# =============================================================================
# KMS Module — Customer-Managed Encryption Keys with Rotation
# =============================================================================
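# One customer-managed KMS key per entry in var.keys. The map key is reused as
# the suffix of the Name tag and of the matching alias (aws_kms_alias.this).
resource "aws_kms_key" "this" {
  for_each = var.keys

  description              = each.value.description
  deletion_window_in_days  = each.value.deletion_window # pending-deletion window; AWS accepts 7–30 days
  key_usage                = each.value.key_usage
  customer_master_key_spec = each.value.key_spec

  # Automatic annual rotation is only supported on symmetric encryption keys
  # (SYMMETRIC_DEFAULT). Requesting it on an asymmetric (RSA/ECC) or HMAC key
  # makes the CreateKey call fail, so derive the flag from the spec instead of
  # hard-coding true. A null spec means the provider default, SYMMETRIC_DEFAULT,
  # which does support rotation.
  enable_key_rotation = coalesce(each.value.key_spec, "SYMMETRIC_DEFAULT") == "SYMMETRIC_DEFAULT"

  # Caller-supplied key policy document. When this is null, AWS attaches its
  # default key policy, which grants the account root principal full access
  # to the key — callers that want tighter scoping must pass an explicit policy.
  policy = each.value.policy

  tags = merge(var.tags, {
    Name = "${var.name}-${each.key}"
  })
}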
# One alias per key in var.keys, named "alias/<module name>-<map key>", so
# consumers can reference the key by a stable name rather than its key ID.
resource "aws_kms_alias" "this" {
  for_each = var.keys

  name          = format("alias/%s-%s", var.name, each.key)
  target_key_id = aws_kms_key.this[each.key].key_id
}