diff --git a/README.md b/README.md
index c6a50e5..c43c7b9 100644
--- a/README.md
+++ b/README.md
@@ -74,6 +74,7 @@
 | secret\_method | Use ssm for SSM parameters store which is the default option, or secretsmanager for AWS Secrets Manager | `string` | `"ssm"` | no |
 | skip\_final\_snapshot | Skips the final snapshot if the database is destroyed programatically | `bool` | `false` | no |
 | snapshot\_identifier | Pass a snapshot identifier for the database to be created from this snapshot | `string` | `""` | no |
+| ssm\_kms\_key\_id | KMS Key Id to use a CMK instead of default shared key for SSM parameters | `string` | `""` | no |
 | storage\_encrypted | Enables storage encryption | `bool` | n/a | yes |
 | storage\_type | The instance storage type | `string` | `"gp2"` | no |
 | user | DB User | `string` | n/a | yes |
diff --git a/_variables.tf b/_variables.tf
index aa55c6d..d4b1bd8 100644
--- a/_variables.tf
+++ b/_variables.tf
@@ -133,6 +133,12 @@ variable "kms_key_arn" {
 description = "KMS Key ARN to use a CMK instead of default shared key, when storage_encrypted is true"
 }
 
+variable "ssm_kms_key_id" {
+type = string
+default = ""
+description = "KMS Key Id to use a CMK instead of default shared key for SSM parameters"
+}
+
 variable "backup" {
 type = bool
 description = "Enables automatic backup with AWS Backup"
diff --git a/ssm.tf b/ssm.tf
index 028cfbd..7d0456c 100644
--- a/ssm.tf
+++ b/ssm.tf
@@ -3,6 +3,7 @@ resource "aws_ssm_parameter" "rds_db_password" {
 name = "/rds/${var.environment_name}-${var.name}/PASSWORD"
 description = "RDS Password"
 type = "SecureString"
+key_id = var.ssm_kms_key_id
 value = random_string.rds_db_password.result
 
 lifecycle {
@@ -15,6 +16,7 @@ resource "aws_ssm_parameter" "rds_db_user" {
 name = "/rds/${var.environment_name}-${var.name}/USER"
 description = "RDS User"
 type = "SecureString"
+key_id = var.ssm_kms_key_id
 value = var.db_type == "rds" ? aws_db_instance.rds_db[0].username : aws_rds_cluster.aurora_cluster[0].master_username
 }
 
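Review bot: The new `ssm_kms_key_id` variable defaults to `""`, and ssm.tf passes that empty string straight into `key_id`, so falling back to the default SSM key relies on the AWS provider treating an empty `key_id` as unset rather than on anything the module states; `default = null` here (or `key_id = var.ssm_kms_key_id != "" ? var.ssm_kms_key_id : null` at the two call sites) expresses the intent in Terraform terms and does not depend on that provider behaviour. The description should also say what an empty value means and what the attribute accepts, e.g. `description = "KMS key used to encrypt the SSM SecureString parameters (key id, ARN or alias, as accepted by SSM PutParameter); empty/null keeps the AWS-managed default SSM key"` — the accepted formats are presumably those of the underlying API, so confirm before documenting them. Naming is slightly inconsistent with the sibling `kms_key_arn` (ARN vs Id); worth a sentence in the README row so callers know both forms are fine if that is the case.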
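Review bot: Once a CMK is supplied through the added `key_id` line, every principal that reads `/rds/${var.environment_name}-${var.name}/PASSWORD` (and `/USER` in the second ssm.tf hunk, which adds the same line) also needs `kms:Decrypt` on that key, which the AWS-managed SSM key grants implicitly; nothing in the change documents this, so a caller switching to a CMK without updating the key policy or the readers' IAM policies would likely see parameter reads start failing with access-denied errors. A short comment above the added line would flag it: `# key_id: empty uses the AWS-managed SSM key; a CMK must allow kms:Decrypt for every reader of this parameter`. Both parameters share one variable, which is reasonable as long as the readers of USER are the same set as the readers of PASSWORD. The enclosing `resource "aws_ssm_parameter"` blocks start before each hunk, so whether a `count` on `secret_method` already guards them is not visible here.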