Merge pull request #351 from ministryofjustice/custom_kms_key

Allow using a custom kms key

README.md

@@ -69,6 +69,11 @@ module "bastion_linux" {
 }
 ```
 
+#### Note:
+Passing in a custom KMS key? You'll need to make sure the bastion iam role has permissions to use it.
+See `aws_kms_key_policy.bastion_s3` in `main.tf` for an example.
+This module ouputs the bastion iam role object (see `outputs.tf`), so you can use it in your own policy.
+
 ## Looking for issues?
 If you're looking to raise an issue with this module, please create a new issue in the [Modernisation Platform repository](https://github.com/ministryofjustice/modernisation-platform/issues).
 
@@ -156,6 +161,7 @@ In order to prevent older versions from being retained forever, in addition to t
 | <a name="input_autoscaling_cron"></a> [autoscaling\_cron](#input\_autoscaling\_cron) | Cron expressions for scale up and scale down | `map(string)` | <pre>{<br>  "down": "0 20 * * *",<br>  "up": "0 5 * * *"<br>}</pre> | no |
 | <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | Bucket used for bucket log storage and user public keys | `string` | n/a | yes |
 | <a name="input_business_unit"></a> [business\_unit](#input\_business\_unit) | Fixed variable to specify business-unit for RAM shared subnets | `string` | n/a | yes |
+| <a name="input_custom_s3_kms_arn"></a> [custom\_s3\_kms\_arn](#input\_custom\_s3\_kms\_arn) | KMS ARN for S3 bucket encryption | `string` | `""` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | application environment | `string` | n/a | yes |
 | <a name="input_extra_user_data_content"></a> [extra\_user\_data\_content](#input\_extra\_user\_data\_content) | Extra user data content for Bastion ec2 | `string` | `""` | no |
 | <a name="input_instance_name"></a> [instance\_name](#input\_instance\_name) | Name of instance | `string` | `"bastion_linux"` | no |
@@ -173,6 +179,7 @@ In order to prevent older versions from being retained forever, in addition to t
 
 | Name | Description |
 |------|-------------|
+| <a name="output_bastion_iam_role"></a> [bastion\_iam\_role](#output\_bastion\_iam\_role) | IAM role of bastion |
 | <a name="output_bastion_launch_template"></a> [bastion\_launch\_template](#output\_bastion\_launch\_template) | Launch template of bastion |
 | <a name="output_bastion_s3_bucket"></a> [bastion\_s3\_bucket](#output\_bastion\_s3\_bucket) | S3 bucket of bastion |
 | <a name="output_bastion_security_group"></a> [bastion\_security\_group](#output\_bastion\_security\_group) | Security group of bastion |

locals.tf

@@ -0,0 +1,3 @@
+locals {
+  kms_key_arn = var.custom_s3_kms_arn != "" ? var.custom_s3_kms_arn : aws_kms_key.bastion_s3[0].arn
+}

main.tf

@@ -50,6 +50,7 @@ data "aws_vpc_endpoint" "s3" {
 
 # S3
 resource "aws_kms_key" "bastion_s3" {
+  count               = var.custom_s3_kms_arn != "" ? 0 : 1
   enable_key_rotation = true
 
   tags = merge(
@@ -61,12 +62,16 @@ resource "aws_kms_key" "bastion_s3" {
 }
 
 resource "aws_kms_alias" "bastion_s3_alias" {
+  count = var.custom_s3_kms_arn != "" ? 0 : 1
+
   name          = "alias/s3-${var.bucket_name}_key"
-  target_key_id = aws_kms_key.bastion_s3.arn
+  target_key_id = aws_kms_key.bastion_s3[0].arn
 }
 
 resource "aws_kms_key_policy" "bastion_s3" {
-  key_id = aws_kms_key.bastion_s3.id
+  count = var.custom_s3_kms_arn != "" ? 0 : 1
+
+  key_id = aws_kms_key.bastion_s3[0].id
   policy = jsonencode({
     Id = "bastion-key-access"
     Statement = [
@@ -77,7 +82,7 @@ resource "aws_kms_key_policy" "bastion_s3" {
           "AWS" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
         },
         "Action" : "kms:*",
-        "Resource" : aws_kms_key.bastion_s3.arn
+        "Resource" : aws_kms_key.bastion_s3[0].arn
       },
       {
         Action = [
@@ -89,7 +94,7 @@ resource "aws_kms_key_policy" "bastion_s3" {
           AWS = aws_iam_role.bastion_role.arn
         }
 
-        Resource = aws_kms_key.bastion_s3.arn
+        Resource = aws_kms_key.bastion_s3[0].arn
       },
     ]
     Version = "2012-10-17"
@@ -115,6 +120,8 @@ module "s3-bucket" {
   replication_enabled = false
   force_destroy       = true
 
+  custom_kms_key = var.custom_s3_kms_arn != "" ? var.custom_s3_kms_arn : ""
+
   lifecycle_rule = [
     {
       id      = "log"
@@ -169,7 +176,7 @@ resource "aws_s3_object" "bucket_public_keys_readme" {
 
   key        = "public-keys/README.txt"
   content    = "Drop here the ssh public keys of the instances you want to control"
-  kms_key_id = aws_kms_key.bastion_s3.arn
+  kms_key_id = local.kms_key_arn
 
   tags = merge(
     var.tags_common,
@@ -186,7 +193,7 @@ resource "aws_s3_object" "user_public_keys" {
   bucket     = module.s3-bucket.bucket.id
   key        = "public-keys/${each.key}.pub"
   content    = each.value
-  kms_key_id = aws_kms_key.bastion_s3.arn
+  kms_key_id = local.kms_key_arn
 
   tags = merge(
     var.tags_common,
@@ -313,7 +320,7 @@ data "aws_iam_policy_document" "bastion_policy_document" {
       "kms:Encrypt",
       "kms:Decrypt"
     ]
-    resources = [aws_kms_key.bastion_s3.arn]
+    resources = [local.kms_key_arn]
   }
 }
 

outputs.tf

@@ -12,3 +12,9 @@ output "bastion_s3_bucket" {
   description = "S3 bucket of bastion"
   value       = module.s3-bucket
 }
+
+
+output "bastion_iam_role" {
+  description = "IAM role of bastion"
+  value       = aws_iam_role.bastion_role
+}

variables.tf

@@ -108,3 +108,9 @@ variable "autoscaling_cron" {
     "down" = "0 20 * * *" # 20.00 UTC or 21.00 BST
   }
 }
+
+variable "custom_s3_kms_arn" {
+  description = "KMS ARN for S3 bucket encryption"
+  type        = string
+  default     = ""
+}