Merge pull request #32 from trussworks/cg_encrypt_service_logs

Encrypt ECS service logs
trussworks · Nov 25, 2019 · 413ecdc · 413ecdc
2 parents a0a577a + c8b9bf2
commit 413ecdc
Show file tree

Hide file tree

Showing 4 changed files with 66 additions and 3 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -17,7 +17,7 @@ repos:
       - id: markdownlint
 
   - repo: git://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.19.0
+    rev: v1.21.0
     hooks:
       - id: terraform_docs
       - id: terraform_fmt
@@ -26,5 +26,3 @@ repos:
     rev: v1.21.0
     hooks:
       - id: golangci-lint
-        entry: golangci-lint run --verbose
-        verbose: true
diff --git a/README.md b/README.md
@@ -33,6 +33,7 @@ module "app_ecs_service" {
   ecs_cluster                   = aws_ecs_cluster.mycluster
   ecs_vpc_id                    = module.vpc.vpc_id
   ecs_subnet_ids                = module.vpc.private_subnets
+  kms_key_id                    = aws_kms_key.main.arn
   tasks_desired_count           = 2
   tasks_minimum_healthy_percent = 50
   tasks_maximum_percent         = 200
@@ -55,6 +56,7 @@ module "app_ecs_service" {
   ecs_cluster                   = aws_ecs_cluster.mycluster
   ecs_vpc_id                    = module.vpc.vpc_id
   ecs_subnet_ids                = module.vpc.private_subnets
+  kms_key_id                    = aws_kms_key.main.arn
   tasks_desired_count           = 2
   tasks_minimum_healthy_percent = 50
   tasks_maximum_percent         = 200
@@ -92,6 +94,7 @@ module "app_ecs_service" {
 | environment | Environment tag, e.g prod. | string | n/a | yes |
 | fargate\_task\_cpu | Number of cpu units used in initial task definition. Default is minimum. | string | `"256"` | no |
 | fargate\_task\_memory | Amount (in MiB) of memory used in initial task definition. Default is minimum. | string | `"512"` | no |
+| kms\_key\_id | KMS customer managed key (CMK) ARN for encrypting application logs. | string | n/a | yes |
 | lb\_target\_group | Either Application Load Balancer (ALB) or Network Load Balancer (NLB) target group ARN tasks will register with. | string | `""` | no |
 | logs\_cloudwatch\_group | CloudWatch log group to create and use. Default: /ecs/{name}-{environment} | string | `""` | no |
 | logs\_cloudwatch\_retention | Number of days you want to retain log events in the log group. | string | `"90"` | no |
@@ -119,6 +122,60 @@ module "app_ecs_service" {
 
 ## Upgrade Path
 
+### 2.0.0 to 2.1.0
+
+In 2.1.0 KMS log encryption is required by default. This requires that you create and attach a new AWS KMS key ARN.
+As an example here is how to set that up (please review on your own):
+
+```hcl
+data "aws_iam_policy_document" "cloudwatch_logs_allow_kms" {
+  statement {
+    sid    = "Enable IAM User Permissions"
+    effect = "Allow"
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
+      ]
+    }
+
+    actions = [
+      "kms:*",
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "Allow logs KMS access"
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["logs.us-west-2.amazonaws.com"]
+    }
+
+    actions = [
+      "kms:Encrypt*",
+      "kms:Decrypt*",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_kms_key" "main" {
+  description         = "Key for ECS log encryption"
+  enable_key_rotation = true
+
+  policy = data.aws_iam_policy_document.cloudwatch_logs_allow_kms.json
+}
+```
+
+**NOTE:** Best practice is to use a separate KMS key per ECS Service. Do not re-use KMS keys if it can be avoided.
+
 ### 1.15.0 to 2.0.0
 
 v2.0.0 of this module is built against Terraform v0.12. In addition to

diff --git a/main.tf b/main.tf
@@ -34,6 +34,7 @@
  *   ecs_cluster                   = aws_ecs_cluster.mycluster
  *   ecs_vpc_id                    = module.vpc.vpc_id
  *   ecs_subnet_ids                = module.vpc.private_subnets
+ *   kms_key_id                    = aws_kms_key.main.arn
  *   tasks_desired_count           = 2
  *   tasks_minimum_healthy_percent = 50
  *   tasks_maximum_percent         = 200
@@ -56,6 +57,7 @@
  *   ecs_cluster                   = aws_ecs_cluster.mycluster
  *   ecs_vpc_id                    = module.vpc.vpc_id
  *   ecs_subnet_ids                = module.vpc.private_subnets
+ *   kms_key_id                    = aws_kms_key.main.arn
  *   tasks_desired_count           = 2
  *   tasks_minimum_healthy_percent = 50
  *   tasks_maximum_percent         = 200
@@ -122,6 +124,8 @@ resource "aws_cloudwatch_log_group" "main" {
   name              = local.awslogs_group
   retention_in_days = var.logs_cloudwatch_retention
 
+  kms_key_id = var.kms_key_id
+
   tags = {
     Name        = "${var.name}-${var.environment}"
     Environment = var.environment

diff --git a/variables.tf b/variables.tf
@@ -182,3 +182,7 @@ variable "nlb_subnet_cidr_blocks" {
   type        = list(string)
 }
 
+variable "kms_key_id" {
+  description = "KMS customer managed key (CMK) ARN for encrypting application logs."
+  type        = string
+}