UML-3138 Create new secrets

terraform/account/kms.tf

@@ -2,7 +2,7 @@ module "sessions_viewer_mrk" {
   source = "./modules/multi_region_kms"
 
   key_description         = "Managers keys for sessions in Viewer"
-  key_alias               = "sessions-viewer"
+  key_alias               = "sessions-viewer-mrk"
   deletion_window_in_days = 7
 
   providers = {
@@ -15,11 +15,34 @@ module "sessions_actor_mrk" {
   source = "./modules/multi_region_kms"
 
   key_description         = "Managers keys for sessions in Actor"
-  key_alias               = "sessions-actor"
+  key_alias               = "sessions-actor-mrk"
   deletion_window_in_days = 7
 
   providers = {
     aws.primary   = aws.eu_west_1
     aws.secondary = aws.eu_west_2
   }
 }
+
+# No longer used but kept to keep regional KMS keys
+resource "aws_kms_key" "sessions_viewer" {
+  description             = "Managers keys for sessions in Viewer"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+}
+
+resource "aws_kms_alias" "sessions_viewer" {
+  name          = "alias/sessions-viewer"
+  target_key_id = aws_kms_key.sessions_viewer.key_id
+}
+
+resource "aws_kms_key" "sessions_actor" {
+  description             = "Managers keys for sessions in Actor"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+}
+
+resource "aws_kms_alias" "sessions_actor" {
+  name          = "alias/sessions-actor"
+  target_key_id = aws_kms_key.sessions_actor.key_id
+}

terraform/account/refactor.tf

@@ -393,36 +393,6 @@ moved {
   to   = module.eu_west_1.pagerduty_service_integration.cloudwatch_integration
 }
 
-moved {
-  from = aws_kms_key.sessions_viewer
-  to   = module.sessions_viewer_mrk.aws_kms_key.this
-}
-
-moved {
-  from = aws_kms_key.sessions_actor
-  to   = module.sessions_actor_mrk.aws_kms_key.this
-}
-
-moved {
-  from = aws_kms_alias.sessions_viewer
-  to   = module.sessions_viewer_mrk.aws_kms_alias.primary_alias
-}
-
-moved {
-  from = aws_kms_alias.sessions_actor
-  to   = module.sessions_actor_mrk.aws_kms_alias.primary_alias
-}
-
-moved {
-  from = aws_kms_key.secrets_manager
-  to   = module.secrets_manager_mrk.aws_kms_key.this
-}
-
-moved {
-  from = aws_kms_alias.secrets_manager_alias
-  to   = module.secrets_manager_mrk.aws_kms_alias.primary_alias
-}
-
 moved {
   from = aws_cloudwatch_log_group.workspace_cleanup_log
   to   = module.workspace_cleanup_mrk.aws_cloudwatch_log_group.workspace_cleanup_log

terraform/account/secretsmanager.tf

@@ -54,7 +54,7 @@ module "secrets_manager_mrk" {
 
   key_description         = "Secrets Manager encryption ${local.environment}"
   key_policy              = data.aws_iam_policy_document.secrets_manager_kms.json
-  key_alias               = "secrets_manager_encryption"
+  key_alias               = "secrets_manager_encryption-mrk"
   deletion_window_in_days = 10
 
   providers = {
@@ -63,6 +63,18 @@ module "secrets_manager_mrk" {
   }
 }
 
+resource "aws_kms_key" "secrets_manager" {
+  description             = "Secrets Manager encryption ${local.environment}"
+  deletion_window_in_days = 10
+  enable_key_rotation     = true
+  policy                  = data.aws_iam_policy_document.secrets_manager_kms.json
+}
+
+resource "aws_kms_alias" "secrets_manager_alias" {
+  name          = "alias/secrets_manager_encryption"
+  target_key_id = aws_kms_key.secrets_manager.key_id
+}
+
 data "aws_iam_policy_document" "secrets_manager_kms" {
   statement {
     sid       = "Enable Root account permissions on Key"

terraform/environment/shared_data_sources.tf

@@ -49,15 +49,15 @@ data "aws_acm_certificate" "public_facing_certificate_use" {
 }
 
 data "aws_kms_alias" "sessions_viewer" {
-  name = "alias/sessions-viewer"
+  name = "alias/sessions-viewer-mrk"
 }
 
 data "aws_kms_alias" "sessions_actor" {
-  name = "alias/sessions-actor"
+  name = "alias/sessions-actor-mrk"
 }
 
 data "aws_kms_alias" "secrets_manager" {
-  name = "alias/secrets_manager_encryption"
+  name = "alias/secrets_manager_encryption-mrk"
 }
 
 data "aws_kms_alias" "pagerduty_sns" {