kms_oauth.tf
# KMS Key for OAuth Token Encryption
#
# Customer-managed key used for field-level encryption of OAuth tokens that
# are stored in DynamoDB. The key policy below is the access boundary for the
# key: the account root keeps full administrative control (so IAM policies in
# the account can still delegate access), while the two runtime roles receive
# data-plane permissions only — no key administration and no grant creation.
resource "aws_kms_key" "oauth_tokens" {
  description         = "Encryption key for OAuth tokens in ${local.naming_prefix} bot"
  enable_key_rotation = true

  # 30 days is the longest waiting period KMS allows between a scheduled
  # deletion and the key actually being destroyed; it maximises the window
  # in which an accidental deletion can be cancelled.
  deletion_window_in_days = 30

  tags = {
    Name        = "${local.naming_prefix}OAuthTokensKey"
    Environment = var.environment
    ManagedBy   = "Terraform"
  }

  # Note on Resource = "*": in a KMS key policy the wildcard refers to this
  # key only, not to every key in the account.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      # Account root: unrestricted access to the key. Keeping this statement
      # is what prevents the key from becoming unmanageable.
      {
        Sid       = "Enable IAM User Permissions"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      # Worker runtime role: encrypt/decrypt plus the calls needed for
      # envelope encryption (GenerateDataKey) and key lookup (DescribeKey).
      # NOTE(review): KMS stores an IAM principal ARN as the role's unique id;
      # if this role is ever destroyed and recreated out of band, the statement
      # silently stops matching until the policy is re-applied — confirm the
      # Terraform dependency graph covers that case.
      {
        Sid       = "Allow Worker Runtime Access"
        Effect    = "Allow"
        Principal = { AWS = module.worker.worker_task_role_arn }
        Action    = ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey"]
        Resource  = "*"
      },
      # Auth portal Lambda role: same data-plane permission set as the worker.
      # NOTE(review): neither runtime statement constrains kms:EncryptionContext;
      # if the application supplies a context when encrypting tokens, binding
      # it here would narrow what a compromised role can decrypt — verify
      # against the application code before adding a condition.
      {
        Sid       = "Allow Auth Portal Lambda Access"
        Effect    = "Allow"
        Principal = { AWS = module.auth_portal.lambda_role_arn }
        Action    = ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey"]
        Resource  = "*"
      }
    ]
  })
}
# Human-readable alias for the OAuth token key so callers reference a stable
# name rather than the raw key id. Alias names must begin with "alias/"; the
# naming prefix is lowercased to keep the kebab-case form consistent.
resource "aws_kms_alias" "oauth_tokens" {
  target_key_id = aws_kms_key.oauth_tokens.key_id
  name          = "alias/${lower(local.naming_prefix)}-oauth-tokens"
}