added kms key policy and removed encryption from rds managed password

kms.tf

@@ -1,12 +1,79 @@
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key
-resource "aws_kms_key" "encryption_secret" {
+resource "aws_kms_key" "encryption_rds" {
   enable_key_rotation     = true
   description             = "Key to encrypt secret"
   deletion_window_in_days = 7
   #checkov:skip=CKV2_AWS_64: Not including a KMS Key policy
 }
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias
-resource "aws_kms_alias" "encryption_secret" {
-  name          = "alias/${var.name}"
-  target_key_id = aws_kms_key.encryption_secret.key_id
+resource "aws_kms_alias" "encryption_rds" {
+  name          = "alias/${var.name}-kms"
+  target_key_id = aws_kms_key.encryption_rds.key_id
+}
+data "aws_iam_policy_document" "encryption_rds_policy" {
+  statement {
+    sid    = "Enable IAM User Permissions"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+    actions = [
+      # "kms:*"
+      "kms:Create*",
+      "kms:Describe*",
+      "kms:Enable*",
+      "kms:List*",
+      "kms:Put*",
+      "kms:Update*",
+      "kms:Revoke*",
+      "kms:Disable*",
+      "kms:Get*",
+      "kms:Delete*",
+      "kms:ScheduleKeyDeletion",
+      "kms:CancelKeyDeletion",
+      "kms:TagResource",
+      "kms:UntagResource"
+    ]
+    resources = [aws_kms_key.encryption_rds.arn]
+  }
+
+  statement {
+    sid    = "Allow RDS to use the key"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["rds.amazonaws.com"]
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey",
+      "kms:CreateGrant"
+    ]
+    resources = [aws_kms_key.encryption_rds.arn]
+  }
+  statement {
+    sid    = "Allow Secrets Manager to use the key"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["secretsmanager.amazonaws.com"]
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey",
+      "kms:CreateGrant"
+    ]
+    resources = [aws_kms_key.encryption_rds.arn]
+  }
+}
+resource "aws_kms_key_policy" "encryption_rds" {
+  key_id = aws_kms_key.encryption_rds.id
+  policy = data.aws_iam_policy_document.encryption_rds_policy.json
 }

rds.tf

@@ -33,13 +33,13 @@ resource "aws_db_instance" "postgresql" {
   # CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
   deletion_protection = false
   #CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
-  copy_tags_to_snapshot         = true
-  performance_insights_enabled  = true
-  manage_master_user_password   = true
-  master_user_secret_kms_key_id = aws_kms_key.encryption_secret.arn
-  # master_user_secret_kms_key_id = aws_kms_key.example.arn
-  # kms_key_id = aws_kms_key.example.arn
-  # performance_insights_kms_key_id = aws_kms_key.example.arn
+  copy_tags_to_snapshot       = true
+  manage_master_user_password = true
+  # master_user_secret_kms_key_id = aws_kms_key.encryption_rds.arn
+  kms_key_id = aws_kms_key.encryption_rds.arn
+  # performance_insights_enabled          = true
+  # performance_insights_kms_key_id       = aws_kms_key.encryption_rds.arn
+  # performance_insights_retention_period = 31
   ca_cert_identifier = "rds-ca-rsa2048-g1"
   apply_immediately  = true
 }