From 02d93592c93fe6c69eef030e86a832080f268400 Mon Sep 17 00:00:00 2001
From: badra001 <donald.e.badrak.ii@census.gov>
Date: Tue, 11 May 2021 13:55:55 -0400
Subject: [PATCH] v2.1.0: add kms policy and admin roles

---
 CHANGELOG.md        |  3 +++
 common/README.md    |  7 +++++++
 common/data.tf      |  7 +++++++
 common/resources.tf | 34 +++++++++++++++++++++++++++++++++-
 common/variables.tf | 12 ++++++++++++
 common/version.tf   |  2 +-
 6 files changed, 63 insertions(+), 2 deletions(-)
 create mode 100644 common/data.tf

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 38e21b5..4f42716 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -28,3 +28,6 @@
 * v2.0.1 -- 20210325
   - make bucket policies denying missing encryption header optional
   - add variable: `require_explicit_encryption` default = false
+
+* v2.1.0 -- 20210511
+  - add kms_policy to be used for custom kms key policy and kms_admin_roles
diff --git a/common/README.md b/common/README.md
index 93e771d..3f9c08f 100644
--- a/common/README.md
+++ b/common/README.md
@@ -24,7 +24,12 @@ No modules.
 | [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 
@@ -37,7 +42,9 @@ No modules.
 | <a name="input_bucket_folders"></a> [bucket\_folders](#input\_bucket\_folders) | List of folders (keys) to create after creation of bucket. They will have object metadata provided based on metadata\_tags and data\_safeguard labels. | `list(string)` | `[]` | no |
 | <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | AWS Bucket Name.  Standard prefix will be applied here, do not include here. | `string` | n/a | yes |
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted.  The deletion may take a very long time based on the number of objects.  You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no |
+| <a name="input_kms_admin_roles"></a> [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key.  The root user is included by default. | `list(string)` | `[]` | no |
 | <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket).  This is currently ignored. | `string` | `""` | no |
+| <a name="input_kms_policy_document"></a> [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no |
 | <a name="input_metadata_tags"></a> [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here).  If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no |
 | <a name="input_require_explicit_encryption"></a> [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header.  Should not normally be needed. | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
diff --git a/common/data.tf b/common/data.tf
new file mode 100644
index 0000000..16506e6
--- /dev/null
+++ b/common/data.tf
@@ -0,0 +1,7 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_arn" "current" {
+  arn = data.aws_caller_identity.current.arn
+}
+
+data "aws_region" "current" {}
diff --git a/common/resources.tf b/common/resources.tf
index 6d5394a..7a9fc7f 100644
--- a/common/resources.tf
+++ b/common/resources.tf
@@ -1,3 +1,11 @@
+locals {
+
+  account_id       = data.aws_caller_identity.current.account_id
+  current_user_arn = data.aws_caller_identity.current.arn
+  partition        = data.aws_arn.current.partition
+  region           = data.aws_region.current.name
+}
+
 locals {
   name        = replace(var.bucket_name, local._prefixes["s3"], "")
   bucket_name = format("%s%s", local._prefixes["s3"], local.name)
@@ -6,6 +14,9 @@ locals {
   kms_key_arn  = aws_kms_key.key.arn
   kms_key_name = format("%s%s", local._prefixes["kms"], local.name)
 
+  kms_admin_root  = format("arn:%v:iam::%v:root", local.partition, local.account_id)
+  kms_admin_roles = compact(concat(local.kms_admin_root, var.kms_admin_roles))
+
   condition_allowed_cidr = {
     "test" : "NotIpAddress"
     "variable" : "aws:sourceIp"
@@ -210,7 +221,7 @@ resource "aws_s3_bucket_object" "this_objects" {
 resource "aws_kms_key" "key" {
   description         = "KMS CMK for S3 bucket ${local.name}"
   enable_key_rotation = true
-  # policy              = data.aws_iam_policy_document.key.json
+  policy              = data.aws_iam_policy_document.key_policy_combined.json
 
   tags = merge(
     local.base_tags,
@@ -224,3 +235,24 @@ resource "aws_kms_alias" "key" {
   name          = "alias/${local.kms_key_name}"
   target_key_id = aws_kms_key.key.key_id
 }
+
+# auto includes root
+data "aws_iam_policy_document" "key_admin" {
+  statement {
+    sid       = "KMSAdminRoles"
+    effect    = "Allow"
+    actions   = ["kms:*"]
+    resources = ["*"]
+    principals {
+      type        = "AWS"
+      identifiers = local.kms_admin_roles
+    }
+  }
+}
+
+data "aws_iam_policy_document" "key_policy_combined" {
+  source_policy_documents = [
+    data.aws_iam_policy_document.key_admin.json,
+    var.kms_policy_document
+  ]
+}
diff --git a/common/variables.tf b/common/variables.tf
index 1e97786..6b35a7c 100644
--- a/common/variables.tf
+++ b/common/variables.tf
@@ -15,6 +15,18 @@ variable "kms_key_id" {
   default     = ""
 }
 
+variable "kms_policy_document" {
+  description = "AWS KMS Key Policy Document JSON, merged with admin policy document"
+  type        = string
+  default     = ""
+}
+
+variable "kms_admin_roles" {
+  description = "AWS KMS Key administrative role(s) which have full access to the key.  The root user is included by default."
+  type        = list(string)
+  default     = []
+}
+
 variable "tags" {
   description = "AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data_safeguard field for such things."
   type        = map(string)
diff --git a/common/version.tf b/common/version.tf
index 100daf2..55a44df 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.0.1"
+  _module_version = "2.1.0"
 }