Add EFS (elastic file system) encryption support

magicorntech · Jun 8, 2023 · 1926fc3 · 1926fc3
1 parent 8c44ff2
commit 1926fc3
Show file tree

Hide file tree

Showing 4 changed files with 78 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -5,7 +5,7 @@ Magicorn made Terraform Module for AWS Provider
 ```
 module "kms" {
   source      = "magicorntech/kms/aws"
-  version     = "0.0.2"
+  version     = "0.0.3"
   tenant      = var.tenant
   name        = var.name
   environment = var.environment
@@ -16,6 +16,8 @@ module "kms" {
   elasticache_encryption = true
   dynamodb_encryption    = true
   s3_encryption          = true
+  mq_encryption          = false
+  efs_encryption         = false
 
   # Generic Key Configuration
   key_usage           = "ENCRYPT_DECRYPT"

diff --git a/main_efs.tf b/main_efs.tf
@@ -0,0 +1,70 @@
+resource "aws_kms_key" "efs" {
+  count                    = (var.efs_encryption == true) ? 1 : 0
+  description              = "${var.tenant}-${var.name}-efs-kms-${var.environment}"
+  key_usage                = var.key_usage
+  customer_master_key_spec = var.cmk_spec
+  deletion_window_in_days  = var.deletion_window
+  is_enabled               = var.is_enabled
+  enable_key_rotation      = var.enable_key_rotation
+  multi_region             = var.multi_region
+
+  policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Id": "auto-elasticfilesystem-1",
+  "Statement": [
+    {
+      "Sid": "Allow access to EFS for all principals in the account that are authorized to use EFS",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "*"
+      },
+      "Action": [
+        "kms:Encrypt",
+        "kms:Decrypt",
+        "kms:ReEncrypt*",
+        "kms:GenerateDataKey*",
+        "kms:CreateGrant",
+        "kms:DescribeKey"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "StringEquals": {
+          "kms:ViaService": "elasticfilesystem.${data.aws_region.current.name}.amazonaws.com",
+          "kms:CallerAccount": "${data.aws_caller_identity.current.account_id}"
+        }
+      }
+    },
+    {
+      "Sid": "Allow direct access to key metadata to the account",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": [
+          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
+          "${data.aws_caller_identity.current.arn}"
+        ]
+      },
+      "Action": [
+        "kms:*"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+POLICY
+
+  tags = {
+    Name        = "${var.tenant}-${var.name}-efs-kms-${var.environment}"
+    Tenant      = var.tenant
+    Project     = var.name
+    Environment = var.environment
+    Maintainer  = "Magicorn"
+    Terraform   = "yes"
+  }
+}
+
+resource "aws_kms_alias" "efs" {
+  count         = (var.efs_encryption == true) ? 1 : 0
+  name          = "alias/${var.tenant}/${var.name}/efs/${var.environment}"
+  target_key_id = aws_kms_key.efs[0].key_id
+}
diff --git a/outputs.tf b/outputs.tf
@@ -16,4 +16,8 @@ output "s3_key_id" {
 
 output "mq_key_id" {
 	value = aws_kms_key.mq[*].arn
+}
+
+output "efs_key_id" {
+	value = aws_kms_key.efs[*].arn
 }
diff --git a/variables.tf b/variables.tf
@@ -6,6 +6,7 @@ variable "elasticache_encryption" {}
 variable "dynamodb_encryption" {}
 variable "s3_encryption" {}
 variable "mq_encryption" {}
+variable "efs_encryption" {}
 variable "key_usage" {}
 variable "cmk_spec" {}
 variable "deletion_window" {}