From 5a9cbc46d6e70d9b4b38ab26ab50a8c1b39f19f4 Mon Sep 17 00:00:00 2001
From: Dmitry Dunaev
Date: Thu, 27 May 2021 12:48:31 +0300
Subject: [PATCH] [TOOLS-133] Add: Terraform KMS manifest for Helm secrets
---
 .../wifi-289708231103/cloudsdk_cicd/kms.tf | 96 +++++++++++++++++++
 1 file changed, 96 insertions(+)
 create mode 100644 terraform/wifi-289708231103/cloudsdk_cicd/kms.tf
diff --git a/terraform/wifi-289708231103/cloudsdk_cicd/kms.tf b/terraform/wifi-289708231103/cloudsdk_cicd/kms.tf
new file mode 100644
index 0000000..0f8c281
--- /dev/null
+++ b/terraform/wifi-289708231103/cloudsdk_cicd/kms.tf
@@ -0,0 +1,96 @@
+data "aws_iam_policy_document" "kms" {
+ statement {
+ sid = "Enable IAM User Permissions"
+ actions = ["kms:*"]
+ resources = ["arn:aws:s3:::*"]
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+ }
+ }
+
+ statement {
+ sid = "Allow access for Key Administrators"
+ actions = [
+ "kms:Create*",
+ "kms:Describe*",
+ "kms:Enable*",
+ "kms:List*",
+ "kms:Put*",
+ "kms:Update*",
+ "kms:Revoke*",
+ "kms:Disable*",
+ "kms:Get*",
+ "kms:Delete*",
+ "kms:TagResource",
+ "kms:UntagResource",
+ "kms:ScheduleKeyDeletion",
+ "kms:CancelKeyDeletion"
+ ]
+ resources = ["*"]
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = [
+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AdministratorAccess_5b24211378e8344f",
+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_SystemAdministrator_622371b0ceece6f8",
+ ]
+ }
+ }
+
+ statement {
+ sid = "Allow use of the key"
+ actions = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey"
+ ]
+ resources = ["*"]
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = [
+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AdministratorAccess_5b24211378e8344f",
+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_SystemAdministrator_622371b0ceece6f8",
+ ]
+ }
+ }
+
+ statement {
+ sid = "Allow attachment of persistent resources"
+ actions = [
+ "kms:CreateGrant",
+ "kms:ListGrants",
+ "kms:RevokeGrant"
+ ]
+ resources = ["*"]
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = [
+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AdministratorAccess_5b24211378e8344f",
+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_SystemAdministrator_622371b0ceece6f8",
+ ]
+ }
+ condition {
+ test = "Bool"
+ variable = "kms:GrantIsForAWSResource"
+ values = ["true"]
+ }
+ }
+
+}
+
+resource "aws_kms_key" "kms" {
+ description = "Helm secrets key"
+ policy = data.aws_iam_policy_document.kms.json
+ tags = local.common_tags
+}
+
+resource "aws_kms_alias" "kms" {
+ name = "alias/helm-secrets"
+ target_key_id = aws_kms_key.kms.key_id
+}
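Review bot: The "Enable IAM User Permissions" statement sets `resources = ["arn:aws:s3:::*"]`, but a KMS key policy can only refer to the key itself, so the account-root delegation that lets ordinary IAM policies grant access to this key either never matches or is rejected by KMS when the key is created; it should read `resources = ["*"]` like the other three statements. Without that delegation the key is manageable and usable only by the two hard-coded `AWSReservedSSO_*` roles, whose hashed suffixes are not stable if the permission sets are ever re-provisioned, which risks locking everyone out of the key; the CI pipeline this directory appears to belong to is also not granted `kms:Decrypt` anywhere, so if it is meant to read these Helm secrets it will need its own principal in the "Allow use of the key" statement. The `aws_kms_key` resource leaves rotation at its default (off); add `enable_key_rotation = true` so the key material is rotated annually.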