Merge pull request #11 from cookielab/jj/add-kms-optional-deploy-user

Add KMS key for bucket encryption

Author: jindraj

deploy.tf

@@ -1,12 +1,15 @@
 resource "aws_iam_user" "deploy" {
-  name = "zvirt-${local.main_domain_sanitized}-deploy"
+  count = var.enable_deploy_user == true ? 1 : 0
+  name  = "zvirt-${local.main_domain_sanitized}-deploy"
 }
 
 resource "aws_iam_access_key" "deploy" {
-  user = aws_iam_user.deploy.name
+  count = var.enable_deploy_user == true ? 1 : 0
+  user  = aws_iam_user.deploy[0].name
 }
 
 data "aws_iam_policy_document" "deploy" {
+  count = var.enable_deploy_user == true ? 1 : 0
   statement {
     effect = "Allow"
     actions = [
@@ -31,9 +34,11 @@ data "aws_iam_policy_document" "deploy" {
 }
 
 resource "aws_iam_user_policy" "deploy" {
-  user = aws_iam_user.deploy.name
+  count = var.enable_deploy_user == true ? 1 : 0
 
-  policy = data.aws_iam_policy_document.deploy.json
+  user = aws_iam_user.deploy[0].name
+
+  policy = data.aws_iam_policy_document.deploy[0].json
 }
 
 module "gitlab" {
@@ -46,8 +51,8 @@ module "gitlab" {
 
   aws_s3_bucket_name             = module.s3_bucket.s3_bucket_id
   aws_cloudfront_distribution_id = aws_cloudfront_distribution.this.id
-  aws_access_key_id              = aws_iam_access_key.deploy.id
-  aws_secret_access_key          = aws_iam_access_key.deploy.secret
+  aws_access_key_id              = aws_iam_access_key.deploy[0].id
+  aws_secret_access_key          = aws_iam_access_key.deploy[0].secret
   aws_default_region             = data.aws_region.current.name
 }
 
@@ -70,3 +75,18 @@ moved {
   from = gitlab_project_variable.site_aws_secret_access_key[0]
   to   = module.gitlab[0].gitlab_project_variable.site_aws_secret_access_key
 }
+
+moved {
+  from = aws_iam_access_key.deploy
+  to   = aws_iam_access_key.deploy[0]
+}
+
+moved {
+  from = aws_iam_access_key.deploy
+  to   = aws_iam_access_key.deploy[0]
+}
+
+moved {
+  from = aws_iam_user.deploy
+  to   = aws_iam_user.deploy[0]
+}

main.tf

@@ -9,6 +9,8 @@ locals {
 
 data "aws_region" "current" {}
 
+data "aws_caller_identity" "current" {}
+
 module "certificate" {
   providers = {
     aws = aws.us_east_1
@@ -40,7 +42,11 @@ resource "aws_cloudfront_origin_access_identity" "this" {
   comment = "Deprecated: Access from CF to S3 - ${local.main_domain} - Superseeded by OAC"
 }
 
-data "aws_iam_policy_document" "bucket_policy" {
+data "aws_iam_policy_document" "s3_bucket_policy" {
+  override_policy_documents = [
+    var.s3_bucket_policy,
+  ]
+
   statement {
     sid = "AllowCloudFrontServicePrincipalReadOnly"
     actions = [
@@ -64,7 +70,86 @@ data "aws_iam_policy_document" "bucket_policy" {
       variable = "AWS:SourceArn"
       values   = [aws_cloudfront_distribution.this.arn]
     }
+  }
+}
+
+resource "aws_kms_key" "this" {
+  description             = "This key is used to encrypt the S3 bucket ${var.s3_bucket_name}"
+  enable_key_rotation     = true
+  deletion_window_in_days = var.kms_deletion_window_in_days
+  tags                    = local.tags
+}
+
+resource "aws_kms_alias" "this" {
+  name          = "alias/s3/${var.s3_bucket_name}"
+  target_key_id = aws_kms_key.this.key_id
+}
+
+resource "aws_kms_key_policy" "this" {
+  key_id = aws_kms_key.this.arn
+  policy = data.aws_iam_policy_document.kms_key_policy.json
+}
 
+data "aws_iam_policy_document" "kms_key_policy" {
+  override_policy_documents = [
+    var.kms_key_policy,
+  ]
+
+  statement {
+    sid    = "Allow root privs"
+    effect = "Allow"
+    actions = [
+      "kms:*"
+    ]
+    resources = ["*"]
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.id}:root"]
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.enable_deploy_user == true ? [1] : []
+    content {
+      sid = "Allow deploy user to use the CMK"
+      actions = [
+        "kms:GenerateDataKey*",
+        "kms:Encrypt",
+        "kms:Decrypt"
+      ]
+      resources = ["*"]
+
+      principals {
+        type        = "AWS"
+        identifiers = [aws_iam_user.deploy[0].arn]
+      }
+      effect = "Allow"
+    }
+  }
+
+  statement {
+    sid    = "Allow CloudFront usage of the key"
+    effect = "Allow"
+    actions = [
+      "kms:GenerateDataKey*",
+      "kms:Encrypt",
+      "kms:Decrypt",
+    ]
+    resources = ["*"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudfront.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "AWS:SourceArn"
+
+      values = [
+        aws_cloudfront_distribution.this.arn
+      ]
+    }
   }
 }
 
@@ -75,7 +160,7 @@ module "s3_bucket" {
   bucket = var.s3_bucket_name
 
   attach_policy = true
-  policy        = data.aws_iam_policy_document.bucket_policy.json
+  policy        = data.aws_iam_policy_document.s3_bucket_policy.json
 
   attach_deny_insecure_transport_policy = true
   attach_require_latest_tls_policy      = true
@@ -85,9 +170,14 @@ module "s3_bucket" {
     target_prefix = "s3/access_log/${var.s3_bucket_name}"
   }
 
+  expected_bucket_owner = data.aws_caller_identity.current.account_id
+
   server_side_encryption_configuration = {
     rule = {
-      apply_server_side_encryption_by_default = {
+      apply_server_side_encryption_by_default = var.encrypt_with_kms ? {
+        kms_master_key_id = aws_kms_key.this.arn
+        sse_algorithm     = "aws:kms"
+        } : {
         sse_algorithm = "AES256"
       }
     }

outputs.tf

@@ -7,11 +7,11 @@ output "aws_cloudfront_distribution_id" {
 }
 
 output "aws_access_key_id" {
-  value = aws_iam_access_key.deploy.id
+  value = var.enable_deploy_user ? aws_iam_access_key.deploy[0].id : null
 }
 
 output "aws_secret_access_key" {
-  value     = aws_iam_access_key.deploy.secret
+  value     = var.enable_deploy_user ? aws_iam_access_key.deploy[0].secret : null
   sensitive = true
 }
 
@@ -22,3 +22,6 @@ output "aws_s3_bucket_arn" {
 output "aws_s3_bucket_regional_domain_name" {
   value = module.s3_bucket.s3_bucket_bucket_regional_domain_name
 }
+output "s3_kms_key_arn" {
+  value = aws_kms_key.this.arn
+}

variables.tf

@@ -16,6 +16,12 @@ variable "s3_bucket_name" {
   type = string
 }
 
+variable "s3_bucket_policy" {
+  type        = string
+  default     = null
+  description = "Additional S3 bucket policy"
+}
+
 variable "gitlab_project_id" {
   type    = string
   default = null
@@ -71,3 +77,27 @@ variable "functions" {
   })
   default = {}
 }
+
+variable "enable_deploy_user" {
+  type        = bool
+  default     = true
+  description = "Toggle s3 deploy user creation"
+}
+
+variable "encrypt_with_kms" {
+  type        = bool
+  default     = false
+  description = "Enable server side s3 bucket encryption with KMS key"
+}
+
+variable "kms_deletion_window_in_days" {
+  type        = number
+  default     = 30
+  description = "The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key"
+}
+
+variable "kms_key_policy" {
+  type        = string
+  default     = null
+  description = "Additional KSM key policy"
+}