From a91ae35a1cfa9a8baf37f00c5f2f94e5b93fa73d Mon Sep 17 00:00:00 2001
From: lolli001 <braxton.r.lollis@census.gov>
Date: Tue, 30 Jul 2024 11:24:48 -0400
Subject: [PATCH] Updated KMS, apply and get ID later.

---
 README.md     |   3 ++
 build.pkr.hcl |   2 +-
 kms.tf        | 111 +++++++++++++++++++++++++++++++++-----------------
 main.tf       |   2 +-
 4 files changed, 78 insertions(+), 40 deletions(-)

diff --git a/README.md b/README.md
index e9b46e3..3197b43 100644
--- a/README.md
+++ b/README.md
@@ -27,3 +27,6 @@ rebecaa linn : She does x86 (get context for ARM)
 cd ~/.aws/
 
 
+Update KMS.tf with key policy code (Teams)
+Set AMI everywhere
+Update 
\ No newline at end of file
diff --git a/build.pkr.hcl b/build.pkr.hcl
index e3791bd..f55a864 100644
--- a/build.pkr.hcl
+++ b/build.pkr.hcl
@@ -13,7 +13,7 @@ source "amazon-ebs" "rhel" {
   region        = "us-gov-west-1"
   source_ami    = "ami-01c116d3e0152a132"  # Updated AMI ID for Amazon-Linux
   ssh_username  = "ec2-user"
-  kms_key_id    = "3b7f8ca7-6212-4b47-859d-bde50b75f501"  # Static KMS Key ID
+#  kms_key_id    = "3b7f8ca7-6212-4b47-859d-bde50b75f501"  # Static KMS Key ID
 }
 
 build {
diff --git a/kms.tf b/kms.tf
index 6df8ceb..a287c22 100644
--- a/kms.tf
+++ b/kms.tf
@@ -1,42 +1,77 @@
-resource "aws_kms_key" "rhel_x86_codepipeline_key" {
-  description = "KMS key for RHEL x86 CodePipeline"
-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Sid": "Allow use of the key for EC2 and CodePipeline",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": [
-          "arn:aws-us-gov:iam::229685449397:role/rhel-x86-image-pipeline-demo-codepipeline-role",
-          "arn:aws-us-gov:iam::229685449397:role/rhel-x86-image-pipeline-demo-ec2-role"
-        ]
-      },
-      "Action": [
-        "kms:Encrypt",
-        "kms:Decrypt",
-        "kms:ReEncrypt*",
-        "kms:GenerateDataKey*",
-        "kms:DescribeKey"
-      ],
-      "Resource": "*"
-    },
-    {
-      "Sid": "Allow admin actions",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "arn:aws-us-gov:iam::229685449397:root"
-      },
-      "Action": "kms:*",
-      "Resource": "*"
-    }
+locals {
+  kms_key_name        = "rhel-pipeline-kms-key"
+  kms_admin_root      = ["arn:aws-us-gov:iam::229685449397:root"]
+  kms_admin_roles     = [
+    "arn:aws-us-gov:iam::229685449397:role/rhel-arm-image-pipeline-demo-codepipeline-role",
+    "arn:aws-us-gov:iam::229685449397:role/rhel-x86-image-pipeline-demo-ec2-role",
+    "arn:aws-us-gov:iam::229685449397:role/rhel-x86-image-pipeline-demo-codepipeline-role"
   ]
+  multi_region        = false
+}
+
+# Create a KMS key with key rotation enabled
+resource "aws_kms_key" "key" {
+  description         = "KMS CMK for RHEL Pipeline"
+  enable_key_rotation = true
+  policy              = data.aws_iam_policy_document.key_policy_combined.json
+  multi_region        = local.multi_region
+
+  tags = {
+    Name = local.kms_key_name
+  }
 }
-EOF
+
+# Create a KMS alias
+resource "aws_kms_alias" "key" {
+  name          = "alias/${local.kms_key_name}"
+  target_key_id = aws_kms_key.key.id
+}
+
+# KMS Policy for allowing usage of the key
+data "aws_iam_policy_document" "kms_outbound-main_policy" {
+  statement {
+    sid    = "S3AccessEncryptionKey"
+    effect = "Allow"
+    actions = [
+      "kms:ReEncrypt*",
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+    resources = ["*"]
+    principals {
+      type        = "AWS"
+      identifiers = local.kms_admin_roles
+    }
+    condition {
+      test     = "Bool"
+      variable = "kms:GrantIsForAWSResource"
+      values   = ["true"]
+    }
+  }
+}
+
+# Admin permissions for the KMS key
+data "aws_iam_policy_document" "key_admin" {
+  statement {
+    sid       = "BuiltinKMSAdminRoles"
+    effect    = "Allow"
+    actions   = ["kms:*"]
+    resources = ["*"]
+    principals {
+      type        = "AWS"
+      identifiers = local.kms_admin_roles
+    }
+  }
+}
+
+# Combine all policies into one for the KMS key
+data "aws_iam_policy_document" "key_policy_combined" {
+  source_policy_documents = [
+    data.aws_iam_policy_document.kms_outbound-main_policy.json,
+    data.aws_iam_policy_document.key_admin.json
+  ]
 }
 
-resource "aws_kms_alias" "rhel_x86_codepipeline_alias" {
-  name          = "alias/rhel-x86-codepipeline-key"
-  target_key_id = aws_kms_key.rhel_x86_codepipeline_key.id
-}
\ No newline at end of file
+data "aws_iam_policy_document" "empty" {}
\ No newline at end of file
diff --git a/main.tf b/main.tf
index 2010187..fe37153 100644
--- a/main.tf
+++ b/main.tf
@@ -142,7 +142,7 @@ module "rhel-arm" {
   goss_profile                = "rhel-arm-base-test"
   state                       = local.state_config
   vpc_config                  = local.vpc_config
-  source_ami                  = "ami-03f5c6b8195c66b04"
+  source_ami                  = "ami-01c116d3e0152a132"
   instance_type               = "t3.micro"
 }