From d51267b77c377009f2c06f973cd0b0e095369887 Mon Sep 17 00:00:00 2001
From: badra001
Date: Tue, 23 Nov 2021 13:32:06 -0500
Subject: [PATCH] replace key policy with that from s3 objct logging
---
 cloudtrail-key/README.md | 1 +
 cloudtrail-key/main.tf | 58 ++++++++++++++++++++++++++++++++++++----
 2 files changed, 54 insertions(+), 5 deletions(-)
diff --git a/cloudtrail-key/README.md b/cloudtrail-key/README.md
index ad1aabe..176d26d 100644
--- a/cloudtrail-key/README.md
+++ b/cloudtrail-key/README.md
@@ -70,6 +70,7 @@ No modules.
 | [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key_orig](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
diff --git a/cloudtrail-key/main.tf b/cloudtrail-key/main.tf
index 6b780e4..dc888d7 100644
--- a/cloudtrail-key/main.tf
+++ b/cloudtrail-key/main.tf
@@ -54,10 +54,11 @@ locals {
 account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
 partition = data.aws_arn.current.partition
- name = var.name == null ? format("%v-%v", lookup(local._defaults["cloudtrail"], "name"), local.region) : var.name
- kms_key_name = format("%v%v", local._prefixes["kms"], local.name)
- kms_admin_root = format("arn:%v:iam::%v:root", local.partition, local.account_id)
- kms_admin_roles = compact(concat([local.kms_admin_root], var.kms_admin_roles))
+ name = var.name == null ? format("%v-%v", lookup(local._defaults["cloudtrail"], "name"), local.region) : var.name
+ kms_key_name = format("%v%v", local._prefixes["kms"], local.name)
+ kms_admin_root = format("arn:%v:iam::%v:root", local.partition, local.account_id)
+ # kms_admin_roles = compact(concat([local.kms_admin_root], var.kms_admin_roles))
+ kms_admin_roles = var.kms_admin_roles
 kms_policy_document = var.kms_policy_document != null ? var.kms_policy_document : data.aws_iam_policy_document.empty.json
 }
@@ -88,7 +89,7 @@ data "aws_iam_policy_document" "key_policy_combined" {
 ]
 }
-data "aws_iam_policy_document" "key" {
+data "aws_iam_policy_document" "key_orig" {
 policy_id = "Cloudtrail KMS Access"
 statement {
 sid = "EnableIAMUserPermissions"
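Review bot: The new `kms_admin_roles = var.kms_admin_roles` drops the `compact()` that the removed line applied, so an empty-string entry in `var.kms_admin_roles` now reaches whatever consumes `local.kms_admin_roles` (presumably the `key_admin` document, which is outside this hunk) as an invalid principal; `kms_admin_roles = compact(var.kms_admin_roles)` keeps that guard while still excluding the account root. The commented-out `# kms_admin_roles = compact(...)` line should be removed rather than left as dead code, and the reason root was dropped belongs in a comment instead, e.g. `# account root is granted kms:* by data.aws_iam_policy_document.key; only explicit admin roles are listed here`. The `locals` block starts before this hunk.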
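Review bot: Renaming the previous document to `key_orig` keeps a full policy document that nothing in this patch references, so it is still evaluated on every plan and will drift out of sync with the new `key` document as a stale second source of truth. If it is retained for comparison only, say so in a comment above it, e.g. `# superseded by data.aws_iam_policy_document.key below; kept for reference only`, otherwise delete it together with its README row. The `key_orig` block continues past the end of this hunk.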
@@ -216,3 +217,50 @@ data "aws_iam_policy_document" "key_admin" {
 }
 data "aws_iam_policy_document" "empty" {}
+
+
+#---
+# key policy for clodutrail
+# https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html
+# can't use aws_cloudtrail.this.arn as it makes for a circular reference
+#
+# from aws-setup-s3-object-logging
+#---
+data "aws_iam_policy_document" "key" {
+ policy_id = "object-logging-cloud-trail"
+ statement {
+ sid = "IAMPermissionsAccessKMSManagement"
+ effect = "Allow"
+ actions = ["kms:*"]
+ resources = ["*"]
+ principals {
+ type = "AWS"
+ identifiers = [local.kms_admin_root]
+ }
+ }
+ statement {
+ sid = "CloudTrailKMSAccess"
+ effect = "Allow"
+ actions = ["kms:DescribeKey"]
+ resources = ["*"]
+ principals {
+ type = "Service"
+ identifiers = ["cloudtrail.amazonaws.com"]
+ }
+ }
+ statement {
+ sid = "CloudTrailKMSEncryptAccess"
+ effect = "Allow"
+ actions = ["kms:GenerateDataKey"]
+ resources = ["*"]
+ principals {
+ type = "Service"
+ identifiers = ["cloudtrail.amazonaws.com"]
+ }
+ condition {
+ test = "StringLike"
+ variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+ values = [format("arn:%v:cloudtrail:*:%v:trail/*", local.partition, local.account_id)]
+ }
+ }
+}
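Review bot: The `CloudTrailKMSAccess` statement grants `kms:DescribeKey` to `cloudtrail.amazonaws.com` with no condition, so a trail configured in any other account that names this key can exercise it through the service (confused deputy); the exposure is limited to key metadata, but `CloudTrailKMSEncryptAccess` likewise relies on the encryption-context condition alone to keep the key account-local. Since the header comment explains that the exact trail ARN cannot be referenced without a dependency cycle, the account-scoped pattern already used for the encryption context can be applied to `aws:SourceArn` with `ArnLike` on both service statements, which is the caller-identity guard the linked AWS page describes for this policy (worth confirming against the current version of that page). The header comment also misspells `cloudtrail` as `clodutrail`, and the `policy_id` value `object-logging-cloud-trail` reflects the module it was copied from rather than this one.
```hcl
  statement {
    sid = "CloudTrailKMSAccess"
    # … unchanged: effect, actions, resources, principals …
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [format("arn:%v:cloudtrail:*:%v:trail/*", local.partition, local.account_id)]
    }
  }
  statement {
    sid = "CloudTrailKMSEncryptAccess"
    # … unchanged: effect, actions, resources, principals, kms:EncryptionContext condition …
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [format("arn:%v:cloudtrail:*:%v:trail/*", local.partition, local.account_id)]
    }
  }
```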