From f178cb00ddf046ab7a085de009095328fb361e62 Mon Sep 17 00:00:00 2001
From: lolli001
Date: Tue, 30 Jul 2024 11:46:57 -0400
Subject: [PATCH] Updated KMS

---
 README.md | 4 --
 kms.tf | 134 +++++++++++++++++++++++++++++++++---------------------
 s3.tf | 16 +++----
 3 files changed, 90 insertions(+), 64 deletions(-)

diff --git a/README.md b/README.md
index 3197b43..922db07 100644
--- a/README.md
+++ b/README.md
@@ -26,7 +26,3 @@ rebecaa linn : She does x86 (get context for ARM)
 cd ~/.aws/
-
-Update KMS.tf with key policy code (Teams)
-Set AMI everywhere
-Update
\ No newline at end of file
diff --git a/kms.tf b/kms.tf
index a287c22..150eba7 100644
--- a/kms.tf
+++ b/kms.tf
@@ -1,77 +1,109 @@ locals { - kms_key_name = "rhel-pipeline-kms-key" - kms_admin_root = ["arn:aws-us-gov:iam::229685449397:root"] - kms_admin_roles = [ - "arn:aws-us-gov:iam::229685449397:role/rhel-arm-image-pipeline-demo-codepipeline-role", - "arn:aws-us-gov:iam::229685449397:role/rhel-x86-image-pipeline-demo-ec2-role", - "arn:aws-us-gov:iam::229685449397:role/rhel-x86-image-pipeline-demo-codepipeline-role" - ] - multi_region = false + kms_key_name = "rhel-x86-codepipeline-key" # Name for the KMS key alias + account_id = "229685449397" # Replace with your AWS account ID + partition = "aws-us-gov" } -# Create a KMS key with key rotation enabled -resource "aws_kms_key" "key" { - description = "KMS CMK for RHEL Pipeline" +# Define the KMS Key resource +resource "aws_kms_key" "rhel_x86_codepipeline_key" { + description = "KMS key for RHEL x86 CodePipeline" enable_key_rotation = true - policy = data.aws_iam_policy_document.key_policy_combined.json - multi_region = local.multi_region - tags = { - Name = local.kms_key_name - } + policy = data.aws_iam_policy_document.key_policy_combined.json } -# Create a KMS alias -resource "aws_kms_alias" "key" { +# Define the KMS Key Alias +resource "aws_kms_alias" "rhel_x86_codepipeline_alias" { name = "alias/${local.kms_key_name}" - target_key_id = aws_kms_key.key.id + target_key_id = aws_kms_key.rhel_x86_codepipeline_key.key_id } -# KMS Policy for allowing usage of the key -data "aws_iam_policy_document" "kms_outbound-main_policy" { +# Define the key policy document +data "aws_iam_policy_document" "key_policy_combined" { statement { - sid = "S3AccessEncryptionKey" - effect = "Allow" - actions = [ - "kms:ReEncrypt*", + sid = "Enable IAM User Permissions" + effect = "Allow" + principals { + type = "AWS" + identifiers = ["arn:${local.partition}:iam::${local.account_id}:root"] + } + actions = ["kms:*"] + resources = ["*"] + } + + statement { + sid = "Allow access for Key Administrators" + effect = "Allow" + principals { + type = "AWS" + 
identifiers = [ + "arn:${local.partition}:iam::${local.account_id}:role/rhel-arm-image-pipeline-demo-codepipeline-role", + "arn:${local.partition}:iam::${local.account_id}:role/rhel-x86-image-pipeline-demo-ec2-role", + "arn:${local.partition}:iam::${local.account_id}:role/rhel-x86-image-pipeline-demo-codepipeline-role" + ] + } + actions = [ + "kms:Create*", + "kms:Describe*", + "kms:Enable*", + "kms:List*", + "kms:Put*", + "kms:Update*", + "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", + "kms:TagResource", + "kms:UntagResource", + "kms:ScheduleKeyDeletion", + "kms:CancelKeyDeletion", + "kms:RotateKeyOnDemand" + ] + resources = ["*"] + } + + statement { + sid = "Allow use of the key" + effect = "Allow" + principals { + type = "AWS" + identifiers = [ + "arn:${local.partition}:iam::${local.account_id}:role/rhel-arm-image-pipeline-demo-codepipeline-role", + "arn:${local.partition}:iam::${local.account_id}:role/rhel-x86-image-pipeline-demo-ec2-role", + "arn:${local.partition}:iam::${local.account_id}:role/rhel-x86-image-pipeline-demo-codepipeline-role" + ] + } + actions = [ "kms:Encrypt", "kms:Decrypt", + "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ] resources = ["*"] + } + + statement { + sid = "Allow attachment of persistent resources" + effect = "Allow" principals { type = "AWS" - identifiers = local.kms_admin_roles + identifiers = [ + "arn:${local.partition}:iam::${local.account_id}:role/rhel-arm-image-pipeline-demo-codepipeline-role", + "arn:${local.partition}:iam::${local.account_id}:role/rhel-x86-image-pipeline-demo-ec2-role", + "arn:${local.partition}:iam::${local.account_id}:role/rhel-x86-image-pipeline-demo-codepipeline-role" + ] } + actions = [ + "kms:CreateGrant", + "kms:ListGrants", + "kms:RevokeGrant" + ] + resources = ["*"] condition { test = "Bool" variable = "kms:GrantIsForAWSResource" values = ["true"] } } -} - -# Admin permissions for the KMS key -data "aws_iam_policy_document" "key_admin" { - statement { - sid = 
"BuiltinKMSAdminRoles" - effect = "Allow" - actions = ["kms:*"] - resources = ["*"] - principals { - type = "AWS" - identifiers = local.kms_admin_roles - } - } -} - -# Combine all policies into one for the KMS key -data "aws_iam_policy_document" "key_policy_combined" { - source_policy_documents = [ - data.aws_iam_policy_document.kms_outbound-main_policy.json, - data.aws_iam_policy_document.key_admin.json - ] -} - -data "aws_iam_policy_document" "empty" {} \ No newline at end of file +} \ No newline at end of file diff --git a/s3.tf b/s3.tf index aa6d04e..bdcef9b 100644 --- a/s3.tf +++ b/s3.tf @@ -1,7 +1,7 @@ resource "aws_s3_bucket" "rhel_x86_codepipeline_bucket" { - bucket = "rhel-x86-codepipeline-bucket-${random_string.suffix.result}" - force_destroy = true - + bucket = "rhel-x86-codepipeline-bucket" + acl = "private" + server_side_encryption_configuration { rule { apply_server_side_encryption_by_default { @@ -10,10 +10,8 @@ resource "aws_s3_bucket" "rhel_x86_codepipeline_bucket" { } } } -} - -resource "random_string" "suffix" { - length = 8 - special = false - upper = false + + tags = { + Name = "RHEL x86 CodePipeline Bucket" + } } \ No newline at end of file
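Review bot: The "Allow access for Key Administrators" statement names the same three pipeline and EC2 roles that the "Allow use of the key" and grant statements name, so the workload roles that encrypt and decrypt with this key are also its administrators. Among the administrative actions, `kms:Put*` covers `kms:PutKeyPolicy`, and `kms:Delete*` plus `kms:ScheduleKeyDeletion` are also granted, so any one of those roles can rewrite the key policy or schedule the key for deletion; keeping admin and use on separate principals is the usual safeguard here. I would point the administrators statement at a dedicated admin principal, e.g. `identifiers = ["arn:${local.partition}:iam::${local.account_id}:role/<KMS_ADMIN_ROLE_NAME>"]` (placeholder name), and leave the three pipeline roles only in the use and grant statements. The `account_id` and `partition` locals carry a "Replace with your AWS account ID" comment; `data.aws_caller_identity.current.account_id` and `data.aws_partition.current.partition` would remove that manual step and the chance of applying the policy against the wrong account.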
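Review bot: The new `acl = "private"` argument, like the `server_side_encryption_configuration` block it sits next to, is a deprecated inline argument of `aws_s3_bucket`; on AWS provider 4.x or later these are expected to be the separate `aws_s3_bucket_acl` and `aws_s3_bucket_server_side_encryption_configuration` resources, so if the project is on that provider version this hunk will warn now and stop working on a later upgrade. The bucket name also changes from a suffixed name to the fixed `rhel-x86-codepipeline-bucket`; since bucket names are unique across the partition, the apply fails if that name is already taken by another account, which is worth a comment on the `bucket` line at least. Whether an `aws_s3_bucket_public_access_block` accompanies this bucket is not visible in this diff. The `aws_s3_bucket` resource continues past the end of the hunk.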