ned1313 committed Jun 24, 2024
2 parents f8ea9e9 + c811c39 commit 5c72f57
Showing 11 changed files with 242 additions and 0 deletions.


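--- a/2024-06-25-OpenTofuEncryption/aws_kms/generate_kms_s3/main.tf
+++ b/2024-06-25-OpenTofuEncryption/aws_kms/generate_kms_s3/main.tf
@@ -0,0 +1,57 @@
+provider "aws" {
+region = "us-west-2"
+}
+
+
+data "aws_caller_identity" "current" {}
+
+// Create a KMS key
+resource "aws_kms_key" "tofu_key" {
+description = "Tofu encryption key"
+enable_key_rotation = true
+deletion_window_in_days = 10
+key_usage = "ENCRYPT_DECRYPT"
+customer_master_key_spec = "SYMMETRIC_DEFAULT"
+
+policy = jsonencode({
+Version = "2012-10-17"
+Id = "key-default-1"
+Statement = [
+{
+Sid = "Enable IAM User Permissions"
+Effect = "Allow"
+Principal = {
+AWS = "${data.aws_caller_identity.current.arn}"
+},
+Action = "kms:*"
+Resource = "*"
+}
+]
+})
+
+}
+
+module "terraform_state_backend" {
+source = "cloudposse/tfstate-backend/aws"
+version = "1.4.1"
+
+force_destroy = true
+bucket_enabled = true
+dynamodb_enabled = true
+name = "encrypted"
+environment = "test"
+namespace = "tofu"
+
+}
+
+output "bucket_name" {
+value = module.terraform_state_backend.s3_bucket_id
+}
+
+output "dynamodb_table_name" {
+value = module.terraform_state_backend.dynamodb_table_name
+}
+
+output "kms_id" {
+value = aws_kms_key.tofu_key.id
+}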
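Review bot: The key policy (lines 34–48) names only `data.aws_caller_identity.current.arn` as a principal and no account root, so if that identity is deleted — or, for an assumed-role session ARN, the session name changes — no principal is left that can administer the key and it becomes unmanageable without AWS support; IAM-policy-based grants also need the root entry, e.g. `AWS = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root", data.aws_caller_identity.current.arn]`. The `"${...}"` wrapper on line 42 is an interpolation-only string and can simply be `AWS = data.aws_caller_identity.current.arn`. `customer_master_key_spec` on line 32 is the deprecated name of `key_spec` in current AWS provider releases, and `force_destroy = true` on the state-backend module lets a `destroy` remove a bucket that still holds state, which is fine for a demo but worth a `# demo only` comment so it is not copied into real environments.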


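--- a/2024-06-25-OpenTofuEncryption/aws_kms/use_kms_s3/main.tf
+++ b/2024-06-25-OpenTofuEncryption/aws_kms/use_kms_s3/main.tf
@@ -0,0 +1,8 @@
+resource "local_file" "main" {
+content = "Encrypt state and plan again!"
+filename = "${path.module}/testplan2.txt"
+}
+
+output "test" {
+value = local_file.main.filename
+}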
34 changes: 34 additions & 0 deletions 2024-06-25-OpenTofuEncryption/aws_kms/use_kms_s3/set_env.ps1
@@ -0,0 +1,34 @@
$Env:TF_ENCRYPTION = @"
key_provider "aws_kms" "tofu" {
kms_key_id = "90ea3863-9d9a-4032-a3c0-0539a5b4d105"
region = "us-west-2"
key_spec = "AES_256"
}
method "aes_gcm" "tofu" {
# Method options here
keys = key_provider.aws_kms.tofu
}
method "unencrypted" "tofu" {
# Method options here
}
state {
# Encryption/decryption for state data
method = method.aes_gcm.tofu
fallback {
method = method.unencrypted.tofu
}
}
plan {
# Encryption/decryption for plan data
method = method.aes_gcm.tofu
fallback {
method = method.unencrypted.tofu
}
}
"@
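Review bot: The `fallback { method = method.unencrypted.tofu }` blocks on lines 109–111 and 116–118 keep plaintext state and plans readable, which is the right shape for a one-time migration but leaves the workspace accepting unencrypted data indefinitely; once the state has been rewritten under aes_gcm the fallback should be removed (and, where the OpenTofu version in use supports it, `enforced = true` set on `state` and `plan`) so a plaintext object is rejected instead of silently loaded. The key ID on line 95 is pasted in as a literal; it is the `kms_id` output of generate_kms_s3, and a comment such as `# kms_id output of ../generate_kms_s3` would tell the reader where it comes from and that it must be updated when that stack is recreated. Holding the configuration in `TF_ENCRYPTION` is reasonable here since it contains only a key reference, not key material.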
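--- a/2024-06-25-OpenTofuEncryption/aws_kms/use_kms_s3/terraform.tf
+++ b/2024-06-25-OpenTofuEncryption/aws_kms/use_kms_s3/terraform.tf
@@ -0,0 +1,10 @@
+terraform {
+backend "s3" {
+region = "us-west-2"
+bucket = "tofu-test-encrypted"
+key = "terraform.tfstate"
+encrypt = "true"
+
+dynamodb_table = "tofu-test-encrypted-lock"
+}
+}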
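Review bot: `encrypt = "true"` on line 129 passes a string where the s3 backend declares a bool; it is coerced today, but `encrypt = true` is the declared type and does not rely on conversion. The backend sets no `kms_key_id`, so server-side encryption of the state object falls back to the bucket default rather than the `tofu_key` created in generate_kms_s3; if the intent is to have both the client-side `TF_ENCRYPTION` layer and S3-side protection under the same key, add `kms_key_id = "<key ARN from generate_kms_s3>"`. The bucket and table names are hard-coded here while generate_kms_s3 emits them as `bucket_name` and `dynamodb_table_name` outputs; a comment noting that these two values must match those outputs would prevent drift.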
@@ -0,0 +1 @@
Encrypt state and plan again!
19 changes: 19 additions & 0 deletions 2024-06-25-OpenTofuEncryption/basic_example/.terraform.lock.hcl


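--- a/2024-06-25-OpenTofuEncryption/basic_example/main.tf
+++ b/2024-06-25-OpenTofuEncryption/basic_example/main.tf
@@ -0,0 +1,8 @@
+resource "local_file" "main" {
+content = "Encrypt state and plan!"
+filename = "${path.module}/testplan.txt"
+}
+
+output "test" {
+value = local_file.main.filename
+}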
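--- a/2024-06-25-OpenTofuEncryption/basic_example/terraform.tf
+++ b/2024-06-25-OpenTofuEncryption/basic_example/terraform.tf
@@ -0,0 +1,30 @@
+terraform {
+encryption {
+
+key_provider "pbkdf2" "passphrase" {
+passphrase = "tacos-are-delicious-and-nutritious"
+key_length = 32
+iterations = 600000
+salt_length = 32
+hash_function = "sha512"
+}
+
+method "aes_gcm" "passphrase_gcm" {
+keys = key_provider.pbkdf2.passphrase
+}
+
+method "unencrypted" "main" {}
+
+state {
+method = method.unencrypted.main
+
+fallback {
+method = method.aes_gcm.passphrase_gcm
+}
+}
+
+plan {
+method = method.aes_gcm.gcm
+}
+}
+}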
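Review bot: `plan { method = method.aes_gcm.gcm }` on line 181 references a method that is not declared anywhere in the file; the only aes_gcm method is `method "aes_gcm" "passphrase_gcm"` (line 166), so the reference should read `method = method.aes_gcm.passphrase_gcm`. In the `state` block (lines 172–178) the primary method is `unencrypted` and aes_gcm is only the fallback, which means new state is written in plaintext and the passphrase is used solely to read previously encrypted state; if that is a deliberate decrypt-migration demo a comment saying so would help, otherwise the two methods should be swapped. The pbkdf2 passphrase on line 159 is committed in cleartext; the `TF_ENCRYPTION` environment-variable approach used in aws_kms/use_kms_s3/set_env.ps1 keeps it out of the repository.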
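--- a/2024-06-25-OpenTofuEncryption/basic_example/testplan.txt
+++ b/2024-06-25-OpenTofuEncryption/basic_example/testplan.txt
@@ -0,0 +1 @@
+Encrypt state and plan!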
