From 17bc30dcbb3d6db016102ff614386ae862e0a3c9 Mon Sep 17 00:00:00 2001
From: ashle001
Date: Tue, 22 Sep 2020 13:43:15 -0400
Subject: [PATCH] add create kms key

---
 main.tf | 52 +++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 37 insertions(+), 15 deletions(-)

diff --git a/main.tf b/main.tf
index 1bfd1f6..82cb4cf 100644
--- a/main.tf
+++ b/main.tf
@@ -12,6 +12,19 @@ locals {
   enforced_tags = {
     "boc:safeguard" = "title26"
   }
+  account_id = data.aws_caller_identity.current.account_id
+  aws_region = data.aws_region.current.name
+  partition = data.aws_arn.current.partition
+  name = (var.name != "" && var.name != null) ? var.name : format("inf-objectlogging-%v-%v", local.account_id, local.aws_region)
+
+  # kms_key_arn_exists = var.kms_key_arn != "" && var.kms_key_arn != null
+  kms_key_arn = aws_kms_key.key.arn
+  kms_key_name = format("%s%s", local._prefixes["kms"], local.name)
+
+  base_tags = {
+    "boc:tf_module_version" = var._module_version
+    "boc:created_by" = "terraform"
+  }
 }
 
 #---
@@ -21,8 +34,6 @@ resource "aws_s3_bucket" "this" {
   bucket = var.bucket_name
   acl = "private"
 
-  force_destroy = true
-
   server_side_encryption_configuration {
     rule {
       apply_server_side_encryption_by_default {
@@ -34,13 +45,12 @@ resource "aws_s3_bucket" "this" {
 
   versioning {
     enabled = true
-    #enabled = false
   }
 
   logging {
     target_bucket = var.access_log_bucket
-    target_prefix = format("%s/%s/", var.access_log_bucket_prefix, var.bucket_name)
-  }
+    target_prefix = format("%s/%s/", var.access_log_bucket_prefix, var.access_log_bucket)
+  }
 
   lifecycle {
     prevent_destroy = true
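Review bot: The commented-out `kms_key_arn_exists` line in the new locals is dead code while `kms_key_arn` is hard-wired to `aws_kms_key.key.arn`, so a caller-supplied key ARN (if such a variable exists in the module) can never be honoured. Either delete the comment or finish the intent with something like `kms_key_arn = (var.kms_key_arn != "" && var.kms_key_arn != null) ? var.kms_key_arn : aws_kms_key.key.arn`, which would also need a matching conditional on the key resource. The `partition` local is introduced here but nothing in this diff reads it; if it is used elsewhere a short comment naming the consumer would help the next reader.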
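Review bot: In the `logging` block of `aws_s3_bucket.this` the new `target_prefix` is built from `var.access_log_bucket`, the destination bucket's own name, instead of the source bucket, so every bucket that logs into the same access-log bucket would write under one shared prefix and their server-access logs become indistinguishable; that weakens the audit trail this module appears to exist for. If the change is deliberate, a comment such as `# prefix keyed on the log bucket, not the source bucket, because ...` should say why; otherwise the prefix should keep identifying the source bucket. The `-  }` / `+  }` pair looks like a whitespace-only change that a `terraform fmt` pass would settle. The enclosing resource block starts before and ends after this hunk.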
@@ -86,21 +96,13 @@ data "aws_iam_policy_document" "this" {
     }
   }
 
-##########
-# attach bucket policy
-##########
-resource "aws_s3_bucket_policy" "this" {
-  bucket = aws_s3_bucket.this.bucket
-  policy = data.aws_iam_policy_document.this.json
-}
-
 resource "null_resource" "s3_create_wait" {
   triggers = {
     bucket = aws_s3_bucket.this.id
   }
   provisioner "local-exec" {
     when = create
-    command = "sleep 180"
+    command = "sleep 120"
   }
 }
 
@@ -116,9 +118,24 @@ resource "aws_s3_bucket_object" "this_objects" {
 #-------------------------------------------------------------------------
 # EFS KMS KEY AND ALIAS
 #-------------------------------------------------------------------------
+#resource "aws_kms_key" "key" {
+#  description = "KMS CMK for title26_s3 ${local.name}"
+#  enable_key_rotation = true
+
+#  tags = merge(
+#    local.base_tags,
+#    { "Name" = local.kms_key_name },
+#    var.tags
+#  )
+#}
+
+#---
+# create a key and alias if not specified
+#---
 resource "aws_kms_key" "key" {
-  description = "KMS CMK for title26_s3 ${local.name}"
+  description = "KMS CMK for Cloudtrail and S3 bucket ${local.name}"
   enable_key_rotation = true
+  policy = data.aws_iam_policy_document.key.json
 
   tags = merge(
     local.base_tags,
@@ -131,3 +148,8 @@ resource "aws_kms_alias" "key" {
   name = "alias/${local.kms_key_name}"
   target_key_id = aws_kms_key.key.key_id
 }
+
+resource "aws_kms_alias" "key" {
+  name = "alias/${local.kms_key_name}"
+  target_key_id = aws_kms_key.key.key_id
+}
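Review bot: Removing `aws_s3_bucket_policy.this` leaves `data.aws_iam_policy_document.this` (whose block starts before this hunk) defined but attached to nothing, so the bucket now carries no bucket policy and whatever that document granted or denied no longer applies; the diff does not show its statements, so I cannot tell how much protection is lost, but a log-destination bucket with no policy is worth a second look. If the attachment has moved to another file, a one-line comment at the data source naming that location would prevent the next reader from deleting it as unused; if not, the data source should go with it. The shortened `sleep 120` is still an unexplained magic number; a comment such as `# wait for the bucket to become consistent before objects are written` would capture the intent.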
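Review bot: The header comment `# create a key and alias if not specified` on `aws_kms_key.key` does not match the resource, which has no `count` or conditional and is therefore always created; either add the conditional or reword the comment to `# always create a dedicated CMK for the bucket`. The commented-out copy of the previous resource above it is dead code that git history already preserves and should be removed rather than kept as a comment. The new `policy = data.aws_iam_policy_document.key.json` references a document not shown in this diff; presumably it is defined elsewhere, but please confirm it retains administrative access for the account (KMS keys whose policy grants no principal in the owning account the ability to manage them can become unmanageable), since this is the only place the key's policy is set. The resource block continues past the end of the hunk.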
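Review bot: The added block declares a second `resource "aws_kms_alias" "key"` with the same address as the one immediately above it, and Terraform rejects duplicate resource addresses within a module at validation time, so this change cannot be applied as written. The new block is byte-for-byte identical to the existing one, so the fix is simply to delete the five added lines. If a second alias was actually intended, it needs a distinct resource name and a distinct `name` value.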