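├── .gitignore
├── aws_iam_group.tf
├── aws_iam_group_membership.tf
├── aws_iam_policy_attachment.tf
├── aws_iam_user.tf
├── main.tf
├── modules
│   └── kms
│       ├── aws_iam_policy.tf
│       ├── aws_iam_policy_document.tf
│       ├── aws_kms_alias.tf
│       ├── aws_kms_key.tf
│       ├── kms_policy.json.tpl
│       ├── output.tf
│       ├── template_file.tf
│       └── variable.tf
└── provider.tf

/.gitignore:
--------------------------------------------------------------------------------
# Local state and local environment files stay out of the repository: state
# files can hold resource attributes in clear text, and .envrc is where this
# layout keeps its AWS credentials/environment.
.DS_Store
.terraform/
terraform.tfstate
terraform.tfstate.backup
.envrc

--------------------------------------------------------------------------------
/aws_iam_group.tf:
--------------------------------------------------------------------------------
# Group that receives the module's KMS usage policy. Users obtain key access
# only through membership in this group, never through per-user policies.
resource "aws_iam_group" "group1" {
  name = "group1"
}

--------------------------------------------------------------------------------
/aws_iam_group_membership.tf:
--------------------------------------------------------------------------------
# Authoritative membership list for group1. aws_iam_group_membership manages
# the complete set of members, so a user added to the group outside Terraform
# is removed again on the next apply.
resource "aws_iam_group_membership" "group1_membership" {
  name  = "group1-membership"
  group = "${aws_iam_group.group1.name}"

  users = [
    "${aws_iam_user.user1.name}",
    "${aws_iam_user.user2.name}",
  ]
}

--------------------------------------------------------------------------------
/aws_iam_policy_attachment.tf:
--------------------------------------------------------------------------------
# Attach the module's KMS usage policy to group1.
#
# aws_iam_group_policy_attachment is used rather than aws_iam_policy_attachment:
# the latter is exclusive and detaches the policy from every other user, group
# and role on each apply, which silently revokes access granted elsewhere.
# The group-scoped attachment only manages this one group/policy pair.
resource "aws_iam_group_policy_attachment" "test_kms_policy_attachment" {
  group      = "${aws_iam_group.group1.name}"
  policy_arn = "${module.test_kms.iam_policy_arn}"
}

--------------------------------------------------------------------------------
/aws_iam_user.tf:
--------------------------------------------------------------------------------
# Two test users at the root path. No access keys or login profiles are
# created here; credentials are expected to be provisioned separately.
resource "aws_iam_user" "user1" {
  name = "user1"
  path = "/"
}

resource "aws_iam_user" "user2" {
  name = "user2"
  path = "/"
}
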
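--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
# Root module: creates a single KMS key through the local kms module.
# account_id is the account whose root principal is trusted by the key policy;
# the value below is a placeholder and normally must be the account the
# provider authenticates to, otherwise KMS's lockout safety check rejects
# the policy (the creating principal would not be able to administer the key).
module "test_kms" {
  source     = "./modules/kms"
  key_name   = "test"
  account_id = "111122223333"
}

--------------------------------------------------------------------------------
/modules/kms/aws_iam_policy.tf:
--------------------------------------------------------------------------------
# Managed IAM policy granting cryptographic use of this module's key.
# The root module attaches it to principals via the iam_policy_arn output;
# the key policy itself (kms_policy.json.tpl) only delegates to IAM.
resource "aws_iam_policy" "kms" {
  name        = "kms-${var.key_name}-policy"
  path        = "/"
  description = ""
  policy      = "${data.aws_iam_policy_document.kms.json}"
}

--------------------------------------------------------------------------------
/modules/kms/aws_iam_policy_document.tf:
--------------------------------------------------------------------------------
# Usage-only permissions (encrypt/decrypt/re-encrypt/data keys/describe),
# scoped to this module's key ARN. Administrative actions such as
# kms:PutKeyPolicy, kms:ScheduleKeyDeletion or kms:CreateGrant are
# deliberately not included.
data "aws_iam_policy_document" "kms" {
  statement {
    sid = "AllowUseOfTheKey"

    # https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
    ]

    resources = ["${aws_kms_key.key.arn}"]
  }
}

--------------------------------------------------------------------------------
/modules/kms/aws_kms_alias.tf:
--------------------------------------------------------------------------------
# Human-readable alias so callers can reference the key as alias/<key_name>
# instead of the generated key id.
resource "aws_kms_alias" "alias" {
  name          = "alias/${var.key_name}"
  target_key_id = "${aws_kms_key.key.key_id}"
}

--------------------------------------------------------------------------------
/modules/kms/aws_kms_key.tf:
--------------------------------------------------------------------------------
# Customer-managed KMS key.
#
# - The key policy is rendered from kms_policy.json.tpl and grants the account
#   root full access, which delegates fine-grained control to IAM policies
#   (see aws_iam_policy_document.tf).
# - Automatic yearly rotation is enabled; without it the key material is never
#   rotated (the previous config left it at the default, disabled).
# - deletion_window_in_days is the provider default, stated explicitly so the
#   grace period before an accidental deletion takes effect is visible here.
resource "aws_kms_key" "key" {
  description             = "KMS key ${var.key_name}"
  deletion_window_in_days = 30
  enable_key_rotation     = true
  policy                  = "${data.template_file.kms_policy.rendered}"
}

--------------------------------------------------------------------------------
/modules/kms/kms_policy.json.tpl:
--------------------------------------------------------------------------------
{
  "Version": "2012-10-17",
  "Id": "kms-key-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${account_id}:root"},
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}

--------------------------------------------------------------------------------
/modules/kms/output.tf:
--------------------------------------------------------------------------------
# ARN of the usage policy, for the root module to attach to groups/roles.
output "iam_policy_arn" {
  value = "${aws_iam_policy.kms.arn}"
}

--------------------------------------------------------------------------------
/modules/kms/template_file.tf:
--------------------------------------------------------------------------------
# Render the key policy JSON with the trusted account id substituted.
# account_id is interpolated into a principal ARN, so it must be a bare
# 12-digit account id, not an ARN.
data "template_file" "kms_policy" {
  template = "${file("${path.module}/kms_policy.json.tpl")}"

  vars {
    account_id = "${var.account_id}"
  }
}

--------------------------------------------------------------------------------
/modules/kms/variable.tf:
--------------------------------------------------------------------------------
variable "key_name" {
  description = "Short name used for the key alias (alias/<key_name>), the key description and the IAM policy name."
}

variable "account_id" {
  description = "12-digit AWS account id whose root principal is granted kms:* in the key policy; should be the account the provider targets."
}

--------------------------------------------------------------------------------
/provider.tf:
--------------------------------------------------------------------------------
# No provider version constraint is set; the config uses 0.11-style
# interpolation and the template_file data source, so pin the provider
# before upgrading Terraform.
provider "aws" {
  region = "us-east-1"
}

--------------------------------------------------------------------------------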