
Add kms_master_key_id to alarm baseline and config-baseline module #216

Merged (5 commits), Sep 12, 2021

Conversation

@willfarrell (Contributor) commented Sep 11, 2021

Building on top of the great work by @mknapcok in PR #182. As mentioned in the other PR, I think this is as far as we can go till multi-region kms is supported.

Not sure where you'd like the example on how to use this addition.

data "aws_caller_identity" "current" {}

resource "aws_kms_key" "integrations" {
  description             = "Operations: Default KMS key for SNS, SQS"
  deletion_window_in_days = 30
  enable_key_rotation     = true

  policy = data.aws_iam_policy_document.kms-integrations.json
}

data "aws_iam_policy_document" "kms-integrations" {
  policy_id = "Operations: Default KMS key for SNS, SQS"

  # Keep the account root in control of the key policy so the key can never
  # become unmanageable.
  statement {
    sid = "ChangePolicyAccess"

    principals {
      type = "AWS"
      identifiers = [
        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
      ]
    }
    actions   = ["kms:*"]
    resources = ["*"]
  }

  # Let CloudWatch alarms and AWS Config use this key when they publish to the
  # KMS-encrypted SNS topics.
  statement {
    # https://docs.aws.amazon.com/sns/latest/dg/sns-key-management.html#sns-what-permissions-for-sse
    sid = "AllowAWSServices"

    principals {
      type = "Service"
      identifiers = [
        "cloudwatch.amazonaws.com",
        "config.amazonaws.com",
      ]
    }
    actions = [
      "kms:GenerateDataKey*",
      "kms:Decrypt"
    ]
    resources = ["*"]
  }
}

Closes #163
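An added check, not part of this PR or the module, for the requirement the key policy above satisfies: the CloudWatch and Config service principals must be granted `kms:GenerateDataKey*` and `kms:Decrypt` on the key, otherwise their notifications cannot be delivered to a KMS-encrypted SNS topic. It runs over the rendered key-policy JSON (sample constructed inline; the account id is a placeholder) and reports which service/action pairs are not effectively allowed.

```python
import fnmatch
import json

# Constructed sample: the key policy above as JSON (111122223333 is a placeholder account id).
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "Operations: Default KMS key for SNS, SQS",
    "Statement": [
        {"Sid": "ChangePolicyAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowAWSServices", "Effect": "Allow",
         "Principal": {"Service": ["cloudwatch.amazonaws.com", "config.amazonaws.com"]},
         "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": "*"},
    ],
})

# Service principals that must be able to use the key for alarm and Config
# notifications to reach a KMS-encrypted SNS topic, and the actions they need.
REQUIRED_SERVICES = ("cloudwatch.amazonaws.com", "config.amazonaws.com")
REQUIRED_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(stmt, service, action):
    """True if stmt names service as a Service principal and an Action pattern covers action."""
    principal = stmt.get("Principal", {})
    if not isinstance(principal, dict):  # "Principal": "*" is not a service grant
        return False
    if service not in _as_list(principal.get("Service", [])):
        return False
    # IAM action matching is case-insensitive and uses * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(stmt.get("Action", [])))


def missing_service_grants(policy_json):
    """Return (service, action) pairs with no Allow statement, or overridden by a Deny."""
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    missing = []
    for service in REQUIRED_SERVICES:
        for action in REQUIRED_ACTIONS:
            allowed = any(_matches(s, service, action) for s in statements if s.get("Effect") == "Allow")
            denied = any(_matches(s, service, action) for s in statements if s.get("Effect") == "Deny")
            if not allowed or denied:
                missing.append((service, action))
    return missing
```

Statement Conditions are not evaluated, so a conditional grant (e.g. one scoped by `kms:ViaService`) is treated as unconditional; review those by hand.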

@lorengordon commented

FWIW, KMS encryption support for Config was just merged yesterday. Should be available in the release this coming Thursday!

@nozaq nozaq added the enhancement New feature or request label Sep 12, 2021
@nozaq (Owner) commented Sep 12, 2021

@willfarrell Thank you, this looks like a good intermediary approach until the multi-region key is supported in the upstream.
Let's merge this for now and come back here later when the upstream issue gets resolved!

@willfarrell (Contributor, Author) commented

Sounds good

@pperzyna commented

@nozaq Could you create the next version 0.29.0 with those changes?

@nozaq (Owner) commented Sep 17, 2021

@pperzyna Just published v0.29.0 👍🏼

@KnupMan commented Sep 17, 2021

@nozaq This was a breaking change, right? Just want to ensure that it's now expected to always set the sns_topic_kms_master_key_id variable.

@nozaq (Owner) commented Sep 17, 2021

@KnupMan Thanks for the heads up. It didn't break anything in my environment during my test, but let me check again.

@nozaq (Owner) commented Sep 17, 2021

@KnupMan Ah, you're right. sns_topic_kms_master_key_id should have a default value of null to be kept as optional. I'm gonna create a PR to fix it.

@nozaq (Owner) commented Sep 17, 2021

The fix has been merged and published as v0.29.1.
Thanks @KnupMan for finding it out!

Linked issue closed by this pull request: SNS topics should be encrypted at-rest using AWS KMS [SNS.1]