Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: updates kms comp with embedded policy creation #523

Closed
wants to merge 5 commits into from

Conversation

Gowiem
Copy link
Member

@Gowiem Gowiem commented Nov 10, 2022

what

  • Updates the KMS module to support embedded policy creation

why

  • This allows for easy wiring in of aws-team-role roles into the KMS policy, so we do something like "Admins in the dev account have access to use this Key"

references

  • N/A

@Gowiem Gowiem requested a review from a team as a code owner November 10, 2022 21:21
@Gowiem Gowiem self-assigned this Nov 10, 2022
@Gowiem Gowiem requested review from a team as code owners November 10, 2022 21:21
@Gowiem Gowiem requested review from dotCipher and woz5999 November 10, 2022 21:21
Copy link

@bridgecrew bridgecrew bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bridgecrew has found errors in this PR ⬇️

modules/kms/main.tf Show resolved Hide resolved
modules/kms/main.tf Show resolved Hide resolved
@@ -1,15 +1,80 @@
locals {
account_id = data.aws_caller_identity.current.account_id
account_principal = "arn:aws:iam::${local.account_id}:root"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's use the data source here for govcloud

Suggested change
account_principal = "arn:aws:iam::${local.account_id}:root"
account_principal = "arn:${data.aws_partition.current.partition}:iam::${local.account_id}:root"

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition


principals {
type = "AWS"
identifiers = local.administration_principals
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
identifiers = local.administration_principals
identifiers = [local.account_principal]

Comment on lines +5 to +8
administration_principals = [
local.account_principal
]

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This local doesn't seem very useful

Suggested change
administration_principals = [
local.account_principal
]

)))
}

data "aws_caller_identity" "current" {}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
data "aws_caller_identity" "current" {}
data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}

variable "description" {
type = string
description = "The description for the KMS Key."
default = null
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the description isn't set to the original value of Parameter Store KMS master key, won't that cause people's kms keys to be recreated?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure honestly as it has been a long time, but updated regardless 😅

default = "Parameter Store KMS master key"
description = "The description of the key as viewed in AWS console"
default = "ENCRYPT_DECRYPT"
description = "Specifies the intended use of the key. Valid values: `ENCRYPT_DECRYPT` or `SIGN_VERIFY`."
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we add a validation rule here or is this already done by the upstream module?

type = string
default = ""
description = "The display name of the alias. The name must start with the word `alias` followed by a forward slash. If not specified, the alias name will be auto-generated."
default = "SYMMETRIC_DEFAULT"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this a breaking change or is this the normal default and we're just being explicit?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the downstream child module default. I believe all is good on this one, not a breaking change. I've added validation.

"kms:*",
]

resources = ["*"]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be good to allow overriding the resources here so users of this component can give granular permissions to kms. These would also allay warnings by bridgecrew shown above.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

resources in this case is just the key that is being attached to, so I don't believe it is ever needed to be overwritten. If it is not supposed, AWS states that the policy will not work. In AWS docs, this is always * in their examples. See docs here.

CleanShot 2024-10-02 at 19 52 39

identifiers = local.principals
}
}
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of hard coding this policy here, can we utilize this module and expose the inputs as variables so we can be as flexible as possible from the YAML?

https://github.com/cloudposse/terraform-aws-iam-policy

e.g.

components:
  terraform:
    kms:
      vars:
        policy:
          iam_policy_statements:
            KeyAdministration:
              effect: "Allow"
              actions:
              - "kms:*"
              resources:
              - "*"
              principals:
                type: "AWS"
                # This may be something we can contribute to the upstream module to dynamically fill these %s in
                # or it can be added by the HCL for this component
                identifiers:
                - "arn:%s:iam::%s:root"
            KeyUsage:
              effect: "Allow"
              actions:
              - "kms:Encrypt"
              - "kms:Decrypt"
              - "kms:ReEncrypt*"
              - "kms:GenerateDataKey*"
              - "kms:DescribeKey"
              resources:
              - "*"
              principals:
                type: "AWS"
                # Same here, these can be provided by the HCL unless this `identifiers` key is provided
                identifiers:
                - "..."

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While this is totally valid, it's non-trivial and others haven't done this work / needed this yet, so to move this PR along I'm going to consider this out of scope. If we decide we need this to merge, I can make the changes necessary 👍

@Gowiem
Copy link
Member Author

Gowiem commented Oct 3, 2024

@nitrocode thanks for the review! Sorry it took me so long to circle back to it 😄

I couldn't complete this PR since I can't push to the branch I started here due to lack of permissions to push to origin. I've opened #1136 as a result. Closing this and we'll continue in the newer PR.

cc @goruha

@Gowiem Gowiem closed this Oct 3, 2024
@goruha goruha deleted the masterpoint/kms-key-upgrades branch October 3, 2024 06:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants