Merge pull request #3 from cloudtruth/feature/kms_support

amason · web-flow · commit 0cd905b2eb5a · 2022-02-16T11:24:40.000-05:00
Added support for custom kms keys
diff --git a/README.md b/README.md
@@ -44,6 +44,9 @@ module "grant_cloudtruth_access" {
 | ssm\_resources | The ssm resources to explicitly grant access to, defaults to all, and listing<br>all is always allowed (for chooser in UI) even if access<br>isn't granted here | `list(string)` | <pre>[<br>  "*"<br>]</pre> | no |
 | secretsmanager\_policy | A custom policy to use for secrets manager instead of the one this module would define | `string` | `""` | no |
 | secretsmanager\_resources | The secrets manager resources to explicitly grant access to, defaults to all, and listing<br>all is always allowed (for chooser in UI) even if access<br>isn't granted here | `list(string)` | <pre>[<br>  "*"<br>]</pre> | no |
+| kms\_decrypt\_enabled | Enable kms decryption using the specified kms keys; required only if ssm parameters or secretsmanager secrets use custom kms keys | `bool` | `false` | no |
+| kms\_encrypt\_enabled | Enable kms decryption/encryption using the specified kms keys; required only if ssm parameters or secretsmanager secrets use custom kms keys | `bool` | `false` | no |
+| kms\_keys | The kms keys to explicitly grant access to | `list(string)` | <pre>[]</pre> | no |
 
 ## Outputs
 
diff --git a/main.tf b/main.tf
@@ -163,6 +163,35 @@ data "aws_iam_policy_document" "secretsmanager_write" {
 
 }
 
+//  This policy allows cloudtruth to perform kms decrypt operations using the specified key(s)
+//
+data "aws_iam_policy_document" "kms_decrypt" {
+
+  statement {
+    sid    = "AllowKMSDecrypt"
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt"
+    ]
+    resources = var.kms_keys
+  }
+}
+
+//  This policy allows cloudtruth to perform kms encrypt operations using the specified key(s)
+//
+data "aws_iam_policy_document" "kms_encrypt" {
+
+  statement {
+    sid    = "AllowKMSEncrypt"
+    effect = "Allow"
+    actions = [
+      "kms:Encrypt",
+      "kms:GenerateDataKey"
+    ]
+    resources = var.kms_keys
+  }
+}
+
 locals {
   policy_lookup = {
     s3             = var.s3_policy != "" ? var.s3_policy : data.aws_iam_policy_document.s3.json
@@ -191,3 +220,17 @@ resource "aws_iam_role_policy" "cloudtruth_write_policies" {
   role   = aws_iam_role.cloudtruth_access.id
   policy = local.write_policy_lookup[each.key]
 }
+
+resource "aws_iam_role_policy" "cloudtruth_kms_decrypt" {
+  count  = var.kms_decrypt_enabled || var.kms_encrypt_enabled ? 1 : 0
+  name   = "allow-cloudtruth-kms-decrypt"
+  role   = aws_iam_role.cloudtruth_access.id
+  policy = data.aws_iam_policy_document.kms_decrypt.json
+}
+
+resource "aws_iam_role_policy" "cloudtruth_kms_encrypt" {
+  count  = var.kms_encrypt_enabled ? 1 : 0
+  name   = "allow-cloudtruth-kms-encrypt"
+  role   = aws_iam_role.cloudtruth_access.id
+  policy = data.aws_iam_policy_document.kms_encrypt.json
+}
diff --git a/variables.tf b/variables.tf
@@ -39,7 +39,7 @@ variable "s3_resources" {
 
 variable "s3_policy" {
   description = <<-EOD
-    A custom poilicy to use for s3 instead of the one this module would define
+    A custom policy to use for s3 instead of the one this module would define
   EOD
   default     = ""
 }
@@ -54,7 +54,7 @@ variable "ssm_resources" {
 
 variable "ssm_policy" {
   description = <<-EOD
-    A custom poilicy to use for ssm instead of the one this module would define
+    A custom policy to use for ssm instead of the one this module would define
   EOD
   default     = ""
 }
@@ -70,7 +70,31 @@ variable "secretsmanager_resources" {
 
 variable "secretsmanager_policy" {
   description = <<-EOD
-    A custom poilicy to use for secrets manager instead of the one this module would define
+    A custom policy to use for secrets manager instead of the one this module would define
   EOD
   default     = ""
 }
+
+variable "kms_decrypt_enabled" {
+  description = <<-EOD
+    Enable kms decryption using the specified kms keys; required only if ssm parameters or secretsmanager secrets use custom kms keys
+  EOD
+  type        = bool
+  default     = false
+}
+
+variable "kms_encrypt_enabled" {
+  description = <<-EOD
+    Enable kms decryption/encryption using the specified kms keys; required only if ssm parameters or secretsmanager secrets use custom kms keys
+  EOD
+  type        = bool
+  default     = false
+}
+
+variable "kms_keys" {
+  description = <<-EOD
+    The kms keys to explicitly grant access to, defaults to none
+  EOD
+  type        = list(string)
+  default     = []
+}
