NixOS · PsyanticY · Jun 28, 2019 · Jul 1, 2019 · Jul 3, 2019
diff --git a/examples/aws-cmk.nix b/examples/aws-cmk.nix
@@ -0,0 +1,36 @@
+{
+    resources.cmk.cmk =
+    {lib, ...}:
+    {
+      alias = "nixops-kms";
+      description = "nixops is the best";
+      policy = builtins.toJSON
+      {
+        Statement= [
+          {
+              Effect= "Allow";
+              Principal = "*";
+              Action = "*";
+              Resource= "*";
+          }
+        ];
+      };
+      origin = "AWS_KMS";
+      deletionWaitPeriod = 7;
+      region = "us-east-1";
+      accessKeyId = "testing";
+      tags = { name = "nixops-managed-cmk";};
+    };
+    resources.ebsVolumes.ebs =
+    {resources, ...}:
+    {
+      region = "us-east-1";
+      accessKeyId = "testing";
+      size = 50;
+      volumeType = "gp2";
+      kmsKeyId = resources.cmk.cmk;
+      zone = "us-east-1a";
+      tags = { name = "nixops"; env = "test";};
+  };
+
+}
diff --git a/nix/cmk.nix b/nix/cmk.nix
@@ -0,0 +1,110 @@
+
+{ config, lib, uuid, name, ... }:
+
+with lib;
+
+{
+  imports = [ ./common-ec2-auth-options.nix ];
+
+  options = {
+
+    alias = mkOption {
+      default = "nixops-${uuid}-${name}";
+      type = types.str;
+      description = "Alias of the CMK.";
+    };
+
+    keyId = mkOption {
+      default = "";
+      type = types.str;
+      description = "The globally unique identifier for the CMK. This is set by NixOps";
+    };
+
+    policy = mkOption {
+      default = null;
+      type = types.nullOr types.str;
+      description = ''
+        The key policy to attach to the CMK.
+      '';
+    };
+
+    description = mkOption {
+      default = "CMK created by nixops";
+      type = types.str;
+      description = "A description of the CMK.";
+    };
+
+    origin = mkOption {
+      default = "AWS_KMS";
+      type = types.enum [ "AWS_KMS" "EXTERNAL" "AWS_CLOUDHSM" ];
+      description = ''
+        The source of the key material for the CMK. You cannot change the origin after you create the CMK.
+      ''; 
+    };
+
+    customKeyStoreId = mkOption {
+      default = null;
+      type = types.nullOr types.str;
+      description = ''
+        Creates the CMK in the specified custom key store and the key
+        material in its associated AWS CloudHSM cluster. To create a CMK
+        in a custom key store, you must also specify the Origin parameter
+        with a value of "AWS_CLOUDHSM" . 
+      '';
+    };
+
+    deletionWaitPeriod = mkOption {
+      default = 0;
+      type = types.int;
+      description = ''
+        The waiting period, specified in number of days. After
+        the waiting period ends, AWS KMS deletes the customer master key (CMK).
+        Valid values are between 7 and 30
+        Use 0 to indicate that you do not want to delete the key
+      '';
+    };
+
+    externalKey = mkOption {
+      description = "Options related to CMK when the origin is set to external.";
+      default = null;
+      type = with types; nullOr (submodule {
+        options = {
+          wrappingAlgorithm = mkOption {
+            default = "RSAES_OAEP_SHA_256";
+            type = types.enum [ "RSAES_PKCS1_V1_5" "RSAES_OAEP_SHA_1" "RSAES_OAEP_SHA_256" ];
+            description = ''
+              The algorithm you will use to encrypt the key material before
+              importing it with ImportKeyMaterial.
+            '';
+          };
+          wrappingKeySpec = mkOption {
+            default = "RSA_2048";
+            type = types.enum [ "RSA_2048" ];
+            description = ''
+              The type of wrapping key (public key) to return in the response.
+              Only 2048-bit RSA public keys are supported for the moment.
+            '';
+          };
+
+          keyMaterialExpire = mkOption {
+            default = false;
+            type = types.bool;
+            description = "Specifies whether the key material expires.";
+          };
+
+          keyMaterial = mkOption {
+            default = null;
+            type = types.nullOr types.str;
+            description = ''
+              Key material that will be wrapped and uploaded to KMS.
+              This is set by nixops
+            '';
+          };
+        };
+      });
+    };
+
+  } // import ./common-ec2-options.nix { inherit lib; };
+
+  config._type = "cmk";
+}
diff --git a/nix/ebs-volume.nix b/nix/ebs-volume.nix
@@ -1,6 +1,7 @@
 { config, lib, uuid, name, ... }:
 
 with lib;
+with import ./lib.nix lib;
 
 {
 
@@ -49,6 +50,17 @@ with lib;
       '';
     };
 
+    kmsKeyId = mkOption {
+      default = null;
+      type = with types; nullOr (either types.str (resource "cmk"));
+      apply = x: if builtins.isString x then x else "res-" + x._name;
+      description = ''
+        The identifier of the AWS Key Management Service (AWS KMS)
+        customer master key (CMK) to use for Amazon EBS encryption.
+        If this parameter is not specified, your AWS managed CMK for EBS is used. 
+      '';
+    };
+
   } // import ./common-ec2-options.nix { inherit lib; };
 
   config = {

diff --git a/nix/eval-machine-info.nix b/nix/eval-machine-info.nix
@@ -93,6 +93,7 @@ rec {
   resources.ec2SecurityGroups = evalResources ./ec2-security-group.nix (zipAttrs resourcesByType.ec2SecurityGroups or []);
   resources.ec2PlacementGroups = evalResources ./ec2-placement-group.nix (zipAttrs resourcesByType.ec2PlacementGroups or []);
   resources.ebsVolumes = evalResources ./ebs-volume.nix (zipAttrs resourcesByType.ebsVolumes or []);
+  resources.cmk = evalResources ./cmk.nix (zipAttrs resourcesByType.cmk or []);
   resources.elasticIPs = evalResources ./elastic-ip.nix (zipAttrs resourcesByType.elasticIPs or []);
   resources.rdsDbInstances = evalResources ./ec2-rds-dbinstance.nix (zipAttrs resourcesByType.rdsDbInstances or []);
   resources.rdsDbSecurityGroups = evalResources ./ec2-rds-dbsecurity-group.nix (zipAttrs resourcesByType.rdsDbSecurityGroups or []);