From 733981ea6878c70ba24037a41e5e7a325e5c5ee2 Mon Sep 17 00:00:00 2001
From: Jim <58939809+jamesrwarren@users.noreply.github.com>
Date: Thu, 14 Nov 2024 13:31:27 +0000
Subject: [PATCH] DDLS-398 add s3 kms encryption (#1732)

---
 terraform/account/region/kms_service_s3.tf | 56 ++++++++++++++++++++++
 terraform/account/region/secrets.tf | 1 +
 2 files changed, 57 insertions(+)
 create mode 100644 terraform/account/region/kms_service_s3.tf

diff --git a/terraform/account/region/kms_service_s3.tf b/terraform/account/region/kms_service_s3.tf
new file mode 100644
index 0000000000..4bf2fde86a
--- /dev/null
+++ b/terraform/account/region/kms_service_s3.tf
@@ -0,0 +1,56 @@
+##### Shared KMS key for S3 #####
+
+# Account logs encryption
+module "s3_kms" {
+ source = "./modules/kms_key"
+ encrypted_resource = "S3"
+ kms_key_alias_name = "digideps_s3_encryption_key"
+ enable_key_rotation = true
+ enable_multi_region = false
+ deletion_window_in_days = 10
+ kms_key_policy = var.account.name == "development" ? data.aws_iam_policy_document.kms_s3_merged_for_development.json : data.aws_iam_policy_document.kms_s3_merged.json
+ providers = {
+ aws.eu_west_1 = aws.eu_west_1
+ aws.eu_west_2 = aws.eu_west_2
+ }
+}
+
+# Policies
+data "aws_iam_policy_document" "kms_s3_merged_for_development" {
+ provider = aws.global
+ source_policy_documents = [
+ data.aws_iam_policy_document.kms_s3.json,
+ data.aws_iam_policy_document.kms_base_permissions.json,
+ data.aws_iam_policy_document.kms_development_account_operator_admin.json
+ ]
+}
+
+data "aws_iam_policy_document" "kms_s3_merged" {
+ provider = aws.global
+ source_policy_documents = [
+ data.aws_iam_policy_document.kms_s3.json,
+ data.aws_iam_policy_document.kms_base_permissions.json
+ ]
+}
+
+data "aws_iam_policy_document" "kms_s3" {
+ statement {
+ sid = "Allow Key to be used for Encryption by S3"
+ effect = "Allow"
+ resources = ["*"]
+ actions = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey"
+ ]
+
+ principals {
+ type = "Service"
+ identifiers = [
+ "s3.amazonaws.com"
+ ]
+ }
+ }
+}
diff --git a/terraform/account/region/secrets.tf b/terraform/account/region/secrets.tf
index 229a2bbec2..6ef996ae92 100644
--- a/terraform/account/region/secrets.tf
+++ b/terraform/account/region/secrets.tf
@@ -36,6 +36,7 @@ module "development_environment_secrets" {
 }
 
 # Account wide secrets
+#trivy:ignore:avd-aws-0098 - Complications with updating this secret and not a particularly sensitive secret
 resource "aws_secretsmanager_secret" "cloud9_users" {
 name = "cloud9-users"
 description = "Digideps team Cloud9 users"
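Review bot: The `kms_s3` statement in the new kms_service_s3.tf grants the `s3.amazonaws.com` service principal Encrypt/Decrypt/ReEncrypt*/GenerateDataKey*/DescribeKey on `resources = ["*"]` with no `condition` block, so nothing in the key policy restricts that service-principal access to S3 activity originating in this account. A service-principal grant in a key policy is the usual place for a confused-deputy scoping condition, and adding an `aws:SourceAccount` condition to the statement keeps the intended S3 use working while ruling out use on behalf of another account; the account id should come from whatever this module already has in scope (for example a `data.aws_caller_identity` data source if one exists here, otherwise the account variable). Separately, `kms_s3` is the only one of the three policy documents without `provider = aws.global`, which looks accidental given the two merged documents set it — worth confirming it is intentional. The supplied `kms_base_permissions` and `kms_development_account_operator_admin` documents are outside this hunk, so the effective policy cannot be fully judged here.
```terraform
data "aws_iam_policy_document" "kms_s3" {
  statement {
    sid       = "Allow Key to be used for Encryption by S3"
    effect    = "Allow"
    resources = ["*"]
    # … unchanged: actions list and principals block …

    # Scope the service-principal grant to S3 acting for this account only.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = ["<ACCOUNT_ID>"] # placeholder: use the account id already available in this module
    }
  }
}
```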
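Review bot: The `#trivy:ignore:avd-aws-0098` line added above `resource "aws_secretsmanager_secret" "cloud9_users"` is an open-ended suppression whose justification bundles two different reasons (difficulty of migrating the secret and low sensitivity), which makes it hard to tell later which one still holds and when the finding should be revisited. If the Trivy version used in the pipeline supports expiring inline ignores, giving the suppression a review date, e.g. `#trivy:ignore:avd-aws-0098:exp:<YYYY-MM-DD> - not sensitive; migrating the secret to a CMK needs a coordinated rotation`, keeps it from becoming permanent by default; otherwise the comment should at least name the condition under which it is removed. The `cloud9_users` resource body continues outside the hunk, so the encryption configuration it ends up with is not visible here.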