lib/terraforming/resource/kms_key.rb
module Terraforming
  module Resource
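    class KMSKey
      include Terraforming::Util

      # Renders the Terraform (.tf) definitions for every customer-managed KMS key.
      #
      # @param client [Aws::KMS::Client] client used for all KMS API calls
      # @return [String] the rendered "tf/kms_key" template
      def self.tf(client: Aws::KMS::Client.new)
        new(client).tf
      end

      # Builds the tfstate resource map for every customer-managed KMS key.
      #
      # @param client [Aws::KMS::Client] client used for all KMS API calls
      # @return [Hash] resources keyed by "aws_kms_key.<module name>"
      def self.tfstate(client: Aws::KMS::Client.new)
        new(client).tfstate
      end

      # @param client [Aws::KMS::Client]
      def initialize(client)
        @client = client
      end

      # Renders the ERB template in the context of this instance, so the
      # template can reach the private #keys accessor.
      def tf
        apply_template(@client, "tf/kms_key")
      end

      # Produces the "aws_kms_key" resource map. Each key costs three further
      # API calls (rotation status, policy names, policy body), so the number
      # of round trips grows linearly with the number of keys.
      #
      # @return [Hash] resources keyed by "aws_kms_key.<module name>"
      def tfstate
        keys.each_with_object({}) do |key, resources|
          resources["aws_kms_key.#{module_name_of(key)}"] = {
            "type" => "aws_kms_key",
            "primary" => {
              "id" => key.key_id,
              "attributes" => attributes_of(key),
            },
          }
        end
      end

      private

      # Terraform attribute map for a single key. Boolean API values are
      # stringified because tfstate stores every attribute as a string.
      def attributes_of(key)
        {
          "arn" => key.arn,
          "description" => key.description,
          "enable_key_rotation" => key_rotation_status_of(key).key_rotation_enabled.to_s,
          "id" => key.key_id,
          "is_enabled" => key.enabled.to_s,
          "key_id" => key.key_id,
          "key_usage" => key.key_usage,
          "policy" => key_policy_of(key),
        }
      end

      # Every alias in the account, memoized for the lifetime of this instance.
      # ListAliases is paginated; iterating the response walks all pages instead
      # of stopping after the first one.
      def aliases
        @aliases ||= @client.list_aliases.flat_map(&:aliases)
      end

      # Metadata of every key that Terraform can manage. ListKeys is paginated,
      # so pages are flattened before filtering. AWS-managed keys (those that own
      # an "alias/aws/" alias) are dropped, as are keys with EXTERNAL origin,
      # which Terraform does not support.
      def keys
        @client
          .list_keys
          .flat_map(&:keys)
          .reject { |key| managed_master_key?(key) }
          .map { |key| @client.describe_key(key_id: key.key_id).key_metadata }
          .reject { |metadata| metadata.origin == "EXTERNAL" }
      end

      # Raw policy document of the key's first policy, or "" when it has none.
      # Only the first policy name is fetched; KMS exposes a single key policy
      # (named "default") per key.
      def key_policy_of(key)
        policy_names = @client.list_key_policies(key_id: key.key_id).policy_names
        return "" if policy_names.empty?

        @client.get_key_policy(key_id: key.key_id, policy_name: policy_names.first).policy
      end

      # One GetKeyRotationStatus call per key.
      def key_rotation_status_of(key)
        @client.get_key_rotation_status(key_id: key.key_id)
      end

      # True when an AWS-managed alias ("alias/aws/...") targets this key, i.e.
      # the key belongs to an AWS service rather than to the customer.
      def managed_master_key?(key)
        aliases.any? do |a|
          a.target_key_id == key.key_id && a.alias_name.to_s.start_with?("alias/aws/")
        end
      end

      # Terraform module name derived from the key id.
      def module_name_of(key)
        normalize_module_name(key.key_id)
      end
    end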
  end
end