diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 9067e3f..d16f0ff 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -2,9 +2,18 @@
 # package ecosystems to update and where the package manifests are located.
 # Please see the documentation for all configuration options:
 # https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
 version: 2
 updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ open-pull-requests-limit: 3
+ assignees:
+ - "clouddrove-ci"
+ reviewers:
+ - "approvers"
+
 - package-ecosystem: "terraform" # See documentation for possible values
 directory: "/" # Location of package manifests
 schedule:
@@ -15,8 +24,24 @@ updates:
 # Add reviewer
 reviewers:
 - "approvers"
+ # Allow up to 3 open pull requests for pip dependencies
+ open-pull-requests-limit: 3
+
+ - package-ecosystem: "terraform" # See documentation for possible values
+ directory: "/_example/complete" # Location of package manifests
+ schedule:
+ interval: "weekly"
+ # Add assignees
+ assignees:
+ - "clouddrove-ci"
+ # Add reviewer
+ reviewers:
+ - "approvers"
+ # Allow up to 3 open pull requests for pip dependencies
+ open-pull-requests-limit: 3
+
 - package-ecosystem: "terraform" # See documentation for possible values
- directory: "_example/" # Location of package manifests
+ directory: "/_example/external_key" # Location of package manifests
 schedule:
 interval: "weekly"
 # Add assignees
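Review bot: The comment `# Allow up to 3 open pull requests for pip dependencies` above each new `open-pull-requests-limit: 3` in the `@@ -15,8 +24,24 @@` hunk is copied from a pip example, but every entry it annotates is `package-ecosystem: "terraform"`; the same mislabelled comment recurs in the `@@ -24,4 +49,32 @@` hunk for the external_replica_key and replica_key entries. Change it at each site to `# Allow up to 3 open pull requests for terraform dependencies`, or drop it since the key is self-explanatory. The new `github-actions` entry at the top of the first hunk is also the only one without the `# See documentation for possible values` / `# Location of package manifests` annotations the terraform entries carry, so adding them keeps the file uniform.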
@@ -24,4 +49,32 @@ updates:
 - "clouddrove-ci"
 # Add reviewer
 reviewers:
- - "approvers"
\ No newline at end of file
+ - "approvers"
+ # Allow up to 3 open pull requests for pip dependencies
+ open-pull-requests-limit: 3
+
+ - package-ecosystem: "terraform" # See documentation for possible values
+ directory: "/_example/external_replica_key" # Location of package manifests
+ schedule:
+ interval: "weekly"
+ # Add assignees
+ assignees:
+ - "clouddrove-ci"
+ # Add reviewer
+ reviewers:
+ - "approvers"
+ # Allow up to 3 open pull requests for pip dependencies
+ open-pull-requests-limit: 3
+
+ - package-ecosystem: "terraform" # See documentation for possible values
+ directory: "/_example/replica_key" # Location of package manifests
+ schedule:
+ interval: "weekly"
+ # Add assignees
+ assignees:
+ - "clouddrove-ci"
+ # Add reviewer
+ reviewers:
+ - "approvers"
+ # Allow up to 3 open pull requests for pip dependencies
+ open-pull-requests-limit: 3
\ No newline at end of file
diff --git a/.github/workflows/tf-checks.yml b/.github/workflows/tf-checks.yml
index c50c45f..a5cabf8 100644
--- a/.github/workflows/tf-checks.yml
+++ b/.github/workflows/tf-checks.yml
@@ -12,4 +12,12 @@ jobs:
 external_key:
 uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master
 with:
- working_directory: './_example/external_key/'
\ No newline at end of file
+ working_directory: './_example/external_key/'
+ external_replica_key:
+ uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master
+ with:
+ working_directory: './_example/external_replica_key/'
+ replica_key:
+ uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master
+ with:
+ working_directory: './_example/replica_key/'
\ No newline at end of file
diff --git a/README.yaml b/README.yaml
index b5acaf5..6e16984 100644
--- a/README.yaml
+++ b/README.yaml
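Review bot: The two new jobs `external_replica_key` and `replica_key` in the tf-checks.yml hunk reference the shared workflow at `@master`, a mutable branch, so any push to clouddrove/github-shared-workflows changes what runs in this repository's CI without a commit here; the pre-existing `external_key` job does the same, but the new lines repeat the pattern rather than fix it. Pin the reusable workflow to a release tag or, preferably, a full commit SHA, e.g. `uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@<commit-sha>` (placeholder), which makes the check reproducible and lets the `github-actions` Dependabot entry added in this same commit propose updates to it. The enclosing `jobs:` mapping starts outside the hunk.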
@@ -15,19 +15,19 @@ github_repo: clouddrove/terraform-aws-kms
 # Badges to display
 badges:
- - name: "Terraform"
- image: "https://img.shields.io/badge/Terraform-v1.1.7-green"
- url: "https://www.terraform.io"
+ - name: "Latest Release"
+ image: "https://img.shields.io/github/release/clouddrove/terraform-aws-subnet.svg"
+ url: "https://github.com/clouddrove/terraform-aws-subnet/releases/latest"
+ - name: "tfsec"
+ image: "https://github.com/clouddrove/terraform-aws-subnet/actions/workflows/tfsec.yml/badge.svg"
+ url: "https://github.com/clouddrove/terraform-aws-kms/actions/workflows/tfsec.yml"
 - name: "Licence"
 image: "https://img.shields.io/badge/License-APACHE-blue.svg"
 url: "LICENSE.md"
- - name: "tfsec"
- image: "https://github.com/clouddrove/terraform-aws-kms/actions/workflows/tfsec.yml/badge.svg"
- url: "https://github.com/clouddrove/terraform-aws-kms/actions/workflows/tfsec.yml"
- - name: "static-checks"
- image: "https://github.com/clouddrove/terraform-aws-kms/actions/workflows/terraform.yml/badge.svg"
- url: "https://github.com/clouddrove/terraform-aws-kms/actions/workflows/terraform.yml"
+prerequesties:
+ - name: Terraform 1.5.4
+ url: https://learn.hashicorp.com/terraform/getting-started/install.html
 # description of this project
 description: |-
 This terraform module creates a KMS Customer Master Key (CMK) and its alias.
diff --git a/_example/external_replica_key/example.tf b/_example/external_replica_key/example.tf
new file mode 100644
index 0000000..e1ca10d
--- /dev/null
+++ b/_example/external_replica_key/example.tf
@@ -0,0 +1,125 @@
+####----------------------------------------------------------------------------------
+## Provider block added, Use the Amazon Web Services (AWS) provider to interact with the many resources supported by AWS.
+####----------------------------------------------------------------------------------
+provider "aws" {
+ region = "us-east-1"
+}
+
+####----------------------------------------------------------------------------------
+## AWS External KMS Key Replica.
+## Should be deployed in different region as of primary key.
+####----------------------------------------------------------------------------------
+module "kms_key" {
+ source = "./../../"
+ name = "kms"
+ environment = "test"
+ deletion_window_in_days = 7
+ alias = "alias/replicate_key"
+ kms_key_enabled = false
+ create_replica_external_enabled = true
+ enabled = true
+ multi_region = false
+ key_material_base64 = "Wblj06fduthWggmsT0cLVoIMOkeLbc2kVfMud77i/JY="
+ primary_key_arn = "arn:aws:kms:xxxxxxxxxxxxxxxxxxxxx"
+ policy = data.aws_iam_policy_document.default.json
+}
+
+data "aws_caller_identity" "current" {}
+data "aws_partition" "current" {}
+
+##----------------------------------------------------------------------------------
+## Data block called to get Permissions that will be used in creating policy.
+##----------------------------------------------------------------------------------
+data "aws_iam_policy_document" "default" {
+ version = "2012-10-17"
+ statement {
+ sid = "Enable IAM User Permissions"
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = [
+ format(
+ "arn:%s:iam::%s:root",
+ join("", data.aws_partition.current.*.partition),
+ data.aws_caller_identity.current.account_id
+ )
+ ]
+ }
+ actions = ["kms:*"]
+ resources = ["*"]
+ }
+ statement {
+ sid = "Allow CloudTrail to encrypt logs"
+ effect = "Allow"
+ principals {
+ type = "Service"
+ identifiers = ["cloudtrail.amazonaws.com"]
+ }
+ actions = ["kms:GenerateDataKey*"]
+ resources = ["*"]
+ condition {
+ test = "StringLike"
+ variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+ values = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"]
+ }
+ }
+
+ statement {
+ sid = "Allow CloudTrail to describe key"
+ effect = "Allow"
+ principals {
+ type = "Service"
+ identifiers = ["cloudtrail.amazonaws.com"]
+ }
+ actions = ["kms:DescribeKey"]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "Allow principals in the account to decrypt log files"
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = [
+ format(
+ "arn:%s:iam::%s:root",
+ join("", data.aws_partition.current.*.partition),
+ data.aws_caller_identity.current.account_id
+ )
+ ]
+ }
+ actions = [
+ "kms:Decrypt",
+ "kms:ReEncryptFrom"
+ ]
+ resources = ["*"]
+ condition {
+ test = "StringEquals"
+ variable = "kms:CallerAccount"
+ values = [
+ "XXXXXXXXXXXX"]
+ }
+ condition {
+ test = "StringLike"
+ variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+ values = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"]
+ }
+ }
+
+ statement {
+ sid = "Allow alias creation during setup"
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = [
+ format(
+ "arn:%s:iam::%s:root",
+ join("", data.aws_partition.current.*.partition),
+ data.aws_caller_identity.current.account_id
+ )
+ ]
+ }
+ actions = ["kms:CreateAlias"]
+ resources = ["*"]
+ }
+}
\ No newline at end of file
diff --git a/_example/external_replica_key/outputs.tf b/_example/external_replica_key/outputs.tf
new file mode 100644
index 0000000..6a1f266
--- /dev/null
+++ b/_example/external_replica_key/outputs.tf
@@ -0,0 +1,19 @@
+output "key_arn" {
+ value = module.kms_key.key_arn
+ description = "Key ARN."
+}
+
+output "tags" {
+ value = module.kms_key.tags
+ description = "A mapping of tags to assign to the KMS."
+}
+
+output "key_id" {
+ value = module.kms_key.key_id
+ description = "The globally unique identifier for the key."
+}
+
+output "target_key_id" {
+ value = module.kms_key.target_key_id
+ description = "Identifier for the key for which the alias is for, can be either an ARN or key_id."
+}
\ No newline at end of file
diff --git a/_example/replica_key/example.tf b/_example/replica_key/example.tf
new file mode 100644
index 0000000..09cc803
--- /dev/null
+++ b/_example/replica_key/example.tf
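Review bot: The `module "kms_key"` block in `_example/external_replica_key/example.tf` carries a literal base64 value in `key_material_base64`, so anyone copying the example commits imported key material to version control, and the value now in this file has to be treated as burned. Take it from a declared input instead, `key_material_base64 = var.key_material_base64`, with a `variable "key_material_base64"` whose `type = string` and `sensitive = true`, and say in the block comment that real material is generated and wrapped out of band. `primary_key_arn = "arn:aws:kms:xxxxxxxxxxxxxxxxxxxxx"` is not shaped like a KMS key ARN (no region, account or `key/<id>` part), so the example is likely to be rejected by the API as written rather than read as a placeholder; `_example/replica_key/example.tf` uses the same value and the same fix applies there. In `data "aws_iam_policy_document" "default"`, the `kms:CallerAccount` condition hard-codes `"XXXXXXXXXXXX"` although the document already resolves the account via `data.aws_caller_identity.current.account_id` two statements earlier; using it there, `values = [data.aws_caller_identity.current.account_id]`, removes one placeholder a user would otherwise forget to replace, and the CloudTrail `trail/*` wildcard should likewise be narrowed to the trail ARN in the account.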
@@ -0,0 +1,124 @@
+####----------------------------------------------------------------------------------
+## Provider block added, Use the Amazon Web Services (AWS) provider to interact with the many resources supported by AWS.
+####----------------------------------------------------------------------------------
+provider "aws" {
+ region = "us-east-1"
+}
+
+####----------------------------------------------------------------------------------
+## AWS KMS Key Replica.
+## Should be deployed in different region as of primary key.
+####----------------------------------------------------------------------------------
+module "kms_key" {
+ source = "./../../"
+ name = "kms"
+ environment = "test"
+ deletion_window_in_days = 7
+ alias = "alias/replicate_key"
+ kms_key_enabled = false
+ create_replica_enabled = true
+ enabled = true
+ multi_region = false
+ primary_key_arn = "arn:aws:kms:xxxxxxxxxxxxxxxxxxxxx"
+ policy = data.aws_iam_policy_document.default.json
+}
+
+data "aws_caller_identity" "current" {}
+data "aws_partition" "current" {}
+
+##----------------------------------------------------------------------------------
+## Data block called to get Permissions that will be used in creating policy.
+##----------------------------------------------------------------------------------
+data "aws_iam_policy_document" "default" {
+ version = "2012-10-17"
+ statement {
+ sid = "Enable IAM User Permissions"
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = [
+ format(
+ "arn:%s:iam::%s:root",
+ join("", data.aws_partition.current.*.partition),
+ data.aws_caller_identity.current.account_id
+ )
+ ]
+ }
+ actions = ["kms:*"]
+ resources = ["*"]
+ }
+ statement {
+ sid = "Allow CloudTrail to encrypt logs"
+ effect = "Allow"
+ principals {
+ type = "Service"
+ identifiers = ["cloudtrail.amazonaws.com"]
+ }
+ actions = ["kms:GenerateDataKey*"]
+ resources = ["*"]
+ condition {
+ test = "StringLike"
+ variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+ values = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"]
+ }
+ }
+
+ statement {
+ sid = "Allow CloudTrail to describe key"
+ effect = "Allow"
+ principals {
+ type = "Service"
+ identifiers = ["cloudtrail.amazonaws.com"]
+ }
+ actions = ["kms:DescribeKey"]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "Allow principals in the account to decrypt log files"
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = [
+ format(
+ "arn:%s:iam::%s:root",
+ join("", data.aws_partition.current.*.partition),
+ data.aws_caller_identity.current.account_id
+ )
+ ]
+ }
+ actions = [
+ "kms:Decrypt",
+ "kms:ReEncryptFrom"
+ ]
+ resources = ["*"]
+ condition {
+ test = "StringEquals"
+ variable = "kms:CallerAccount"
+ values = [
+ "XXXXXXXXXXXX"]
+ }
+ condition {
+ test = "StringLike"
+ variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+ values = ["arn:aws:cloudtrail:*:XXXXXXXXXXXX:trail/*"]
+ }
+ }
+
+ statement {
+ sid = "Allow alias creation during setup"
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = [
+ format(
+ "arn:%s:iam::%s:root",
+ join("", data.aws_partition.current.*.partition),
+ data.aws_caller_identity.current.account_id
+ )
+ ]
+ }
+ actions = ["kms:CreateAlias"]
+ resources = ["*"]
+ }
+}
\ No newline at end of file
diff --git a/_example/replica_key/outputs.tf b/_example/replica_key/outputs.tf
new file mode 100644
index 0000000..6a1f266
--- /dev/null
+++ b/_example/replica_key/outputs.tf
@@ -0,0 +1,19 @@
+output "key_arn" {
+ value = module.kms_key.key_arn
+ description = "Key ARN."
+}
+
+output "tags" {
+ value = module.kms_key.tags
+ description = "A mapping of tags to assign to the KMS."
+}
+
+output "key_id" {
+ value = module.kms_key.key_id
+ description = "The globally unique identifier for the key."
+}
+
+output "target_key_id" {
+ value = module.kms_key.target_key_id
+ description = "Identifier for the key for which the alias is for, can be either an ARN or key_id."
+}
\ No newline at end of file
diff --git a/main.tf b/main.tf
index b7ae004..d881afc 100644
--- a/main.tf
+++ b/main.tf
@@ -57,8 +57,7 @@ resource "aws_kms_replica_key" "replica" {
 primary_key_arn = var.primary_key_arn
 enabled = var.is_enabled
 policy = var.policy
-
- tags = module.labels.tags
+ tags = module.labels.tags
 }
 ####----------------------------------------------------------------------------------
diff --git a/variables.tf b/variables.tf
index 6125ee1..b0b94fb 100644
--- a/variables.tf
+++ b/variables.tf
@@ -102,7 +102,7 @@ variable "multi_region" {
 variable "bypass_policy_lockout_safety_check" {
 type = bool
- default = null
+ default = false
 description = "A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable"
 }