From f300a8c11302463c93f36d11bb05d1efc90e031b Mon Sep 17 00:00:00 2001
From: lolli001
Date: Wed, 31 Jul 2024 18:50:44 -0400
Subject: [PATCH] Updated KMS
---
kms.tf | 50 ++++++--------------------------------------
playbook.yml | 0
2 files changed, 6 insertions(+), 44 deletions(-)
delete mode 100644 playbook.yml
diff --git a/kms.tf b/kms.tf
index bffb2ee..4820dfe 100644
--- a/kms.tf
+++ b/kms.tf
@@ -1,11 +1,10 @@
 locals {
- kms_key_name = "rhel-x86-codepipeline-key" # Name for the KMS key alias
- account_id = "229685449397" # Replace with your AWS account ID
- partition = "aws-us-gov"
- region = "us-gov-west-1"
+ kms_key_name = "rhel-x86-codepipeline-key"  # Name for the KMS key alias
+ account_id = "229685449397"  # Replace with your AWS account ID
+ partition = "aws-us-gov"
+ region = "us-gov-west-1"
 }
-# Define the KMS Key resource
 resource "aws_kms_key" "rhel_x86_codepipeline_key" {
 description = "KMS key for RHEL x86 CodePipeline"
 enable_key_rotation = true
@@ -13,13 +12,11 @@ resource "aws_kms_key" "rhel_x86_codepipeline_key" {
 policy = data.aws_iam_policy_document.key_policy_combined.json
 }
-# Define the KMS Key Alias
 resource "aws_kms_alias" "rhel_x86_codepipeline_alias" {
 name = "alias/${local.kms_key_name}"
 target_key_id = aws_kms_key.rhel_x86_codepipeline_key.key_id
 }
-# Define the key policy document
 data "aws_iam_policy_document" "key_policy_combined" {
 statement {
 sid = "Enable IAM User Permissions"
@@ -32,46 +29,13 @@ data "aws_iam_policy_document" "key_policy_combined" {
 resources = ["*"]
 }
- statement {
- sid = "Allow access for Key Administrators"
- effect = "Allow"
- principals {
- type = "AWS"
- identifiers = [
- "arn:${local.partition}:iam::${local.account_id}:role/rhel-arm-image-pipeline-demo-codepipeline-role",
- "arn:${local.partition}:iam::${local.account_id}:role/rhel-x86-image-pipeline-demo-ec2-role",
- "arn:${local.partition}:iam::${local.account_id}:role/rhel-x86-image-pipeline-demo-codepipeline-role"
- ]
- }
- actions = [
- "kms:Create*",
- "kms:Describe*",
- "kms:Enable*",
- "kms:List*",
- "kms:Put*",
- "kms:Update*",
- "kms:Revoke*",
- "kms:Disable*",
- "kms:Get*",
- "kms:Delete*",
- "kms:TagResource",
- "kms:UntagResource",
- "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion",
- "kms:RotateKeyOnDemand"
- ]
- resources = ["*"]
- }
-
 statement {
 sid = "Allow use of the key"
 effect = "Allow"
 principals {
 type = "AWS"
 identifiers = [
- "arn:${local.partition}:iam::${local.account_id}:role/rhel-arm-image-pipeline-demo-codepipeline-role",
- "arn:${local.partition}:iam::${local.account_id}:role/rhel-x86-image-pipeline-demo-ec2-role",
- "arn:${local.partition}:iam::${local.account_id}:role/rhel-x86-image-pipeline-demo-codepipeline-role"
+ "arn:${local.partition}:iam::${local.account_id}:user/tf-pipeline/rhel-image-pipeline-demo"
 ]
 }
 actions = [
@@ -90,9 +54,7 @@ data "aws_iam_policy_document" "key_policy_combined" {
 principals {
 type = "AWS"
 identifiers = [
- "arn:${local.partition}:iam::${local.account_id}:role/rhel-arm-image-pipeline-demo-codepipeline-role",
- "arn:${local.partition}:iam::${local.account_id}:role/rhel-x86-image-pipeline-demo-ec2-role",
- "arn:${local.partition}:iam::${local.account_id}:role/rhel-x86-image-pipeline-demo-codepipeline-role"
+ "arn:${local.partition}:iam::${local.account_id}:user/tf-pipeline/rhel-image-pipeline-demo"
 ]
 }
 actions = [
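Review bot: The `Allow use of the key` statement now names a single IAM user, `user/tf-pipeline/rhel-image-pipeline-demo`, in place of the CodePipeline and EC2 roles, which implies long-lived access keys for the pipeline; for automation running inside AWS the service role or instance profile is the expected principal in a key policy, and at minimum this deserves a comment such as `# tf-pipeline is an IAM user (static keys); switch to the CodePipeline/EC2 roles once they exist`. If those roles still decrypt artifacts with this key they are now left with only whatever the `Enable IAM User Permissions` statement delegates — its actions are outside this hunk, so confirm it grants `kms:*` to the account root and that the roles carry matching IAM policies, otherwise they fail with AccessDeniedException; the removed `Key Administrators` statement rests on the same assumption. Be aware that AWS stores the principal's unique ID behind this ARN, so deleting and re-creating the user (for example a Terraform replace) silently invalidates the statement until the key policy is re-applied. The same ARN is spelled out again in the grant statement at `@@ -90,9 +54,7 @@`; hoisting it into `locals` as `pipeline_user_arn = "arn:${local.partition}:iam::${local.account_id}:user/tf-pipeline/rhel-image-pipeline-demo"` and using `identifiers = [local.pipeline_user_arn]` in both statements keeps them from drifting apart. Both statements' `actions` lists run past the end of their hunks.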
diff --git a/playbook.yml b/playbook.yml
deleted file mode 100644
index e69de29..0000000