Merge pull request #26 from terraform-modules/feature-kms

add kms keys, use for sns and sqs
terraform-modules · Mar 29, 2022 · 2af314d · 2af314d
2 parents dbd4d53 + 2cb4dcd
commit 2af314d
Show file tree

Hide file tree

Showing 8 changed files with 116 additions and 11 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -73,3 +73,7 @@
 
 * 0.2.4 -- 2022-03-28
   - add code to enable sqs
+
+* 0.2.5 -- 2022-03-29
+  - add kms.tf
+  - set CMS for sns, sqs, allow lambda to publish to sns
diff --git a/README.md b/README.md
@@ -111,6 +111,8 @@ No modules.
 | [aws_dynamodb_table.table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |
 | [aws_iam_role.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_kms_alias.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_lambda_alias.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_alias) | resource |
 | [aws_lambda_function.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
 | [aws_lambda_permission.allow_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
@@ -124,6 +126,9 @@ No modules.
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy.lambda_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.lambda_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.lambda_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.queue_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -142,6 +147,7 @@ No modules.
 | <a name="input_dynamodb_table_name"></a> [dynamodb\_table\_name](#input\_dynamodb\_table\_name) | Different DynamoDB table name to override default of var.name | `string` | `null` | no |
 | <a name="input_enable_sns"></a> [enable\_sns](#input\_enable\_sns) | Enable use of SNS for reporting errors | `bool` | `false` | no |
 | <a name="input_enable_sqs"></a> [enable\_sqs](#input\_enable\_sqs) | Enable use of SQS for SNS to send errors. Requires the use of enable\_sns as well | `bool` | `false` | no |
+| <a name="input_kms_key_name"></a> [kms\_key\_name](#input\_kms\_key\_name) | Different KMS Key (for SNS and SQS) to override default of var.name | `string` | `null` | no |
 | <a name="input_lambda_environment_variables"></a> [lambda\_environment\_variables](#input\_lambda\_environment\_variables) | Map of lambda environment variables and values | `map(string)` | <pre>{<br>  "DNS_RR_TimeToLive": 60,<br>  "DynamoDBName": null,<br>  "HeritageIdentifier": "dynr53",<br>  "HeritageTXTRecordPrefix": "_txt",<br>  "MaxApiRetry": 10,<br>  "SleepTime": 60,<br>  "SnsEnable": false,<br>  "SnsTopicArn": "",<br>  "TagKeyCname": "boc:dns:cname",<br>  "TagKeyHostName": "boc:dns:name",<br>  "TagKeyZone": "boc:dns:zone"<br>}</pre> | no |
 | <a name="input_lambda_environment_variables_override"></a> [lambda\_environment\_variables\_override](#input\_lambda\_environment\_variables\_override) | Map of lambda environment variables and values to override from the defaults | `map(string)` | `{}` | no |
 | <a name="input_lambda_name"></a> [lambda\_name](#input\_lambda\_name) | Different Lambda name to override default of var.name | `string` | `null` | no |

diff --git a/kms.tf b/kms.tf
@@ -0,0 +1,71 @@
+locals {
+  kms_name     = var.kms_key_name != null ? var.kms_key_name : local.name
+  kms_key_name = format("%s%s", local._prefixes["kms"], local.kms_name)
+
+  kms_admin_root = format("arn:%v:iam::%v:root", data.aws_arn.current.partition, local.account_id)
+  #  kms_admin_roles     = compact(concat(local.kms_admin_root, var.kms_admin_roles))
+  kms_admin_roles = [local.kms_admin_root]
+  #  kms_policy_document = length(var.kms_policy_document) > 0 ? var.kms_policy_document : data.aws_iam_policy_document.empty.json
+  kms_policy_document = data.aws_iam_policy_document.empty.json
+}
+
+# this only is used if we are creating the resources and SNS is enabled
+
+resource "aws_kms_key" "key" {
+  count               = var.create && var.enable_sns ? 1 : 0
+  description         = "KMS CMK for ${local.kms_name}"
+  enable_key_rotation = true
+  policy              = data.aws_iam_policy_document.key_policy_combined.json
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    { "Name" = local.kms_key_name },
+  )
+}
+
+resource "aws_kms_alias" "key" {
+  count         = var.create && var.enable_sns ? 1 : 0
+  name          = "alias/${local.kms_key_name}"
+  target_key_id = var.create && var.enable_sns ? aws_kms_key.key[0].key_id : null
+}
+
+data "aws_iam_policy_document" "key_policy" {
+  statement {
+    sid     = "BuiltinKMSAdminRoles"
+    effect  = "Allow"
+    actions = ["kms:*"]
+    principals {
+      type        = "AWS"
+      identifiers = local.kms_admin_roles
+    }
+    resources = ["*"]
+  }
+  statement {
+    sid    = "AllowSNS"
+    effect = "Allow"
+    actions = [
+      "kms:GenerateDataKey*",
+      "kms:Decrypt",
+    ]
+    principals {
+      type        = "Service"
+      identifiers = ["sns.amazonaws.com"]
+    }
+    resources = ["*"]
+  }
+}
+
+data "aws_iam_policy_document" "key_policy_combined" {
+  source_policy_documents = [
+    data.aws_iam_policy_document.key_policy.json,
+    local.kms_policy_document
+  ]
+}
+
+data "aws_iam_policy_document" "empty" {}
+
+# data "aws_kms_key" "incoming_key" {
+#   count  = var.kms_key_arn == null ? 0 : 1
+#   key_id = var.kms_key_arn
+# }
diff --git a/role.tf b/role.tf
@@ -84,12 +84,28 @@ data "aws_iam_policy_document" "lambda_policy" {
     for_each = var.create && var.enable_sns ? toset(["1"]) : toset([])
     iterator = s
     content {
-      sid       = "SNSLambdaAccess"
-      effect    = "Allow"
-      actions   = ["sns:Get*", "sns:Publish*"]
+      sid    = "SNSLambdaAccess"
+      effect = "Allow"
+      actions = [
+        "sns:Get*",
+        "sns:Publish*",
+      ]
       resources = [var.create && var.enable_sns ? aws_sns_topic.topic[0].arn : ""]
     }
   }
+  dynamic "statement" {
+    for_each = var.create && var.enable_sns ? toset(["1"]) : toset([])
+    iterator = s
+    content {
+      sid    = "AllowKMSforSNS"
+      effect = "Allow"
+      actions = [
+        "kms:GenerateDataKey*",
+        "kms:Decrypt",
+      ]
+      resources = [var.create && var.enable_sns ? aws_kms_key.key[0].arn : ""]
+    }
+  }
 }
 
 data "aws_iam_policy_document" "lambda_assume" {

diff --git a/sns.tf b/sns.tf
@@ -3,9 +3,10 @@ locals {
 }
 
 resource "aws_sns_topic" "topic" {
-  count        = var.create && var.enable_sns ? 1 : 0
-  name         = local.sns_name
-  display_name = "dynr53"
+  count             = var.create && var.enable_sns ? 1 : 0
+  name              = local.sns_name
+  display_name      = "dynr53"
+  kms_master_key_id = aws_kms_key.key[0].key_id
 }
 
 resource "aws_sns_topic_policy" "topic" {

diff --git a/sqs.tf b/sqs.tf
@@ -13,7 +13,7 @@ resource "aws_sqs_queue" "queue_deadletter" {
   receive_wait_time_seconds  = 15
   visibility_timeout_seconds = 3600
 
-  kms_master_key_id                 = "alias/aws/sqs"
+  kms_master_key_id                 = aws_kms_key.key[0].key_id
   kms_data_key_reuse_period_seconds = 300
 
   tags = merge(
@@ -71,7 +71,7 @@ resource "aws_sqs_queue" "queue" {
 }
 EOP
 
-  kms_master_key_id                 = "alias/aws/sqs"
+  kms_master_key_id                 = aws_kms_key.key[0].key_id
   kms_data_key_reuse_period_seconds = 300
 
   tags = merge(
@@ -100,8 +100,9 @@ data "aws_iam_policy_document" "queue_sqs" {
     resources = [aws_sqs_queue.queue[0].arn]
 
     principals {
-      type        = "AWS"
-      identifiers = ["*"]
+      #      type        = "AWS"
+      type        = "Service"
+      identifiers = ["sns.amazonaws.com"]
     }
 
     condition {

diff --git a/variables.tf b/variables.tf
@@ -28,6 +28,12 @@ variable "sqs_queue_name" {
   default     = null
 }
 
+variable "kms_key_name" {
+  description = "Different KMS Key (for SNS and SQS) to override default of var.name"
+  type        = string
+  default     = null
+}
+
 variable "lambda_environment_variables" {
   description = "Map of lambda environment variables and values"
   type        = map(string)

diff --git a/version.tf b/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "0.2.4"
+  _module_version = "0.2.5"
 }