Merge pull request #33 from trussworks/mk-add-kms-terratest

Include kms key in simple terratest

examples/simple/main.tf

@@ -1,3 +1,49 @@
+
+#
+# KMS Key
+#
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
+data "aws_iam_policy_document" "cloudwatch_logs_allow_kms" {
+  statement {
+    sid    = "Enable IAM User Permissions"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
+      ]
+    }
+    actions = [
+      "kms:*",
+    ]
+    resources = ["*"]
+  }
+  statement {
+    sid    = "Allow logs KMS access"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
+    }
+    actions = [
+      "kms:Encrypt*",
+      "kms:Decrypt*",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_kms_key" "main" {
+  description         = "Key for ECS log encryption"
+  enable_key_rotation = true
+  policy              = data.aws_iam_policy_document.cloudwatch_logs_allow_kms.json
+}
+
 #
 # ECS Service Module
 #
@@ -8,6 +54,8 @@ module "app_ecs_service" {
   name        = var.ecs_service_name
   environment = "test"
 
+  kms_key_id = aws_kms_key.main.arn
+
   ecs_cluster    = aws_ecs_cluster.main
   ecs_vpc_id     = aws_vpc.main.id
   ecs_subnet_ids = [aws_subnet.main.id]