Updated KMS

CSVD · Jul 30, 2024 · f178cb0 · f178cb0
1 parent a91ae35
commit f178cb0
Show file tree

Hide file tree

Showing 3 changed files with 90 additions and 64 deletions.
diff --git a/README.md b/README.md
@@ -26,7 +26,3 @@ rebecaa linn : She does x86 (get context for ARM)
 
 cd ~/.aws/
 
-
-Update KMS.tf with key policy code (Teams)
-Set AMI everywhere
-Update 
diff --git a/kms.tf b/kms.tf
@@ -1,77 +1,109 @@
 locals {
-  kms_key_name        = "rhel-pipeline-kms-key"
-  kms_admin_root      = ["arn:aws-us-gov:iam::229685449397:root"]
-  kms_admin_roles     = [
-    "arn:aws-us-gov:iam::229685449397:role/rhel-arm-image-pipeline-demo-codepipeline-role",
-    "arn:aws-us-gov:iam::229685449397:role/rhel-x86-image-pipeline-demo-ec2-role",
-    "arn:aws-us-gov:iam::229685449397:role/rhel-x86-image-pipeline-demo-codepipeline-role"
-  ]
-  multi_region        = false
+  kms_key_name        = "rhel-x86-codepipeline-key" # Name for the KMS key alias
+  account_id          = "229685449397"              # Replace with your AWS account ID
+  partition           = "aws-us-gov"         
 }
 
-# Create a KMS key with key rotation enabled
-resource "aws_kms_key" "key" {
-  description         = "KMS CMK for RHEL Pipeline"
+# Define the KMS Key resource
+resource "aws_kms_key" "rhel_x86_codepipeline_key" {
+  description         = "KMS key for RHEL x86 CodePipeline"
   enable_key_rotation = true
-  policy              = data.aws_iam_policy_document.key_policy_combined.json
-  multi_region        = local.multi_region
 
-  tags = {
-    Name = local.kms_key_name
-  }
+  policy = data.aws_iam_policy_document.key_policy_combined.json
 }
 
-# Create a KMS alias
-resource "aws_kms_alias" "key" {
+# Define the KMS Key Alias
+resource "aws_kms_alias" "rhel_x86_codepipeline_alias" {
   name          = "alias/${local.kms_key_name}"
-  target_key_id = aws_kms_key.key.id
+  target_key_id = aws_kms_key.rhel_x86_codepipeline_key.key_id
 }
 
-# KMS Policy for allowing usage of the key
-data "aws_iam_policy_document" "kms_outbound-main_policy" {
+# Define the key policy document
+data "aws_iam_policy_document" "key_policy_combined" {
   statement {
-    sid    = "S3AccessEncryptionKey"
-    effect = "Allow"
-    actions = [
-      "kms:ReEncrypt*",
+    sid       = "Enable IAM User Permissions"
+    effect    = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:${local.partition}:iam::${local.account_id}:root"]
+    }
+    actions   = ["kms:*"]
+    resources = ["*"]
+  }
+
+  statement {
+    sid       = "Allow access for Key Administrators"
+    effect    = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = [
+        "arn:${local.partition}:iam::${local.account_id}:role/rhel-arm-image-pipeline-demo-codepipeline-role",
+        "arn:${local.partition}:iam::${local.account_id}:role/rhel-x86-image-pipeline-demo-ec2-role",
+        "arn:${local.partition}:iam::${local.account_id}:role/rhel-x86-image-pipeline-demo-codepipeline-role"
+      ]
+    }
+    actions   = [
+      "kms:Create*",
+      "kms:Describe*",
+      "kms:Enable*",
+      "kms:List*",
+      "kms:Put*",
+      "kms:Update*",
+      "kms:Revoke*",
+      "kms:Disable*",
+      "kms:Get*",
+      "kms:Delete*",
+      "kms:TagResource",
+      "kms:UntagResource",
+      "kms:ScheduleKeyDeletion",
+      "kms:CancelKeyDeletion",
+      "kms:RotateKeyOnDemand"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid       = "Allow use of the key"
+    effect    = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = [
+        "arn:${local.partition}:iam::${local.account_id}:role/rhel-arm-image-pipeline-demo-codepipeline-role",
+        "arn:${local.partition}:iam::${local.account_id}:role/rhel-x86-image-pipeline-demo-ec2-role",
+        "arn:${local.partition}:iam::${local.account_id}:role/rhel-x86-image-pipeline-demo-codepipeline-role"
+      ]
+    }
+    actions   = [
       "kms:Encrypt",
       "kms:Decrypt",
+      "kms:ReEncrypt*",
       "kms:GenerateDataKey*",
       "kms:DescribeKey"
     ]
     resources = ["*"]
+  }
+
+  statement {
+    sid       = "Allow attachment of persistent resources"
+    effect    = "Allow"
     principals {
       type        = "AWS"
-      identifiers = local.kms_admin_roles
+      identifiers = [
+        "arn:${local.partition}:iam::${local.account_id}:role/rhel-arm-image-pipeline-demo-codepipeline-role",
+        "arn:${local.partition}:iam::${local.account_id}:role/rhel-x86-image-pipeline-demo-ec2-role",
+        "arn:${local.partition}:iam::${local.account_id}:role/rhel-x86-image-pipeline-demo-codepipeline-role"
+      ]
     }
+    actions   = [
+      "kms:CreateGrant",
+      "kms:ListGrants",
+      "kms:RevokeGrant"
+    ]
+    resources = ["*"]
     condition {
       test     = "Bool"
       variable = "kms:GrantIsForAWSResource"
       values   = ["true"]
     }
   }
-}
-
-# Admin permissions for the KMS key
-data "aws_iam_policy_document" "key_admin" {
-  statement {
-    sid       = "BuiltinKMSAdminRoles"
-    effect    = "Allow"
-    actions   = ["kms:*"]
-    resources = ["*"]
-    principals {
-      type        = "AWS"
-      identifiers = local.kms_admin_roles
-    }
-  }
-}
-
-# Combine all policies into one for the KMS key
-data "aws_iam_policy_document" "key_policy_combined" {
-  source_policy_documents = [
-    data.aws_iam_policy_document.kms_outbound-main_policy.json,
-    data.aws_iam_policy_document.key_admin.json
-  ]
-}
-
-data "aws_iam_policy_document" "empty" {}
+}
diff --git a/s3.tf b/s3.tf
@@ -1,7 +1,7 @@
 resource "aws_s3_bucket" "rhel_x86_codepipeline_bucket" {
-  bucket = "rhel-x86-codepipeline-bucket-${random_string.suffix.result}"
-  force_destroy = true
-
+  bucket = "rhel-x86-codepipeline-bucket"
+  acl    = "private"
+ 
   server_side_encryption_configuration {
     rule {
       apply_server_side_encryption_by_default {
@@ -10,10 +10,8 @@ resource "aws_s3_bucket" "rhel_x86_codepipeline_bucket" {
       }
     }
   }
-}
-
-resource "random_string" "suffix" {
-  length  = 8
-  special = false
-  upper   = false
+
+  tags = {
+    Name = "RHEL x86 CodePipeline Bucket"
+  }
 }