Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: create KMS key decryption policy for S3 #216

Merged
merged 4 commits into from
Feb 27, 2025
Merged

feat: create KMS key decryption policy for S3 #216

merged 4 commits into from
Feb 27, 2025

Conversation

alexandermarston
Copy link
Contributor

Description

  • Updates the Coralogix AWS Shipper module to accept a s3_bucket_kms_arn variable, to dynamically create the inline policy required for decrypting objects using a KMS Key.

How Has This Been Tested?

Tested locally.

Omitting the variable results in no changes, including the variable results in a new addition to the policy statement.

10:28:43.055 STDOUT terraform: Terraform will perform the following actions:
10:28:43.055 STDOUT terraform:   # aws_iam_policy.lambda_policy["integration"] will be updated in-place
10:28:43.055 STDOUT terraform:   ~ resource "aws_iam_policy" "lambda_policy" {
10:28:43.055 STDOUT terraform:         id               = "arn:aws:iam::xxx:policy/policy-for-coralogix-lambda-dgiK80"
10:28:43.055 STDOUT terraform:         name             = "policy-for-coralogix-lambda-dgiK80"
10:28:43.055 STDOUT terraform:       ~ policy           = jsonencode(

Checklist:

  • I have updated the relevant example in the examples directory for the module.
  • I have updated the relevant test file for the module.
  • This change does not affect module (e.g. it's readme file change)

@alexandermarston alexandermarston requested a review from a team as a code owner February 25, 2025 10:35
@CLAassistant
Copy link

CLAassistant commented Feb 25, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@alexandermarston alexandermarston changed the title Feat coralogix aws shipper kms decrypt Add KMS Key Decryption to Lambda Policy Feb 25, 2025
@alexandermarston alexandermarston force-pushed the feat-coralogix-aws-shipper-kms-decrypt branch from c8ecdea to 0c6907d Compare February 25, 2025 10:39
guyrenny
guyrenny requested changes Feb 26, 2025
View reviewed changes
Copy link
Contributor

@guyrenny guyrenny left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @alexandermarston, looks good, just 2 small things:

  1. If you can add the variable to the README file
  2. In order to release a new version we require the PR title to start with feat: <title>, and the commit messages to also be in the formate of feat: . You can see more information about it here

@alexandermarston
Copy link
Contributor Author

Hey @alexandermarston, looks good, just 2 small things:

  1. If you can add the variable to the README file
  2. In order to release a new version we require the PR title to start with feat: <title>, and the commit messages to also be in the formate of feat: . You can see more information about it here

Thanks for the feedback.

I was wondering if it actually makes more sense to just always create the kms:decrypt policy for * resources when S3 is the backend, rather than a specific KMS key ARN. WDYT?

@guyrenny
Copy link
Contributor

Hey @alexandermarston, looks good, just 2 small things:

  1. If you can add the variable to the README file
  2. In order to release a new version we require the PR title to start with feat: <title>, and the commit messages to also be in the formate of feat: . You can see more information about it here

Thanks for the feedback.

I was wondering if it actually makes more sense to just always create the kms:decrypt policy for * resources when S3 is the backend, rather than a specific KMS key ARN. WDYT?

We prefer to limit the amount of wild cards that we use in the module to avoid security issues, a lot of time we are requested to remove wild cards from the code, so unfortunately, I think that we should leave it as is right now

@alexandermarston alexandermarston changed the title Add KMS Key Decryption to Lambda Policy feat: create KMS key decryption policy for S3 Feb 26, 2025
@alexandermarston
Copy link
Contributor Author

Hey @alexandermarston, looks good, just 2 small things:

  1. If you can add the variable to the README file
  2. In order to release a new version we require the PR title to start with feat: <title>, and the commit messages to also be in the formate of feat: . You can see more information about it here

Thanks for the feedback.
I was wondering if it actually makes more sense to just always create the kms:decrypt policy for * resources when S3 is the backend, rather than a specific KMS key ARN. WDYT?

We prefer to limit the amount of wild cards that we use in the module to avoid security issues, a lot of time we are requested to remove wild cards from the code, so unfortunately, I think that we should leave it as is right now

Got ya.

I've made the changes you've requested.

@guyrenny
Copy link
Contributor

@alexandermarston I have approved the PR, but I just noticed that not all of the Commits have verified signatures, so I can't merge the PR at the moment, if you could sign the unsigned commits please.

@alexandermarston alexandermarston force-pushed the feat-coralogix-aws-shipper-kms-decrypt branch from 88995d9 to d70e46a Compare February 27, 2025 08:51
@alexandermarston
Copy link
Contributor Author

@alexandermarston I have approved the PR, but I just noticed that not all of the Commits have verified signatures, so I can't merge the PR at the moment, if you could sign the unsigned commits please.

Sorry - forgot to resign all of the commit history. It should be sorted now.

@guyrenny guyrenny merged commit 4b73529 into coralogix:master Feb 27, 2025
6 checks passed
@github-actions GitHub Actions
Copy link

🎉 This PR is included in version 2.8.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@guyrenny guyrenny guyrenny approved these changes

Assignees
No one assigned
Labels
released
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@alexandermarston @CLAassistant @guyrenny