Allow keys to access all resources in service as per AWS docs (#787)

ryanbratten · b-dalton · web-flow · commit 5335397bcc5e · 2022-07-06T15:38:25.000+01:00
* Allow keys to access all resources in service as per AWS docs

* Re-add kms decrypt permissions on lambdas

Co-authored-by: b-dalton &lt;ben.dalton@madetech.com&gt;
diff --git a/terraform/core/05-departments.tf b/terraform/core/05-departments.tf
diff --git a/terraform/core/28-glue-error-notifications.tf b/terraform/core/28-glue-error-notifications.tf
@@ -101,6 +101,15 @@ data "aws_iam_policy_document" "glue_failure_notification_lambda" {
       "arn:aws:sns:*:*:glue-failure-notification-*"
     ]
   }
+
+  statement {
+    actions = [
+      "kms:GenerateDataKey*",
+      "kms:Decrypt"
+    ]
+    effect    = "Allow"
+    resources = ["*"]
+  }
 }
 
 resource "aws_iam_policy" "glue_failure_notification_lambda" {
@@ -193,9 +202,7 @@ data "aws_iam_policy_document" "admin_failure_notifications_kms_key_policy" {
       type        = "Service"
     }
 
-    resources = [
-      aws_lambda_function.glue_failure_notification_lambda.arn
-    ]
+    resources = ["*"]
   }
 }
 
diff --git a/terraform/modules/db-snapshot-to-s3/20-rds-to-s3-lambda.tf b/terraform/modules/db-snapshot-to-s3/20-rds-to-s3-lambda.tf
@@ -107,6 +107,7 @@ data "aws_iam_policy_document" "rds_snapshot_to_s3_lambda" {
     effect = "Allow"
     resources = [
       aws_kms_key.s3_to_s3_copier_kms_key.arn,
+      aws_kms_key.rds_snapshot_to_s3_kms_key.arn
     ]
   }
 }
diff --git a/terraform/modules/db-snapshot-to-s3/25-rds-to-s3-queue.tf b/terraform/modules/db-snapshot-to-s3/25-rds-to-s3-queue.tf
@@ -57,9 +57,7 @@ data "aws_iam_policy_document" "rds_snapshot_to_s3_kms_key_policy" {
       type        = "Service"
     }
 
-    resources = [
-      data.aws_sns_topic.rds_snapshot_to_s3.arn
-    ]
+    resources = ["*"]
   }
 
   statement {
@@ -73,7 +71,7 @@ data "aws_iam_policy_document" "rds_snapshot_to_s3_kms_key_policy" {
       type        = "Service"
     }
 
-    resources = [for item in var.rds_instance_ids : "arn:aws:rds:eu-west-2:${data.aws_caller_identity.current.account_id}:db:${item}"]
+    resources = ["*"]
   }
 
   statement {
@@ -87,9 +85,7 @@ data "aws_iam_policy_document" "rds_snapshot_to_s3_kms_key_policy" {
       type        = "Service"
     }
 
-    resources = [
-      aws_lambda_function.rds_snapshot_to_s3_lambda.arn
-    ]
+    resources = ["*"]
   }
 }
 
diff --git a/terraform/modules/db-snapshot-to-s3/45-s3-to-s3-copier-queue.tf b/terraform/modules/db-snapshot-to-s3/45-s3-to-s3-copier-queue.tf
@@ -52,9 +52,7 @@ data "aws_iam_policy_document" "s3_to_s3_copier_kms_key_policy" {
       type        = "Service"
     }
 
-    resources = [
-      aws_lambda_function.s3_to_s3_copier_lambda.arn
-    ]
+    resources = ["*"]
   }
 }
 
@@ -74,6 +72,17 @@ data "aws_iam_policy_document" "s3_to_s3_copier" {
       aws_sqs_queue.s3_to_s3_copier.arn
     ]
   }
+
+  statement {
+    actions = [
+      "kms:GenerateDataKey*",
+      "kms:Decrypt"
+    ]
+    effect = "Allow"
+    resources = [
+      aws_kms_key.s3_to_s3_copier_kms_key.arn,
+    ]
+  }
 }
 
 resource "aws_sqs_queue_policy" "s3_copier_to_s3" {
diff --git a/terraform/modules/department/01-inputs-required.tf b/terraform/modules/department/01-inputs-required.tf
@@ -131,9 +131,4 @@ variable "redshift_ip_addresses" {
 variable "redshift_port" {
   description = "Port that the redshift cluster is running on"
   type        = number
-}
-
-variable "glue_failure_notification_lambda_arn" {
-  description = "Arn of the lambda that will publish to the glue failure notification sns topic"
-  type        = string
 }
diff --git a/terraform/modules/department/70-aws-sns.tf b/terraform/modules/department/70-aws-sns.tf
@@ -41,7 +41,7 @@ data "aws_iam_policy_document" "glue_jobs_kms_key_policy" {
       type        = "Service"
     }
 
-    resources = [var.glue_failure_notification_lambda_arn]
+    resources = ["*"]
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -101,6 +101,15 @@ data "aws_iam_policy_document" "glue_failure_notification_lambda" {`
`101`	`101`	`"arn:aws:sns:::glue-failure-notification-*"`
`102`	`102`	`]`
`103`	`103`	`}`
	`104`	`+`
	`105`	`+ statement {`
	`106`	`+ actions = [`
	`107`	`+ "kms:GenerateDataKey*",`
	`108`	`+ "kms:Decrypt"`
	`109`	`+ ]`
	`110`	`+ effect = "Allow"`
	`111`	`+ resources = ["*"]`
	`112`	`+ }`
`104`	`113`	`}`
`105`	`114`
`106`	`115`	`resource "aws_iam_policy" "glue_failure_notification_lambda" {`
`@@ -193,9 +202,7 @@ data "aws_iam_policy_document" "admin_failure_notifications_kms_key_policy" {`
`193`	`202`	`type = "Service"`
`194`	`203`	`}`
`195`	`204`
`196`		`- resources = [`
`197`		`- aws_lambda_function.glue_failure_notification_lambda.arn`
`198`		`- ]`
	`205`	`+ resources = ["*"]`
`199`	`206`	`}`
`200`	`207`	`}`
`201`	`208`
Original file line number	Diff line number	Diff line change
`@@ -107,6 +107,7 @@ data "aws_iam_policy_document" "rds_snapshot_to_s3_lambda" {`
`107`	`107`	`effect = "Allow"`
`108`	`108`	`resources = [`
`109`	`109`	`aws_kms_key.s3_to_s3_copier_kms_key.arn,`
	`110`	`+ aws_kms_key.rds_snapshot_to_s3_kms_key.arn`
`110`	`111`	`]`
`111`	`112`	`}`
`112`	`113`	`}`
Original file line number	Diff line number	Diff line change
`@@ -57,9 +57,7 @@ data "aws_iam_policy_document" "rds_snapshot_to_s3_kms_key_policy" {`
`57`	`57`	`type = "Service"`
`58`	`58`	`}`
`59`	`59`
`60`		`- resources = [`
`61`		`- data.aws_sns_topic.rds_snapshot_to_s3.arn`
`62`		`- ]`
	`60`	`+ resources = ["*"]`
`63`	`61`	`}`
`64`	`62`
`65`	`63`	`statement {`
`@@ -73,7 +71,7 @@ data "aws_iam_policy_document" "rds_snapshot_to_s3_kms_key_policy" {`
`73`	`71`	`type = "Service"`
`74`	`72`	`}`
`75`	`73`
`76`		`- resources = [for item in var.rds_instance_ids : "arn:aws:rds:eu-west-2:${data.aws_caller_identity.current.account_id}:db:${item}"]`
	`74`	`+ resources = ["*"]`
`77`	`75`	`}`
`78`	`76`
`79`	`77`	`statement {`
`@@ -87,9 +85,7 @@ data "aws_iam_policy_document" "rds_snapshot_to_s3_kms_key_policy" {`
`87`	`85`	`type = "Service"`
`88`	`86`	`}`
`89`	`87`
`90`		`- resources = [`
`91`		`- aws_lambda_function.rds_snapshot_to_s3_lambda.arn`
`92`		`- ]`
	`88`	`+ resources = ["*"]`
`93`	`89`	`}`
`94`	`90`	`}`
`95`	`91`
Original file line number	Diff line number	Diff line change
`@@ -52,9 +52,7 @@ data "aws_iam_policy_document" "s3_to_s3_copier_kms_key_policy" {`
`52`	`52`	`type = "Service"`
`53`	`53`	`}`
`54`	`54`
`55`		`- resources = [`
`56`		`- aws_lambda_function.s3_to_s3_copier_lambda.arn`
`57`		`- ]`
	`55`	`+ resources = ["*"]`
`58`	`56`	`}`
`59`	`57`	`}`
`60`	`58`
`@@ -74,6 +72,17 @@ data "aws_iam_policy_document" "s3_to_s3_copier" {`
`74`	`72`	`aws_sqs_queue.s3_to_s3_copier.arn`
`75`	`73`	`]`
`76`	`74`	`}`
	`75`	`+`
	`76`	`+ statement {`
	`77`	`+ actions = [`
	`78`	`+ "kms:GenerateDataKey*",`
	`79`	`+ "kms:Decrypt"`
	`80`	`+ ]`
	`81`	`+ effect = "Allow"`
	`82`	`+ resources = [`
	`83`	`+ aws_kms_key.s3_to_s3_copier_kms_key.arn,`
	`84`	`+ ]`
	`85`	`+ }`
`77`	`86`	`}`
`78`	`87`
`79`	`88`	`resource "aws_sqs_queue_policy" "s3_copier_to_s3" {`
Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ data "aws_iam_policy_document" "glue_jobs_kms_key_policy" {`
`41`	`41`	`type = "Service"`
`42`	`42`	`}`
`43`	`43`
`44`		`- resources = [var.glue_failure_notification_lambda_arn]`
	`44`	`+ resources = ["*"]`
`45`	`45`	`}`
`46`	`46`	`}`
`47`	`47`