Merge pull request #31 from terraform-modules/feature-kms-key

v2.3.0: add kms_key submodule; allow kms_key_arn in S3 module call
terraform-modules · Nov 17, 2021 · 291683e · 291683e
2 parents 9197b09 + 1ce2092
commit 291683e
Show file tree

Hide file tree

Showing 57 changed files with 572 additions and 223 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -6,9 +6,7 @@ repos:
     - id: terraform_fmt
     - id: terraform_docs_replace
       args: ['table']
-      exclude: common/*.tf
-      exclude: version.tf
-
+      exclude: common
 - repo: https://github.com/pre-commit/pre-commit-hooks
   rev: v3.1.0
   hooks:

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -42,3 +42,7 @@ Provides standard and t26 S3 bucket construction.
 
 * v2.2.2 -- 20211104
   - update documenation to include sample policy and policy document
+
+* v2.3.0 -- 20211117
+  - add submodule kms_key to be able to create a key, and then use it for later bucket
+  - allow kms_key_arn to passed in for standard and title26 buckets
diff --git a/common/README.md b/common/README.md
diff --git a/common/base_settings.tf b/common/base_settings.tf
@@ -0,0 +1,23 @@
+locals {
+  account_id       = data.aws_caller_identity.current.account_id
+  current_user_arn = data.aws_caller_identity.current.arn
+  partition        = data.aws_arn.current.partition
+  region           = data.aws_region.current.name
+}
+
+# enforced tags
+locals {
+  # strip spaces, convert to lowercase, make distinct, sort. Remove those not in the _defaults
+  add_safeguard_tags      = local.enable_title26 ? ["title26"] : []
+  _default_safeguard_tags = { for d in local._defaults["data_safeguards"] : d => d }
+  safeguard_tags          = sort(distinct(compact(concat([for t in var.data_safeguards : lookup(local._default_safeguard_tags, lower(replace(t, " ", "")), "")], local.add_safeguard_tags))))
+  add_tags = {
+    safeguard = {
+      "exists"     = { "boc:safeguard" = join(",", local.safeguard_tags) }
+      "not_exists" = {}
+    }
+  }
+  enforced_tags = merge(
+    local.add_tags["safeguard"][length(local.safeguard_tags) > 0 ? "exists" : "not_exists"]
+  )
+}
diff --git a/common/base_tags.tf b/common/base_tags.tf
@@ -0,0 +1,6 @@
+locals {
+  base_tags = {
+    "boc:tf_module_version" = local._module_version
+    "boc:created_by"        = "terraform"
+  }
+}
diff --git a/common/kms.tf b/common/kms.tf
@@ -0,0 +1,64 @@
+# data "aws_kms_key" "incoming_key" {
+#   count = var.kms_key_arn != null ? 1 : 0
+#   key_id = var.kms_key_arn
+# }
+# 
+locals {
+  kms_key_arn  = var.kms_key_arn == null ? aws_kms_key.key[0].arn : var.kms_key_arn
+  kms_key_name = format("%s%s", local._prefixes["kms"], local.name)
+
+  kms_admin_root      = [format("arn:%v:iam::%v:root", local.partition, local.account_id)]
+  kms_admin_roles     = compact(concat(local.kms_admin_root, var.kms_admin_roles))
+  kms_policy_document = length(var.kms_policy_document) > 0 ? var.kms_policy_document : data.aws_iam_policy_document.empty.json
+}
+
+#---
+# create a key and alias if not specified
+#---
+resource "aws_kms_key" "key" {
+  count               = var.kms_key_arn == null ? 1 : 0
+  description         = "KMS CMK for S3 bucket ${local.name}"
+  enable_key_rotation = true
+  policy              = data.aws_iam_policy_document.key_policy_combined.json
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    local.enforced_tags,
+    map("Name", local.kms_key_name)
+  )
+}
+
+resource "aws_kms_alias" "key" {
+  count         = var.kms_key_arn == null ? 1 : 0
+  name          = "alias/${local.kms_key_name}"
+  target_key_id = var.kms_key_arn == null ? aws_kms_key.key[0].key_id : null
+}
+
+# auto includes root
+data "aws_iam_policy_document" "key_admin" {
+  statement {
+    sid       = "BuiltinKMSAdminRoles"
+    effect    = "Allow"
+    actions   = ["kms:*"]
+    resources = ["*"]
+    principals {
+      type        = "AWS"
+      identifiers = local.kms_admin_roles
+    }
+  }
+}
+
+data "aws_iam_policy_document" "key_policy_combined" {
+  source_policy_documents = [
+    data.aws_iam_policy_document.key_admin.json,
+    local.kms_policy_document
+  ]
+}
+
+data "aws_iam_policy_document" "empty" {}
+
+data "aws_kms_key" "incoming_key" {
+  count  = var.kms_key_arn == null ? 0 : 1
+  key_id = var.kms_key_arn
+}
diff --git a/common/outputs.kms.tf b/common/outputs.kms.tf
@@ -0,0 +1,18 @@
+#---
+# key
+#---
+output "kms_key_id" {
+  description = "KMS Key ID. This is the created key id or the key id of kms_key_arn"
+  value       = var.kms_key_arn == null ? aws_kms_key.key[0].id : data.aws_kms_key.incoming_key[0].id
+}
+
+output "kms_key_arn" {
+  description = "KMS Key ARN. This is the created key ARN or the key ARN of kms_key_arn"
+  value       = var.kms_key_arn == null ? aws_kms_key.key[0].arn : data.aws_kms_key.incoming_key[0].arn
+}
+
+output "kms_key_alias" {
+  description = "KMS Key Alias name.  If a kms_key_arn passed in, this will be null."
+  value       = var.kms_key_arn == null ? aws_kms_alias.key[0].name : null
+}
+
diff --git a/common/outputs.s3.tf b/common/outputs.s3.tf
@@ -0,0 +1,12 @@
+#---
+# bucket
+#---
+output "s3_bucket_arn" {
+  description = "Created S3 Bucket ARN"
+  value       = aws_s3_bucket.this.arn
+}
+
+output "s3_bucket_id" {
+  description = "Created S3 Bucket ID"
+  value       = aws_s3_bucket.this.id
+}
diff --git a/common/outputs.tf b/common/outputs.tf
diff --git a/common/resources.tf b/common/resources.tf
@@ -1,24 +1,15 @@
-locals {
-
-  account_id       = data.aws_caller_identity.current.account_id
-  current_user_arn = data.aws_caller_identity.current.arn
-  partition        = data.aws_arn.current.partition
-  region           = data.aws_region.current.name
-}
-
 locals {
   base_name              = var.bucket_name
   name                   = replace(var.bucket_name, local._prefixes["s3"], "")
   bucket_name            = format("%s%s", local._prefixes["s3"], local.name)
   bucket_policy_document = length(var.bucket_policy_document) > 0 ? var.bucket_policy_document : data.aws_iam_policy_document.empty.json
 
-  # kms_key_arn_exists = var.kms_key_arn != "" && var.kms_key_arn != null
-  kms_key_arn  = aws_kms_key.key.arn
-  kms_key_name = format("%s%s", local._prefixes["kms"], local.name)
+  #  kms_key_arn  = aws_kms_key.key.arn
+  #  kms_key_name = format("%s%s", local._prefixes["kms"], local.name)
 
-  kms_admin_root      = [format("arn:%v:iam::%v:root", local.partition, local.account_id)]
-  kms_admin_roles     = compact(concat(local.kms_admin_root, var.kms_admin_roles))
-  kms_policy_document = length(var.kms_policy_document) > 0 ? var.kms_policy_document : data.aws_iam_policy_document.empty.json
+  #  kms_admin_root      = [format("arn:%v:iam::%v:root", local.partition, local.account_id)]
+  #  kms_admin_roles     = compact(concat(local.kms_admin_root, var.kms_admin_roles))
+  #  kms_policy_document = length(var.kms_policy_document) > 0 ? var.kms_policy_document : data.aws_iam_policy_document.empty.json
 
   condition_allowed_cidr = {
     "test" : "NotIpAddress"
@@ -33,26 +24,6 @@ locals {
   s3_bucket_conditions_list = list(local.condition_allowed_cidr, local.condition_allowed_endpoints)
   s3_bucket_conditions      = [for x in local.s3_bucket_conditions_list : x if length(x.values) > 0]
 
-  #  enforced_tags = {
-  #    "boc:safeguard" = "title26"
-  #  }
-  base_tags = {
-    "boc:tf_module_version" = local._module_version
-    "boc:created_by"        = "terraform"
-  }
-  # strip spaces, convert to lowercase, make distinct, sort. Remove those not in the _defaults
-  add_safeguard_tags      = local.enable_title26 ? ["title26"] : []
-  _default_safeguard_tags = { for d in local._defaults["data_safeguards"] : d => d }
-  safeguard_tags          = sort(distinct(compact(concat([for t in var.data_safeguards : lookup(local._default_safeguard_tags, lower(replace(t, " ", "")), "")], local.add_safeguard_tags))))
-  add_tags = {
-    safeguard = {
-      "exists"     = { "boc:safeguard" = join(",", local.safeguard_tags) }
-      "not_exists" = {}
-    }
-  }
-  enforced_tags = merge(
-    local.add_tags["safeguard"][length(local.safeguard_tags) > 0 ? "exists" : "not_exists"]
-  )
   metadata_tags = merge(
     var.metadata_tags,
     { for k, v in local.enforced_tags : format("x-amzn-meta-%v", replace(k, "/\\W/", "_")) => v }
@@ -70,7 +41,8 @@ resource "aws_s3_bucket" "this" {
   server_side_encryption_configuration {
     rule {
       apply_server_side_encryption_by_default {
-        kms_master_key_id = aws_kms_key.key.arn
+        #        kms_master_key_id = aws_kms_key.key.arn
+        kms_master_key_id = local.kms_key_arn
         sse_algorithm     = "aws:kms"
       }
     }
@@ -218,54 +190,10 @@ resource "aws_s3_bucket_object" "this_objects" {
   depends_on = [null_resource.policy_delay]
 }
 
-#---
-# create a key and alias if not specified
-# right now, this can't use an external key, it has to create one per bucket
-#---
-resource "aws_kms_key" "key" {
-  description         = "KMS CMK for S3 bucket ${local.name}"
-  enable_key_rotation = true
-  policy              = data.aws_iam_policy_document.key_policy_combined.json
-
-  tags = merge(
-    local.base_tags,
-    var.tags,
-    local.enforced_tags,
-    map("Name", local.kms_key_name)
-  )
-}
-
-resource "aws_kms_alias" "key" {
-  name          = "alias/${local.kms_key_name}"
-  target_key_id = aws_kms_key.key.key_id
-}
-
-# auto includes root
-data "aws_iam_policy_document" "key_admin" {
-  statement {
-    sid       = "BuiltinKMSAdminRoles"
-    effect    = "Allow"
-    actions   = ["kms:*"]
-    resources = ["*"]
-    principals {
-      type        = "AWS"
-      identifiers = local.kms_admin_roles
-    }
-  }
-}
-
-data "aws_iam_policy_document" "key_policy_combined" {
-  source_policy_documents = [
-    data.aws_iam_policy_document.key_admin.json,
-    local.kms_policy_document
-  ]
-}
-
 data "aws_iam_policy_document" "bucket_policy_combined" {
   source_policy_documents = [
     data.aws_iam_policy_document.this.json,
     local.bucket_policy_document
   ]
 }
 
-data "aws_iam_policy_document" "empty" {}
diff --git a/common/variables.common.tf b/common/variables.common.tf
@@ -0,0 +1,6 @@
+variable "tags" {
+  description = "AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data_safeguard field for such things."
+  type        = map(string)
+  default     = {}
+}
+
diff --git a/common/variables.kms.tf b/common/variables.kms.tf
@@ -0,0 +1,23 @@
+variable "kms_key_id" {
+  description = "AWS KMS Key ID (one per bucket).  This is currently ignored (and deprecated)."
+  type        = string
+  default     = null
+}
+
+variable "kms_key_arn" {
+  description = "AWS KMS Key ARN, a key created external to this module call."
+  type        = string
+  default     = null
+}
+
+variable "kms_policy_document" {
+  description = "AWS KMS Key Policy Document JSON, merged with admin policy document"
+  type        = string
+  default     = ""
+}
+
+variable "kms_admin_roles" {
+  description = "AWS KMS Key administrative role(s) which have full access to the key.  The root user is included by default."
+  type        = list(string)
+  default     = []
+}