Disable key rotation for KMS key used by S3

serverless-ca · Aug 23, 2024 · 0d66d02 · 0d66d02
1 parent 687ff9e
commit 0d66d02
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 10 deletions.
diff --git a/main.tf b/main.tf
@@ -170,7 +170,7 @@ module "tls_keygen_iam" {
   policy                 = "tls_cert"
   external_s3_bucket_arn = module.external_s3.s3_bucket_arn
   internal_s3_bucket_arn = module.internal_s3.s3_bucket_arn
-  sns_topic_arn          = module.sns-ca-notifications.sns_topic_arn
+  sns_topic_arn          = module.sns_ca_notifications.sns_topic_arn
 }
 
 module "create_rsa_root_ca_lambda" {
@@ -191,7 +191,7 @@ module "create_rsa_root_ca_lambda" {
   domain                          = var.hosted_zone_domain
   runtime                         = var.runtime
   public_crl                      = var.public_crl
-  sns_topic_arn                   = module.sns-ca-notifications.sns_topic_arn
+  sns_topic_arn                   = module.sns_ca_notifications.sns_topic_arn
 }
 
 module "create_rsa_issuing_ca_lambda" {
@@ -212,7 +212,7 @@ module "create_rsa_issuing_ca_lambda" {
   domain                          = var.hosted_zone_domain
   runtime                         = var.runtime
   public_crl                      = var.public_crl
-  sns_topic_arn                   = module.sns-ca-notifications.sns_topic_arn
+  sns_topic_arn                   = module.sns_ca_notifications.sns_topic_arn
 }
 
 module "rsa_root_ca_crl_lambda" {
@@ -235,7 +235,7 @@ module "rsa_root_ca_crl_lambda" {
   domain                          = var.hosted_zone_domain
   runtime                         = var.runtime
   public_crl                      = var.public_crl
-  sns_topic_arn                   = module.sns-ca-notifications.sns_topic_arn
+  sns_topic_arn                   = module.sns_ca_notifications.sns_topic_arn
 }
 
 module "rsa_issuing_ca_crl_lambda" {
@@ -258,7 +258,7 @@ module "rsa_issuing_ca_crl_lambda" {
   domain                          = var.hosted_zone_domain
   runtime                         = var.runtime
   public_crl                      = var.public_crl
-  sns_topic_arn                   = module.sns-ca-notifications.sns_topic_arn
+  sns_topic_arn                   = module.sns_ca_notifications.sns_topic_arn
 }
 
 module "rsa_tls_cert_lambda" {
@@ -281,7 +281,7 @@ module "rsa_tls_cert_lambda" {
   public_crl                      = var.public_crl
   max_cert_lifetime               = var.max_cert_lifetime
   allowed_invocation_principals   = var.aws_principals
-  sns_topic_arn                   = module.sns-ca-notifications.sns_topic_arn
+  sns_topic_arn                   = module.sns_ca_notifications.sns_topic_arn
 }
 
 module "cloudfront_certificate" {
@@ -376,7 +376,7 @@ module "db-reader-role" {
   assume_role_policy = "db_reader"
 }
 
-module "sns-ca-notifications" {
+module "sns_ca_notifications" {
   source = "./modules/terraform-aws-ca-sns"
 
   project                       = var.project

diff --git a/modules/terraform-aws-ca-kms/main.tf b/modules/terraform-aws-ca-kms/main.tf
@@ -1,7 +1,7 @@
 resource "aws_kms_key" "encryption" {
   description             = var.description == "" ? local.key_description : var.description
   deletion_window_in_days = 7
-  enable_key_rotation     = var.customer_master_key_spec == "SYMMETRIC_DEFAULT" ? true : false
+  enable_key_rotation     = var.enable_key_rotation
   policy = templatefile("${path.module}/templates/${var.kms_policy}.json.tpl", {
     account_id = data.aws_caller_identity.current.account_id,
     region     = data.aws_region.current.name

diff --git a/modules/terraform-aws-ca-kms/variables.tf b/modules/terraform-aws-ca-kms/variables.tf
@@ -5,6 +5,11 @@ variable "description" {
   default     = ""
 }
 
+variable "enable_key_rotation" {
+  description = "enable key rotation"
+  default     = false # must be false for asymmetric keys, and symmetric keys used for S3 encryption with long-lived content
+}
+
 variable "env" {
   description = "Environment name, e.g. dev"
 }

diff --git a/outputs.tf b/outputs.tf
@@ -39,6 +39,6 @@ output "root_ca_crl_s3_location" {
 }
 
 output "sns_topic_arn" {
-  value       = module.sns-ca-notifications.sns_topic_arn
+  value       = module.sns_ca_notifications.sns_topic_arn
   description = "SNS topic ARN"
 }
diff --git a/variables.tf b/variables.tf
@@ -96,7 +96,7 @@ variable "issuing_crl_seconds" {
 }
 
 variable "kms_key_alias" {
-  description = "KMS key alias for bucket encryption, if left at default, TLS key gen KMS key will be used"
+  description = "KMS key alias for bucket encryption with key rotation disabled, if left at default, TLS key gen KMS key will be used"
   default     = ""
 }