62 changes: 62 additions & 0 deletions .github/workflows/terraform-kms.yml
@@ -0,0 +1,62 @@
# ==============================================================================
# .github/workflows/terraform-kms.yml
# CI pipeline for AnchorPoint KMS Terraform — Issue #412
#
# Runs on every pull request that touches infra/terraform/**
# Stages: fmt → validate → checkov → plan
# ==============================================================================

name: Terraform KMS CI

on:
pull_request:
paths:
- 'infra/terraform/**'

jobs:
terraform-kms:
name: Lint, Validate, Scan, Plan
runs-on: ubuntu-latest

defaults:
run:
working-directory: infra/terraform/kms

steps:
# ── Checkout ─────────────────────────────────────────────────────────────
- name: Checkout
uses: actions/checkout@v4

# ── Terraform setup ───────────────────────────────────────────────────────
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
with:
terraform_version: "1.5.7"

# ── Format check ─────────────────────────────────────────────────────────
- name: Terraform Format Check
run: terraform fmt -check

# ── Init (no backend — dry run only) ─────────────────────────────────────
- name: Terraform Init
run: terraform init -backend=false

# ── Validate ─────────────────────────────────────────────────────────────
- name: Terraform Validate
run: terraform validate

# ── Security scan ─────────────────────────────────────────────────────────
- name: Checkov Security Scan
uses: bridgecrewio/checkov-action@v12
with:
directory: infra/terraform/kms
framework: terraform
soft_fail: false

# ── Plan (dry run against testnet vars) ──────────────────────────────────
- name: Terraform Plan
run: |
terraform plan \
-backend=false \
-var="environment=testnet" \
-var="key_alias=anchorpoint-stellar-keys"
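Review bot: the plan step at the end of this hunk passes `-backend=false` to `terraform plan`, but that option belongs to `terraform init` (where it is already used a few steps earlier); `terraform plan` rejects it as an unrecognized option, so the job would fail at the last stage. Drop it and run `terraform plan -var="environment=testnet" -var="key_alias=anchorpoint-stellar-keys"`. Two hardening points on the same job: it declares no `permissions:` block, so the default GITHUB_TOKEN scopes apply even though nothing here needs more than `contents: read`, and `actions/checkout@v4`, `hashicorp/setup-terraform@v3` and `bridgecrewio/checkov-action@v12` are pinned to moving tags rather than commit SHAs. Also note that no AWS credentials step appears in the job, so the plan stage relies on the provider configuration (not shown in this PR) being able to plan without them; if it cannot, either add a credentials step or limit CI to fmt/validate/checkov.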
115 changes: 115 additions & 0 deletions infra/terraform/kms/QA_STEPS.md
@@ -0,0 +1,115 @@
# KMS Manual QA Steps — Issue #412

## Pre-requisites
- AWS CLI configured with sufficient permissions
- Terraform >= 1.0.0 installed
- `checkov` installed (`pip install checkov`)

---

## Step 1 — Initialize and validate

```bash
cd infra/terraform/kms

terraform init
terraform fmt -check
terraform validate
```

---

## Step 2 — Security scan

```bash
checkov -d . --framework terraform
```

Expected passes:
- `CKV_AWS_7` — Key rotation enabled
- `CKV_AWS_109` — Key policy does not use wildcard principal
- `CKV_AWS_149` — No plaintext secrets in config

---

## Step 3 — Plan

```bash
cp terraform.tfvars.example terraform.tfvars
# Fill in real ARNs in terraform.tfvars

terraform plan -var-file=terraform.tfvars
```

Expected output:
```
Plan: 3 to add, 0 to change, 0 to destroy.
+ aws_kms_key.anchorpoint_stellar_keys
+ aws_kms_alias.anchorpoint_stellar_keys
+ aws_ssm_parameter.kms_key_arn
```

---

## Step 4 — Apply

```bash
terraform apply -var-file=terraform.tfvars
```

---

## Step 5 — Verify key rotation is enabled

```bash
KEY_ID=$(terraform output -raw key_id)

aws kms get-key-rotation-status --key-id "$KEY_ID"
```

Expected:
```json
{ "KeyRotationEnabled": true }
```

---

## Step 6 — Encrypt/decrypt round-trip

```bash
ALIAS=$(terraform output -raw alias_name)

# Encrypt a test string
CIPHER=$(aws kms encrypt \
--key-id "$ALIAS" \
--plaintext "anchorpoint-test" \
--query CiphertextBlob \
--output text)

# Decrypt it back — should return "anchorpoint-test"
aws kms decrypt \
--ciphertext-blob fileb://<(echo "$CIPHER" | base64 -d) \
--query Plaintext \
--output text | base64 -d
```

---

## Step 7 — Verify SSM parameter was written

```bash
SSM_PATH=$(terraform output -raw ssm_parameter_name)

aws ssm get-parameter --name "$SSM_PATH" --query Parameter.Value --output text
```

Expected: the full KMS key ARN.

---

## Step 8 — Teardown (testnet only)

```bash
terraform destroy -var-file=terraform.tfvars
# Key enters 10-day pending-deletion window.
```
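Review bot: in Step 6, `aws kms encrypt --plaintext "anchorpoint-test"` fails on AWS CLI v2, which expects binary blob parameters as base64 unless `--cli-binary-format raw-in-base64-out` is given; add that flag or pass `--plaintext fileb://<(printf 'anchorpoint-test')`. The decrypt half then only prints the result for the tester to compare by eye, while Steps 5 and 7 state an explicit expected value; capture it as `DECRYPTED=$(aws kms decrypt ... | base64 -d)` and check `[ "$DECRYPTED" = "anchorpoint-test" ]` so the round-trip is a pass/fail step too. In Step 3 the tester copies `terraform.tfvars.example` to `terraform.tfvars` and fills in real ARNs; the doc should say that `terraform.tfvars` is gitignored (or must not be committed), since it will hold account-specific values.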