From 7727773df35fadd9bf4e82ee6b78968c480fc06e Mon Sep 17 00:00:00 2001
From: sidnhs
Date: Wed, 4 Jun 2025 15:37:01 +0100
Subject: [PATCH 1/7] CCM-10231: Adding multi-region kms key support

---
 infrastructure/modules/kms/README.md | 3 +++
 infrastructure/modules/kms/kms_key.tf | 1 +
 infrastructure/modules/kms/kms_key_replica.tf | 7 +++++++
 infrastructure/modules/kms/outputs.tf | 10 ++++++++++
 infrastructure/modules/kms/variables.tf | 6 ++++++
 infrastructure/modules/kms/versions.tf | 3 ++-
 6 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 infrastructure/modules/kms/kms_key_replica.tf

diff --git a/infrastructure/modules/kms/README.md b/infrastructure/modules/kms/README.md
index cb24e79..45c29dd 100644
--- a/infrastructure/modules/kms/README.md
+++ b/infrastructure/modules/kms/README.md
@@ -18,6 +18,7 @@
 | [deletion\_window](#input\_deletion\_window) | KMS key deletion window | `string` | n/a | yes |
 | [environment](#input\_environment) | The name of the terraformscaffold environment the module is called for | `string` | n/a | yes |
 | [iam\_delegation](#input\_iam\_delegation) | Whether to delegate administration of the key to the local account. Defaults to true | `bool` | `true` | no |
+| [is\_multi\_region](#input\_is\_multi\_region) | Whether the KMS key is a multi-region key. Defaults to false | `bool` | `false` | no |
 | [key\_policy\_documents](#input\_key\_policy\_documents) | List of KMS key policy JSON documents | `list(string)` | `[]` | no |
 | [name](#input\_name) | A unique name to distinguish this module invocation from others within the same CSI scope | `string` | n/a | yes |
 | [project](#input\_project) | The name of the terraformscaffold project calling the module | `string` | n/a | yes |
@@ -32,6 +33,8 @@ No modules.
 | [admin\_policy\_arn](#output\_admin\_policy\_arn) | ARN of the admin IAM policy |
 | [key\_arn](#output\_key\_arn) | ARN of the KMS key |
 | [key\_id](#output\_key\_id) | ID of the KMS key |
+| [replica\_key\_arn](#output\_replica\_key\_arn) | ARN of the Replica KMS key |
+| [replica\_key\_id](#output\_replica\_key\_id) | ID of the Replica KMS key |
 | [user\_policy\_arn](#output\_user\_policy\_arn) | ARN of the user IAM policy |
diff --git a/infrastructure/modules/kms/kms_key.tf b/infrastructure/modules/kms/kms_key.tf
index 787c01e..0900d62 100644
--- a/infrastructure/modules/kms/kms_key.tf
+++ b/infrastructure/modules/kms/kms_key.tf
@@ -3,6 +3,7 @@ resource "aws_kms_key" "main" {
 deletion_window_in_days = var.deletion_window
 description = local.csi
 enable_key_rotation = true
+ multi_region = var.is_multi_region
 policy = data.aws_iam_policy_document.key.json
 tags = local.default_tags
 }
diff --git a/infrastructure/modules/kms/kms_key_replica.tf b/infrastructure/modules/kms/kms_key_replica.tf
new file mode 100644
index 0000000..5fa1c44
--- /dev/null
+++ b/infrastructure/modules/kms/kms_key_replica.tf
@@ -0,0 +1,7 @@
+resource "aws_kms_replica_key" "replica" {
+ count = var.is_multi_region ? 1 : 0
+ provider = aws.us-east-1
+ description = "Multi-Region replica key"
+ deletion_window_in_days = var.deletion_window
+ primary_key_arn = aws_kms_key.main.arn
+}
diff --git a/infrastructure/modules/kms/outputs.tf b/infrastructure/modules/kms/outputs.tf
index 8e1f335..bb1b20a 100644
--- a/infrastructure/modules/kms/outputs.tf
+++ b/infrastructure/modules/kms/outputs.tf
@@ -17,3 +17,13 @@ output "user_policy_arn" {
 description = "ARN of the user IAM policy"
 value = aws_iam_policy.user.arn
 }
+
+output "replica_key_arn" {
+ description = "ARN of the Replica KMS key"
+ value = try(aws_kms_key.replica[0].arn, null)
+}
+
+output "replica_key_id" {
+ description = "ID of the Replica KMS key"
+ value = try(aws_kms_key.replica[0].key_id, null)
+}
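Review bot: `multi_region = var.is_multi_region` on `aws_kms_key.main` is an attribute AWS does not allow to change after key creation, so flipping `is_multi_region` on an already-deployed invocation plans a replacement of the primary key rather than an in-place update, and anything encrypted under the old key is only recoverable until its deletion window lapses. Nothing in the series warns callers of this; the variable description in this patch's variables.tf hunk is the natural place, e.g. `description = "Whether the KMS key is a multi-region key. Cannot be changed after creation: toggling it replaces the key. Defaults to false"`. If the module's callers can live with it, a `lifecycle { prevent_destroy = true }` on the resource would turn the accidental replacement into a plan-time error. The `resource "aws_kms_key" "main" {` line itself sits outside the hunk as header context.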
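Review bot: The new `aws_kms_replica_key.replica` sets no `tags`, while `aws_kms_key.main` in the kms_key.tf hunk of this same patch applies `tags = local.default_tags`; an untagged key falls outside whatever tag-based inventory, cost allocation or tag-conditioned IAM/SCP controls the project relies on. The hardcoded `description = "Multi-Region replica key"` likewise drops the `local.csi` identifier the primary uses, so the replica cannot be matched to its module invocation from a key listing in the replica region. Suggest `description = local.csi` and `tags = local.default_tags` to keep both keys consistent (assuming `local.default_tags` carries nothing region-specific, which is not visible here).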
diff --git a/infrastructure/modules/kms/variables.tf b/infrastructure/modules/kms/variables.tf
index a05cd77..43e5cf5 100644
--- a/infrastructure/modules/kms/variables.tf
+++ b/infrastructure/modules/kms/variables.tf
@@ -66,3 +66,9 @@ variable "iam_delegation" {
 description = "Whether to delegate administration of the key to the local account. Defaults to true"
 default = true
 }
+
+variable "is_multi_region" {
+ type = bool
+ description = "Whether the KMS key is a multi-region key. Defaults to false"
+ default = false
+}
diff --git a/infrastructure/modules/kms/versions.tf b/infrastructure/modules/kms/versions.tf
index f8dc86e..65a9e70 100644
--- a/infrastructure/modules/kms/versions.tf
+++ b/infrastructure/modules/kms/versions.tf
@@ -2,7 +2,8 @@ terraform {
 required_providers {
 aws = {
- source = "hashicorp/aws"
+ source = "hashicorp/aws"
+ configuration_aliases = [aws.us-east-1]
 }
 }
 required_version = ">= 1.9.0"

From 321a632b3962901caf69cf1f586705770ad96741 Mon Sep 17 00:00:00 2001
From: sidnhs
Date: Wed, 4 Jun 2025 15:40:16 +0100
Subject: [PATCH 2/7] CCM-10231: Adding multi-region kms key support

---
 infrastructure/modules/kms/outputs.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/infrastructure/modules/kms/outputs.tf b/infrastructure/modules/kms/outputs.tf
index bb1b20a..1974bfa 100644
--- a/infrastructure/modules/kms/outputs.tf
+++ b/infrastructure/modules/kms/outputs.tf
@@ -20,10 +20,10 @@ output "user_policy_arn" {
 output "replica_key_arn" {
 description = "ARN of the Replica KMS key"
- value = try(aws_kms_key.replica[0].arn, null)
+ value = try(aws_kms_replica_key.replica[0].arn, null)
 }
 
 output "replica_key_id" {
 description = "ID of the Replica KMS key"
- value = try(aws_kms_key.replica[0].key_id, null)
+ value = try(aws_kms_replica_key.replica[0].key_id, null)
 }

From e9b4d36b28b51038de5d69bee7a0bd9df7b5fe3c Mon Sep 17 00:00:00 2001
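Review bot: `configuration_aliases = [aws.us-east-1]` turns the aliased provider into a requirement for every caller of this module, including the existing ones that never set `is_multi_region`; as far as I know Terraform demands that a declared alias be supplied in the call's `providers` map regardless of the replica's `count`, so those invocations break until they pass `providers = { aws.us-east-1 = aws.<replica-alias> }`. The README hunk earlier in this patch documents the new input and outputs but not this new provider requirement, so please add it to the README's providers/usage section. The alias name is also only a hint: the replica is created wherever the provider the caller binds to `aws.us-east-1` points, and the module enforces nothing about the region, which is worth a comment on the alias line such as `# Callers must bind this alias to the provider of the intended replica region; the module does not verify it is us-east-1.`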
From: sidnhs
Date: Wed, 4 Jun 2025 15:48:41 +0100
Subject: [PATCH 3/7] CCM-10231: Adding multi-region kms key support

---
 .../kms/{kms_key_replica.tf => kms_replica_key_replica.tf} | 0
 infrastructure/modules/kms/outputs.tf | 2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename infrastructure/modules/kms/{kms_key_replica.tf => kms_replica_key_replica.tf} (100%)

diff --git a/infrastructure/modules/kms/kms_key_replica.tf b/infrastructure/modules/kms/kms_replica_key_replica.tf
similarity index 100%
rename from infrastructure/modules/kms/kms_key_replica.tf
rename to infrastructure/modules/kms/kms_replica_key_replica.tf
diff --git a/infrastructure/modules/kms/outputs.tf b/infrastructure/modules/kms/outputs.tf
index 1974bfa..c6ee632 100644
--- a/infrastructure/modules/kms/outputs.tf
+++ b/infrastructure/modules/kms/outputs.tf
@@ -25,5 +25,5 @@ output "replica_key_arn" {
 
 output "replica_key_id" {
 description = "ID of the Replica KMS key"
- value = try(aws_kms_replica_key.replica[0].key_id, null)
+ value = length(aws_kms_replica_key.replica) > 0 ? aws_kms_replica_key.replica[0].key_id : null
 }

From 9d6ded15aafcdea384440625ba2726bf2572a2f8 Mon Sep 17 00:00:00 2001
From: sidnhs
Date: Thu, 5 Jun 2025 13:53:36 +0100
Subject: [PATCH 4/7] CCM-10231: Adding multi-region kms key support

---
 infrastructure/modules/kms/outputs.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/infrastructure/modules/kms/outputs.tf b/infrastructure/modules/kms/outputs.tf
index c6ee632..1974bfa 100644
--- a/infrastructure/modules/kms/outputs.tf
+++ b/infrastructure/modules/kms/outputs.tf
@@ -25,5 +25,5 @@ output "replica_key_arn" {
 
 output "replica_key_id" {
 description = "ID of the Replica KMS key"
- value = length(aws_kms_replica_key.replica) > 0 ? aws_kms_replica_key.replica[0].key_id : null
+ value = try(aws_kms_replica_key.replica[0].key_id, null)
 }

From 6aedaf0712fe3920de439082e4494d3cc6132deb Mon Sep 17 00:00:00 2001
From: sidnhs
Date: Fri, 6 Jun 2025 14:38:17 +0100
Subject: [PATCH 5/7] CCM-10231: Adding multi-region kms key support

---
 infrastructure/modules/kms/kms_replica_key_replica.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/infrastructure/modules/kms/kms_replica_key_replica.tf b/infrastructure/modules/kms/kms_replica_key_replica.tf
index 5fa1c44..6668e4a 100644
--- a/infrastructure/modules/kms/kms_replica_key_replica.tf
+++ b/infrastructure/modules/kms/kms_replica_key_replica.tf
@@ -3,5 +3,6 @@ resource "aws_kms_replica_key" "replica" {
 provider = aws.us-east-1
 description = "Multi-Region replica key"
 deletion_window_in_days = var.deletion_window
+ policy = data.aws_iam_policy_document.key.json
 primary_key_arn = aws_kms_key.main.arn
 }

From b808128bbab64ebacd33be774033cedf919f4eda Mon Sep 17 00:00:00 2001
From: sidnhs
Date: Mon, 9 Jun 2025 10:01:24 +0100
Subject: [PATCH 6/7] CCM-10231: Review comments

---
 infrastructure/modules/kms/kms_replica_key_replica.tf | 3 ++-
 infrastructure/modules/kms/variables.tf | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/infrastructure/modules/kms/kms_replica_key_replica.tf b/infrastructure/modules/kms/kms_replica_key_replica.tf
index 6668e4a..93acadc 100644
--- a/infrastructure/modules/kms/kms_replica_key_replica.tf
+++ b/infrastructure/modules/kms/kms_replica_key_replica.tf
@@ -1,6 +1,7 @@
 resource "aws_kms_replica_key" "replica" {
- count = var.is_multi_region ? 1 : 0
 provider = aws.us-east-1
+ count = var.is_multi_region ? 1 : 0
+ +
 description = "Multi-Region replica key"
 deletion_window_in_days = var.deletion_window
 policy = data.aws_iam_policy_document.key.json
diff --git a/infrastructure/modules/kms/variables.tf b/infrastructure/modules/kms/variables.tf
index 43e5cf5..1a73d7c 100644
--- a/infrastructure/modules/kms/variables.tf
+++ b/infrastructure/modules/kms/variables.tf
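Review bot: Attaching `data.aws_iam_policy_document.key.json` gives the replica the same key policy as the primary, but the module's IAM side is untouched by this series: the `aws_iam_policy.user` (and presumably admin) policies exposed in outputs.tf are, if they scope `Resource` to `aws_kms_key.main.arn`, granting nothing on the replica, whose ARN differs by region even though the key ID is shared by a multi-region pair. Either add the replica's ARN to those policies' resource lists, or state in the README that access to the replica is governed solely by its key policy, so callers don't assume the delegated user/admin policies cover both regions. It is also worth confirming the key policy document contains no region- or primary-ARN-specific statements that would be wrong in the replica region; that document is not visible in this series. The `resource "aws_kms_replica_key" "replica" {` line is outside the hunk as header context.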
@@ -69,6 +69,6 @@ variable "iam_delegation" {
 
 variable "is_multi_region" {
 type = bool
- description = "Whether the KMS key is a multi-region key. Defaults to false"
+ description = "Whether the KMS key is a multi-region key, where secondary region would mostly be us-east-1. Defaults to false"
 default = false
 }

From 9f8152c08b2fc70e81a5fef8ce3276c94cbb4f3b Mon Sep 17 00:00:00 2001
From: sidnhs
Date: Mon, 9 Jun 2025 10:04:08 +0100
Subject: [PATCH 7/7] CCM-10231: Review comments

---
 infrastructure/modules/kms/README.md | 2 +-
 infrastructure/modules/kms/kms_replica_key_replica.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/infrastructure/modules/kms/README.md b/infrastructure/modules/kms/README.md
index 45c29dd..4410c3d 100644
--- a/infrastructure/modules/kms/README.md
+++ b/infrastructure/modules/kms/README.md
@@ -18,7 +18,7 @@
 | [deletion\_window](#input\_deletion\_window) | KMS key deletion window | `string` | n/a | yes |
 | [environment](#input\_environment) | The name of the terraformscaffold environment the module is called for | `string` | n/a | yes |
 | [iam\_delegation](#input\_iam\_delegation) | Whether to delegate administration of the key to the local account. Defaults to true | `bool` | `true` | no |
-| [is\_multi\_region](#input\_is\_multi\_region) | Whether the KMS key is a multi-region key. Defaults to false | `bool` | `false` | no |
+| [is\_multi\_region](#input\_is\_multi\_region) | Whether the KMS key is a multi-region key, where secondary region would mostly be us-east-1. Defaults to false | `bool` | `false` | no |
 | [key\_policy\_documents](#input\_key\_policy\_documents) | List of KMS key policy JSON documents | `list(string)` | `[]` | no |
 | [name](#input\_name) | A unique name to distinguish this module invocation from others within the same CSI scope | `string` | n/a | yes |
 | [project](#input\_project) | The name of the terraformscaffold project calling the module | `string` | n/a | yes |
diff --git a/infrastructure/modules/kms/kms_replica_key_replica.tf b/infrastructure/modules/kms/kms_replica_key_replica.tf
index 93acadc..c1ecc52 100644
--- a/infrastructure/modules/kms/kms_replica_key_replica.tf
+++ b/infrastructure/modules/kms/kms_replica_key_replica.tf
@@ -1,7 +1,7 @@
 resource "aws_kms_replica_key" "replica" {
 provider = aws.us-east-1
 count = var.is_multi_region ? 1 : 0
-
+
 description = "Multi-Region replica key"
 deletion_window_in_days = var.deletion_window
 policy = data.aws_iam_policy_document.key.json