Merge pull request #72 from zama-ai/piizama/kms-connector-awskms-signing-key

piizama · web-flow · commit 8a73c46d863b · 2025-11-03T23:45:40.000+01:00
feat(mpc-party): add kms-connector awskms key and service account
diff --git a/examples/mpc-party/main.tf b/examples/mpc-party/main.tf
@@ -4,7 +4,7 @@
 
 # Deploy MPC Party infrastructure using the enhanced mpc-party module
 module "mpc_party" {
-  source = "git::https://github.com/zama-ai/terraform-mpc-modules.git//modules/mpc-party?ref=v0.1.10"
+  source = "git::https://github.com/zama-ai/terraform-mpc-modules.git//modules/mpc-party?ref=v0.1.13"
 
   # Network environment configuration
   network_environment = var.network_environment
@@ -98,6 +98,9 @@ module "mpc_party" {
   rds_vpc_id                  = var.rds_vpc_id
   rds_deletion_protection     = var.rds_deletion_protection
 
+  # KMS-Connector Configuration
+  kms_connector_enable_txsender_key = true
+
   # Tagging
   common_tags = merge(var.additional_tags, {
     "Environment" = var.environment
diff --git a/examples/terragrunt-infra/kms-dev-v1/mpc-party/terraform.tfvars b/examples/terragrunt-infra/kms-dev-v1/mpc-party/terraform.tfvars
@@ -62,3 +62,5 @@ kms_enabled_nitro_enclaves = true
 # This image attestation SHA must be updated for each KMS enclave release image.
 kms_image_attestation_sha   = "5292569b5945693afcde78e5a0045f4bf8c0a594d174baf1e6bccdf0e6338ebe46e89207054e0c48d0ec6deef80284ac"
 kms_deletion_window_in_days = 7
+
+kms_connector_enable_txsender_key = true
diff --git a/examples/terragrunt-infra/kms-dev-v1/mpc-party/terragrunt.hcl b/examples/terragrunt-infra/kms-dev-v1/mpc-party/terragrunt.hcl
@@ -13,7 +13,7 @@ include "common" {
 
 # Reference the mpc-network-provider example module
 terraform {
-  source = "git::https://github.com/zama-ai/terraform-mpc-modules.git//modules/mpc-party?ref=v0.1.10"
+  source = "git::https://github.com/zama-ai/terraform-mpc-modules.git//modules/mpc-party?ref=v0.1.13"
 
   extra_arguments "tfvars" {
     commands = get_terraform_commands_that_need_vars()
diff --git a/examples/terragrunt-infra/zws-dev/mpc-party/terraform.tfvars b/examples/terragrunt-infra/zws-dev/mpc-party/terraform.tfvars
@@ -66,3 +66,5 @@ kms_enabled_nitro_enclaves = true
 # This image attestation SHA must be updated for each KMS enclave release image.
 kms_image_attestation_sha   = "5292569b5945693afcde78e5a0045f4bf8c0a594d174baf1e6bccdf0e6338ebe46e89207054e0c48d0ec6deef80284ac"
 kms_deletion_window_in_days = 7
+
+kms_connector_enable_txsender_key = true
diff --git a/examples/terragrunt-infra/zws-dev/mpc-party/terragrunt.hcl b/examples/terragrunt-infra/zws-dev/mpc-party/terragrunt.hcl
@@ -13,7 +13,7 @@ include "common" {
 
 # Reference the mpc-network-provider example module
 terraform {
-  source = "git::https://github.com/zama-ai/terraform-mpc-modules.git//modules/mpc-party?ref=v0.1.10"
+  source = "git::https://github.com/zama-ai/terraform-mpc-modules.git//modules/mpc-party?ref=v0.1.13"
 
   extra_arguments "tfvars" {
     commands = get_terraform_commands_that_need_vars()
diff --git a/modules/mpc-party/README.md b/modules/mpc-party/README.md
@@ -132,6 +132,11 @@ module "mpc_party" {
   rds_storage_encrypted           = true
   rds_manage_master_user_password = true
 
+  # KMS-Connector Configuration
+  kms_connector_enable_txsender_key = true
+  kms_connector_txsender_key_usage  = "SIGN_VERIFY"
+  kms_connector_txsender_key_spec   = "ECC_SECP256K1"
+
   # RDS Network Configuration
   rds_allowed_cidr_blocks = ["10.0.0.0/16"]
 
@@ -307,6 +312,7 @@ The module can optionally create:
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_eks_managed_node_group"></a> [eks\_managed\_node\_group](#module\_eks\_managed\_node\_group) | terraform-aws-modules/eks/aws//modules/eks-managed-node-group | 21.0.6 |
+| <a name="module_iam_assumable_role_kms_connector"></a> [iam\_assumable\_role\_kms\_connector](#module\_iam\_assumable\_role\_kms\_connector) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.48.0 |
 | <a name="module_iam_assumable_role_mpc_party"></a> [iam\_assumable\_role\_mpc\_party](#module\_iam\_assumable\_role\_mpc\_party) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.48.0 |
 | <a name="module_rds_instance"></a> [rds\_instance](#module\_rds\_instance) | terraform-aws-modules/rds/aws | ~> 6.10 |
 | <a name="module_rds_security_group"></a> [rds\_security\_group](#module\_rds\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.3.0 |
@@ -316,8 +322,10 @@ The module can optionally create:
 | Name | Type |
 |------|------|
 | [aws_iam_policy.mpc_aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_kms_alias.mpc_connector_tx_sender](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_alias.mpc_party](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_alias.mpc_party_backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_external_key.mpc_connector_tx_sender](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_external_key) | resource |
 | [aws_kms_key.mpc_party](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_kms_key.mpc_party_backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_s3_bucket.vault_private_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
@@ -334,6 +342,7 @@ The module can optionally create:
 | [kubernetes_daemon_set_v1.aws_nitro_enclaves_device_plugin](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/daemon_set_v1) | resource |
 | [kubernetes_namespace.mpc_party_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_service.externalname](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service) | resource |
+| [kubernetes_service_account.mpc_kms_connector_service_account](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |
 | [kubernetes_service_account.mpc_party_service_account](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |
 | [null_resource.validate_auto_resolved_node_sg](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [random_id.mpc_party_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
@@ -365,6 +374,9 @@ The module can optionally create:
 | <a name="input_kms_backup_external_role_arn"></a> [kms\_backup\_external\_role\_arn](#input\_kms\_backup\_external\_role\_arn) | ARN of the backup vault for the KMS key | `string` | `null` | no |
 | <a name="input_kms_backup_vault_customer_master_key_spec"></a> [kms\_backup\_vault\_customer\_master\_key\_spec](#input\_kms\_backup\_vault\_customer\_master\_key\_spec) | Key spec for the backup vault | `string` | `"ASYMMETRIC_DEFAULT"` | no |
 | <a name="input_kms_backup_vault_key_usage"></a> [kms\_backup\_vault\_key\_usage](#input\_kms\_backup\_vault\_key\_usage) | Key usage for the backup vault | `string` | `"ENCRYPT_DECRYPT"` | no |
+| <a name="input_kms_connector_enable_txsender_key"></a> [kms\_connector\_enable\_txsender\_key](#input\_kms\_connector\_enable\_txsender\_key) | Whether to enable the KMS key for the kms-connector txsender | `bool` | `false` | no |
+| <a name="input_kms_connector_txsender_key_spec"></a> [kms\_connector\_txsender\_key\_spec](#input\_kms\_connector\_txsender\_key\_spec) | Specification for the KMS-Connector txsender (e.g., ECC\_SECG\_P256K1 for Ethereum key signing) | `string` | `"ECC_SECG_P256K1"` | no |
+| <a name="input_kms_connector_txsender_key_usage"></a> [kms\_connector\_txsender\_key\_usage](#input\_kms\_connector\_txsender\_key\_usage) | Key usage for KMS-Connector txsender | `string` | `"SIGN_VERIFY"` | no |
 | <a name="input_kms_cross_account_kms_key_id"></a> [kms\_cross\_account\_kms\_key\_id](#input\_kms\_cross\_account\_kms\_key\_id) | KMS key ID of KMS key created in a different AWS account | `string` | `""` | no |
 | <a name="input_kms_customer_master_key_spec"></a> [kms\_customer\_master\_key\_spec](#input\_kms\_customer\_master\_key\_spec) | Specification for the KMS customer master key (e.g., SYMMETRIC\_DEFAULT, RSA\_2048) | `string` | `"SYMMETRIC_DEFAULT"` | no |
 | <a name="input_kms_deletion_window_in_days"></a> [kms\_deletion\_window\_in\_days](#input\_kms\_deletion\_window\_in\_days) | Deletion window in days for KMS key | `number` | `30` | no |
@@ -445,6 +457,7 @@ The module can optionally create:
 | <a name="output_irsa_summary"></a> [irsa\_summary](#output\_irsa\_summary) | Summary of the IRSA role for MPC party |
 | <a name="output_k8s_configmap_summary"></a> [k8s\_configmap\_summary](#output\_k8s\_configmap\_summary) | Summary of the Kubernetes ConfigMap for MPC party |
 | <a name="output_k8s_service_account_summary"></a> [k8s\_service\_account\_summary](#output\_k8s\_service\_account\_summary) | Summary of the Kubernetes service account for MPC party |
+| <a name="output_kms_connector_tx_sender"></a> [kms\_connector\_tx\_sender](#output\_kms\_connector\_tx\_sender) | KMS Connector Transaction Sender KMS Key |
 | <a name="output_nitro_enclaves_summary"></a> [nitro\_enclaves\_summary](#output\_nitro\_enclaves\_summary) | Summary of the Nitro Enclaves for MPC party |
 | <a name="output_node_group_tolerations"></a> [node\_group\_tolerations](#output\_node\_group\_tolerations) | Kubernetes tolerations derived from EKS node group taints |
 | <a name="output_nodegroup_auto_assign_security_group_summary"></a> [nodegroup\_auto\_assign\_security\_group\_summary](#output\_nodegroup\_auto\_assign\_security\_group\_summary) | Summary of the auto resolved security group |
diff --git a/modules/mpc-party/main.tf b/modules/mpc-party/main.tf
@@ -247,12 +247,49 @@ resource "kubernetes_service_account" "mpc_party_service_account" {
   depends_on = [kubernetes_namespace.mpc_party_namespace, module.iam_assumable_role_mpc_party]
 }
 
+module "iam_assumable_role_kms_connector" {
+  source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+  version                       = "5.48.0"
+  provider_url                  = data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer
+  create_role                   = true
+  role_name                     = "mpc-${var.cluster_name}-${var.party_name}-connector"
+  oidc_fully_qualified_subjects = ["system:serviceaccount:${var.k8s_namespace}:${var.k8s_service_account_name}-connector"]
+  role_policy_arns              = []
+  depends_on                    = [kubernetes_namespace.mpc_party_namespace]
+}
+
+resource "kubernetes_service_account" "mpc_kms_connector_service_account" {
+  count = var.create_service_account ? 1 : 0
+
+  metadata {
+    name      = "${var.k8s_service_account_name}-connector"
+    namespace = var.k8s_namespace
+
+    labels = merge({
+      "app.kubernetes.io/name"       = "mpc-connector"
+      "app.kubernetes.io/component"  = "service-account"
+      "app.kubernetes.io/part-of"    = "mpc-cluster"
+      "app.kubernetes.io/managed-by" = "terraform"
+      "mpc.io/party-name"            = var.party_name
+    }, var.service_account_labels)
+
+    annotations = merge({
+      "terraform.io/module"        = "mpc-party"
+      "mpc.io/party-name"          = var.party_name
+      "eks.amazonaws.com/role-arn" = module.iam_assumable_role_kms_connector.iam_role_arn
+    }, var.service_account_annotations)
+  }
+  depends_on = [kubernetes_namespace.mpc_party_namespace, module.iam_assumable_role_kms_connector]
+}
+
+
 # ***************************************
 #  AWS KMS Key for MPC Party
 # ***************************************
 locals {
-  create_mpc_party_key        = var.kms_enabled_nitro_enclaves && !var.kms_use_cross_account_kms_key
-  create_mpc_party_key_backup = var.kms_enabled_nitro_enclaves && var.kms_enable_backup_vault && !var.kms_use_cross_account_kms_key
+  create_mpc_party_key              = var.kms_enabled_nitro_enclaves && !var.kms_use_cross_account_kms_key
+  create_mpc_party_key_backup       = var.kms_enabled_nitro_enclaves && var.kms_enable_backup_vault && !var.kms_use_cross_account_kms_key
+  create_mpc_connector_txsender_key = var.kms_connector_enable_txsender_key && !var.kms_use_cross_account_kms_key
 }
 
 resource "aws_kms_key" "mpc_party" {
@@ -407,6 +444,73 @@ resource "aws_kms_alias" "mpc_party_backup" {
   target_key_id = aws_kms_key.mpc_party_backup[0].key_id
 }
 
+# ***************************************
+#  KMS-Connector Ethereum TxSender Key
+# ***************************************
+resource "aws_kms_external_key" "mpc_connector_tx_sender" {
+  count = local.create_mpc_connector_txsender_key ? 1 : 0
+
+  description             = "KMS Connector tx sender key for MPC Party"
+  key_usage               = var.kms_connector_txsender_key_usage
+  key_spec                = var.kms_connector_txsender_key_spec
+  deletion_window_in_days = var.kms_deletion_window_in_days
+  tags                    = var.tags
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow",
+        Principal = {
+          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${module.iam_assumable_role_kms_connector.iam_role_name}"
+        },
+        Action = [
+          "kms:DescribeKey",
+          "kms:GetPublicKey",
+          "kms:Sign",
+          "kms:Verify"
+        ],
+        Resource = "*",
+      },
+      {
+        Effect = "Allow",
+        Principal = {
+          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+        },
+        Action = [
+          "kms:Create*",
+          "kms:Describe*",
+          "kms:Enable*",
+          "kms:List*",
+          "kms:Put*",
+          "kms:Update*",
+          "kms:Revoke*",
+          "kms:Disable*",
+          "kms:Get*",
+          "kms:Delete*",
+          "kms:TagResource",
+          "kms:UntagResource",
+          "kms:ScheduleKeyDeletion",
+          "kms:CancelKeyDeletion",
+          "kms:ImportKeyMaterial",
+          "kms:DeleteImportedKeyMaterial"
+        ],
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+# ***************************************
+#  KMS Key Alias for KMS-Connector Ethereum TxSender Key
+# ***************************************
+resource "aws_kms_alias" "mpc_connector_tx_sender" {
+  count = local.create_mpc_connector_txsender_key ? 1 : 0
+
+  name          = "alias/mpc-${var.party_name}-connector-txsender"
+  target_key_id = aws_kms_external_key.mpc_connector_tx_sender[0].id
+}
+
 # ***************************************
 #  ConfigMap for MPC Party
 # ***************************************
@@ -446,6 +550,7 @@ resource "kubernetes_config_map" "mpc_party_config" {
     "KMS_CORE__PUBLIC_VAULT__STORAGE__S3__PREFIX"               = ""
     "KMS_CORE__PRIVATE_VAULT__KEYCHAIN__AWS_KMS__ROOT_KEY_ID"   = local.kms_key_id
     "KMS_CORE__PRIVATE_VAULT__KEYCHAIN__AWS_KMS__ROOT_KEY_SPEC" = var.kms_enabled_nitro_enclaves ? "symm" : null
+    "KMS_CONNECTOR__TX_SENDER_AWS_KMS_KEY_ID"                   = var.kms_connector_enable_txsender_key ? aws_kms_external_key.mpc_connector_tx_sender[0].id : null
   }
 
   depends_on = [kubernetes_namespace.mpc_party_namespace, aws_s3_bucket.vault_private_bucket, aws_s3_bucket.vault_public_bucket]
diff --git a/modules/mpc-party/outputs.tf b/modules/mpc-party/outputs.tf
@@ -89,6 +89,16 @@ output "rds_summary" {
   } : null
 }
 
+# KMS Connector KMS Key
+output "kms_connector_tx_sender" {
+  description = "KMS Connector Transaction Sender KMS Key"
+  value = var.kms_connector_enable_txsender_key ? {
+    key_id    = aws_kms_external_key.mpc_connector_tx_sender[0].id
+    key_spec  = aws_kms_external_key.mpc_connector_tx_sender[0].key_spec
+    key_usage = aws_kms_external_key.mpc_connector_tx_sender[0].key_usage
+  } : null
+}
+
 # Node Group Tolerations
 output "node_group_tolerations" {
   description = "Kubernetes tolerations derived from EKS node group taints"
diff --git a/modules/mpc-party/variables.tf b/modules/mpc-party/variables.tf
@@ -363,6 +363,25 @@ variable "kms_deletion_window_in_days" {
   default     = 30
 }
 
+variable "kms_connector_enable_txsender_key" {
+  type        = bool
+  description = "Whether to enable the KMS key for the kms-connector txsender"
+  default     = false
+}
+
+
+variable "kms_connector_txsender_key_usage" {
+  type        = string
+  description = "Key usage for KMS-Connector txsender"
+  default     = "SIGN_VERIFY"
+}
+
+variable "kms_connector_txsender_key_spec" {
+  description = "Specification for the KMS-Connector txsender (e.g., ECC_SECG_P256K1 for Ethereum key signing)"
+  type        = string
+  default     = "ECC_SECG_P256K1"
+}
+
 variable "kms_enable_backup_vault" {
   type        = bool
   description = "Whether to enable the backup vault for the KMS key"
