DDLS-398 add s3 kms encryption (#1732)

ministryofjustice · Nov 14, 2024 · 733981e · 733981e
1 parent c21788e
commit 733981e
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 0 deletions.
diff --git a/terraform/account/region/kms_service_s3.tf b/terraform/account/region/kms_service_s3.tf
@@ -0,0 +1,56 @@
+##### Shared KMS key for S3 #####
+
+# Account logs encryption
+module "s3_kms" {
+  source                  = "./modules/kms_key"
+  encrypted_resource      = "S3"
+  kms_key_alias_name      = "digideps_s3_encryption_key"
+  enable_key_rotation     = true
+  enable_multi_region     = false
+  deletion_window_in_days = 10
+  kms_key_policy          = var.account.name == "development" ? data.aws_iam_policy_document.kms_s3_merged_for_development.json : data.aws_iam_policy_document.kms_s3_merged.json
+  providers = {
+    aws.eu_west_1 = aws.eu_west_1
+    aws.eu_west_2 = aws.eu_west_2
+  }
+}
+
+# Policies
+data "aws_iam_policy_document" "kms_s3_merged_for_development" {
+  provider = aws.global
+  source_policy_documents = [
+    data.aws_iam_policy_document.kms_s3.json,
+    data.aws_iam_policy_document.kms_base_permissions.json,
+    data.aws_iam_policy_document.kms_development_account_operator_admin.json
+  ]
+}
+
+data "aws_iam_policy_document" "kms_s3_merged" {
+  provider = aws.global
+  source_policy_documents = [
+    data.aws_iam_policy_document.kms_s3.json,
+    data.aws_iam_policy_document.kms_base_permissions.json
+  ]
+}
+
+data "aws_iam_policy_document" "kms_s3" {
+  statement {
+    sid       = "Allow Key to be used for Encryption by S3"
+    effect    = "Allow"
+    resources = ["*"]
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+
+    principals {
+      type = "Service"
+      identifiers = [
+        "s3.amazonaws.com"
+      ]
+    }
+  }
+}
diff --git a/terraform/account/region/secrets.tf b/terraform/account/region/secrets.tf
@@ -36,6 +36,7 @@ module "development_environment_secrets" {
 }
 
 # Account wide secrets
+#trivy:ignore:avd-aws-0098 - Complications with updating this secret and not a particularly sensitive secret
 resource "aws_secretsmanager_secret" "cloud9_users" {
   name        = "cloud9-users"
   description = "Digideps team Cloud9 users"