Skip to content

Commit

Permalink
feat: Improve syncer s3 kms encryption
Browse files Browse the repository at this point in the history 
manual merge of #1915

Co-authored-by: Julius Adamek <julius.adamek@adesso.de>
  • Loading branch information
@npalm
npalm and Julius Adamek committed May 5, 2022
1 parent cfb6da2 commit 38ed5be
Show file tree
Hide file tree
Showing 5 changed files with 65 additions and 1 deletion.
1 change: 1 addition & 0 deletions .gitignore
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
*id_rsa*

# other
node_modules/
.idea
.DS_Store
*.out
Expand Down
2 changes: 2 additions & 0 deletions modules/runner-binaries-syncer/lambdas/runner-binaries-syncer/src/syncer/syncer.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,8 @@ async function uploadToS3(s3: S3, cacheObject: CacheObject, actionRunnerReleaseA
Key: cacheObject.key,
Tagging: versionKey + '=' + actionRunnerReleaseAsset.name,
Body: writeStream,
ServerSideEncryption: process.env.S3_SSE_ALGORITHM,
SSEKMSKeyId: process.env.S3_SSE_KMS_KEY_ID,
})
.promise();

Expand Down
40 changes: 39 additions & 1 deletion modules/runner-binaries-syncer/main.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "bucket-config" {

resource "aws_s3_bucket_server_side_encryption_configuration" "action_dist" {
bucket = aws_s3_bucket.action_dist.id
count = length(keys(lookup(var.server_side_encryption_configuration, "rule", {}))) == 0 ? 0 : 1
count = try(var.server_side_encryption_configuration, null) != null ? 1 : 0

dynamic "rule" {
for_each = [lookup(var.server_side_encryption_configuration, "rule", {})]
Expand Down Expand Up @@ -63,3 +63,41 @@ resource "aws_s3_bucket_public_access_block" "action_dist" {
ignore_public_acls = true
restrict_public_buckets = true
}



data "aws_iam_policy_document" "action_dist_sse_policy" {
count = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default, null) != null ? 1 : 0

statement {
effect = "Deny"

principals {
type = "AWS"

identifiers = [
"*",
]
}

actions = [
"s3:PutObject",
]

resources = [
"${aws_s3_bucket.action_dist.arn}/*",
]

condition {
test = "StringNotEquals"
variable = "s3:x-amz-server-side-encryption"

This comment has been minimized.

Sign in to view

Copy link
@marekaf

marekaf Jul 7, 2022

Contributor

I'm not sure this works. I upgraded today the module to a version that has this and upload the s3 object trigger with terraform fails with an error. I had to manually delete the bucket policy to upload it successfully.

This comment has been minimized.

Sign in to view

Copy link
@marekaf

marekaf Jul 7, 2022

Contributor

I have no idea what's the issue though, according to docs this seems fine.
values = [var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.sse_algorithm]
}
}
}

resource "aws_s3_bucket_policy" "action_dist_sse_policy" {
count = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default, null) != null ? 1 : 0
bucket = aws_s3_bucket.action_dist.id
policy = data.aws_iam_policy_document.action_dist_sse_policy[0].json
}
10 changes: 10 additions & 0 deletions modules/runner-binaries-syncer/policies/lambda-kms.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["kms:GenerateDataKey", "kms:Decrypt"],
"Resource": "${kms_key_arn}"
}
]
}
13 changes: 13 additions & 0 deletions modules/runner-binaries-syncer/runner-binaries-syncer.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,8 +29,11 @@ resource "aws_lambda_function" "syncer" {
LOG_TYPE = var.log_type
S3_BUCKET_NAME = aws_s3_bucket.action_dist.id
S3_OBJECT_KEY = local.action_runner_distribution_object_key
S3_SSE_ALGORITHM = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.sse_algorithm, null)
S3_SSE_KMS_KEY_ID = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.kms_master_key_id, null)
}
}

dynamic "vpc_config" {
for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
content {
Expand All @@ -42,6 +45,16 @@ resource "aws_lambda_function" "syncer" {
tags = var.tags
}

resource "aws_iam_role_policy" "lambda_kms" {
count = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.kms_master_key_id, null) != null ? 1 : 0
name = "${var.environment}-lambda-kms-policy-syncer"
role = aws_iam_role.syncer_lambda.id

policy = templatefile("${path.module}/policies/lambda-kms.json", {
kms_key_arn = var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.kms_master_key_id
})
}

resource "aws_cloudwatch_log_group" "syncer" {
name = "/aws/lambda/${aws_lambda_function.syncer.function_name}"
retention_in_days = var.logging_retention_in_days
Expand Down

0 comments on commit 38ed5be

Please sign in to comment.