Lambda role policy requires `kms:Decrypt`

[bwmetcalf]

Describe the Bug

If the datadog api key is stored in ASM, the lambda role IAM policy requires kms:Decrypt privileges for the CMK used to encrypt the api key.

Expected Behavior

The lamba function should be able to read the datadog api key from ASM.

Steps to Reproduce

Add DD api key to ASM and use this module to create the forwarder lambda function. Without adding

        {
            "Sid": "AllowKMS",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": [
                "<cmk arn>"
            ]
        }

to the lamba role policy, the function throws the following error:

[ERROR] ClientError: An error occurred (AccessDeniedException) when calling the GetSecretValue operation: Access to KMS is not allowed

[nitrocode]

If you supply it with var.s3_bucket_kms_arns then it should add the permission. Did you try this ?

terraform-aws-datadog-lambda-forwarder/lambda-log.tf

Lines 101 to 111 in df39347

	dynamic "statement" {
	for_each = try(length(var.s3_bucket_kms_arns), 0) > 0 ? [true] : []
	content {
	effect = "Allow"
	actions = [
	"kms:Decrypt"
	]
	resources = var.s3_bucket_kms_arns
	}
	}

[bwmetcalf]

If you supply it with var.s3_bucket_kms_arns then it should add the permission. Did you try this ?

terraform-aws-datadog-lambda-forwarder/lambda-log.tf

Lines 101 to 111 in df39347

	dynamic "statement" {
	for_each = try(length(var.s3_bucket_kms_arns), 0) > 0 ? [true] : []
	content {
	effect = "Allow"
	actions = [
	"kms:Decrypt"
	]
	resources = var.s3_bucket_kms_arns
	}
	}

A couple of issues. One, my original bug report is against lambda-vpc-logs.tf which doesn't seem to support this. Two, I'm pulling from cloudwatch logs. This policy is specific to s3 and the kms that issued for the s3 bucket.

[nitrocode]

How about the following input

  dd_api_key_source = {
    identifier = "arn:..."
    resource   = "kms"
  }

The identifier and resource are used to get the appropriate permission

terraform-aws-datadog-lambda-forwarder/main.tf

Lines 14 to 18 in 48353d5

	dd_api_key_resource = var.dd_api_key_source.resource
	dd_api_key_identifier = var.dd_api_key_source.identifier
	dd_api_key_arn = local.dd_api_key_resource == "ssm" ? join("", data.aws_ssm_parameter.api_key.*.arn) : local.dd_api_key_identifier
	dd_api_key_iam_actions = [lookup({ kms = "kms:Decrypt", asm = "secretsmanager:GetSecretValue", ssm = "ssm:GetParameter" }, local.dd_api_key_resource, "")]

Then they are fed into the lambda policy and attached to the iam role

terraform-aws-datadog-lambda-forwarder/main.tf

Lines 91 to 98 in 48353d5

	statement {
	sid = "AllowGetOrDecryptApiKey"
	effect = "Allow"
	actions = local.dd_api_key_iam_actions
	resources = [local.dd_api_key_arn]

[bwmetcalf]

How about the following input

  dd_api_key_source = {
    identifier = "arn:..."
    resource   = "kms"
  }

The identifier and resource are used to get the appropriate permission

terraform-aws-datadog-lambda-forwarder/main.tf

Lines 14 to 18 in 48353d5

	dd_api_key_resource = var.dd_api_key_source.resource
	dd_api_key_identifier = var.dd_api_key_source.identifier
	dd_api_key_arn = local.dd_api_key_resource == "ssm" ? join("", data.aws_ssm_parameter.api_key.*.arn) : local.dd_api_key_identifier
	dd_api_key_iam_actions = [lookup({ kms = "kms:Decrypt", asm = "secretsmanager:GetSecretValue", ssm = "ssm:GetParameter" }, local.dd_api_key_resource, "")]

Then they are fed into the lambda policy and attached to the iam role

terraform-aws-datadog-lambda-forwarder/main.tf

Lines 91 to 98 in 48353d5

	statement {
	sid = "AllowGetOrDecryptApiKey"
	effect = "Allow"
	actions = local.dd_api_key_iam_actions
	resources = [local.dd_api_key_arn]

That gets you this part of the policy

        {
            "Sid": "AllowGetOrDecryptApiKey",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws-us-gov:secretsmanager:........"
        },

but you still need

        {
            "Sid": "AllowKMS",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": [
                "arn:aws-us-gov:kms:....."
            ]
        }

You still need permissions to use the kms key that was used to encrypt the secret.

[bwmetcalf]

The reason this is needed is the same as cloudposse/terraform-aws-vpc-flow-logs-s3-bucket#33. While encryption works for writing the vpc flow logs to cloudwatch, without kms:Decrypt an outside service cannot consume the logs. The default kms policy enables IAM permissions to control access so whatever actions are needed must be attached to the lambda role/policy.

I propose adding an input variable dd_api_key_kms_key_arn and, if not empty, adding the above AllowKMS statement to the policy.

[nitrocode]

@bwmetcalf interesting. Perhaps we need to add a similar PR and add a lambda_policy_source_json input var ?

[bwmetcalf]

@bwmetcalf interesting. Perhaps we need to add a similar PR and add a lambda_policy_source_json input var ?

In the case of using a secrets manager key where the secret is encrypted with a kms, the module will setup lambda policies that do not work useless without kms:Decrypt is added to the policy. Since the module is responsible for creating the lambda functions, it seems the module should also be responsible for defining and adding the kms policy. But I'm open to the best approach.