feat: Add specific policy for Autoscaling service linked roles (#15)
bryantbiggs committed Feb 9, 2023
1 parent f6d3c99 commit 217ac76
Showing 5 changed files with 57 additions and 5 deletions.
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.77.0
rev: v1.77.1
hooks:
- id: terraform_fmt
- id: terraform_validate
8 changes: 4 additions & 4 deletions README.md
Expand Up @@ -8,7 +8,7 @@ Terraform module which creates AWS KMS resources.

See [`examples`](https://github.com/terraform-aws-modules/terraform-aws-kms/tree/master/examples) directory for working examples to reference:

### Service
### Autoscaling Service Linked Role

Reference usage for EC2 AutoScaling service linked role to launch encrypted EBS volumes:

Expand All @@ -20,9 +20,8 @@ module "kms" {
key_usage = "ENCRYPT_DECRYPT"
# Policy
key_administrators = ["arn:aws:iam::012345678901:role/admin"]
key_users = ["arn:aws:iam::012345678901:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"]
key_service_users = ["arn:aws:iam::012345678901:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"]
key_administrators = ["arn:aws:iam::012345678901:role/admin"]
key_service_roles_for_autoscaling = ["arn:aws:iam::012345678901:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"]
# Aliases
aliases = ["mycompany/ebs"]
Expand Down Expand Up @@ -200,6 +199,7 @@ No modules.
| <a name="input_key_hmac_users"></a> [key\_hmac\_users](#input\_key\_hmac\_users) | A list of IAM ARNs for [key HMAC users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-users-crypto) | `list(string)` | `[]` | no |
| <a name="input_key_material_base64"></a> [key\_material\_base64](#input\_key\_material\_base64) | Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. External key only | `string` | `null` | no |
| <a name="input_key_owners"></a> [key\_owners](#input\_key\_owners) | A list of IAM ARNs for those who will have full key permissions (`kms:*`) | `list(string)` | `[]` | no |
| <a name="input_key_service_roles_for_autoscaling"></a> [key\_service\_roles\_for\_autoscaling](#input\_key\_service\_roles\_for\_autoscaling) | A list of IAM ARNs for [AWSServiceRoleForAutoScaling roles](https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html#policy-example-cmk-access) | `list(string)` | `[]` | no |
| <a name="input_key_service_users"></a> [key\_service\_users](#input\_key\_service\_users) | A list of IAM ARNs for [key service users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-service-integration) | `list(string)` | `[]` | no |
| <a name="input_key_statements"></a> [key\_statements](#input\_key\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage | `any` | `{}` | no |
| <a name="input_key_symmetric_encryption_users"></a> [key\_symmetric\_encryption\_users](#input\_key\_symmetric\_encryption\_users) | A list of IAM ARNs for [key symmetric encryption users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-users-crypto) | `list(string)` | `[]` | no |
1 change: 1 addition & 0 deletions examples/complete/main.tf
Expand Up @@ -37,6 +37,7 @@ module "kms_complete" {
key_administrators = [local.current_identity]
key_users = [local.current_identity]
key_service_users = [local.current_identity]
key_service_roles_for_autoscaling = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"]
key_symmetric_encryption_users = [local.current_identity]
key_hmac_users = [local.current_identity]
key_asymmetric_public_encryption_users = [local.current_identity]
45 changes: 45 additions & 0 deletions main.tf
Expand Up @@ -197,6 +197,51 @@ data "aws_iam_policy_document" "this" {
}
}

# Key service roles for autoscaling - https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html#policy-example-cmk-access
dynamic "statement" {
for_each = length(var.key_service_roles_for_autoscaling) > 0 ? [1] : []

content {
sid = "KeyServiceRolesASG"
actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey",
]
resources = ["*"]

principals {
type = "AWS"
identifiers = var.key_service_roles_for_autoscaling
}
}
}

dynamic "statement" {
for_each = length(var.key_service_roles_for_autoscaling) > 0 ? [1] : []

content {
sid = "KeyServiceRolesASGPersistentVol"
actions = [
"kms:CreateGrant"
]
resources = ["*"]

principals {
type = "AWS"
identifiers = var.key_service_roles_for_autoscaling
}

condition {
test = "Bool"
variable = "kms:GrantIsForAWSResource"
values = [true]
}
}
}

# Key cryptographic operations - https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-users-crypto
dynamic "statement" {
for_each = length(var.key_symmetric_encryption_users) > 0 ? [1] : []
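Review bot: The `kms:GrantIsForAWSResource` condition in the `KeyServiceRolesASGPersistentVol` statement passes a bare `true` into `values`, which `aws_iam_policy_document` declares as `list(string)`; Terraform coerces it silently, but `values = ["true"]` makes the rendered `"Bool": {"kms:GrantIsForAWSResource": "true"}` explicit and avoids relying on implicit conversion. That statement is also the one that warrants a why-comment, because the split from the first statement is the whole point of it: `# CreateGrant is allowed only when the grant is created on behalf of an AWS service (e.g. EC2 attaching an encrypted volume), never for arbitrary grantees`. Both new statements use `resources = ["*"]`, which in a KMS key policy refers to this key alone — presumably this document is the key policy, so a one-line comment saying so would stop a reader from reading it as a wildcard over all keys. The enclosing `data "aws_iam_policy_document" "this"` block begins before this hunk and continues past it.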
6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -116,6 +116,12 @@ variable "key_service_users" {
default = []
}

variable "key_service_roles_for_autoscaling" {
description = "A list of IAM ARNs for [AWSServiceRoleForAutoScaling roles](https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html#policy-example-cmk-access)"
type = list(string)
default = []
}

variable "key_symmetric_encryption_users" {
description = "A list of IAM ARNs for [key symmetric encryption users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-users-crypto)"
type = list(string)
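Review bot: `key_service_roles_for_autoscaling` accepts any IAM ARN, yet the statements it feeds in main.tf grant `kms:Encrypt`/`kms:Decrypt`/`kms:GenerateDataKey*` plus conditional `kms:CreateGrant` to every principal listed, and nothing ties the input to the Auto Scaling service-linked role that its name and description promise. A `validation` block checking each entry against the `role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling` path would catch a caller pasting an ordinary role here by mistake and keeps this variable from quietly becoming a second `key_users`. The pattern below allows the custom-suffix form of the service-linked role and non-`aws` partitions; confirm it against the role names actually in use before tightening it further. The `key_symmetric_encryption_users` variable that follows continues past the end of this hunk.
```hcl
variable "key_service_roles_for_autoscaling" {
  # … unchanged: description, type, default …

  validation {
    condition = alltrue([
      for arn in var.key_service_roles_for_autoscaling :
      can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:role/aws-service-role/autoscaling\\.amazonaws\\.com/AWSServiceRoleForAutoScaling(_[A-Za-z0-9_-]+)?$", arn))
    ])
    error_message = "Each entry must be the ARN of an EC2 Auto Scaling service-linked role (…:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling[_suffix])."
  }
}
```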
