From 36515614f6d809308f33897428bebcb1faf6da90 Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Mon, 10 Jun 2024 16:13:09 -0500
Subject: [PATCH 1/3] pause build

---
 .github/workflows/code-scan.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/code-scan.yml b/.github/workflows/code-scan.yml
index 79d3069..dced46f 100644
--- a/.github/workflows/code-scan.yml
+++ b/.github/workflows/code-scan.yml
@@ -3,14 +3,14 @@ name: checkov-static-analysis-scan
 # Controls when the workflow will run
 on:
 # Triggers the workflow on push or pull request events but only for the "main" branch
- push:
- branches: [ '*' ]
- paths-ignore:
- - '**/README.md'
- pull_request:
- branches: ["main"]
- paths-ignore:
- - '**/README.md'
+ # push:
+ # branches: [ '*' ]
+ # paths-ignore:
+ # - '**/README.md'
+ # pull_request:
+ # branches: ["main"]
+ # paths-ignore:
+ # - '**/README.md'
 
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:

From 5c88955f467ff1da65cf193fc3551f5d459839fb Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Mon, 10 Jun 2024 17:20:19 -0500
Subject: [PATCH 2/3] updated ignore files

---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index 9b8a46e..634de39 100644
--- a/.gitignore
+++ b/.gitignore
@@ -32,3 +32,4 @@ override.tf.json
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
+.terraform.lock.hcl
\ No newline at end of file

From dc91a0c69689c1bd9b01fb3e8bad15b732e26936 Mon Sep 17 00:00:00 2001
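Review bot: With both `push:` and `pull_request:` commented out in the `on:` block, the only trigger left is `workflow_dispatch:`, so the Checkov scan no longer runs automatically on any branch or pull request, including on the Terraform added by the next commit in this series. If this is a temporary pause, a comment above the block such as `# TODO(<owner>): re-enable push/pull_request triggers once <blocking issue> is resolved` keeps that visible in the file rather than only in the commit title. Leaving `pull_request: branches: ["main"]` active while only pushes are paused would still gate merges to main.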
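Review bot: Ignoring `.terraform.lock.hcl` drops the provider version and checksum pins from the repository, so each `terraform init` may resolve a different provider build than the one that was reviewed and scanned. HashiCorp recommends committing the lock file for root configurations; if it was ignored because it only carried hashes for one platform, `terraform providers lock -platform=<os_arch>` records the other platforms instead. If this repository is a reusable module rather than a root configuration, ignoring the file is the usual choice, and a comment above the line such as `# module repository: lock file is generated by consumers` would make that intent explicit.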
From: Sourav Kundu
Date: Mon, 10 Jun 2024 17:21:04 -0500
Subject: [PATCH 3/3] #3 add cloud resources

---
 cloudwatch.tf | 5 +++++
 data.tf | 6 +++++
 iam_role.tf | 58 ++++++++++++++++++++++++++++++++++++++++++++++++
 kms.tf | 50 +++++++++++++++++++++++++++++++++++++++++
 ssm_parameter.tf | 7 ++++++
 variables.tf | 5 +++++
 6 files changed, 131 insertions(+)
 create mode 100644 cloudwatch.tf
 create mode 100644 data.tf
 create mode 100644 iam_role.tf
 create mode 100644 kms.tf
 create mode 100644 ssm_parameter.tf

diff --git a/cloudwatch.tf b/cloudwatch.tf
new file mode 100644
index 0000000..b76ab11
--- /dev/null
+++ b/cloudwatch.tf
@@ -0,0 +1,5 @@
+resource "aws_cloudwatch_log_group" "lambda_log" {
+ name = var.name
+ retention_in_days = 365
+ kms_key_id = aws_kms_key.encryption_rest.arn
+}
\ No newline at end of file
diff --git a/data.tf b/data.tf
new file mode 100644
index 0000000..f148cc7
--- /dev/null
+++ b/data.tf
@@ -0,0 +1,6 @@
+data "aws_caller_identity" "current" {}
+locals {
+ principal_root_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+ principal_logs_arn = "logs.${var.region}.amazonaws.com"
+ cloudwatch_log_group_arn = "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/${var.name}"
+}
\ No newline at end of file
diff --git a/iam_role.tf b/iam_role.tf
new file mode 100644
index 0000000..8ed0fbd
--- /dev/null
+++ b/iam_role.tf
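Review bot: `aws_cloudwatch_log_group.lambda_log` depends on `aws_kms_key.encryption_rest` only through `kms_key_id`, not on `aws_kms_key_policy.encryption_rest_policy`, so Terraform may create the log group before the policy statement that lets the `logs.<region>.amazonaws.com` principal use the key exists, and CloudWatch Logs refuses to associate a key its service principal cannot use. Adding `depends_on = [aws_kms_key_policy.encryption_rest_policy]` to the resource fixes the ordering, and it does not introduce a cycle because the key policy refers to the group through `local.cloudwatch_log_group_arn` rather than through the resource. A one-line comment above it, `# the key policy must grant the logs service principal before the group is created`, records why the explicit dependency is there.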
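Review bot: `local.cloudwatch_log_group_arn` ends in `log-group:/${var.name}`, but cloudwatch.tf names the group `var.name` with no leading slash, so the ARN that the `ArnEquals` condition in kms.tf compares against `kms:EncryptionContext:aws:logs:arn` will not match the real group and the logs service statement in the key policy never applies. Either drop the slash, `cloudwatch_log_group_arn = "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:${var.name}"`, or name the group `/${var.name}` so the two agree; the SSM parameter already uses the `/${var.name}` form, so the module should pick one convention. The hard-coded `arn:aws:` partition could also come from `data.aws_partition.current.partition` so the same code works in other partitions.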
@@ -0,0 +1,58 @@
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role
+resource "aws_iam_role" "lambda_role" {
+ name = "${var.name}_lambda_role"
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Sid = ""
+ Principal = {
+ Service = "lambda.amazonaws.com"
+ }
+ },
+ ]
+ })
+}
+
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy
+resource "aws_iam_policy" "lambda_policy" {
+ name = "${var.name}_lambda_policy"
+ path = "/"
+ description = "AWS IAM policy for the lambda role."
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow",
+ Action = [
+ "ssm:GetParameters",
+ "ssm:GetParameter"
+ ],
+ Resource = [aws_ssm_parameter.parameter.arn]
+ },
+ {
+ Effect = "Allow",
+ Action = [
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents"
+ ],
+ Resource = [aws_cloudwatch_log_group.lambda_log.arn]
+ },
+ {
+ Effect = "Allow",
+ Action = [
+ "kms:Decrypt"
+ ]
+ Resource = [aws_kms_key.encryption_rest.arn]
+ }
+ ]
+ })
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_policy_attachement" {
+ role = aws_iam_role.lambda_role.name
+ policy_arn = aws_iam_policy.lambda_policy.arn
+}
\ No newline at end of file
diff --git a/kms.tf b/kms.tf
new file mode 100644
index 0000000..69003ad
--- /dev/null
+++ b/kms.tf
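Review bot: The second statement in `lambda_policy` grants `logs:CreateLogStream` and `logs:PutLogEvents` on `aws_cloudwatch_log_group.lambda_log.arn`, which is the log-group ARN; those two actions are evaluated against log-stream ARNs (the group ARN followed by `:log-stream:...`), so as written the statement is unlikely to authorize the function's writes. Using `Resource = [aws_cloudwatch_log_group.lambda_log.arn, "${aws_cloudwatch_log_group.lambda_log.arn}:*"]` covers both the group (for `logs:CreateLogGroup`) and its streams. The `kms:Decrypt` statement could carry a `Condition = { StringEquals = { "kms:ViaService" = "ssm.${var.region}.amazonaws.com" } }` so the role can only use the key through SSM rather than calling KMS directly, and `lambda_policy_attachement` is misspelled (`attachment`), which is worth fixing before anything references the address.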
@@ -0,0 +1,50 @@
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key
+resource "aws_kms_key" "encryption_rest" {
+ enable_key_rotation = true
+ description = "Key to encrypt Amazon CloudWatch logs at rest."
+ deletion_window_in_days = 7
+ #checkov:skip=CKV2_AWS_64: KMS Key policy in a separate resource
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias
+resource "aws_kms_alias" "encryption_rest" {
+ name = "alias/lambda-${var.name}-at-rest"
+ target_key_id = aws_kms_key.encryption_rest.key_id
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key_policy
+resource "aws_kms_key_policy" "encryption_rest_policy" {
+ key_id = aws_kms_key.encryption_rest.id
+ policy = jsonencode({
+ Id = "encryption-rest"
+ Statement = [
+ {
+ Action = "kms:*"
+ Effect = "Allow"
+ Principal = {
+ AWS = "${local.principal_root_arn}"
+ }
+ Resource = "*"
+ Sid = "Enable IAM User Permissions"
+ },
+ {
+ Effect : "Allow",
+ Principal : {
+ Service : "${local.principal_logs_arn}"
+ },
+ Action : [
+ "kms:Encrypt*",
+ "kms:Decrypt*",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:Describe*"
+ ],
+ Resource : "*",
+ Condition : {
+ ArnEquals : {
+ "kms:EncryptionContext:aws:logs:arn" : [local.cloudwatch_log_group_arn]
+ }
+ }
+ }
+ ]
+ Version = "2012-10-17"
+ })
+}
\ No newline at end of file
diff --git a/ssm_parameter.tf b/ssm_parameter.tf
new file mode 100644
index 0000000..2b935d6
--- /dev/null
+++ b/ssm_parameter.tf
@@ -0,0 +1,7 @@
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter
+resource "aws_ssm_parameter" "parameter" {
+ name = "/${var.name}"
+ type = "SecureString"
+ key_id = aws_kms_key.encryption_rest.id
+ value = ""
+}
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index 2307f42..37d78a9 100644
--- a/variables.tf
+++ b/variables.tf
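Review bot: `deletion_window_in_days = 7` on `aws_kms_key.encryption_rest` is the shortest window AWS allows, and this one key protects both the log group and the SecureString parameter, so an accidental or unauthorized ScheduleKeyDeletion leaves seven days to notice and cancel before the logs and the secret become unrecoverable; the default of 30 gives a more realistic detection-and-response margin, and the `description` should mention the SSM parameter as well since it no longer covers only CloudWatch logs. Separately, the two statements inside the same `jsonencode` call mix `key = value` and `key : value` object syntax; writing the second statement with `=` like the first (and like iam_role.tf) keeps the policy uniform. The `ArnEquals` condition also relies on `local.cloudwatch_log_group_arn` matching the real group name, which is raised on the data.tf hunk.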
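Review bot: `value = ""` on `aws_ssm_parameter.parameter` will most likely fail at apply time, since the SSM PutParameter API requires a value of at least one character, and even where a placeholder is accepted, every later `terraform apply` would overwrite a secret that was set outside Terraform because nothing tells the resource to leave `value` alone. If the real value is meant to be written out-of-band, add `lifecycle { ignore_changes = [value] }` together with a non-empty placeholder; otherwise pass the value in through a variable marked `sensitive = true`. A comment such as `# placeholder only; the real value is managed outside Terraform` records which of the two is intended.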
@@ -17,4 +17,9 @@ variable "secret_key" {
 type = string
 sensitive = true
 default = ""
+}
+variable "name" {
+ description = "The name of the application."
+ type = string
+ default = "app-7"
 }
\ No newline at end of file
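Review bot: `var.name` is interpolated into the IAM role and policy names, the KMS alias, the SSM parameter path and the hand-built log-group ARN in data.tf, but the new `variable "name"` block has no `validation`, so a value containing a character one of those services rejects (a space or `/`, for instance) only surfaces as an apply-time error or as a key-policy condition that silently never matches. Restricting the value at plan time to a character set that is valid for all of them catches that before anything is created. The hunk begins inside `variable "secret_key"`, whose opening lines are outside it; the `variable "name"` block itself is complete.
```hcl
variable "name" {
  # … unchanged: description, type, default …

  validation {
    condition     = can(regex("^[A-Za-z0-9_-]+$", var.name))
    error_message = "name may contain only letters, digits, '_' and '-'."
  }
}
```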