diff --git a/CHANGELOG.md b/CHANGELOG.md
index 38e21b5..4f42716 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -28,3 +28,6 @@
* v2.0.1 -- 20210325
- make bucket policies denying missing encryption header optional
- add variable: `require_explicit_encryption` default = false
+
+* v2.1.0 -- 20210511
+ - add kms_policy to be used for custom kms key policy and kms_admin_roles
diff --git a/common/README.md b/common/README.md
index 93e771d..392d60f 100644
--- a/common/README.md
+++ b/common/README.md
@@ -24,7 +24,13 @@ No modules.
| [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
| [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
## Inputs
@@ -37,7 +43,9 @@ No modules.
| [bucket\_folders](#input\_bucket\_folders) | List of folders (keys) to create after creation of bucket. They will have object metadata provided based on metadata\_tags and data\_safeguard labels. | `list(string)` | `[]` | no |
| [bucket\_name](#input\_bucket\_name) | AWS Bucket Name. Standard prefix will be applied here, do not include here. | `string` | n/a | yes |
| [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no |
+| [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default. | `list(string)` | `[]` | no |
| [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored. | `string` | `""` | no |
+| [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no |
| [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no |
| [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no |
| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
diff --git a/common/data.tf b/common/data.tf
new file mode 100644
index 0000000..16506e6
--- /dev/null
+++ b/common/data.tf
@@ -0,0 +1,7 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_arn" "current" {
+ arn = data.aws_caller_identity.current.arn
+}
+
+data "aws_region" "current" {}
diff --git a/common/resources.tf b/common/resources.tf
index 6d5394a..55ccf14 100644
--- a/common/resources.tf
+++ b/common/resources.tf
@@ -1,4 +1,13 @@
locals {
+
+ account_id = data.aws_caller_identity.current.account_id
+ current_user_arn = data.aws_caller_identity.current.arn
+ partition = data.aws_arn.current.partition
+ region = data.aws_region.current.name
+}
+
+locals {
+ base_name = var.bucket_name
name = replace(var.bucket_name, local._prefixes["s3"], "")
bucket_name = format("%s%s", local._prefixes["s3"], local.name)
@@ -6,6 +15,10 @@ locals {
kms_key_arn = aws_kms_key.key.arn
kms_key_name = format("%s%s", local._prefixes["kms"], local.name)
+ kms_admin_root = [format("arn:%v:iam::%v:root", local.partition, local.account_id)]
+ kms_admin_roles = compact(concat(local.kms_admin_root, var.kms_admin_roles))
+ kms_policy_document = length(var.kms_policy_document) > 0 ? var.kms_policy_document : data.aws_iam_policy_document.empty.json
+
condition_allowed_cidr = {
"test" : "NotIpAddress"
"variable" : "aws:sourceIp"
@@ -210,13 +223,13 @@ resource "aws_s3_bucket_object" "this_objects" {
resource "aws_kms_key" "key" {
description = "KMS CMK for S3 bucket ${local.name}"
enable_key_rotation = true
- # policy = data.aws_iam_policy_document.key.json
+ policy = data.aws_iam_policy_document.key_policy_combined.json
tags = merge(
local.base_tags,
var.tags,
local.enforced_tags,
- map("Name", local.bucket_name)
+ map("Name", local.kms_key_name)
)
}
@@ -224,3 +237,26 @@ resource "aws_kms_alias" "key" {
name = "alias/${local.kms_key_name}"
target_key_id = aws_kms_key.key.key_id
}
+
+# auto includes root
+data "aws_iam_policy_document" "key_admin" {
+ statement {
+ sid = "BuiltinKMSAdminRoles"
+ effect = "Allow"
+ actions = ["kms:*"]
+ resources = ["*"]
+ principals {
+ type = "AWS"
+ identifiers = local.kms_admin_roles
+ }
+ }
+}
+
+data "aws_iam_policy_document" "key_policy_combined" {
+ source_policy_documents = [
+ data.aws_iam_policy_document.key_admin.json,
+ local.kms_policy_document
+ ]
+}
+
+data "aws_iam_policy_document" "empty" {}
diff --git a/common/variables.tf b/common/variables.tf
index 1e97786..79f4a84 100644
--- a/common/variables.tf
+++ b/common/variables.tf
@@ -15,6 +15,18 @@ variable "kms_key_id" {
default = ""
}
+variable "kms_policy_document" {
+ description = "AWS KMS Key Policy Document JSON, merged with admin policy document"
+ type = string
+ default = ""
+}
+
+variable "kms_admin_roles" {
+ description = "AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default."
+ type = list(string)
+ default = []
+}
+
variable "tags" {
description = "AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data_safeguard field for such things."
type = map(string)
@@ -62,3 +74,7 @@ variable "require_explicit_encryption" {
type = bool
default = false
}
+
+# TBD
+# variable "kms_policy_read_arns" { }
+# variable "kms_policy_write_arns" { }
diff --git a/common/version.tf b/common/version.tf
index 100daf2..55a44df 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
locals {
- _module_version = "2.0.1"
+ _module_version = "2.1.0"
}
diff --git a/standard/README.md b/standard/README.md
index 5536841..580a312 100644
--- a/standard/README.md
+++ b/standard/README.md
@@ -14,11 +14,26 @@ module "mybucket" {
bucket_name = "mynormalbucket"
access_log_bucket = "mylogbucket"
+ kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]
+
+ ## optional
+ # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
+}
+
+data "aws_iam_policy_document" "mypolicy" {
+ statement { }
}
```
This automaticaly creates an AWS KMS key used just for this bucket.
+It will set a key usage/management policy by default with the `root` account, along with any other
+roles in the variable `kms_admin_roles` list. This is **full** access to the KMS key.
+
+If `kms_policy_document` is provided it needs to be a valid IAM policy as would apply to key usage,
+such as read access (decrypt) or write access (encrypt, re-encrypt). A later enhancement may be
+to provide variables granting read and write access to the key.
+
## Requirements
No requirements.
@@ -45,7 +60,13 @@ No modules.
| [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
| [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
## Inputs
@@ -60,7 +81,9 @@ No modules.
| [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` | `[]` | no |
| [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `false` | no |
| [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no |
+| [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default. | `list(string)` | `[]` | no |
| [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored. | `string` | `""` | no |
+| [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no |
| [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no |
| [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no |
| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
diff --git a/standard/data.tf b/standard/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/standard/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/standard/main.tf b/standard/main.tf
index b7ea135..7892b35 100644
--- a/standard/main.tf
+++ b/standard/main.tf
@@ -15,10 +15,25 @@
*
* bucket_name = "mynormalbucket"
* access_log_bucket = "mylogbucket"
+* kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]
+*
+* ## optional
+* # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
+* }
+*
+* data "aws_iam_policy_document" "mypolicy" {
+* statement { }
* }
* ```
*
* This automaticaly creates an AWS KMS key used just for this bucket.
+*
+* It will set a key usage/management policy by default with the `root` account, along with any other
+* roles in the variable `kms_admin_roles` list. This is **full** access to the KMS key.
+*
+* If `kms_policy_document` is provided it needs to be a valid IAM policy as would apply to key usage,
+* such as read access (decrypt) or write access (encrypt, re-encrypt). A later enhancement may be
+* to provide variables granting read and write access to the key.
*/
locals {
diff --git a/title26/README.md b/title26/README.md
index fbc2a0c..8037d57 100644
--- a/title26/README.md
+++ b/title26/README.md
@@ -15,6 +15,14 @@ module "mybucket" {
bucket_name = "myt26bucket"
access_log_bucket = "mylogbucket"
# enable_title26 = true
+ kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]
+
+ ## optional
+ # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
+}
+
+data "aws_iam_policy_document" "mypolicy" {
+ statement { }
}
```
@@ -24,6 +32,13 @@ to make a comma separated list.
This automaticaly creates an AWS KMS key used just for this bucket.
+It will set a key usage/management policy by default with the `root` account, along with any other
+roles in the variable `kms_admin_roles` list. This is **full** access to the KMS key.
+
+If `kms_policy_document` is provided it needs to be a valid IAM policy as would apply to key usage,
+such as read access (decrypt) or write access (encrypt, re-encrypt). A later enhancement may be
+to provide variables granting read and write access to the key.
+
## Requirements
No requirements.
@@ -50,7 +65,13 @@ No modules.
| [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
| [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
## Inputs
@@ -65,7 +86,9 @@ No modules.
| [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` | [
"title26"
]
| no |
| [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `true` | no |
| [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no |
+| [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default. | `list(string)` | `[]` | no |
| [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored. | `string` | `""` | no |
+| [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no |
| [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no |
| [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no |
| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
diff --git a/title26/data.tf b/title26/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/title26/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/title26/main.tf b/title26/main.tf
index aa2c325..e21add0 100644
--- a/title26/main.tf
+++ b/title26/main.tf
@@ -16,6 +16,14 @@
* bucket_name = "myt26bucket"
* access_log_bucket = "mylogbucket"
* # enable_title26 = true
+* kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]
+*
+* ## optional
+* # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
+* }
+*
+* data "aws_iam_policy_document" "mypolicy" {
+* statement { }
* }
* ```
*
@@ -24,6 +32,13 @@
* to make a comma separated list.
*
* This automaticaly creates an AWS KMS key used just for this bucket.
+*
+* It will set a key usage/management policy by default with the `root` account, along with any other
+* roles in the variable `kms_admin_roles` list. This is **full** access to the KMS key.
+*
+* If `kms_policy_document` is provided it needs to be a valid IAM policy as would apply to key usage,
+* such as read access (decrypt) or write access (encrypt, re-encrypt). A later enhancement may be
+* to provide variables granting read and write access to the key.
*/
locals {