Merge pull request #66 from confusdcodr/kms_toggle

Add explicit create_kms_key toggle
plus3it · May 18, 2020 · 7f81073 · 7f81073
2 parents b1274cc + e67e713
commit 7f81073
Show file tree

Hide file tree

Showing 12 changed files with 134 additions and 9 deletions.
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,7 +1,6 @@
 [bumpversion]
-current_version = 2.2.3
+current_version = 3.0.0
 commit = True
 message = Bumps version to {new_version}
 tag = False
 tag_name = {new_version}
-
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
+### 3.0.0
+
+**Released**: 2020.05.18
+
+**Commit Delta**: [Change from 2.2.3 release](https://github.com/plus3it/terraform-aws-tardigrade-cloudtrail/compare/2.2.3...3.0.0)
+
+**Summary**:
+
+*   Add explicit create_kms_key toggle
+
 ### 2.2.3
 
 **Released**: 2020.01.08

diff --git a/README.md b/README.md
@@ -25,9 +25,10 @@ Creates an AWS Cloudtrail
 | cloudtrail\_bucket | Name of S3 bucket to send CloudTrail logs; bucket must already exist | `string` | `null` | no |
 | cloudtrail\_name | Name of the trail to create | `string` | `null` | no |
 | create\_cloudtrail | Controls whether to create the CloudTrail | `bool` | `true` | no |
+| create\_kms\_key | Controls whether to create a kms key that Cloudtrail will use to encrypt the logs | `bool` | `true` | no |
 | event\_selectors | List of maps specifying `read_write_type`, `include_management_events`, `type`, and `values`. See https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for more information regarding the map vales | `list` | `[]` | no |
 | kms\_key\_alias | (Optional) The display name of the alias | `string` | `"terraform-cloudtrail-kms-key"` | no |
-| kms\_key\_id | (Optional) ARN of the kms key used to encrypt the CloudTrail logs. If no ARN is provided, the module will create a KMS key to encrypt with | `string` | `null` | no |
+| kms\_key\_id | (Optional) ARN of the kms key used to encrypt the CloudTrail logs. | `string` | `null` | no |
 | retention\_in\_days | (Optional) Specifies the number of days to retain log events in the log group. Only works if module creates the log group | `number` | `7` | no |
 | tags | A map of tags to add to the cloudtrail resource | `map(string)` | `{}` | no |
 

diff --git a/main.tf b/main.tf
@@ -11,9 +11,8 @@ locals {
   cloud_watch_logs_role_arn = local.create_log_group_role ? join("", aws_iam_role.this.*.arn) : var.cloud_watch_logs_role_arn
 
   # kms integration
-  create_kms_key = var.create_cloudtrail && var.kms_key_id == null
-  kms_key_id     = local.create_kms_key ? module.kms.keys[var.kms_key_alias].arn : var.kms_key_id
-  kms_key_policy = local.create_kms_key ? data.aws_iam_policy_document.kms_key_policy[0].json : ""
+  kms_key_id     = var.create_kms_key ? module.kms.keys[var.kms_key_alias].arn : var.kms_key_id
+  kms_key_policy = var.create_kms_key ? data.aws_iam_policy_document.kms_key_policy[0].json : ""
 
   keys = [
     {
@@ -67,7 +66,7 @@ module "kms" {
     aws = aws
   }
 
-  create_keys = local.create_kms_key
+  create_keys = var.create_kms_key
   keys        = local.keys
 }
 
@@ -154,7 +153,7 @@ data "aws_iam_policy_document" "write_logs" {
 }
 
 data "aws_iam_policy_document" "kms_key_policy" {
-  count = local.create_kms_key ? 1 : 0
+  count = var.create_kms_key ? 1 : 0
 
   statement {
     sid     = "Enable IAM User Permissions"

diff --git a/tests/baseline/main.tf b/tests/baseline/main.tf
@@ -37,6 +37,7 @@ module "baseline" {
   }
 
   create_cloudtrail = local.create_cloudtrail
+  create_kms_key    = false
   cloudtrail_name   = random_id.name.hex
   cloudtrail_bucket = aws_s3_bucket.this.id
 }
diff --git a/tests/cocreate_kms_key/README.md b/tests/cocreate_kms_key/README.md
@@ -0,0 +1,27 @@
+# Premade KMS Key Test
+
+
+<!-- BEGIN TFDOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 0.12 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+| template | n/a |
+| terraform | n/a |
+
+## Inputs
+
+No input.
+
+## Outputs
+
+No output.
+
+<!-- END TFDOCS -->
diff --git a/tests/cocreate_kms_key/main.tf b/tests/cocreate_kms_key/main.tf
@@ -0,0 +1,38 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+data "aws_caller_identity" "current" {}
+
+data "terraform_remote_state" "prereq" {
+  backend = "local"
+  config = {
+    path = "prereq/terraform.tfstate"
+  }
+}
+
+resource "aws_kms_key" "this" {
+  policy = join("", data.template_file.kms_policy.*.rendered)
+}
+
+data "template_file" "kms_policy" {
+  template = file("${path.module}/../templates/cloudtrail-kms-key-policy.json")
+
+  vars = {
+    account_id = data.aws_caller_identity.current.account_id
+  }
+}
+
+module "cocreate_kms_key" {
+  source = "../../"
+
+  providers = {
+    aws = aws
+  }
+
+  create_cloudtrail = true
+  create_kms_key    = true
+  cloudtrail_name   = data.terraform_remote_state.prereq.outputs.random_name
+  cloudtrail_bucket = data.terraform_remote_state.prereq.outputs.bucket_id
+  kms_key_id        = aws_kms_key.this.id
+}
diff --git a/tests/cocreate_kms_key/prereq/main.tf b/tests/cocreate_kms_key/prereq/main.tf
@@ -0,0 +1,37 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+locals {
+  partition = "aws"
+}
+
+data "aws_caller_identity" "current" {}
+
+resource "random_id" "name" {
+  byte_length = 6
+  prefix      = "tardigrade-cloudtrail-"
+}
+
+resource "aws_s3_bucket" "this" {
+  bucket        = random_id.name.hex
+  policy        = join("", data.template_file.this.*.rendered)
+  force_destroy = true
+}
+
+data "template_file" "this" {
+  template = file("${path.module}/../../templates/cloudtrail-bucket-policy.json")
+
+  vars = {
+    bucket    = random_id.name.hex
+    partition = local.partition
+  }
+}
+
+output "random_name" {
+  value = random_id.name.hex
+}
+
+output "bucket_id" {
+  value = aws_s3_bucket.this.id
+}
diff --git a/tests/cocreate_kms_key/versions.tf b/tests/cocreate_kms_key/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.12"
+}
diff --git a/tests/go.sum b/tests/go.sum
@@ -375,6 +375,7 @@ golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586 h1:7KByu05hhLed2MO29w7p1X
 golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200109152110-61a87790db17 h1:nVJ3guKA9qdkEQ3TUdXI9QSINo2CUPM/cySEvw2w8I0=
 golang.org/x/crypto v0.0.0-20200109152110-61a87790db17/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -417,6 +418,7 @@ golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7 h1:fHDIZ2oxGnUZRN6WgWFCbYBjH
 golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553 h1:efeOvDhwQ29Dj3SdAV/MJf8oukgn+8D8WgaCaRMchF8=
 golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -542,6 +544,7 @@ gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bl
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

diff --git a/tests/no_cloudtrail/main.tf b/tests/no_cloudtrail/main.tf
@@ -10,4 +10,5 @@ module "no_cloudtrail" {
   }
 
   create_cloudtrail = false
+  create_kms_key    = false
 }
diff --git a/variables.tf b/variables.tf
@@ -10,14 +10,20 @@ variable "cloudtrail_name" {
   default     = null
 }
 
+variable "create_kms_key" {
+  description = "Controls whether to create a kms key that Cloudtrail will use to encrypt the logs"
+  type        = bool
+  default     = true
+}
+
 variable "kms_key_alias" {
   description = "(Optional) The display name of the alias"
   type        = string
   default     = "terraform-cloudtrail-kms-key"
 }
 
 variable "kms_key_id" {
-  description = "(Optional) ARN of the kms key used to encrypt the CloudTrail logs. If no ARN is provided, the module will create a KMS key to encrypt with"
+  description = "(Optional) ARN of the kms key used to encrypt the CloudTrail logs."
   type        = string
   default     = null
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -10,4 +10,5 @@ module "no_cloudtrail" { @@
       }
       create_cloudtrail = false
+      create_kms_key    = false
     }