
Goal:

I am trying to create the following things: a Terraform template to create KMS keys. This template should create the key and two IAM roles. The roles would be one for admin functions and one that allows encrypt/decrypt. I have written the following code.

Am I doing the correct thing to achieve my goal?

# HCL requires the opening brace on the same line as the block header.
# Static credentials in source are a leak risk; the AWS provider also reads
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY or the shared credentials file.
provider "aws" {
  access_key = "*****************"
  secret_key = "4ZJaLh***********"
  region     = "us-east-1"
}

resource "aws_kms_key" "test_key" {
  description             = "KMS Test key"
}

resource "aws_kms_alias" "alias" {
  name          = "alias/test_key"
  target_key_id = "${aws_kms_key.test_key.key_id}"
}

#IAM Role and Policy

# "Resource": "*" in an identity policy allows use of every KMS key in the
# account that permits IAM access; scope it to the key ARN to limit blast radius.
resource "aws_iam_policy" "kms_user_policy" {
  name   = "KMS-User-Policy"
  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey",
                "kms:ReEncryptTo",
                "kms:DescribeKey",
                "kms:ReEncryptFrom"
            ],
            "Resource": "*"
        }
    ]
}
EOF
}


resource "aws_iam_role" "kms_user_role" {
  name = "kms_user_role"
  path = "/"

  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Principal": {
               "Service": "ec2.amazonaws.com"
            },
            "Effect": "Allow",
            "Sid": ""
        }
    ]
}
EOF
}

# aws_iam_policy_attachment takes exclusive ownership of every attachment of
# this policy; aws_iam_role_policy_attachment is the non-exclusive form.
resource "aws_iam_policy_attachment" "test-attach" {
  name       = "test-attachment"
  roles      = ["${aws_iam_role.kms_user_role.name}"]
  policy_arn = "${aws_iam_policy.kms_user_policy.arn}"
}
    What have you tried? What specifically are you confused about and having trouble with? – ydaetskcoR Mar 29 '18 at 12:27
  • What I want to do is to write a terraform script to create a KMS key, two roles(admin and User), I am confused on how to create a role and relate it to the key? – Akshay Yeluru Mar 29 '18 at 12:50
  • And what have you tried? Can you edit the question to show attempts at writing the Terraform code? – ydaetskcoR Mar 29 '18 at 13:08
  • Following is the code I've written I want to add roles to this key `provider "aws" { access_key = "*****************" secret_key = "4ZJaLh***********" region = "us-east-1" } resource "aws_kms_key" "Test_key" { description = "KMS Test key" } resource "aws_kms_alias" "alias" { name = "alias/test_key" target_key_id = "${aws_kms_key.test_key.key_id}" }` – Akshay Yeluru Mar 29 '18 at 13:14
  • You should edit your question to show code instead of adding it as a comment. Also you need to show what you are doing with your IAM roles. – ydaetskcoR Mar 29 '18 at 13:35
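The question asks how to relate the roles to the key. The mechanism is the key policy: a KMS key only trusts the principals its own resource policy names (plus the account root, which must stay in the policy so the key never becomes unmanageable), and the roles then need a matching identity policy scoped to the key's ARN rather than `"*"`. The configuration below is an added example, not the questioner's code: it assumes Terraform 0.12 or later syntax and credentials supplied through the environment, and the names `kms_admin_role`, `kms_user_role` and the `ec2.amazonaws.com` trust on the admin role are placeholders (an admin role would normally be assumed by operators, not instances).

```hcl
# Added example. Assumes Terraform 0.12+ and credentials from the environment.
provider "aws" {
  region = "us-east-1"
}

data "aws_caller_identity" "current" {}

# Trust policy shared by both roles; EC2 service principal as in the question.
data "aws_iam_policy_document" "assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "kms_admin_role" {
  name               = "kms_admin_role"
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
}

resource "aws_iam_role" "kms_user_role" {
  name               = "kms_user_role"
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
}

# Key policy: this is what ties each role to this particular key.
# In a key policy, resources = ["*"] means "this key" only.
data "aws_iam_policy_document" "key_policy" {
  statement {
    sid       = "EnableRootPermissions"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  statement {
    sid = "AllowKeyAdministration"
    actions = [
      "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
      "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
      "kms:TagResource", "kms:UntagResource",
      "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.kms_admin_role.arn]
    }
  }

  statement {
    sid = "AllowKeyUse"
    actions = [
      "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
      "kms:GenerateDataKey*", "kms:DescribeKey",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.kms_user_role.arn]
    }
  }
}

resource "aws_kms_key" "test_key" {
  description         = "KMS Test key"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.key_policy.json
}

resource "aws_kms_alias" "alias" {
  name          = "alias/test_key"
  target_key_id = aws_kms_key.test_key.key_id
}

# Identity-side policy for the user role, scoped to this key's ARN instead of "*".
data "aws_iam_policy_document" "kms_user" {
  statement {
    actions = [
      "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
      "kms:GenerateDataKey*", "kms:DescribeKey",
    ]
    resources = [aws_kms_key.test_key.arn]
  }
}

resource "aws_iam_policy" "kms_user_policy" {
  name   = "KMS-User-Policy"
  policy = data.aws_iam_policy_document.kms_user.json
}

# Non-exclusive attachment: other attachments of the same policy are left alone.
resource "aws_iam_role_policy_attachment" "kms_user" {
  role       = aws_iam_role.kms_user_role.name
  policy_arn = aws_iam_policy.kms_user_policy.arn
}
```

The admin role gets only key-management actions and no `kms:Encrypt`/`kms:Decrypt`, and the user role gets only data-plane actions, so neither role alone can both change the key policy and read data protected by the key. There is no dependency cycle: the roles reference nothing, the key policy references the role ARNs, and the user's identity policy references the key ARN.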
