fix(KMS): Kms key for CloudWatch

dasmeta · Dec 3, 2024 · 35f4ebb · 35f4ebb
1 parent 27e2f95
commit 35f4ebb
Show file tree

Hide file tree

Showing 10 changed files with 215 additions and 0 deletions.
diff --git a/modules/kms/README.md b/modules/kms/README.md
@@ -0,0 +1,42 @@
+# cloudwatch-logs-encription
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_kms_alias.alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_kms_key_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key_policy) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_kms_alias_name"></a> [kms\_alias\_name](#input\_kms\_alias\_name) | Alias name for the KMS key | `string` | `"cloudwatch-key"` | no |
+| <a name="input_kms_key_cloudwatch"></a> [kms\_key\_cloudwatch](#input\_kms\_key\_cloudwatch) | KMS key policy for CloudWatch logs | `bool` | `true` | no |
+| <a name="input_kms_key_description"></a> [kms\_key\_description](#input\_kms\_key\_description) | Description for the KMS key | `string` | `"KMS key for CloudWatch log group encryption"` | no |
+| <a name="input_kms_key_policy"></a> [kms\_key\_policy](#input\_kms\_key\_policy) | KMS key policy | `any` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_kms_key_arn"></a> [kms\_key\_arn](#output\_kms\_key\_arn) | The ARN of the KMS key |
+| <a name="output_kms_key_id"></a> [kms\_key\_id](#output\_kms\_key\_id) | The ID of the KMS key |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/kms/data.tf b/modules/kms/data.tf
@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}
diff --git a/modules/kms/locals.tf b/modules/kms/locals.tf
@@ -0,0 +1,34 @@
+locals {
+  cloudwatch_logs_policy = jsonencode(
+    {
+      Id = "CloudWatch"
+      Statement = [
+        {
+          Action = [
+            "kms:*"
+          ],
+          Effect = "Allow"
+          Principal = {
+            Service = "logs.amazonaws.com"
+          }
+
+          Resource = "*"
+          Sid      = "AllowCloudWatchToUseKey"
+        },
+        {
+          Action = [
+            "kms:*"
+          ],
+          Effect = "Allow"
+          Principal = {
+            AWS = data.aws_caller_identity.current.account_id
+          }
+
+          Resource = "*"
+          Sid      = "AllowAccountManageKey"
+        }
+      ]
+      Version = "2012-10-17"
+    }
+  )
+}
diff --git a/modules/kms/main.tf b/modules/kms/main.tf
@@ -0,0 +1,15 @@
+resource "aws_kms_key" "this" {
+  description         = var.kms_key_description
+  enable_key_rotation = true
+}
+
+resource "aws_kms_alias" "alias" {
+  name          = "alias/${var.kms_alias_name}"
+  target_key_id = aws_kms_key.this.id
+}
+
+
+resource "aws_kms_key_policy" "this" {
+  key_id = aws_kms_key.this.id
+  policy = var.kms_key_cloudwatch ? local.cloudwatch_logs_policy : var.kms_key_policy
+}
diff --git a/modules/kms/output.tf b/modules/kms/output.tf
@@ -0,0 +1,9 @@
+output "kms_key_id" {
+  description = "The ID of the KMS key"
+  value       = aws_kms_key.this.id
+}
+
+output "kms_key_arn" {
+  description = "The ARN of the KMS key"
+  value       = aws_kms_key.this.arn
+}
diff --git a/modules/kms/tests/basic/README.md b/modules/kms/tests/basic/README.md
@@ -0,0 +1,29 @@
+# basic
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_kms_for_cloudwatch"></a> [kms\_for\_cloudwatch](#module\_kms\_for\_cloudwatch) | ../../ | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/kms/tests/basic/main.tf b/modules/kms/tests/basic/main.tf
@@ -0,0 +1,6 @@
+module "kms_for_cloudwatch" {
+  source = "../../"
+
+  kms_key_description = "Encryption key for example log group"
+  kms_alias_name      = "example-log-group-key"
+}
diff --git a/modules/kms/tests/policy/README.md b/modules/kms/tests/policy/README.md
@@ -0,0 +1,29 @@
+# policy
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_kms_for_cloudwatch"></a> [kms\_for\_cloudwatch](#module\_kms\_for\_cloudwatch) | ../../ | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/kms/tests/policy/main.tf b/modules/kms/tests/policy/main.tf
@@ -0,0 +1,27 @@
+module "kms_for_cloudwatch" {
+  source = "../../"
+
+  kms_key_description = "Encryption key for example log group"
+  kms_alias_name      = "example-log-group-key"
+  kms_key_cloudwatch  = false
+  kms_key_policy = jsonencode(
+    {
+      Id = "CloudWatch"
+      Statement = [
+        {
+          Action = [
+            "kms:*"
+          ],
+          Effect = "Allow"
+          Principal = {
+            Service = "logs.amazonaws.com"
+          }
+
+          Resource = "*"
+          Sid      = "AllowCloudWatchToUseKey"
+        }
+      ]
+      Version = "2012-10-17"
+    }
+  )
+}
diff --git a/modules/kms/variables.tf b/modules/kms/variables.tf
@@ -0,0 +1,23 @@
+variable "kms_key_description" {
+  description = "Description for the KMS key"
+  type        = string
+  default     = "KMS key for CloudWatch log group encryption"
+}
+
+variable "kms_alias_name" {
+  description = "Alias name for the KMS key"
+  type        = string
+  default     = "cloudwatch-key"
+}
+
+variable "kms_key_cloudwatch" {
+  type        = bool
+  default     = true
+  description = "KMS key policy for CloudWatch logs"
+}
+
+variable "kms_key_policy" {
+  type        = any
+  description = "KMS key policy"
+  default     = null
+}