add cloudtrail-key

CHANGELOG.md

@@ -122,3 +122,7 @@
 * v1.13.2 -- 20210713
   - general
     - change ip_restriction to be a dynamic condition block to also include VpcSourceIp
+
+* v1.14.0 -- 20211115
+  - cloudtrail-key
+    - create module to setup a KMS ke per region for cloudtrail

cloudtrail-key/README.md

@@ -0,0 +1,95 @@
+# aws-inf-setup :: cloudtrail-keys
+
+This set up the KMS key used by Cloudtrail for the ts S3 bucket, CloudTrail, and SQS (if possible).
+
+* Cloudtrail
+* S3 bucket
+* SQS
+
+## Usage, Simple Example
+Here is a simple example, the one most commonly expected to be used.
+
+```hcl
+module "cloudtrail_key_simple" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail-key"
+
+  tags = {
+    Environment = "csvd:infrastructure"
+  }
+}
+```
+
+## Usage, Longer Example
+This one can be used if you need to customize stuff, though really, the defaults are all built
+for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in
+variable file generation.
+
+```hcl
+module "cloudtrail_key_full" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail-key"
+
+  name                = "mycloudtrail"
+  kms_admin_roles     = ["arn:aws:iam::079788916859:role/r-inf-cloud-admin"]
+  kms_policy_document = data.aws_iam_policy_document.myct_policy.json
+
+  tags = {
+    Environment = "csvd:infrastructure"
+  }
+
+  component_tags = {
+    "kms" = {
+      "SpecialTag1" = "something"
+      "SpecialTag2" = "somethingElse"
+    }
+  }
+}
+```
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_kms_alias.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| <a name="input_component_tags"></a> [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | <pre>{<br>  "ddb": {},<br>  "kms": {},<br>  "s3": {}<br>}</pre> | no |
+| <a name="input_kms_admin_roles"></a> [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key.  The root user is included by default. | `list(string)` | `[]` | no |
+| <a name="input_kms_policy_document"></a> [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `null` | no |
+| <a name="input_name"></a> [name](#input\_name) | Name to apply to Cloudtrail KMS Key (default: k-inf-cloudtrail) | `string` | `null` | no |
+| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_kms_aliase_nam"></a> [kms\_aliase\_nam](#output\_kms\_aliase\_nam) | Cloudtrail Key Alias name |
+| <a name="output_kms_key_arn"></a> [kms\_key\_arn](#output\_kms\_key\_arn) | Cloudtrail Key ARN |
+| <a name="output_kms_key_id"></a> [kms\_key\_id](#output\_kms\_key\_id) | Cloudtrail Key ID |

cloudtrail-key/base_tags.tf

@@ -0,0 +1,6 @@
+locals {
+  base_tags = {
+    "boc:tf_module_version" = local._module_version
+    "boc:created_by"        = "terraform"
+  }
+}

cloudtrail-key/data.tf

@@ -0,0 +1 @@
+../common/data.tf

cloudtrail-key/defaults.tf

@@ -0,0 +1 @@
+../common/defaults.tf

cloudtrail-key/main.tf

@@ -0,0 +1,218 @@
+/*
+* # aws-inf-setup :: cloudtrail-keys
+* 
+* This set up the KMS key used by Cloudtrail for the ts S3 bucket, CloudTrail, and SQS (if possible).
+* 
+* * Cloudtrail
+* * S3 bucket
+* * SQS
+* 
+* ## Usage, Simple Example
+* Here is a simple example, the one most commonly expected to be used.
+*
+* ```hcl
+* module "cloudtrail_key_simple" {
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail-key"
+* 
+*   tags = {
+*     Environment = "csvd:infrastructure"
+*   }
+* }
+* ```
+*
+* ## Usage, Longer Example
+* This one can be used if you need to customize stuff, though really, the defaults are all built 
+* for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in
+* variable file generation.
+*
+* ```hcl
+* module "cloudtrail_key_full" {
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail-key"
+* 
+*   name                = "mycloudtrail"
+*   kms_admin_roles     = ["arn:aws:iam::079788916859:role/r-inf-cloud-admin"]
+*   kms_policy_document = data.aws_iam_policy_document.myct_policy.json
+* 
+*   tags = {
+*     Environment = "csvd:infrastructure"
+*   }
+* 
+*   component_tags = {
+*     "kms" = {
+*       "SpecialTag1" = "something"
+*       "SpecialTag2" = "somethingElse"
+*     }
+*   }
+* }
+* ```
+*/
+
+locals {
+  # basic details about the env
+  account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+  region              = data.aws_region.current.name
+  account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+  partition           = data.aws_arn.current.partition
+
+  name                = var.name == null ? format("%v-%v", lookup(local._defaults["cloudtrail"], "name"), local.region) : var.name
+  kms_key_name        = format("k-%v", local.name)
+  kms_admin_root      = [format("arn:%v:iam::%v:root", local.partition, local.account_id)]
+  kms_admin_roles     = compact(concat(local.kms_admin_root, var.kms_admin_roles))
+  kms_policy_document = length(var.kms_policy_document) > 0 ? var.kms_policy_document : data.aws_iam_policy_document.empty.json
+
+}
+
+resource "aws_kms_key" "key" {
+  description         = "KMS CMK for cloudtrail"
+  enable_key_rotation = true
+  policy              = data.aws_iam_policy_document.key_policy_combined.json
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    map("boc:aws:region", local.region),
+    map("Name", local.kms_key_name),
+  )
+}
+
+resource "aws_kms_alias" "key" {
+  name          = "alias/${local.kms_key_name}"
+  target_key_id = aws_kms_key.key.key_id
+}
+
+data "aws_iam_policy_document" "key_policy_combined" {
+  source_policy_documents = [
+    data.aws_iam_policy_document.key.json,
+    data.aws_iam_policy_document.key_admin.json,
+    local.kms_policy_document
+  ]
+}
+
+data "aws_iam_policy_document" "key" {
+  policy_id = "Cloudtrail KMS Access"
+  statement {
+    sid       = "EnableIAMUserPermissions"
+    effect    = "Allow"
+    actions   = ["kms:*"]
+    resources = ["*"]
+    principals {
+      type        = "AWS"
+      identifiers = [local.kms_admin_root]
+    }
+  }
+  statement {
+    sid       = "AllowCloudTrailEncryptLogs"
+    effect    = "Allow"
+    actions   = ["kms:GenerateDataKey*"]
+    resources = ["*"]
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com", "logs.amazonaws.com", "logs.${local.region}.amazonaws.com"]
+    }
+    condition {
+      test     = "StringLike"
+      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+      #      values   = [format("arn:%v:cloudtrail:%v:%v:trail/*",local.partition,local.region,local.account_id]
+      values = [format("arn:%v:cloudtrail:*:%v:trail/*", local.partition, local.account_id)]
+    }
+  }
+  statement {
+    sid    = "AllowCloudTrailKeyActivities"
+    effect = "Allow"
+    actions = [
+      "kms:Describe*",
+      "log:AssociateKmsKey",
+      "log:DisassociateKmsKey"
+    ]
+    resources = ["*"]
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com", "logs.amazonaws.com", "logs.${local.region}.amazonaws.com"]
+    }
+  }
+  statement {
+    sid    = "AllowPrincipalsDecryptLogFiles"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncryptFrom"
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      variable = "kms:CallerAccount"
+      values   = [var.account_id]
+    }
+    condition {
+      test     = "StringLike"
+      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+      #      values   = [format("arn:%v:cloudtrail:%v:%v:trail/*",local.partition,local.region,local.account_id]
+      values = [format("arn:%v:cloudtrail:*:%v:trail/*", local.partition, local.account_id)]
+    }
+  }
+  statement {
+    sid    = "EnableCrossAccountDecryptLogFiles"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncryptFrom"
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      variable = "kms:CallerAccount"
+      values   = [var.account_id]
+    }
+    condition {
+      test     = "StringLike"
+      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+      #      values   = [format("arn:%v:cloudtrail:%v:%v:trail/*",local.partition,local.region,local.account_id]
+      values = [format("arn:%v:cloudtrail:*:%v:trail/*", local.partition, local.account_id)]
+    }
+  }
+  statement {
+    sid       = "AllowAliasCreationDuringSetup"
+    effect    = "Allow"
+    actions   = ["kms:CreateAlias"]
+    resources = ["*"]
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "kms:CallerAccount"
+      values   = [var.account_id]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "kms:ViaService"
+      values   = [format("ec2.%v.amazonaws.com", local.region)]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "key_admin" {
+  statement {
+    sid       = "BuiltinKMSAdminRoles"
+    effect    = "Allow"
+    actions   = ["kms:*"]
+    resources = ["*"]
+    principals {
+      type        = "AWS"
+      identifiers = local.kms_admin_roles
+    }
+  }
+}
+
+data "aws_iam_policy_document" "empty" {}

cloudtrail-key/outputs.tf

@@ -0,0 +1,14 @@
+output "kms_key_id" {
+  description = "Cloudtrail Key ID"
+  value       = aws_kms_key.key.id
+}
+
+output "kms_key_arn" {
+  description = "Cloudtrail Key ARN"
+  value       = aws_kms_key.key.arn
+}
+
+output "kms_aliase_nam" {
+  description = "Cloudtrail Key Alias name"
+  value       = aws_kms_alias.key.arn
+}

cloudtrail-key/prefixes.tf

@@ -0,0 +1 @@
+../common/prefixes.tf

cloudtrail-key/variables.common.tf

@@ -0,0 +1 @@
+../common/variables.common.tf

cloudtrail-key/variables.tf

@@ -0,0 +1,23 @@
+variable "name" {
+  description = "Name to apply to Cloudtrail KMS Key (default: k-inf-cloudtrail)"
+  type        = string
+  default     = null
+}
+
+variable "kms_policy_document" {
+  description = "AWS KMS Key Policy Document JSON, merged with admin policy document"
+  type        = string
+  default     = null
+}
+
+variable "kms_admin_roles" {
+  description = "AWS KMS Key administrative role(s) which have full access to the key.  The root user is included by default."
+  type        = list(string)
+  default     = []
+}
+
+variable "component_tags" {
+  description = "Additional tags for Components (s3, kms, ddb)"
+  type        = map(map(string))
+  default     = { "s3" = {}, "kms" = {}, "ddb" = {} }
+}

cloudtrail-key/version.tf

@@ -0,0 +1 @@
+../common/version.tf

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.13.2"
+  _module_version = "1.14.0"
 }