feat: 🎸 remove KMS assumption
pass in KMS key ARN instead of looking it up
lyonsden committed Mar 14, 2024
1 parent 7da8b6c commit dc33363
Showing 6 changed files with 17 additions and 60 deletions.
60 changes: 7 additions & 53 deletions README.md
Expand Up @@ -7,59 +7,8 @@ An exception is made for ENIs attached to DataSync tasks since DataSync only est
This includes a 24 hour cloudwatch alarm to trigger the lambda regularly in an effort to keep the account clean and make the resources available for another consumer.

<!-- BEGIN_TF_DOCS -->
## Requirements

| Name | Version |
| ------------------------------------------------------------------------- | -------- |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.14 |
| <a name="requirement_archive"></a> [archive](#requirement\_archive) | ~> 2.2 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | > 4.0 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.1.0 |

## Providers

| Name | Version |
| ------------------------------------------------------------- | ------- |
| <a name="provider_archive"></a> [archive](#provider\_archive) | ~> 2.2 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | > 4.0 |

## Modules

| Name | Source | Version |
| --------------------------------------------- | ------ | ------- |
| <a name="module_iam"></a> [iam](#module\_iam) | ./iam | n/a |

## Resources

| Name | Type |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
| [aws_cloudwatch_event_rule.ip_address_release_lambda_interval](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
| [aws_cloudwatch_event_target.ip_address_release_lambda_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
| [aws_lambda_function.ip_address_release_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
| [aws_lambda_permission.event_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
| [archive_file.lambda_source](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
| [aws_security_group.https-internet-egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
| [aws_vpc.internal](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |

## Inputs

| Name | Description | Type | Default | Required |
| ---------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- | -------------- | ------- | :------: |
| <a name="input_account_name"></a> [account\_name](#input\_account\_name) | The account name for use in alarm description. | `string` | n/a | yes |
| <a name="input_create_iam_role"></a> [create\_iam\_role](#input\_create\_iam\_role) | Pass in `false` if you are supplying an IAM role. | `bool` | `true` | no |
| <a name="input_iam_role_arn"></a> [iam\_role\_arn](#input\_iam\_role\_arn) | The ARN of the IAM Role to use (creates a new one if set to `null`) | `string` | `null` | no |
| <a name="input_internet_egress_security_group"></a> [internet\_egress\_security\_group](#input\_internet\_egress\_security\_group) | Name of a security group that allows internet outbound calls to port 443 | `string` | n/a | yes |
| <a name="input_permissions_boundary_arn"></a> [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | The ARN of the policy that is used to set the permissions boundary for the IAM roles. | `string` | `null` | no |
| <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | Subnets that Lambda will be created with in the VPC | `list(string)` | `[]` | no |
| <a name="input_timeout"></a> [timeout](#input\_timeout) | Timeout value for the lambda | `number` | `300` | no |
| <a name="input_prefix"></a> [prefix](#input\_prefix) | prefix name, can be a team or product name. E.g., 'SRE' | `string` | n/a | yes |
| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID to attach the IP Address Release lambda to. Only necessary if there are multiple VPCs in an account. | `string` | `null` | no |

## Outputs

| Name | Description |
| ---------------------------------------------------------------------------- | ------------------------------------------- |
| <a name="output_iam_role_arn"></a> [iam\_role\_arn](#output\_iam\_role\_arn) | The IAM Role created, or the one passed in. |
<!-- END_TF_DOCS -->

# Multi-region deployment
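Review bot: the whole generated terraform-docs section (Requirements, Providers, Modules, Resources, Inputs and Outputs tables) is deleted rather than regenerated, so after this commit the README documents no inputs at all, including the new required `kms_key_arn` declared in variables.tf in this same commit. Re-run terraform-docs so the `<!-- BEGIN_TF_DOCS -->` / `<!-- END_TF_DOCS -->` section comes back with `kms_key_arn` listed as a required `string` with its description "ARN of the key to give to Lambda for access", instead of dropping the tables.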
Expand All @@ -76,8 +25,11 @@ module "ip-address-release-primary" {
prefix = "SRE"
account_name = var.account_name
permissions_boundary_arn = local.permissions_boundary
internet_egress_security_group_id = data.aws_security_group.https-internet-egress.id
vpc_id = data.aws_vpc.internal.id
internet_egress_security_group_id = data.aws_security_group.https-internet-egress_primary.id
vpc_id = data.aws_vpc.internal_primary.id
subnet_ids = data.aws_subnets.private_subnets_primary.ids
kms_key_arn = data.aws_kms_key.master_primary.arn
}
* assumes an aliased (secondary) provider is setup elsewhere
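Review bot: the primary-region example now passes `kms_key_arn = data.aws_kms_key.master_primary.arn` and `subnet_ids = data.aws_subnets.private_subnets_primary.ids`, but neither data source is defined anywhere in the example, and with the Inputs table removed earlier in this file there is nothing telling the reader what these two arguments control. Add the `data "aws_kms_key" "master_primary"` and `data "aws_subnets" "private_subnets_primary"` definitions to the example, or state that the caller supplies them; this matters because the key ARN is now the only thing scoping the Lambda role's `kms:Decrypt` grant.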
Expand All @@ -94,6 +46,8 @@ module "ip-address-release-secondary" {
internet_egress_security_group_id = data.aws_security_group.https-internet-egress_secondary.id
iam_role_arn = module.ip-address-release-primary.iam_role_arn # reference the IAM Role created earlier
vpc_id = data.aws_vpc.internal_secondary.id
subnet_ids = data.aws_subnets.private_subnets_secondary.ids
kms_key_arn = data.aws_kms_key.master_secondary.arn
}
```

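Review bot: the secondary-region example reuses the primary role (`iam_role_arn = module.ip-address-release-primary.iam_role_arn`) while passing a different key, `kms_key_arn = data.aws_kms_key.master_secondary.arn`. The `kms:Decrypt` statement in iam/iam.tf is built from the `kms_key_arn` handed to the `iam` submodule that created the role, i.e. the primary key only, so unless the secondary invocation also creates a role (which reusing `iam_role_arn` suggests it does not) the secondary Lambda runs with a role that cannot decrypt with `master_secondary`, and the value passed here never reaches a policy. Either document that the shared role must be granted both key ARNs, or let the module accept a list of key ARNs so the primary's role can cover both regions.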
6 changes: 1 addition & 5 deletions iam/data.tf
@@ -1,7 +1,3 @@
data "aws_caller_identity" "current" {}
data "aws_iam_account_alias" "current" {}
data "aws_region" "current" {}

data "aws_kms_key" "master" {
key_id = "alias/${data.aws_iam_account_alias.current.account_alias}-${data.aws_region.current.name}-master-kmskey"
}
data "aws_region" "current" {}
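Review bot: removing the `alias/${data.aws_iam_account_alias.current.account_alias}-${data.aws_region.current.name}-master-kmskey` lookup drops the naming-convention assumption, which is the point of the commit, but only `data "aws_iam_account_alias" "current"` goes with it; please confirm `data.aws_caller_identity.current` and `data.aws_region.current` are still referenced in iam/iam.tf, otherwise they are now dead lookups that should be removed in the same change.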
2 changes: 1 addition & 1 deletion iam/iam.tf
Expand Up @@ -57,7 +57,7 @@ data "aws_iam_policy_document" "lambda_policy_document" {
"kms:Decrypt"
]
resources = [
data.aws_kms_key.master.arn
var.kms_key_arn
]
}
statement {
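Review bot: `resources = [var.kms_key_arn]` moves the scope of the `kms:Decrypt` grant entirely to the caller; nothing here stops an alias ARN, a wildcard, or a key ARN from another account being passed straight into the policy (and KMS will not honour an alias ARN in a key-level `Resource`). Add a `validation` block on `kms_key_arn` in iam/variables.tf that requires the `arn:aws:kms:<region>:<account>:key/<id>` form, or at minimum document in the README that a key ARN, not an alias, is expected.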
2 changes: 2 additions & 0 deletions iam/variables.tf
Expand Up @@ -4,3 +4,5 @@ variable "permissions_boundary_arn" {
type = string
default = null
}

variable "kms_key_arn" {}
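Review bot: `variable "kms_key_arn" {}` declares no `type` or `description`, unlike the root-level declaration in variables.tf in this commit, which sets `type = string` and "ARN of the key to give to Lambda for access". Mirror those here so an accidental list or null value fails at plan time instead of producing a malformed `resources` entry in the policy, and so terraform-docs can document the submodule.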
1 change: 1 addition & 0 deletions main.tf
Expand Up @@ -5,4 +5,5 @@ module "iam" {
prefix = var.prefix
account_name = var.account_name
permissions_boundary_arn = var.permissions_boundary_arn
kms_key_arn = var.kms_key_arn
}
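Review bot: `kms_key_arn = var.kms_key_arn` is passed unconditionally; if the `iam` module is skipped when `create_iam_role = false` (the README's secondary-region example supplies `iam_role_arn` instead), the value is silently unused. State in the variable description that `kms_key_arn` only affects a module-created role, so callers bringing their own role know they must grant `kms:Decrypt` on that key themselves.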
6 changes: 5 additions & 1 deletion variables.tf
Expand Up @@ -45,5 +45,9 @@ variable "vpc_id" {
variable "subnet_ids" {
type = list(string)
description = "Subnets that Lambda will be created with in the VPC"
default = []
}

variable "kms_key_arn" {
type = string
description = "ARN of the key to give to Lambda for access"
}

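Review bot: `kms_key_arn` has no `default`, so it becomes a required input for every caller, including ones that set `create_iam_role = false` and bring their own role; decide whether that is intended, and if not give it `default = null` and validate it only when a role is created. The description "ARN of the key to give to Lambda for access" could also say what the access is (`kms:Decrypt`, per iam/iam.tf) so callers know which key to pass.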