From 91522b4a4a4ec16c0d9f502853bd3e59bbd1f0eb Mon Sep 17 00:00:00 2001 From: Lucas Gothelipe Date: Fri, 8 Jul 2022 06:30:43 +0000 Subject: [PATCH 1/3] Add ssm kms key
---
_variables.tf | 6 ++++++ ssm.tf | 2 ++ 2 files changed, 8 insertions(+)
diff --git a/_variables.tf b/_variables.tf
index aa55c6d..bd10207 100644
--- a/_variables.tf
+++ b/_variables.tf
@@ -133,6 +133,12 @@ variable "kms_key_arn" {
 description = "KMS Key ARN to use a CMK instead of default shared key, when storage_encrypted is true"
 }

+variable "ssm_kms_key_arn" {
+ type = string
+ default = ""
+ description = "KMS Key ARN to use a CMK instead of default shared key for SSM parameters"
+}
+
 variable "backup" {
 type = bool
 description = "Enables automatic backup with AWS Backup"
diff --git a/ssm.tf b/ssm.tf
index 028cfbd..c6a0b52 100644
--- a/ssm.tf
+++ b/ssm.tf
@@ -3,6 +3,7 @@ resource "aws_ssm_parameter" "rds_db_password" {
 name = "/rds/${var.environment_name}-${var.name}/PASSWORD"
 description = "RDS Password"
 type = "SecureString"
+ key_id = var.ssm_kms_key_arn
 value = random_string.rds_db_password.result

 lifecycle {
@@ -15,6 +16,7 @@ resource "aws_ssm_parameter" "rds_db_user" {
 name = "/rds/${var.environment_name}-${var.name}/USER"
 description = "RDS User"
 type = "SecureString"
+ key_id = var.ssm_kms_key_arn
 value = var.db_type == "rds" ? aws_db_instance.rds_db[0].username : aws_rds_cluster.aurora_cluster[0].master_username
 }

From e5e8b7db3d79da27d6964269dcd1b70302aa9ded Mon Sep 17 00:00:00 2001 From: Lucas Gothelipe Date: Fri, 8 Jul 2022 06:37:37 +0000 Subject: [PATCH 2/3] Update variable name
---
_variables.tf | 4 ++-- ssm.tf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/_variables.tf b/_variables.tf
index bd10207..d4b1bd8 100644
--- a/_variables.tf
+++ b/_variables.tf
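Review bot: The new `key_id = var.ssm_kms_key_arn` line in both ssm.tf hunks passes an empty string whenever the variable is left at its `default = ""`, so the module depends on the AWS provider treating `""` as "unset" for this Optional+Computed attribute instead of expressing that in Terraform; a stricter provider version could reject the empty key or plan a recurring diff against the computed `alias/aws/ssm` value. The unambiguous form is `key_id = var.ssm_kms_key_arn != "" ? var.ssm_kms_key_arn : null` (the variable is renamed to `ssm_kms_key_id` in the next patch, so the reference should follow), or declare the variable with `default = null` and pass it straight through. Both `aws_ssm_parameter` resource blocks begin before their hunks, so the rest of each resource is not visible here.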
@@ -133,10 +133,10 @@ variable "kms_key_arn" {
 description = "KMS Key ARN to use a CMK instead of default shared key, when storage_encrypted is true"
 }

-variable "ssm_kms_key_arn" {
+variable "ssm_kms_key_id" {
 type = string
 default = ""
- description = "KMS Key ARN to use a CMK instead of default shared key for SSM parameters"
+ description = "KMS Key Id to use a CMK instead of default shared key for SSM parameters"
 }

 variable "backup" {
diff --git a/ssm.tf b/ssm.tf
index c6a0b52..7d0456c 100644
--- a/ssm.tf
+++ b/ssm.tf
@@ -3,7 +3,7 @@ resource "aws_ssm_parameter" "rds_db_password" {
 name = "/rds/${var.environment_name}-${var.name}/PASSWORD"
 description = "RDS Password"
 type = "SecureString"
- key_id = var.ssm_kms_key_arn
+ key_id = var.ssm_kms_key_id
 value = random_string.rds_db_password.result

 lifecycle {
@@ -16,7 +16,7 @@ resource "aws_ssm_parameter" "rds_db_user" {
 name = "/rds/${var.environment_name}-${var.name}/USER"
 description = "RDS User"
 type = "SecureString"
- key_id = var.ssm_kms_key_arn
+ key_id = var.ssm_kms_key_id
 value = var.db_type == "rds" ? aws_db_instance.rds_db[0].username : aws_rds_cluster.aurora_cluster[0].master_username
 }

From e36ccdbd979a06ea214a03d0752b9cba23639504 Mon Sep 17 00:00:00 2001 From: lgothelipe Date: Fri, 8 Jul 2022 06:39:43 +0000 Subject: [PATCH 3/3] terraform-docs: automated update action
---
README.md | 1 + 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index c6a50e5..c43c7b9 100644
--- a/README.md
+++ b/README.md
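Review bot: The rewritten description `KMS Key Id to use a CMK instead of default shared key for SSM parameters` in the _variables.tf hunk under-documents the variable: `aws_ssm_parameter.key_id` accepts a key ID, ARN or alias, and the security-relevant consequence of setting it — every principal that reads the `/rds/<env>-<name>/PASSWORD` and `/USER` parameters now also needs `kms:Decrypt` on that CMK, granted both in IAM and in the key policy — is exactly what a module user has to know before moving off the account-default `alias/aws/ssm` key. Suggest `description = "KMS key ID, ARN or alias used to encrypt the SSM SecureString parameters; empty uses the AWS-managed alias/aws/ssm key. Readers of the parameters need kms:Decrypt on this key."`. The README row added in the next patch is generated from this text by terraform-docs, so the variable description is the only place to fix it. The README also lists a `secret_method = "secretsmanager"` option; if that path creates Secrets Manager secrets they presumably still use the default key after this change, which is worth confirming so the CMK option covers both stores.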
@@ -74,6 +74,7 @@
 | secret\_method | Use ssm for SSM parameters store which is the default option, or secretsmanager for AWS Secrets Manager | `string` | `"ssm"` | no |
 | skip\_final\_snapshot | Skips the final snapshot if the database is destroyed programatically | `bool` | `false` | no |
 | snapshot\_identifier | Pass a snapshot identifier for the database to be created from this snapshot | `string` | `""` | no |
+| ssm\_kms\_key\_id | KMS Key Id to use a CMK instead of default shared key for SSM parameters | `string` | `""` | no |
 | storage\_encrypted | Enables storage encryption | `bool` | n/a | yes |
 | storage\_type | The instance storage type | `string` | `"gp2"` | no |
 | user | DB User | `string` | n/a | yes |