Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/ahmadalibagheri/cdktf-python-aws-kms
AWS KMS configuration with python and cdktf
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/ahmadalibagheri/cdktf-python-aws-kms
- Owner: ahmadalibagheri
- Created: 2022-03-08T08:37:45.000Z (almost 3 years ago)
- Default Branch: master
- Last Pushed: 2022-04-23T10:24:09.000Z (almost 3 years ago)
- Last Synced: 2023-03-04T05:09:22.708Z (almost 2 years ago)
- Topics: aws, aws-kms, cdktf, cdktf-template, python, terraform
- Language: Python
- Homepage:
- Size: 3.91 KB
- Stars: 17
- Watchers: 1
- Forks: 2
- Open Issues: 0
Metadata Files:
- Readme: README.md
# cdktf-python-aws-kms
The Cloud Development Kit for Terraform (CDKTF) allows you to define your infrastructure in a familiar programming language such as TypeScript, Python, Go, C#, or Java.
In this tutorial, you will provision an EC2 instance on AWS using your preferred programming language.
## Prerequisites
* [Terraform](https://www.terraform.io/downloads) >= v1.0
* [CDK for Terraform](https://learn.hashicorp.com/tutorials/terraform/cdktf-install) >= v0.8
* A [Terraform Cloud](https://app.terraform.io/) account, with [CLI authentication](https://learn.hashicorp.com/tutorials/terraform/cloud-login) configured
* [an AWS account](https://portal.aws.amazon.com/billing/signup?nc2=h_ct&src=default&redirect_url=https%3A%2F%2Faws.amazon.com%2Fregistration-confirmation#/start)
* AWS Credentials [configured for use with Terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication)

Credentials can be provided by using the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and optionally `AWS_SESSION_TOKEN` environment variables. The region can be set using the `AWS_REGION` or `AWS_DEFAULT_REGION` environment variables.
```shell
$ export AWS_ACCESS_KEY_ID="anaccesskey"
$ export AWS_SECRET_ACCESS_KEY="asecretkey"
$ export AWS_REGION="us-west-2"
```
## Install project dependencies
```shell
mkdir learn-cdktf
cd learn-cdktf
cdktf init --template="python"
```
## Install AWS provider
```shell
pipenv install cdktf-cdktf-provider-aws
```
## Define your CDK for Terraform Application
Replace the contents of `main.py` with the following code for a new Python application:
```python
#!/usr/bin/env python
from constructs import Construct
from cdktf import App, TerraformStack
from cdktf_cdktf_provider_aws import AwsProvider, kms, datasources


class MyStack(TerraformStack):
    def __init__(self, scope: Construct, ns: str):
        super().__init__(scope, ns)

        # define resources here
        myregion = "us-east-1"
        AwsProvider(self, "aws", region=myregion)

        # Look up the account ID of the credentials in use.
        account = datasources.DataAwsCallerIdentity(self, "aws_id")

        # Key policy. Python does not expand ${awsAccountid.id} by itself, and
        # Terraform would read it as a reference to an undeclared resource, so
        # the placeholder is replaced with the account ID token after the string.
        policy = """{
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "Enable IAM User Permissions",
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "arn:aws:iam::${awsAccountid.id}:root"
                    },
                    "Action": [
                        "kms:*"
                    ],
                    "Resource": [
                        "*"
                    ]
                }, {
                    "Sid": "Allow autoscalling to use the key",
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": [
                            "arn:aws:iam::${awsAccountid.id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
                        ]
                    },
                    "Action": [
                        "kms:Create*",
                        "kms:Describe*",
                        "kms:Enable*",
                        "kms:List*",
                        "kms:Put*",
                        "kms:Update*",
                        "kms:Revoke*",
                        "kms:Disable*",
                        "kms:Get*",
                        "kms:Delete*",
                        "kms:TagResource",
                        "kms:UntagResource",
                        "kms:ScheduleKeyDeletion",
                        "kms:CancelKeyDeletion"
                    ],
                    "Resource": "*"
                }, {
                    "Sid": "Allow use of the key",
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": [
                            "arn:aws:iam::${awsAccountid.id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
                        ]
                    },
                    "Action": [
                        "kms:Encrypt",
                        "kms:Decrypt",
                        "kms:ReEncrypt*",
                        "kms:GenerateDataKey*",
                        "kms:DescribeKey"
                    ],
                    "Resource": "*"
                }, {
                    "Sid": "Allow attachment of persistent resources",
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": [
                            "arn:aws:iam::${awsAccountid.id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
                        ]
                    },
                    "Action": [
                        "kms:CreateGrant",
                        "kms:ListGrants",
                        "kms:RevokeGrant"
                    ],
                    "Resource": "*",
                    "Condition": {
                        "Bool": {
                            "kms:GrantIsForAWSResource": "true"
                        }
                    }
                }
            ]
        }""".replace("${awsAccountid.id}", account.account_id)

        # Customer managed key with automatic rotation, plus an alias for it.
        mykmskey = kms.KmsKey(
            self,
            "aws_kms",
            enable_key_rotation=True,
            policy=policy,
            tags={"Name": "CDKtf-python-Demo-KMS-key"},
        )
        kms.KmsAlias(self, "kms_alias", target_key_id=mykmskey.id)


app = App()
MyStack(app, "cdktf-python-aws-kms")
app.synth()
```
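A way to review the key policy above before deploying, as an added example that is not part of the original repository: it lists non-root AWS principals whose Allow statements grant key-administration actions. The sample policy is a constructed, shortened version of the one in `main.py` with the placeholder account ID 111122223333; `ADMIN_ACTIONS`, `audit_key_policy` and the other names are assumptions of this example.

```python
import json
from fnmatch import fnmatchcase

# Assumed watch list: actions that rewrite the key policy or take the key away.
ADMIN_ACTIONS = ("kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey")


def as_list(value):
    return value if isinstance(value, list) else [value]


def audit_key_policy(policy_json):
    """Return (sid, principal_arn, [admin actions]) per non-root Allow grant."""
    findings = []
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive and may contain * wildcards.
        patterns = [a.lower() for a in as_list(stmt.get("Action", []))]
        granted = [a for a in ADMIN_ACTIONS
                   if any(fnmatchcase(a.lower(), p) for p in patterns)]
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for arn in arns:
            # The account-root statement delegates to IAM and is expected.
            if granted and not arn.endswith(":root"):
                findings.append((stmt.get("Sid", ""), arn, granted))
    return findings


# Constructed sample: shortened form of the policy in main.py.
ROLE = ("arn:aws:iam::111122223333:role/aws-service-role/"
        "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": ["kms:*"], "Resource": ["*"]},
    {"Sid": "Allow autoscalling to use the key", "Effect": "Allow",
     "Principal": {"AWS": [ROLE]},
     "Action": ["kms:Put*", "kms:Disable*", "kms:ScheduleKeyDeletion"],
     "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": [ROLE]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"],
     "Resource": "*"},
]})

if __name__ == "__main__":
    for sid, arn, actions in audit_key_policy(SAMPLE_POLICY):
        print(f"{sid!r}: {arn} may {', '.join(actions)}")
```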
## Provision infrastructure
```shell
cdktf deploy
```
After the instance is created, visit the AWS EC2 Dashboard.
## Clean up your infrastructure
```shell
cdktf destroy
```