# uncomment to use custom (KMS) encryption for S3 buckets and have it work properly for CloudWatch Logs
# this file sets up what is needed for S3 custom encryption (as opposed to the AWS default) with an
# architecture style that is more 'proper' Terraform - e.g., composition of resources.
#resource "aws_kms_key" "example_key" {
# # Customer-managed KMS key; its ARN/ID is referenced by the key policy, the bucket SSE
# # configuration and the bulk-writer / caller statements below (via local.key_arn).
# description = "key for encrypting S3 buckets"
# # NOTE(review): consider declaring the key lifecycle explicitly rather than relying on provider
# # defaults, e.g. `enable_key_rotation = true` (automatic rotation) and `deletion_window_in_days`.
#}
#
#
#
#locals {
# # Policy-statement fragments that are concatenated into the key policy in aws_kms_key_policy.proxy.
# key_arn = aws_kms_key.example_key.arn # alternatively, use ar.project_aws_kms_key_arn
#
# # TODO: can eliminate this if test tool doesn't assume role when uploading to bucket
# # NOTE(review): "kms:*" grants the test caller role key-management actions (e.g. kms:PutKeyPolicy,
# # kms:ScheduleKeyDeletion), not just data-plane use of the key; prefer listing only the actions
# # the tests need (kms:Encrypt, kms:Decrypt, kms:GenerateDataKey).
# testing_policy_statements = var.provision_testing_infra ? [
# {
# "Sid": "Allow Test Users to Use Key",
# "Effect": "Allow",
# "Principal": { # tests
# "AWS": "arn:aws:iam::${var.aws_account_id}:role/${module.psoxy.caller_role_name}"
# },
# "Action": "kms:*",
# "Resource": local.key_arn
# }
# ] : []
#
# # S3 bucket policy statements for bulk writer instances
# # explicitly allow each instance's exec role to use the key to encrypt, as it needs to write to
# # the output buckets
# bulk_writer_policy_statements = [
# for instance in module.psoxy.bulk_connector_instances : {
# "Effect" : "Allow",
# "Principal" : {
# "AWS" : instance.instance_role_arn
# },
# "Action" : [
# "kms:Encrypt",
# "kms:GenerateDataKey",
# ],
# "Resource" : local.key_arn
# }
# ]
# # for bulk case, proxy caller role must be able to READ from the sanitized buckets, requiring
# # decrypt permission for the key
# # NOTE(review): the loop body below never references `instance`, so one identical statement is
# # emitted per bulk instance; a single statement guarded on
# # `length(module.psoxy.bulk_connector_instances) > 0` would be equivalent. It also references
# # aws_kms_key.example_key.arn directly instead of local.key_arn, so it would keep pointing at
# # example_key if key_arn is switched to another key (see the comment on key_arn above).
# proxy_caller_policy_statements = [
# for instance in module.psoxy.bulk_connector_instances : {
# "Effect" : "Allow",
# "Principal" : {
# "AWS" : module.psoxy.caller_role_arn
# },
# "Action" : [
# "kms:Decrypt",
# ],
# "Resource" : aws_kms_key.example_key.arn
# }
# ]
#}
#
#resource "aws_kms_key_policy" "proxy" {
# # Key policy for local.key_arn: account root (Terraform), the CloudWatch Logs service, and the
# # bulk-writer / test / caller statements assembled in locals.
# key_id = local.key_arn
# policy = jsonencode(
# {
# "Version" : "2012-10-17",
# "Id" : "proxy-key-policy",
# "Statement" : concat(
# [
# # to allow Terraform to manage the key
# {
# "Sid": "Allow IAM Users to Manage Key",
# "Effect": "Allow",
# "Principal": {
# "AWS": "arn:aws:iam::${var.aws_account_id}:root"
# },
# "Action": "kms:*",
# "Resource": local.key_arn
# },
# # to use for Cloud Watch Logs
# # NOTE(review): "kms:ReEncrypt" and "kms:Describe" are not complete KMS action names; the
# # documented CloudWatch Logs statement uses "kms:ReEncrypt*" and "kms:Describe*" (or
# # kms:ReEncryptFrom / kms:ReEncryptTo and kms:DescribeKey). This statement also has no
# # Condition, so the logs service principal may use the key for any log group that names it,
# # including ones outside this account; AWS recommends scoping it with the encryption context, e.g.
# # "Condition" : { "ArnLike" : { "kms:EncryptionContext:aws:logs:arn" :
# # "arn:aws:logs:${var.aws_region}:${var.aws_account_id}:*" } }.
# {
# "Effect" : "Allow",
# "Principal" : {
# "Service" : "logs.${var.aws_region}.amazonaws.com"
# },
# "Action" : [
# "kms:Encrypt",
# "kms:Decrypt",
# "kms:ReEncrypt",
# "kms:GenerateDataKey",
# "kms:Describe"
# ],
# "Resource" : local.key_arn
# }
# ],
# local.bulk_writer_policy_statements,
# local.testing_policy_statements,
# local.proxy_caller_policy_statements
# )
# })
#}
#
## concisely set S3 encryption for all buckets
#resource "aws_s3_bucket_server_side_encryption_configuration" "bulk_buckets" {
# # Default SSE-KMS for every bulk input, sanitized and lookup output bucket, keyed by
# # "<instance>_input" / "<instance>_sanitized" plus the lookup_output_buckets map.
# for_each = merge(
# { for k, v in module.psoxy.bulk_connector_instances: "${k}_input" => v.input_bucket } ,
# { for k, v in module.psoxy.bulk_connector_instances: "${k}_sanitized" => v.sanitized_bucket } ,
# module.psoxy.lookup_output_buckets,
# )
#
# bucket = each.value
#
# rule {
# apply_server_side_encryption_by_default {
# # NOTE(review): references aws_kms_key.example_key.id directly rather than local.key_arn; if
# # key_arn is switched to a different key (as the locals comment suggests), the buckets and the
# # key policy would diverge.
# kms_master_key_id = aws_kms_key.example_key.id
# sse_algorithm = "aws:kms"
# }
# }
#}