allow supplying Customer Managed Keys that this role can use (#3)

franzramadhan · Jun 3, 2021 · e04cf40 · e04cf40
1 parent 51c71ea
commit e04cf40
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 26 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,17 +1,22 @@
-## v1.0.0 (May 31, 2021)
+## v1.1.0 (June 2, 2021)
 
 NOTES:
+* Definitely not compatible with terraform 11
+
+FEATURES:
+* Allow usage of Customer Managed Keys for SecureString encryption & decryption
+
+## v1.0.0 (May 31, 2021)
 
+NOTES:
 * Might not be compatible with Terraform 11
 
 FEATURES:
-
 * Terraform 12 syntax
 
 ## v0.3.0 (May 12, 2021)
 
 ENHANCEMENTS:
-
 * Output Codebuild role name since some terraform module requires the name instead of ARN
 
 ## v0.1.0 (Oct 8, 2020)

diff --git a/README.md b/README.md
@@ -42,13 +42,13 @@ Go to the `example` directory for example terraform code that uses this module.
 
 We use [SemVer](https://semver.org/) for our versioning
 
-**Latest stable version** `v1.0.0`, 31st May 2021
+**Latest stable version** `v1.1.0`, 2nd June 2021
 
-**Latest version** `v0.1.2`, 31st May 2021
+**Latest version** `v1.1.0`, 2nd June 2021
 
 **Latest release** :
 
-- Terraform 12 Syntax
+- Allow usage of Customer Managed Keys for SecureString encryption & decryption
 
 Please also see our `CHANGELOG` document in this repository and see more detail
 

diff --git a/data.tf b/data.tf
@@ -78,3 +78,15 @@ data "aws_iam_policy_document" "this" {
     }
   }
 }
+
+data "aws_iam_policy_document" "allow_cmk" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "kms:Decrypt"
+    ]
+
+    resources = "${var.key_arns}"
+  }
+}
diff --git a/main.tf b/main.tf
@@ -15,15 +15,23 @@ module "codebuild_role" {
 # Codebuild role IAM policy
 resource "aws_iam_role_policy" "main" {
   name   = "${module.codebuild_role.role_name}-main"
-  role   = "${module.codebuild_role.role_name}"
-  policy = "${data.aws_iam_policy_document.this.json}"
+  role   = module.codebuild_role.role_name
+  policy = data.aws_iam_policy_document.this.json
 }
 
 resource "aws_iam_role_policy_attachment" "codebuild_ecr" {
-  role       = "${module.codebuild_role.role_name}"
+  role       = module.codebuild_role.role_name
   policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
 }
 
+resource "aws_iam_role_policy" "allow_use_cmk" {
+  count = (length(var.key_arns) > 0) ? 1 : 0
+
+  name   = "${module.codebuild_role.role_name}-allow-use-cmk"
+  role   = module.codebuild_role.role_name
+  policy = data.aws_iam_policy_document.allow_cmk.json
+}
+
 # Security Group Name
 module "postgres_sg_name" {
   source        = "github.com/traveloka/terraform-aws-resource-naming.git?ref=v0.19.1"
@@ -39,27 +47,27 @@ module "codebuild_sg_name" {
 
 # Security Group
 resource "aws_security_group" "codebuild_sqitch" {
-  name        = "${module.codebuild_sg_name.name}"
-  vpc_id      = "${var.vpc_id}"
+  name        = module.codebuild_sg_name.name
+  vpc_id      = var.vpc_id
   description = "${var.product_domain}-codebuild-sqitch security group"
 
   tags = {
-    Name          = "${module.codebuild_sg_name.name}"
+    Name          = module.codebuild_sg_name.name
     Service       = "${var.product_domain}-codebuild-sqitch"
-    ProductDomain = "${var.product_domain}"
-    Environment   = "${var.environment}"
+    ProductDomain = var.product_domain
+    Environment   = var.environment
     Description   = "Security group for ${var.product_domain}-codebuild-sqitch pipeline"
     ManagedBy     = "terraform"
   }
 }
 
 resource "aws_security_group" "postgres_sqitch" {
-  name        = "${module.postgres_sg_name.name}"
-  vpc_id      = "${var.vpc_id}"
+  name        = module.postgres_sg_name.name
+  vpc_id      = var.vpc_id
   description = "${var.product_domain}-postgres-sqitch security group to be attached to RDS instances"
 
   tags = {
-    Name          = "${module.postgres_sg_name.name}"
+    Name          = module.postgres_sg_name.name
     Service       = "${var.product_domain}-postgres-sqitch"
     ProductDomain = "${var.product_domain}"
     Environment   = "${var.environment}"
@@ -74,7 +82,7 @@ resource "aws_security_group_rule" "codebuild_sqitch_https_all" {
   from_port         = "443"
   to_port           = "443"
   protocol          = "tcp"
-  security_group_id = "${aws_security_group.codebuild_sqitch.id}"
+  security_group_id = aws_security_group.codebuild_sqitch.id
   cidr_blocks       = ["0.0.0.0/0"]
   description       = "Egress from ${var.product_domain}-codebuild-sqitch to all in 443"
 }
@@ -84,8 +92,8 @@ resource "aws_security_group_rule" "egress_from_codebuild_sqitch_to_postgres_543
   from_port                = "5432"
   to_port                  = "5432"
   protocol                 = "tcp"
-  security_group_id        = "${aws_security_group.codebuild_sqitch.id}"
-  source_security_group_id = "${aws_security_group.postgres_sqitch.id}"
+  security_group_id        = aws_security_group.codebuild_sqitch.id
+  source_security_group_id = aws_security_group.postgres_sqitch.id
   description              = "Egress from ${var.product_domain}-codebuild-sqitch to ${var.product_domain}-postgres-sqitch in 5432"
 }
 
@@ -94,8 +102,8 @@ resource "aws_security_group_rule" "ingress_for_postgres_from_codebuild_sqitch_5
   from_port                = "5432"
   to_port                  = "5432"
   protocol                 = "tcp"
-  security_group_id        = "${aws_security_group.postgres_sqitch.id}"
-  source_security_group_id = "${aws_security_group.codebuild_sqitch.id}"
+  security_group_id        = aws_security_group.postgres_sqitch.id
+  source_security_group_id = aws_security_group.codebuild_sqitch.id
   description              = "ingress for ${var.product_domain}-postgres-sqitch from ${var.product_domain}-codebuild-sqitch in 5432"
 }
 
diff --git a/variables.tf b/variables.tf
@@ -1,21 +1,26 @@
 variable "product_domain" {
-  type        = "string"
+  type        = string
   description = "product domain of the role owner"
 }
 
 variable "vpc_id" {
-  type        = "string"
+  type        = string
   description = "the VPC ID where the security groups will be put. Use vpc_id output from the vpc terraform module"
 }
 
 variable "environment" {
-  type        = "string"
+  type        = string
   description = "the environment where the role and security groups are put"
 }
 
 variable "additional_tags" {
-  type        = "map"
+  type        = map
   description = "additional tags for the shared resources"
   default     = {}
 }
 
+variable "key_arns" {
+  type        = list
+  description = "List of all AWS KMS Customer Managed Key ARNs that this role can use"
+  default     = []
+}