Merge pull request #31 from defenseunicorns/feat-add-keyspec

feat: add key spec as a variable
defenseunicorns · Aug 21, 2024 · adae722 · adae722
2 parents ab42b30 + c6a6380
commit adae722
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -20,7 +20,7 @@ go test -count 1 -v .
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.62.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.63.1 |
 
 ## Modules
 
@@ -49,6 +49,7 @@ go test -count 1 -v .
 | <a name="input_kms_key_description"></a> [kms\_key\_description](#input\_kms\_key\_description) | Description for the KMS key. | `string` | `""` | no |
 | <a name="input_kms_key_policy_default_identities"></a> [kms\_key\_policy\_default\_identities](#input\_kms\_key\_policy\_default\_identities) | A list of IAM ARNs for those who will have full key permissions (`kms:*`) | `list(string)` | `[]` | no |
 | <a name="input_kms_key_policy_default_services"></a> [kms\_key\_policy\_default\_services](#input\_kms\_key\_policy\_default\_services) | A list of services that will have full key permissions (`kms:*`) | `list(string)` | `[]` | no |
+| <a name="input_kms_key_spec"></a> [kms\_key\_spec](#input\_kms\_key\_spec) | The key material specification (i.e. SYMMETRIC\_DEFAULT) | `string` | `"SYMMETRIC_DEFAULT"` | no |
 | <a name="input_kms_key_usage"></a> [kms\_key\_usage](#input\_kms\_key\_usage) | What the key is intended to be used for (ENCRYPT\_DECRYPT or SIGN\_VERIFY) | `string` | `"ENCRYPT_DECRYPT"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no |
 

diff --git a/main.tf b/main.tf
@@ -11,15 +11,16 @@ module "kms" {
   source  = "terraform-aws-modules/kms/aws"
   version = "3.1.0"
 
-  description             = var.kms_key_description
-  deletion_window_in_days = var.kms_key_deletion_window
-  enable_key_rotation     = true
-  policy                  = data.aws_iam_policy_document.kms_access.json
-  multi_region            = true
-  key_owners              = var.key_owners
-  tags                    = var.tags
-  create_external         = var.kms_external_key
-  key_usage               = var.kms_key_usage
+  description              = var.kms_key_description
+  deletion_window_in_days  = var.kms_key_deletion_window
+  enable_key_rotation      = true
+  policy                   = data.aws_iam_policy_document.kms_access.json
+  multi_region             = true
+  key_owners               = var.key_owners
+  tags                     = var.tags
+  create_external          = var.kms_external_key
+  key_usage                = var.kms_key_usage
+  customer_master_key_spec = var.kms_key_spec
 }
 
 resource "aws_kms_alias" "default" {

diff --git a/variables.tf b/variables.tf
@@ -50,3 +50,9 @@ variable "kms_key_usage" {
   type        = string
   default     = "ENCRYPT_DECRYPT"
 }
+
+variable "kms_key_spec" {
+  description = "The key material specification (i.e. SYMMETRIC_DEFAULT)"
+  type        = string
+  default     = "SYMMETRIC_DEFAULT"
+}