Merge pull request #21 from DNXLabs/feature/ssm-kms-key
Add ssm kms key
lgothelipe authored Jul 8, 2022
2 parents ee02e19 + e36ccdb commit e87b6a1
Showing 3 changed files with 9 additions and 0 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -74,6 +74,7 @@
| secret\_method | Use ssm for SSM parameters store which is the default option, or secretsmanager for AWS Secrets Manager | `string` | `"ssm"` | no |
| skip\_final\_snapshot | Skips the final snapshot if the database is destroyed programatically | `bool` | `false` | no |
| snapshot\_identifier | Pass a snapshot identifier for the database to be created from this snapshot | `string` | `""` | no |
| ssm\_kms\_key\_id | KMS Key Id to use a CMK instead of default shared key for SSM parameters | `string` | `""` | no |
| storage\_encrypted | Enables storage encryption | `bool` | n/a | yes |
| storage\_type | The instance storage type | `string` | `"gp2"` | no |
| user | DB User | `string` | n/a | yes |
6 changes: 6 additions & 0 deletions _variables.tf
Expand Up @@ -133,6 +133,12 @@ variable "kms_key_arn" {
description = "KMS Key ARN to use a CMK instead of default shared key, when storage_encrypted is true"
}

variable "ssm_kms_key_id" {
type = string
default = ""
description = "KMS Key Id to use a CMK instead of default shared key for SSM parameters"
}

variable "backup" {
type = bool
description = "Enables automatic backup with AWS Backup"
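Review bot: `default = ""` for `ssm_kms_key_id` leans on the AWS provider treating an empty `key_id` on `aws_ssm_parameter` as "not set"; the Terraform-native way to say "no CMK, use the AWS-managed SSM key" is `default = null`, which omits the attribute regardless of how a given provider version handles zero values. The description also says "Key Id" while the sibling `kms_key_arn` variable just above takes an ARN; per the provider docs `key_id` accepts a key ID, ARN or alias, so the description could read `description = "KMS key ID, ARN or alias of a CMK used to encrypt the SSM SecureString parameters; unset/empty uses the AWS-managed alias/aws/ssm key"`. It would also help consumers to state in that description that principals reading the parameters then need kms:Decrypt on the chosen key, since the module does not grant that itself.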
2 changes: 2 additions & 0 deletions ssm.tf
Expand Up @@ -3,6 +3,7 @@ resource "aws_ssm_parameter" "rds_db_password" {
name = "/rds/${var.environment_name}-${var.name}/PASSWORD"
description = "RDS Password"
type = "SecureString"
key_id = var.ssm_kms_key_id
value = random_string.rds_db_password.result

lifecycle {
Expand All @@ -15,6 +16,7 @@ resource "aws_ssm_parameter" "rds_db_user" {
name = "/rds/${var.environment_name}-${var.name}/USER"
description = "RDS User"
type = "SecureString"
key_id = var.ssm_kms_key_id
value = var.db_type == "rds" ? aws_db_instance.rds_db[0].username : aws_rds_cluster.aurora_cluster[0].master_username
}

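Review bot: Adding `key_id` to the `rds_db_password` and `rds_db_user` SecureString parameters changes who can read them: with a customer managed key every principal calling GetParameter with decryption needs `kms:Decrypt` on that key (via key policy or IAM) on top of `ssm:GetParameter`, and nothing visible in this module grants it, so the hardening should be documented at the point of use. A comment above the first parameter would do: `# When var.ssm_kms_key_id is set, readers of these parameters also need kms:Decrypt on that key; an empty value falls back to the AWS-managed alias/aws/ssm key.` The fallback part of that comment assumes the provider treats an empty `key_id` as unset — confirm against the provider version this module pins before relying on it. The `rds_db_password` resource's `lifecycle` block continues outside the hunk, so whether a key change on an already-created parameter is ignored there cannot be judged from this view.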
