Merge pull request #29 from confusdcodr/kms

Add kms encryption
plus3it · Jan 1, 2020 · 588642f · 588642f
2 parents 0ee2554 + 31acb15
commit 588642f
Show file tree

Hide file tree

Showing 14 changed files with 279 additions and 8 deletions.
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2.1.0
+current_version = 2.2.0
 commit = True
 message = Bumps version to {new_version}
 tag = False

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
+### 2.2.0
+
+**Released**: 2019.12.17
+
+**Commit Delta**: [Change from 2.1.0 release](https://github.com/plus3it/terraform-aws-tardigrade-cloudtrail/compare/2.1.0...2.2.0)
+
+**Summary**:
+
+*   Add kms encryption
+
 ### 2.1.0
 
 **Released**: 2019.12.05

diff --git a/Makefile b/Makefile
@@ -117,7 +117,7 @@ json/format: | guard/program/jq
 	@ echo "[$@]: Successfully formatted JSON files!"
 
 tfdocs-awk/install: $(BIN_DIR)
-tfdocs-awk/install: ARCHIVE := https://github.com/plus3it/tfdocs-awk/archive/0.0.0.tar.gz
+tfdocs-awk/install: ARCHIVE := https://github.com/plus3it/tfdocs-awk/archive/0.0.2.tar.gz
 tfdocs-awk/install:
 	$(CURL) $(ARCHIVE) | tar -C $(BIN_DIR) --strip-components=1 --wildcards '*.sh' --wildcards '*.awk' -xzvf -
 

diff --git a/README.md b/README.md
@@ -6,13 +6,14 @@ Creates an AWS Cloudtrail
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| cloud\_watch\_logs\_group\_name | (Optional) Name of preexisting log group to use; by default the module will create a log group | string | `"null"` | no |
-| cloud\_watch\_logs\_role\_arn | (Optional) Specifies the role for the CloudWatch Logs endpoint to assume to write to a user’s log group. | string | `"null"` | no |
+| cloud\_watch\_logs\_group\_name | \(Optional\) Name of preexisting log group to use; by default the module will create a log group | string | `"null"` | no |
+| cloud\_watch\_logs\_role\_arn | \(Optional\) Specifies the role for the CloudWatch Logs endpoint to assume to write to a user’s log group. | string | `"null"` | no |
 | cloudtrail\_bucket | Name of S3 bucket to send CloudTrail logs; bucket must already exist | string | `"null"` | no |
 | cloudtrail\_name | Name of the trail to create | string | `"null"` | no |
 | create\_cloudtrail | Controls whether to create the CloudTrail | bool | `"true"` | no |
-| event\_selectors | List of maps specifying `read_write_type`, `include_management_events`, `type`, and `values`. See https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for more information regarding the map vales | list | `<list>` | no |
-| retention\_in\_days | (Optional) Specifies the number of days to retain log events in the log group. Only works if module creates the log group | number | `"7"` | no |
+| event\_selectors | List of maps specifying `read\_write\_type`, `include\_management\_events`, `type`, and `values`. See https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for more information regarding the map vales | list | `<list>` | no |
+| kms\_key\_id | ARN of the kms key used to encrypt the CloudTrail logs. If providing a KMS key, `create\_kms\_key` should be set to false | string | `"null"` | no |
+| retention\_in\_days | \(Optional\) Specifies the number of days to retain log events in the log group. Only works if module creates the log group | number | `"7"` | no |
 | tags | A map of tags to add to the cloudtrail resource | map(string) | `<map>` | no |
 
 ## Outputs

diff --git a/main.tf b/main.tf
@@ -8,6 +8,19 @@ locals {
 
   create_log_group_role     = var.cloud_watch_logs_role_arn == null
   cloud_watch_logs_role_arn = local.create_log_group_role ? join("", aws_iam_role.this.*.arn) : var.cloud_watch_logs_role_arn
+
+  kms_key_alias  = "terraform-cloudtrail-kms-key"
+  create_kms_key = var.create_cloudtrail && var.kms_key_id == null
+  kms_key_id     = local.create_kms_key ? module.kms.keys[local.kms_key_alias].arn : var.kms_key_id
+  kms_key_policy = local.create_kms_key ? data.aws_iam_policy_document.kms_key_policy[0].json : ""
+
+  keys = [
+    {
+      alias       = local.kms_key_alias,
+      description = local.kms_key_alias,
+      policy      = local.kms_key_policy
+    }
+  ]
 }
 
 ### RESOURCES ###
@@ -45,6 +58,18 @@ resource "aws_iam_policy_attachment" "this" {
   policy_arn = aws_iam_policy.this[0].arn
 }
 
+module "kms" {
+  source = "git::https://github.com/plus3it/terraform-aws-tardigrade-kms.git?ref=0.0.1"
+
+  providers = {
+    aws = aws
+  }
+
+  create_keys = local.create_kms_key
+  keys        = local.keys
+}
+
+
 resource "aws_cloudtrail" "this" {
   count = var.create_cloudtrail ? 1 : 0
 
@@ -53,6 +78,7 @@ resource "aws_cloudtrail" "this" {
   enable_log_file_validation = true
   is_multi_region_trail      = true
   tags                       = var.tags
+  kms_key_id                 = local.kms_key_id
 
   cloud_watch_logs_group_arn = local.cloud_watch_logs_group_arn
   cloud_watch_logs_role_arn  = local.cloud_watch_logs_role_arn
@@ -124,3 +150,85 @@ data "aws_iam_policy_document" "write_logs" {
     ]
   }
 }
+
+data "aws_iam_policy_document" "kms_key_policy" {
+  count = local.create_kms_key ? 1 : 0
+
+  statement {
+    sid     = "Enable IAM User Permissions"
+    actions = ["kms:*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    resources = ["*"]
+  }
+
+  statement {
+    sid     = "Allow CloudTrail to encrypt logs"
+    actions = ["kms:GenerateDataKey*"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+
+      values = [
+        "arn:${data.aws_partition.current[0].partition}:cloudtrail:*:${data.aws_caller_identity.current[0].account_id}:trail/*"
+      ]
+    }
+
+    resources = ["*"]
+  }
+
+  statement {
+    sid     = "Allow CloudTrail to describe key"
+    actions = ["kms:DescribeKey"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "Allow principals in the account to decrypt log files"
+    actions = [
+      "kms:Decrypt",
+      "kms:ReEncryptFrom"
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+
+      values = [
+        "arn:${data.aws_partition.current[0].partition}:cloudtrail:*:${data.aws_caller_identity.current[0].account_id}:trail/*"
+      ]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "kms:CallerAccount"
+
+      values = [
+        "${data.aws_caller_identity.current[0].account_id}"
+      ]
+    }
+
+    resources = ["*"]
+  }
+}
diff --git a/tests/event_selector/main.tf b/tests/event_selector/main.tf
@@ -32,7 +32,7 @@ data "template_file" "this" {
   }
 }
 
-module "baseline" {
+module "event_selector" {
   source = "../../"
 
   providers = {

diff --git a/tests/multiple_event_selectors/main.tf b/tests/multiple_event_selectors/main.tf
@@ -32,7 +32,7 @@ data "template_file" "this" {
   }
 }
 
-module "baseline" {
+module "multiple_event_selectors" {
   source = "../../"
 
   providers = {

diff --git a/tests/premade_kms_key/README.md b/tests/premade_kms_key/README.md
@@ -0,0 +1,3 @@
+# Premade KMS Key Test
+
+
diff --git a/tests/premade_kms_key/_docs/MAIN.md b/tests/premade_kms_key/_docs/MAIN.md
@@ -0,0 +1 @@
+# Premade KMS Key Test
diff --git a/tests/premade_kms_key/main.tf b/tests/premade_kms_key/main.tf
@@ -0,0 +1,23 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+data "terraform_remote_state" "prereq" {
+  backend = "local"
+  config = {
+    path = "prereq/terraform.tfstate"
+  }
+}
+
+module "premade_kms_key" {
+  source = "../../"
+
+  providers = {
+    aws = aws
+  }
+
+  create_cloudtrail = true
+  cloudtrail_name   = data.terraform_remote_state.prereq.outputs.random_name
+  cloudtrail_bucket = data.terraform_remote_state.prereq.outputs.bucket_id
+  kms_key_id        = data.terraform_remote_state.prereq.outputs.kms_key_id
+}
diff --git a/tests/premade_kms_key/prereq/main.tf b/tests/premade_kms_key/prereq/main.tf
@@ -0,0 +1,53 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+locals {
+  partition = "aws"
+}
+
+data "aws_caller_identity" "current" {}
+
+resource "random_id" "name" {
+  byte_length = 6
+  prefix      = "tardigrade-cloudtrail-"
+}
+
+resource "aws_s3_bucket" "this" {
+  bucket        = random_id.name.hex
+  policy        = join("", data.template_file.this.*.rendered)
+  force_destroy = true
+}
+
+resource "aws_kms_key" "this" {
+  policy = join("", data.template_file.kms_policy.*.rendered)
+}
+
+data "template_file" "this" {
+  template = file("${path.module}/../../templates/cloudtrail-bucket-policy.json")
+
+  vars = {
+    bucket    = random_id.name.hex
+    partition = local.partition
+  }
+}
+
+data "template_file" "kms_policy" {
+  template = file("${path.module}/../../templates/cloudtrail-kms-key-policy.json")
+
+  vars = {
+    account_id = data.aws_caller_identity.current.account_id
+  }
+}
+
+output "random_name" {
+  value = random_id.name.hex
+}
+
+output "bucket_id" {
+  value = aws_s3_bucket.this.id
+}
+
+output "kms_key_id" {
+  value = aws_kms_key.this.arn
+}
diff --git a/tests/premade_kms_key/versions.tf b/tests/premade_kms_key/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.12"
+}
diff --git a/tests/templates/cloudtrail-kms-key-policy.json b/tests/templates/cloudtrail-kms-key-policy.json
@@ -0,0 +1,63 @@
+{
+    "Statement": [
+        {
+            "Action": "kms:*",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": [
+                    "*"
+                ]
+            },
+            "Resource": "*",
+            "Sid": "Enable IAM User Permissions"
+        },
+        {
+            "Action": "kms:GenerateDataKey*",
+            "Condition": {
+                "StringLike": {
+                    "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${account_id}:trail/*"
+                }
+            },
+            "Effect": "Allow",
+            "Principal": {
+                "Service": [
+                    "cloudtrail.amazonaws.com"
+                ]
+            },
+            "Resource": "*",
+            "Sid": "Allow CloudTrail to encrypt logs"
+        },
+        {
+            "Action": "kms:DescribeKey",
+            "Effect": "Allow",
+            "Principal": {
+                "Service": [
+                    "cloudtrail.amazonaws.com"
+                ]
+            },
+            "Resource": "*",
+            "Sid": "Allow CloudTrail to describe key"
+        },
+        {
+            "Action": [
+                "kms:Decrypt",
+                "kms:ReEncryptFrom"
+            ],
+            "Condition": {
+                "StringEquals": {
+                    "kms:CallerAccount": "${account_id}"
+                },
+                "StringLike": {
+                    "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${account_id}:trail/*"
+                }
+            },
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "*"
+            },
+            "Resource": "*",
+            "Sid": "Allow principals in the account to decrypt log files"
+        }
+    ],
+    "Version": "2012-10-17"
+}
diff --git a/variables.tf b/variables.tf
@@ -10,6 +10,12 @@ variable "cloudtrail_name" {
   default     = null
 }
 
+variable "kms_key_id" {
+  description = "ARN of the kms key used to encrypt the CloudTrail logs. If providing a KMS key, `create_kms_key` should be set to false"
+  type        = string
+  default     = null
+}
+
 variable "cloudtrail_bucket" {
   description = "Name of S3 bucket to send CloudTrail logs; bucket must already exist"
   type        = string