網頁

2022/4/14

Terraform 設定KMS key範例

Terraform建立KMS key的範例如下。


範例環境

  • AWS CLI 2.2.44
  • Terraform v1.0.10


事前要求

安裝Terraform CLI

設定AWS CLI的存取密鑰


建立配置

在任意資料夾新增一個Terraform配置文件main.tf內容如下。此文件用來設定terraform配置、provider aws及KMS key resource。

main.tf

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 1.1.0"
}

provider "aws" {
  profile = "default"
  region  = "ap-northeast-1" // Tokyo
}

// KMS key configs
resource "aws_kms_key" "demo_key" {
  description              = "terraform demo key"
  key_usage                = "ENCRYPT_DECRYPT"
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  deletion_window_in_days  = 7
}

resource "aws_kms_alias" "demo_key_alias" {
  name          = "alias/TerraformDemoKey"
  target_key_id = aws_kms_key.demo_key.key_id
}


檢驗配置

輸入terraform init將此目錄初始化為Terraform工作目錄及依配置下載aws provider。

輸入terraform fmt配置文件自動排版。

輸入terraform validate檢驗配置文件語法是否正確。


套用配置

輸入terraform apply執行配置計畫。

~/../terraform-demo$ terraform apply

Terraform used the selected providers to generate the following execution plan.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_kms_alias.demo_key_alias will be created
  + resource "aws_kms_alias" "demo_key_alias" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + name           = "alias/TerraformDemoKey"
      + name_prefix    = (known after apply)
      + target_key_arn = (known after apply)
      + target_key_id  = (known after apply)
    }

  # aws_kms_key.demo_key will be created
  + resource "aws_kms_key" "demo_key" {
      + arn                                = (known after apply)
      + bypass_policy_lockout_safety_check = false
      + customer_master_key_spec           = "SYMMETRIC_DEFAULT"
      + deletion_window_in_days            = 7
      + description                        = "terraform demo key"
      + enable_key_rotation                = false
      + id                                 = (known after apply)
      + is_enabled                         = true
      + key_id                             = (known after apply)
      + key_usage                          = "ENCRYPT_DECRYPT"
      + multi_region                       = (known after apply)
      + policy                             = (known after apply)
      + tags_all                           = (known after apply)
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_kms_key.demo_key: Creating...
aws_kms_key.demo_key: Creation complete after 1s [id=55e1b6e0-3576-450a-873d-608aa73b8283]
aws_kms_alias.demo_key_alias: Creating...
aws_kms_alias.demo_key_alias: Creation complete after 0s [id=alias/TerraformDemoKey]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

github


確認KMS key已建立

在AWS console的KMS的Customer managed keys確認key已建立,可看到Terraform建立的key TerraformDemoKey



由於沒設定policy,所以預設為AWS賬戶擁有者可存取及使用

TerraformDemoKey Key policy

{
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::400361196721:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}


沒有留言:

張貼留言