
02169def2e151efdff5e388a0ad33dad2617269d — Dominik Wombacher 4 months ago aba9f26
feat(cfn): Templates to create KMS Multi-Region primary and replica key for backend encryption
2 files changed, 97 insertions(+), 0 deletions(-)

A cfn/kms-key-backend-encryption-replica.yaml
A cfn/kms-key-backend-encryption.yaml
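--- /dev/null
+++ b/cfn/kms-key-backend-encryption-replica.yaml
@@ -0,0 +1,48 @@
+# KMSKeyForBackendEncryptionReplica
+
+AWSTemplateFormatVersion: 2010-09-09
+Description: AWS KMS symetric key for backend encryption - Multi-Region Replica Key (e.g. S3, etcd, OpenTofu)
+
+Parameters:
+  KMSKeyBackendEncryptionPrimaryArn:
+    Type: String
+
+Resources:
+  KMSKeyBackendEncryptionReplica:
+    Type: AWS::KMS::ReplicaKey
+    Properties:
+      Description: AWS KMS symetric key for backend encryption - Multi-Region Replica Key (e.g. S3, etcd, OpenTofu)
+      Enabled: True
+      KeyPolicy:
+        Version: 2012-10-17
+        Id: key-backend-encryption
+        Statement:
+          - Sid: Enable IAM User Permissions
+            Effect: Allow
+            Principal:
+              AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root
+            Action: 'kms:*'
+            Resource: '*'
+          - Sid: DeleteProtection
+            Principal: "*"
+            Effect: Deny
+            Action:
+              - kms:ScheduleKeyDeletion
+            Resource: "*"
+      PendingWindowInDays: 30
+      PrimaryKeyArn: !Ref KMSKeyBackendEncryptionPrimaryArn
+      Tags:
+        - Key: Environment 
+          Value: Production
+    DeletionPolicy: Retain
+    UpdateReplacePolicy: Retain
+
+Outputs:
+  KMSKeyBackendEncryptionReplicaName:
+    Value: !Ref KMSKeyBackendEncryptionReplica
+    Export:
+      Name: 'KMSKeyBackendEncryptionReplicaName'
+  KMSKeyBackendEncryptionReplicaArn:
+    Value: !GetAtt KMSKeyBackendEncryptionReplica.Arn
+    Export:
+      Name: 'KMSKeyBackendEncryptionReplicaArn'
\ No newline at end of file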
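Review bot: `Version: 2012-10-17` under KeyPolicy (and `AWSTemplateFormatVersion: 2010-09-09`) is an unquoted ISO date, which YAML 1.1 loaders used by local linting and templating tools turn into a timestamp rather than the string the policy document requires; CloudFormation itself accepts it, but `Version: "2012-10-17"` keeps the template correct under any loader. The same applies to cfn/kms-key-backend-encryption.yaml in this commit. Capitalised `Enabled: True`, the trailing whitespace on `- Key: Environment `, and the missing final newline are yamllint findings in both files; `Enabled: true` is the canonical form. The `KMSKeyBackendEncryptionPrimaryArn` parameter has no `Description` or `AllowedPattern`, so a mistyped or non-multi-region key ARN is only rejected at resource creation time; a pattern anchored on the multi-region `mrk-` key-id prefix, e.g. `AllowedPattern: '^arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:key/mrk-[0-9a-f]{32}$'`, fails the stack at parameter validation instead.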

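--- /dev/null
+++ b/cfn/kms-key-backend-encryption.yaml
@@ -0,0 +1,49 @@
+# Stack-KMSKeyForBackendEncryption
+
+AWSTemplateFormatVersion: 2010-09-09
+Description: AWS KMS symetric key for backend encryption - Multi-Region Primary Key (e.g. S3, etcd, OpenTofu)
+
+Resources:
+  KMSKeyBackendEncryption:
+    Type: AWS::KMS::Key
+    Properties:
+      BypassPolicyLockoutSafetyCheck: False
+      Description: AWS KMS symetric key for backend encryption - Multi-Region Primary Key (e.g. S3, etcd, OpenTofu)
+      Enabled: True
+      EnableKeyRotation: False
+      KeyPolicy:
+        Version: 2012-10-17
+        Id: key-backend-encryption
+        Statement:
+          - Sid: Enable IAM User Permissions
+            Effect: Allow
+            Principal:
+              AWS: 
+                - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root
+            Action: 'kms:*'
+            Resource: '*'
+          - Sid: DeleteProtection
+            Principal: "*"
+            Effect: Deny
+            Action:
+              - kms:ScheduleKeyDeletion
+            Resource: "*"
+      KeySpec: SYMMETRIC_DEFAULT
+      MultiRegion: True
+      Origin: AWS_KMS
+      PendingWindowInDays: 30
+      Tags: 
+        - Key: Environment 
+          Value: Production
+    DeletionPolicy: Retain
+    UpdateReplacePolicy: Retain
+
+Outputs:
+  KMSKeyBackendEncryptionName:
+    Value: !Ref KMSKeyBackendEncryption
+    Export:
+      Name: 'KMSKeyBackendEncryptionName'
+  KMSKeyBackendEncryptionArn:
+    Value: !GetAtt KMSKeyBackendEncryption.Arn
+    Export:
+      Name: 'KMSKeyBackendEncryptionArn'
\ No newline at end of file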
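Review bot: `EnableKeyRotation: False` leaves a long-lived symmetric key that encrypts backend state (S3, etcd, OpenTofu per the Description) without automatic rotation, although rotation is supported for multi-region symmetric keys and is applied to the replicas from the primary; unless there is a reason to pin the key material, `EnableKeyRotation: true` is the safer default and is transparent to callers of the key. The DeleteProtection statement denies `kms:ScheduleKeyDeletion` to every principal including the account root, so under Deny-wins evaluation an administrator must first change the key policy before the key can be scheduled for deletion; that is presumably intended, but a comment above the statement such as `# Deny overrides the root Allow above: deleting the key requires an explicit policy change first` would make the two-step requirement visible to the next maintainer. `BypassPolicyLockoutSafetyCheck: False` together with the root Allow is the correct combination and should stay. The `Description` strings in both templates spell "symmetric" as "symetric".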