rotation=True, policy=policy,tags={"Name": "CDKtf-python-Demo-KMS-key"}) 137 | 138 | kms.KmsAlias(self, "kms_alias", target_key_id=mykmskey.id) 139 | 140 | app = App() 141 | MyStack(app, "cdktf-python-aws-kms") 142 | 143 | app.synth() 144 | ``` 145 | ## Provision infrastructure 146 | ```shell 147 | cdktf deploy 148 | ``` 149 | After the instance is created, visit the AWS EC2 Dashboard. 150 | 151 | ## Clean up your infrastructure 152 | ```shell 153 | cdktf destroy 154 | ``` -------------------------------------------------------------------------------- /cdktf.json: -------------------------------------------------------------------------------- 1 | { 2 | "language": "python", 3 | "app": "pipenv run python main.py", 4 | "projectId": "7850ad05-4c8e-4c66-9572-4df0bd0cd511", 5 | "terraformProviders": [], 6 | "terraformModules": [], 7 | "codeMakerOutput": "imports", 8 | "context": { 9 | "excludeStackIdFromLogicalIds": "true", 10 | "allowSepCharsInLogicalIds": "true" 11 | } 12 | } -------------------------------------------------------------------------------- /help: -------------------------------------------------------------------------------- 1 | ======================================================================================================== 2 | 3 | Your cdktf Python project is ready! 4 | 5 | cat help Prints this message 6 | 7 | Compile: 8 | pipenv run ./main.py Compile and run the python code. 9 | 10 | Synthesize: 11 | cdktf synth [stack] Synthesize Terraform resources to cdktf.out/ 12 | 13 | Diff: 14 | cdktf diff [stack] Perform a diff (terraform plan) for the given stack 15 | 16 | Deploy: 17 | cdktf deploy [stack] Deploy the given stack 18 | 19 | Destroy: 20 | cdktf destroy [stack] Destroy the given stack 21 | 22 | Learn more about using modules and providers https://cdk.tf/modules-and-providers 23 | 24 | ======================================================================================================== -------------------------------------------------------------------------------- /main.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | from constructs import Construct 3 | from cdktf import App, TerraformStack 4 | from cdktf_cdktf_provider_aws import AwsProvider, kms, datasources 5 | 6 | class MyStack(TerraformStack): 7 | def __init__(self, scope: Construct, ns: str): 8 | super().__init__(scope, ns) 9 | 10 | # define resources here 11 | myregion = "us-east-1" 12 | AwsProvider(self, "aws", region=myregion) 13 | 14 | datasources.DataAwsCallerIdentity(self, "aws_id") 15 | 16 | policy = """{ 17 | "Version": "2012-10-17", 18 | "Statement": [ 19 | { 20 | "Sid": "Enable IAM User Permissions", 21 | "Effect": "Allow", 22 | "Principal": { 23 | "AWS": "arn:aws:iam::${awsAccountid.id}:root" 24 | }, 25 | "Action": [ 26 | "kms:*" 27 | ], 28 | "Resource": [ 29 | "*" 30 | ] 31 | }, { 32 | "Sid": "Allow autoscalling to use the key", 33 | "Effect": "Allow", 34 | "Principal": { 35 | "AWS": [ 36 | "arn:aws:iam::${awsAccountid.id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling" 37 | ] 38 | }, 39 | "Action": [ 40 | "kms:Create*", 41 | "kms:Describe*", 42 | "kms:Enable*", 43 | "kms:List*", 44 | "kms:Put*", 45 | "kms:Update*", 46 | "kms:Revoke*", 47 | "kms:Disable*", 48 | "kms:Get*", 49 | "kms:Delete*", 50 | "kms:TagResource", 51 | "kms:UntagResource", 52 | "kms:ScheduleKeyDeletion", 53 | "kms:CancelKeyDeletion" 54 | ], 55 | "Resource": "*" 56 | },{ 57 | "Sid": "Allow use of the key", 58 | "Effect": "Allow", 59 | "Principal": { 60 | "AWS": [ 61 | "arn:aws:iam::${awsAccountid.id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling" 62 | ] 63 | }, 64 | "Action": [ 65 | "kms:Encrypt", 66 | "kms:Decrypt", 67 | "kms:ReEncrypt*", 68 | "kms:GenerateDataKey*", 69 | "kms:DescribeKey" 70 | ], 71 | "Resource": "*" 72 | }, { 73 | "Sid": "Allow attachment of persistent resources", 74 | "Effect": "Allow", 75 | "Principal": { 76 | "AWS": [ 77 | "arn:aws:iam::${awsAccountid.id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling" 78 | ] 79 | }, 80 | "Action": [ 81 | "kms:CreateGrant", 82 | "kms:ListGrants", 83 | "kms:RevokeGrant" 84 | ], 85 | "Resource": "*", 86 | "Condition": { 87 | "Bool": { 88 | "kms:GrantIsForAWSResource": "true" 89 | } 90 | } 91 | } 92 | ] 93 | }""" 94 | mykmskey=kms.KmsKey(self, "aws_kms",enable_key_rotation=True, policy=policy,tags={"Name": "CDKtf-python-Demo-KMS-key"}) 95 | 96 | kms.KmsAlias(self, "kms_alias", target_key_id=mykmskey.id) 97 | 98 | app = App() 99 | MyStack(app, "cdktf-python-aws-kms") 100 | 101 | app.synth() 102 | --------------------------------------------------------------------------------