feat(kms-key): support grants (#48)

Author: posquit0

modules/kms-key/README.md

@@ -32,6 +32,7 @@ This module creates following resources.
 | Name | Type |
 |------|------|
 | [aws_kms_alias.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_grant.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_grant) | resource |
 | [aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_kms_key_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key_policy) | resource |
 | [aws_iam_policy_document.predefined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -48,6 +49,7 @@ This module creates following resources.
 | <a name="input_deletion_window_in_days"></a> [deletion\_window\_in\_days](#input\_deletion\_window\_in\_days) | (Optional) Duration in days after which the key is deleted after destruction of the resource. Valid value is between `7` and `30` days. Defaults to `30`. | `number` | `30` | no |
 | <a name="input_description"></a> [description](#input\_description) | (Optional) The description of the KMS key. | `string` | `"Managed by Terraform."` | no |
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | (Optional) Indicates whether the key is enabled. Defaults to `true`. | `bool` | `true` | no |
+| <a name="input_grants"></a> [grants](#input\_grants) | (Optional) A list of grants configuration for granting access to the KMS key. Each item of `grants` as defined below.<br/>    (Required) `name` - A friendly name for the grant.<br/>    (Required) `grantee_principal` - The principal that is given permission to perform the operations that the grant permits in ARN format.<br/>    (Required) `operations` - A set of operations that the grant permits. Valid values are `Encrypt`, `Decrypt`, `GenerateDataKey`, `GenerateDataKeyWithoutPlaintext`, `ReEncryptFrom`, `ReEncryptTo`, `CreateGrant`, `RetireGrant`, `DescribeKey`, `GenerateDataKeyPair`, `GenerateDataKeyPairWithoutPlaintext`, `GetPublicKey`, `Sign`, `Verify`, `GenerateMac`, `VerifyMac`, or `DeriveSharedSecret`.<br/>    (Optional) `retiring_principal` - The principal that is given permission to retire the grant by using RetireGrant operation in ARN format.<br/>    (Optional) `retire_on_delete` - Whether to retire the grant upon deletion. Defaults to `false`.<br/>      Retire: Grantee returns permissions voluntarily (normal termination)<br/>      Revoke: Admin forcefully cancels permissions (emergency termination)<br/>    (Optional) `grant_creation_tokens` - A list of grant tokens to be used when creating the grant. Use grant token for immediate access without waiting for grant propagation (up to 5 min). Required for time-sensitive operations.<br/>    (Optional) `constraints` - A configuration for grant constraints. `constraints` block as defined below.<br/>      (Optional) `type` - The type of constraints. Valid values are `ENCRYPTION_CONTEXT_EQUALS` or `ENCRYPTION_CONTEXT_SUBSET`. Defaults to `ENCRYPTION_CONTEXT_SUBSET`.<br/>      (Optional) `value` - A map of key-value pair to be validated against the encryption context during cryptographic operations. | <pre>list(object({<br/>    name              = string<br/>    grantee_principal = string<br/>    operations        = set(string)<br/><br/>    retiring_principal    = optional(string)<br/>    retire_on_delete      = optional(bool, false)<br/>    grant_creation_tokens = optional(list(string))<br/><br/>    constraints = optional(object({<br/>      type  = optional(string, "ENCRYPTION_CONTEXT_SUBSET")<br/>      value = map(string)<br/>    }))<br/>  }))</pre> | `[]` | no |
 | <a name="input_key_rotation"></a> [key\_rotation](#input\_key\_rotation) | (Optional) A configuration for key rotation of the KMS key. This configuration is only applicable for symmetric encryption KMS keys. `key_rotation` block as defined below.<br/>    (Optional) `enabled` - Whether key rotation is enabled. Defaults to `false`.<br/>    (Optional) `period_in_days` - The custom period of t ime between each key rotation. Valid value is between `90` and `2560` days (inclusive). Defaults to `365`. | <pre>object({<br/>    enabled        = optional(bool, false)<br/>    period_in_days = optional(number, 365)<br/>  })</pre> | `{}` | no |
 | <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
 | <a name="input_multi_region_enabled"></a> [multi\_region\_enabled](#input\_multi\_region\_enabled) | (Optional) Indicates whether the key is a multi-Region (true) or regional (false) key. Defaults to `false`. | `bool` | `false` | no |
@@ -71,6 +73,7 @@ This module creates following resources.
 | <a name="output_deletion_window_in_days"></a> [deletion\_window\_in\_days](#output\_deletion\_window\_in\_days) | Duration in days after which the key is deleted after destruction of the resource. |
 | <a name="output_description"></a> [description](#output\_description) | The description of the KMS key. |
 | <a name="output_enabled"></a> [enabled](#output\_enabled) | Whether the key is enabled. |
+| <a name="output_grants"></a> [grants](#output\_grants) | A collection of grants for the key. |
 | <a name="output_id"></a> [id](#output\_id) | The ID of the KMS key. |
 | <a name="output_key_rotation"></a> [key\_rotation](#output\_key\_rotation) | The key rotation configuration of the KMS key. |
 | <a name="output_multi_region_enabled"></a> [multi\_region\_enabled](#output\_multi\_region\_enabled) | Whether the key is a multi-region key. |

modules/kms-key/access-control.tf

@@ -1,3 +1,40 @@
+###################################################
+# Grants for Customer Managed Key
+###################################################
+
+resource "aws_kms_grant" "this" {
+  for_each = {
+    for grant in var.grants :
+    grant.name => grant
+  }
+
+  key_id = aws_kms_key.this.key_id
+
+  name              = each.key
+  grantee_principal = each.value.grantee_principal
+  operations        = each.value.operations
+
+  retiring_principal    = each.value.retiring_principal
+  retire_on_delete      = each.value.retire_on_delete
+  grant_creation_tokens = each.value.grant_creation_tokens
+
+  dynamic "constraints" {
+    for_each = each.value.constraints != null ? [each.value.constraints] : []
+
+    content {
+      encryption_context_equals = (constraints.value.type == "ENCRYPTION_CONTEXT_EQUALS"
+        ? constraints.value.value
+        : null
+      )
+      encryption_context_subset = (constraints.value.type == "ENCRYPTION_CONTEXT_SUBSET"
+        ? constraints.value.value
+        : null
+      )
+    }
+  }
+}
+
+
 ###################################################
 # Key Policy for Customer Managed Key
 ###################################################

modules/kms-key/outputs.tf

@@ -1,3 +1,18 @@
+locals {
+  grants = {
+    for grant in var.grants :
+    grant.name => {
+      id                 = aws_kms_grant.this[grant.name].grant_id
+      name               = aws_kms_grant.this[grant.name].name
+      grantee_principal  = aws_kms_grant.this[grant.name].grantee_principal
+      operations         = aws_kms_grant.this[grant.name].operations
+      retiring_principal = aws_kms_grant.this[grant.name].retiring_principal
+
+      constraints = grant.constraints
+    }
+  }
+}
+
 output "arn" {
   description = "The ARN of the KMS key."
   value       = aws_kms_key.this.arn
@@ -46,6 +61,15 @@ output "key_rotation" {
   }
 }
 
+# NOTE: `grant_token` is intentionally not included in outputs because :
+# - Grant tokens are only returned during grant creation and cannot be retrieved afterwards
+# - Since Terraform-managed grants are created during infrastructure provisioning, they are already propagated by the time applications run, making tokens unnecessary
+# - For immediate access needs, applications should create grants at runtime and use the returned tokens directly rather than relying on pre-provisioned grants
+output "grants" {
+  description = "A collection of grants for the key."
+  value       = local.grants
+}
+
 output "predefined_roles" {
   description = "The predefined roles that have access to the KMS key."
   value       = var.predefined_roles
@@ -89,5 +113,13 @@ output "aliases" {
 #       k => v
 #       if !contains(["key_id", "arn", "description", "is_enabled", "deletion_window_in_days", "key_usage", "customer_master_key_spec", "enable_key_rotation", "rotation_period_in_days", "custom_key_store_id", "xks_key_id", "multi_region", "tags", "tags_all", "id", "timeouts", "policy", "bypass_policy_lockout_safety_check"], k)
 #     }
+#     grants = {
+#       for name, grant in aws_kms_grant.this :
+#       name => {
+#         for k, v in grant :
+#         k => v
+#         if !contains(["grant_id", "name", "id", "key_id", "grantee_principal", "operations", "retiring_principal", "retire_on_delete", "constraints", "grant_creation_tokens", "grant_token"], k)
+#       }
+#     }
 #   }
 # }

modules/kms-key/variables.tf

@@ -103,6 +103,90 @@ variable "key_rotation" {
   }
 }
 
+variable "grants" {
+  description = <<EOF
+  (Optional) A list of grants configuration for granting access to the KMS key. Each item of `grants` as defined below.
+    (Required) `name` - A friendly name for the grant.
+    (Required) `grantee_principal` - The principal that is given permission to perform the operations that the grant permits in ARN format.
+    (Required) `operations` - A set of operations that the grant permits. Valid values are `Encrypt`, `Decrypt`, `GenerateDataKey`, `GenerateDataKeyWithoutPlaintext`, `ReEncryptFrom`, `ReEncryptTo`, `CreateGrant`, `RetireGrant`, `DescribeKey`, `GenerateDataKeyPair`, `GenerateDataKeyPairWithoutPlaintext`, `GetPublicKey`, `Sign`, `Verify`, `GenerateMac`, `VerifyMac`, or `DeriveSharedSecret`.
+    (Optional) `retiring_principal` - The principal that is given permission to retire the grant by using RetireGrant operation in ARN format.
+    (Optional) `retire_on_delete` - Whether to retire the grant upon deletion. Defaults to `false`.
+      Retire: Grantee returns permissions voluntarily (normal termination)
+      Revoke: Admin forcefully cancels permissions (emergency termination)
+    (Optional) `grant_creation_tokens` - A list of grant tokens to be used when creating the grant. Use grant token for immediate access without waiting for grant propagation (up to 5 min). Required for time-sensitive operations.
+    (Optional) `constraints` - A configuration for grant constraints. `constraints` block as defined below.
+      (Optional) `type` - The type of constraints. Valid values are `ENCRYPTION_CONTEXT_EQUALS` or `ENCRYPTION_CONTEXT_SUBSET`. Defaults to `ENCRYPTION_CONTEXT_SUBSET`.
+      (Optional) `value` - A map of key-value pair to be validated against the encryption context during cryptographic operations.
+  EOF
+  type = list(object({
+    name              = string
+    grantee_principal = string
+    operations        = set(string)
+
+    retiring_principal    = optional(string)
+    retire_on_delete      = optional(bool, false)
+    grant_creation_tokens = optional(list(string))
+
+    constraints = optional(object({
+      type  = optional(string, "ENCRYPTION_CONTEXT_SUBSET")
+      value = map(string)
+    }))
+  }))
+  default  = []
+  nullable = false
+
+  validation {
+    condition = alltrue([
+      for grant in var.grants :
+      alltrue([
+        for op in grant.operations :
+        contains([
+          "Encrypt",
+          "Decrypt",
+          "GenerateDataKey",
+          "GenerateDataKeyWithoutPlaintext",
+          "ReEncryptFrom",
+          "ReEncryptTo",
+          "CreateGrant",
+          "RetireGrant",
+          "DescribeKey",
+          "GenerateDataKeyPair",
+          "GenerateDataKeyPairWithoutPlaintext",
+          "GetPublicKey",
+          "Sign",
+          "Verify",
+          "GenerateMac",
+          "VerifyMac",
+          "DeriveSharedSecret",
+        ], op)
+      ])
+    ])
+    error_message = "Valid values for grant operations are `Encrypt`, `Decrypt`, `GenerateDataKey`, `GenerateDataKeyWithoutPlaintext`, `ReEncryptFrom`, `ReEncryptTo`, `CreateGrant`, `RetireGrant`, `DescribeKey`, `GenerateDataKeyPair`, `GenerateDataKeyPairWithoutPlaintext`, `GetPublicKey`, `Sign`, `Verify`, `GenerateMac`, `VerifyMac`, or `DeriveSharedSecret`."
+  }
+
+  validation {
+    condition = alltrue([
+      for grant in var.grants :
+      contains([
+        "ENCRYPTION_CONTEXT_EQUALS",
+        "ENCRYPTION_CONTEXT_SUBSET"
+      ], grant.constraints.type)
+      if grant.constraints != null
+    ])
+    error_message = "Valid values for `constraints.type` are `ENCRYPTION_CONTEXT_EQUALS` or `ENCRYPTION_CONTEXT_SUBSET`."
+  }
+  validation {
+    condition = alltrue([
+      for grant in var.grants :
+      anytrue([
+        grant.constraints == null,
+        grant.constraints != null && length(keys(grant.constraints.value)) > 0,
+      ])
+    ])
+    error_message = "If `constraints` is defined, it must contain at least one key-value pair in `value`."
+  }
+}
+
 variable "predefined_roles" {
   description = <<EOF
   (Optional) A configuration for predefined roles of the KMS key. This configuration will be merged with given `policy` if it is defined. `predefined_roles` block as defined below.