Merge pull request #6074 from ministryofjustice/feature/kms-keys-mult…

…i-region added pagerduty kms multi-region
ministryofjustice · Jan 30, 2024 · 009be64 · 009be64
2 parents b11ff73 + 62e56e3
commit 009be64
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 0 deletions.
diff --git a/terraform/environments/secrets.tf b/terraform/environments/secrets.tf
@@ -65,6 +65,22 @@ resource "aws_kms_alias" "environment_management" {
   target_key_id = aws_kms_key.environment_management.id
 }
 
+# Environment secret KMS key multi-Region
+resource "aws_kms_key" "environment_management_multi_region" {
+  provider                = aws.modernisation-platform
+  description             = "environment-management-multi-region"
+  policy                  = data.aws_iam_policy_document.kms_environment_management.json
+  enable_key_rotation     = true
+  deletion_window_in_days = 30
+  multi_region            = true
+}
+
+resource "aws_kms_alias" "environment_management_multi_region" {
+  provider      = aws.modernisation-platform
+  name          = "alias/environment-management-multi-region"
+  target_key_id = aws_kms_key.environment_management_multi_region.id
+}
+
 data "aws_iam_policy_document" "kms_environment_management" {
 
   # checkov:skip=CKV_AWS_111: "policy is directly related to the resource"

diff --git a/terraform/modernisation-platform-account/dynamodb.tf b/terraform/modernisation-platform-account/dynamodb.tf
@@ -15,6 +15,23 @@ resource "aws_kms_alias" "dynamo_encryption" {
   target_key_id = aws_kms_key.dynamo_encryption.id
 }
 
+resource "aws_kms_key" "dynamo_encryption_multi_region" {
+  enable_key_rotation = true
+  policy              = data.aws_iam_policy_document.dynamo_encryption.json
+  multi_region        = true
+  tags = merge(
+  local.tags,
+  {
+    Name = "dynamo_encryption_multi_region"
+  }
+  )
+}
+
+resource "aws_kms_alias" "dynamo_encryption_multi_region" {
+  name          = "alias/dynamodb-state-lock-multi-region"
+  target_key_id = aws_kms_key.dynamo_encryption_multi_region.id
+}
+
 data "aws_iam_policy_document" "dynamo_encryption" {
 
   # checkov:skip=CKV_AWS_109: "Key policy requires asterisk resource"

diff --git a/terraform/modernisation-platform-account/s3.tf b/terraform/modernisation-platform-account/s3.tf
@@ -11,6 +11,20 @@ resource "aws_kms_alias" "s3_state_bucket" {
   target_key_id = aws_kms_key.s3_state_bucket.id
 }
 
+# State bucket KMS multi-Region
+resource "aws_kms_key" "s3_state_bucket_multi_region" {
+  description             = "s3-state-bucket-multi-region"
+  policy                  = data.aws_iam_policy_document.kms_state_bucket.json
+  enable_key_rotation     = true
+  deletion_window_in_days = 30
+  multi_region            = true
+}
+
+resource "aws_kms_alias" "s3_state_bucket_multi_region" {
+  name          = "alias/s3-state-bucket-multi-region"
+  target_key_id = aws_kms_key.s3_state_bucket_multi_region.id
+}
+
 data "aws_iam_policy_document" "kms_state_bucket" {
   # checkov:skip=CKV_AWS_111: "policy is directly related to the resource"
   # checkov:skip=CKV_AWS_356: "policy is directly related to the resource"

diff --git a/terraform/pagerduty/kms.tf b/terraform/pagerduty/kms.tf
@@ -7,4 +7,16 @@ resource "aws_kms_key" "pagerduty" {
 resource "aws_kms_alias" "pagerduty" {
   name          = "alias/pagerduty-secret"
   target_key_id = aws_kms_key.pagerduty.id
+}
+
+resource "aws_kms_key" "pagerduty_multi_region" {
+  enable_key_rotation = true
+  policy              = data.aws_iam_policy_document.pagerduty_kms.json
+  multi_region        = true
+  tags                = local.tags
+}
+
+resource "aws_kms_alias" "pagerduty_multi_region" {
+  name          = "alias/pagerduty-secret-multi-region"
+  target_key_id = aws_kms_key.pagerduty_multi_region.id
 }