* 2.5.0 -- 2024-01-02

  - s3-config-org
    - create for org-based s3 bucket and kms key for centralized config locations (within aws organization)

CHANGELOG.md

@@ -325,3 +325,7 @@
 * 2.4.14 -- 2023-11-09
   - iam-general-policies
     - add kms:ListGrants to KMS keys
+
+* 2.5.0 -- 2024-01-02
+  - s3-config-org
+    - create for org-based s3 bucket and kms key for centralized config locations (within aws organization)

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.4.14"
+  _module_version = "2.5.0"
 }

s3-config-org/README.md

@@ -0,0 +1,144 @@
+# aws-inf-setup :: s3-config
+
+This set up the needed components for S3 config bucket.   This needs to be in just one region.
+
+* S3 bucket
+
+# Usage
+Here is a simple example, the one most commonly expected to be used.
+
+```hcl
+module "config" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-config"
+}
+```
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_s3_bucket.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_public_access_block.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | Logging S3 bucket name | `string` | `""` | no |
+| <a name="input_bucket_name_prefix"></a> [bucket\_name\_prefix](#input\_bucket\_name\_prefix) | Logging S3 bucket prefix, prepended to the AWS account ID and region to make the bucket name. | `string` | `"inf-config"` | no |
+| <a name="input_component_tags"></a> [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms) | `map(map(string))` | <pre>{<br>  "kms": {},<br>  "s3": {}<br>}</pre> | no |
+| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_bucket_arn"></a> [bucket\_arn](#output\_bucket\_arn) | Config S3 bucket ARN |
+| <a name="output_bucket_id"></a> [bucket\_id](#output\_bucket\_id) | Config S3 bucket ID |
+
+<!-- BEGIN_TF_DOCS -->
+# aws-inf-setup :: s3-config-org
+
+This set up the needed components for an organization-use S3 config bucket.  THis will exist in each available
+region.
+
+* S3 bucket
+
+# Usage
+Here is a simple example, the one most commonly expected to be used.
+
+```hcl
+module "config" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-config-org"
+}
+```
+
+# Links
+* https://cloudyadvice.com/2022/04/14/automated-enterprise-deployment-of-aws-config/
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_time"></a> [time](#provider\_time) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_kms_alias.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_s3_bucket.config_org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_acl.config_org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_logging.config_org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
+| [aws_s3_bucket_ownership_controls.config_org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
+| [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_public_access_block.config_org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.config_org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_versioning.config_org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
+| [time_sleep.policy_delay](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | Organization Config S3 bucket name | `string` | `null` | no |
+| <a name="input_bucket_name_prefix"></a> [bucket\_name\_prefix](#input\_bucket\_name\_prefix) | Organization Config S3 bucket prefix, prepended to the AWS account ID and region to make the bucket name. | `string` | `"inf-org-config"` | no |
+| <a name="input_component_tags"></a> [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms) | `map(map(string))` | <pre>{<br>  "kms": {},<br>  "s3": {}<br>}</pre> | no |
+| <a name="input_key_name"></a> [key\_name](#input\_key\_name) | Name to apply to Org Logging KMS Key (default: k-inf-org-logging) | `string` | `null` | no |
+| <a name="input_kms_admin_roles"></a> [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key.  The root user is included by default. | `list(string)` | `[]` | no |
+| <a name="input_kms_policy_document"></a> [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `null` | no |
+| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_bucket_arn"></a> [bucket\_arn](#output\_bucket\_arn) | Organization Config S3 bucket ARN |
+| <a name="output_bucket_id"></a> [bucket\_id](#output\_bucket\_id) | Organization Config S3 bucket ID |
+| <a name="output_kms_alias_name"></a> [kms\_alias\_name](#output\_kms\_alias\_name) | Organization Config S3 Key Alias name |
+| <a name="output_kms_key_arn"></a> [kms\_key\_arn](#output\_kms\_key\_arn) | Organization Config S3 Key ARN |
+| <a name="output_kms_key_id"></a> [kms\_key\_id](#output\_kms\_key\_id) | Organization Config S3 Key ID |
+<!-- END_TF_DOCS -->

s3-config-org/data.org.tf

@@ -0,0 +1 @@
+data "aws_organizations_organization" "org" {}

s3-config-org/data.tf

@@ -0,0 +1 @@
+../common/data.tf

s3-config-org/defaults.tf

@@ -0,0 +1 @@
+../common/defaults.tf

s3-config-org/kms.tf

@@ -0,0 +1,139 @@
+locals {
+  kms_key_name        = format("%v%v", local._prefixes["kms"], local.key_name)
+  kms_admin_root      = format("arn:%v:iam::%v:root", local.partition, local.account_id)
+  kms_admin_roles     = var.kms_admin_roles
+  kms_policy_document = var.kms_policy_document != null ? var.kms_policy_document : data.aws_iam_policy_document.empty.json
+}
+
+resource "aws_kms_key" "key" {
+  description         = "KMS CMK for Organization Config S3"
+  enable_key_rotation = true
+  policy              = data.aws_iam_policy_document.key_policy_combined.json
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    {
+      "boc:aws:region" = local.region
+      Name             = local.kms_key_name
+    },
+  )
+}
+
+resource "aws_kms_alias" "key" {
+  name          = "alias/${local.kms_key_name}"
+  target_key_id = aws_kms_key.key.key_id
+}
+
+data "aws_iam_policy_document" "key_policy_combined" {
+  source_policy_documents = [
+    data.aws_iam_policy_document.key.json,
+    data.aws_iam_policy_document.key_admin.json,
+    local.kms_policy_document
+  ]
+}
+
+data "aws_iam_policy_document" "key_admin" {
+  dynamic "statement" {
+    for_each = length(local.kms_admin_roles) > 0 ? [1] : []
+    content {
+      sid       = "BuiltinKMSAdminRoles"
+      effect    = "Allow"
+      actions   = ["kms:*"]
+      resources = ["*"]
+      principals {
+        type        = "AWS"
+        identifiers = local.kms_admin_roles
+      }
+    }
+  }
+}
+
+data "aws_iam_policy_document" "empty" {}
+
+data "aws_iam_policy_document" "key" {}
+
+## data "aws_iam_policy_document" "key" {
+##   policy_id = "object-logging-cloud-trail"
+##   # manage key by root and other principals
+##   statement {
+##     sid       = "IAMPermissionsAccessKMSManagement"
+##     effect    = "Allow"
+##     actions   = ["kms:*"]
+##     resources = ["*"]
+##     principals {
+##       type        = "AWS"
+##       identifiers = [local.kms_admin_root]
+##     }
+##   }
+##   # let cloudtrial, logs, sns, and sqs find key
+##   statement {
+##     sid       = "KMSDescribeKeyFromServices"
+##     effect    = "Allow"
+##     actions   = ["kms:DescribeKey"]
+##     resources = ["*"]
+##     principals {
+##       type        = "Service"
+##       identifiers = ["cloudtrail.amazonaws.com", "sns.amazonaws.com", "sqs.amazonaws.com"]
+##     }
+##   }
+##   statement {
+##     sid    = "OrgLoggingKMSEncryptAccess"
+##     effect = "Allow"
+##     actions = [
+##       "kms:Decrypt*",
+##       "kms:Encrypt*",
+##       "kms:ReEncrypt*",
+##       "kms:GenerateDataKey",
+##     ]
+##     resources = ["*"]
+##     principals {
+##       type        = "Service"
+##       identifiers = ["cloudtrail.amazonaws.com"]
+##     }
+##     #    condition {
+##     #      test     = "StringLike"
+##     #      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+##     #      values   = [format("arn:%v:cloudtrail:*:%v:trail/*", local.partition, local.account_id)]
+##     #    }
+##   }
+##   # https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html
+##   statement {
+##     sid    = "Cloudwatch"
+##     effect = "Allow"
+##     actions = [
+##       "kms:Decrypt*",
+##       "kms:Encrypt*",
+##       "kms:ReEncrypt*",
+##       "kms:GenerateDataKey*",
+##       "kms:Describe*"
+##     ]
+##     resources = ["*"]
+##     principals {
+##       type        = "Service"
+##       identifiers = ["logs.amazonaws.com", "logs.${local.region}.amazonaws.com"]
+##     }
+##     condition {
+##       test     = "StringLike"
+##       variable = "kms:EncryptionContext:aws:logs:arn"
+##       values   = [format("arn:%v:logs:%v:%v:log-group:*", local.partition, local.region, local.account_id)]
+##     }
+##   }
+##   # https://aws.amazon.com/blogs/compute/encrypting-messages-published-to-amazon-sns-with-aws-kms/
+##   # https://docs.aws.amazon.com/sns/latest/dg/sns-key-management.html#sns-what-permissions-for-sse
+##   # https://docs.aws.amazon.com/sns/latest/dg/sns-enable-encryption-for-topic-sqs-queue-subscriptions.html
+##   statement {
+##     sid    = "ServiceMSAccess"
+##     effect = "Allow"
+##     actions = [
+##       "kms:Decrypt*",
+##       "kms:GenerateDataKey*",
+##       "kms:Describe*"
+##     ]
+##     resources = ["*"]
+##     principals {
+##       type        = "Service"
+##       identifiers = ["sns.amazonaws.com", "sqs.amazonaws.com"]
+##     }
+##   }
+## }