From d9e13af404cd0e0b2219a582fd9585d60f2aa0a4 Mon Sep 17 00:00:00 2001
From: Ricardo Mendes
Date: Sun, 26 May 2024 20:36:18 -0300
Subject: [PATCH] chore: disable SSE-KMS encryption in S3
---
 .../environments/dev/.terraform.lock.hcl | 1 +
 infrastructure/environments/dev/main.tf | 9 +++++---
 infrastructure/environments/prod/main.tf | 9 +++++---
 infrastructure/environments/qa/main.tf | 9 +++++---
 infrastructure/environments/staging/main.tf | 9 +++++---
 infrastructure/modules/core/kms.tf | 23 +++++++++++--------
 infrastructure/modules/core/outputs.tf | 9 +++++---
 infrastructure/modules/core/s3.tf | 23 +++++++++++--------
 infrastructure/modules/glue/data.tf | 23 +++++++++++--------
 infrastructure/modules/glue/variables.tf | 13 +++++++----
 10 files changed, 79 insertions(+), 49 deletions(-)
diff --git a/infrastructure/environments/dev/.terraform.lock.hcl b/infrastructure/environments/dev/.terraform.lock.hcl
index 559ffc5..1f062d5 100644
--- a/infrastructure/environments/dev/.terraform.lock.hcl
+++ b/infrastructure/environments/dev/.terraform.lock.hcl
@@ -6,6 +6,7 @@ provider "registry.terraform.io/hashicorp/aws" {
 constraints = "~> 5.0"
 hashes = [
 "h1:9qDT1IbwexFiMzv4er3gxNSYjEZvV3gBGoqu3iOu3W4=",
+ "h1:McIRw8larBNW5TeXxyiWd8fD55oj1szEbMOuSQOSDBs=",
 "h1:UkBMGEScvNP+9JDzKXGrgj931LngYpIB8TBBUY+mvdg=",
 "zh:11a4062491e574c8e96b6bc7ced67b5e9338ccfa068223fc9042f9e1e7eda47a",
 "zh:4331f85aeb22223ab656d04b48337a033f44f02f685c8def604c4f8f4687d10f",
diff --git a/infrastructure/environments/dev/main.tf b/infrastructure/environments/dev/main.tf
index 8a2e7c9..2542699 100644
--- a/infrastructure/environments/dev/main.tf
+++ b/infrastructure/environments/dev/main.tf
@@ -8,9 +8,12 @@ module "core" {
 module "glue" {
 source = "../../modules/glue"
- environment = var.environment
- data_bucket_id = module.core.data_bucket_id
- s3_encryption_key_arn = module.core.s3_encryption_key_arn
+ environment = var.environment
+ data_bucket_id = module.core.data_bucket_id
+ # =====================================================================================
+ # DELETE THIS AND UNCOMMENT THE FOLLOWING LINE TO ENABLE SSE-KMS ENCRYPTION IN S3.
+ # =====================================================================================
+ # s3_encryption_key_arn = module.core.s3_encryption_key_arn
 glue_assets_bucket_name = var.glue_assets_bucket_name
 glue_scripts_bucket_name = var.glue_scripts_bucket_name
 }
diff --git a/infrastructure/environments/prod/main.tf b/infrastructure/environments/prod/main.tf
index 8a2e7c9..2542699 100644
--- a/infrastructure/environments/prod/main.tf
+++ b/infrastructure/environments/prod/main.tf
@@ -8,9 +8,12 @@ module "core" {
 module "glue" {
 source = "../../modules/glue"
- environment = var.environment
- data_bucket_id = module.core.data_bucket_id
- s3_encryption_key_arn = module.core.s3_encryption_key_arn
+ environment = var.environment
+ data_bucket_id = module.core.data_bucket_id
+ # =====================================================================================
+ # DELETE THIS AND UNCOMMENT THE FOLLOWING LINE TO ENABLE SSE-KMS ENCRYPTION IN S3.
+ # =====================================================================================
+ # s3_encryption_key_arn = module.core.s3_encryption_key_arn
 glue_assets_bucket_name = var.glue_assets_bucket_name
 glue_scripts_bucket_name = var.glue_scripts_bucket_name
 }
diff --git a/infrastructure/environments/qa/main.tf b/infrastructure/environments/qa/main.tf
index 8a2e7c9..2542699 100644
--- a/infrastructure/environments/qa/main.tf
+++ b/infrastructure/environments/qa/main.tf
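Review bot: The `s3_encryption_key_arn` argument is switched off here by commenting it out, and the prod/main.tf, qa/main.tf and staging/main.tf hunks make the identical change, so production drops customer-managed-key encryption with the same "delete this and uncomment" instruction that was written for the blueprint validation accounts. Commented-out code is a toggle that nothing in `terraform plan` or `validate` reports, so an operator cannot tell from a plan which environments are supposed to be on SSE-KMS. A boolean module input (a constructed name, e.g. `variable "enable_sse_kms" { type = bool, default = false }`) used as `count = var.enable_sse_kms ? 1 : 0` on the KMS key, alias, bucket encryption configuration, output and Glue policy statement would let prod set it to `true` in one line instead of editing five files; the same comment-out pattern appears in the modules/core/kms.tf, outputs.tf, s3.tf, glue/data.tf and glue/variables.tf hunks. The enclosing `module "glue"` block is fully inside the hunk.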
@@ -8,9 +8,12 @@ module "core" {
 module "glue" {
 source = "../../modules/glue"
- environment = var.environment
- data_bucket_id = module.core.data_bucket_id
- s3_encryption_key_arn = module.core.s3_encryption_key_arn
+ environment = var.environment
+ data_bucket_id = module.core.data_bucket_id
+ # =====================================================================================
+ # DELETE THIS AND UNCOMMENT THE FOLLOWING LINE TO ENABLE SSE-KMS ENCRYPTION IN S3.
+ # =====================================================================================
+ # s3_encryption_key_arn = module.core.s3_encryption_key_arn
 glue_assets_bucket_name = var.glue_assets_bucket_name
 glue_scripts_bucket_name = var.glue_scripts_bucket_name
 }
diff --git a/infrastructure/environments/staging/main.tf b/infrastructure/environments/staging/main.tf
index 8a2e7c9..2542699 100644
--- a/infrastructure/environments/staging/main.tf
+++ b/infrastructure/environments/staging/main.tf
@@ -8,9 +8,12 @@ module "core" {
 module "glue" {
 source = "../../modules/glue"
- environment = var.environment
- data_bucket_id = module.core.data_bucket_id
- s3_encryption_key_arn = module.core.s3_encryption_key_arn
+ environment = var.environment
+ data_bucket_id = module.core.data_bucket_id
+ # =====================================================================================
+ # DELETE THIS AND UNCOMMENT THE FOLLOWING LINE TO ENABLE SSE-KMS ENCRYPTION IN S3.
+ # =====================================================================================
+ # s3_encryption_key_arn = module.core.s3_encryption_key_arn
 glue_assets_bucket_name = var.glue_assets_bucket_name
 glue_scripts_bucket_name = var.glue_scripts_bucket_name
 }
diff --git a/infrastructure/modules/core/kms.tf b/infrastructure/modules/core/kms.tf
index 39cbd24..a33e718 100644
--- a/infrastructure/modules/core/kms.tf
+++ b/infrastructure/modules/core/kms.tf
@@ -6,12 +6,17 @@
 # Service keys (SSE-KMS) instead. Please refer to
 # https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html for further
 # details.
-resource "aws_kms_key" "s3" {
- description = "This key protects S3 objects tackled by the AWS Glue CI/CD Blueprint"
- enable_key_rotation = true
-}
-
-resource "aws_kms_alias" "s3" {
- name = "alias/glue-ci-cd-blueprint/s3-${var.environment}"
- target_key_id = aws_kms_key.s3.key_id
-}
+# =======================================================================================
+# THE KMS KEY IS DISABLED BY DEFAULT TO AVOID EXTRA COSTS IN THE BLUEPRINT VALIDATION
+# ACCOUNTS. DELETE THE LINES DELIMITED BY `# =...=` AND UNCOMMENT THE FOLLOWING RESOURCES
+# TO CREATE/ENABLE THEM.
+# =======================================================================================
+# resource "aws_kms_key" "s3" {
+# description = "This key protects S3 objects tackled by the AWS Glue CI/CD Blueprint"
+# enable_key_rotation = true
+# }
+#
+# resource "aws_kms_alias" "s3" {
+# name = "alias/glue-ci-cd-blueprint/s3-${var.environment}"
+# target_key_id = aws_kms_key.s3.key_id
+# }
diff --git a/infrastructure/modules/core/outputs.tf b/infrastructure/modules/core/outputs.tf
index 0b60781..f9bd4ba 100644
--- a/infrastructure/modules/core/outputs.tf
+++ b/infrastructure/modules/core/outputs.tf
@@ -2,6 +2,9 @@ output "data_bucket_id" {
 value = aws_s3_bucket.data.id
 }
-output "s3_encryption_key_arn" {
- value = aws_kms_key.s3.arn
-}
+# =======================================================================================
+# KMS KEY ARE DISABLED BY DEFAULT. PLEASE REFER TO `kms.tf` FOR DETAILS.
+# =======================================================================================
+# output "s3_encryption_key_arn" {
+# value = aws_kms_key.s3.arn
+# }
diff --git a/infrastructure/modules/core/s3.tf b/infrastructure/modules/core/s3.tf
index 2117648..4859fb9 100644
--- a/infrastructure/modules/core/s3.tf
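Review bot: Applying this hunk destroys `aws_kms_key.s3` in any workspace where it already exists rather than merely not creating it, and the resource (old and commented-out alike) sets no `deletion_window_in_days`, so the key goes into pending deletion on the provider's default window; if any objects were already written to the data bucket under `aws:kms` with this key they become unreadable once the deletion completes, and the Glue role, which loses `kms:Decrypt` in the glue/data.tf hunk of this same commit, cannot read them even before that. The new header comment explains only the cost motivation; it should also tell the operator what the apply does to existing data, e.g. `# NOTE: applying this schedules an existing key for deletion. Copy or re-encrypt any SSE-KMS objects in the data bucket first, or cancel the key deletion in KMS before the window expires.` The same destroy-on-apply consequence applies to the outputs.tf hunk that drops `s3_encryption_key_arn`, which any other consumer of the core module will lose without warning.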
+++ b/infrastructure/modules/core/s3.tf
@@ -2,13 +2,16 @@ resource "aws_s3_bucket" "data" {
 bucket = "${var.data_bucket_name}-${var.environment}"
 }
-resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
- bucket = aws_s3_bucket.data.id
-
- rule {
- apply_server_side_encryption_by_default {
- kms_master_key_id = aws_kms_key.s3.arn
- sse_algorithm = "aws:kms"
- }
- }
-}
+# =======================================================================================
+# KMS KEY ARE DISABLED BY DEFAULT. PLEASE REFER TO `kms.tf` FOR DETAILS.
+# =======================================================================================
+# resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
+# bucket = aws_s3_bucket.data.id
+#
+# rule {
+# apply_server_side_encryption_by_default {
+# kms_master_key_id = aws_kms_key.s3.arn
+# sse_algorithm = "aws:kms"
+# }
+# }
+# }
diff --git a/infrastructure/modules/glue/data.tf b/infrastructure/modules/glue/data.tf
index e8f997e..ca92c69 100644
--- a/infrastructure/modules/glue/data.tf
+++ b/infrastructure/modules/glue/data.tf
@@ -3,16 +3,19 @@ data "aws_s3_bucket" "data" {
 }
 data "aws_iam_policy_document" "glue_service_custom" {
- statement {
- effect = "Allow"
- actions = [
- "kms:Decrypt",
- "kms:GenerateDataKey"
- ]
- resources = [
- var.s3_encryption_key_arn
- ]
- }
+ # =====================================================================================
+ # DELETE THIS AND UNCOMMENT THE FOLLOWING STATEMENT TO ENABLE SSE-KMS ENCRYPTION IN S3.
+ # =====================================================================================
+ # statement {
+ # effect = "Allow"
+ # actions = [
+ # "kms:Decrypt",
+ # "kms:GenerateDataKey"
+ # ]
+ # resources = [
+ # var.s3_encryption_key_arn
+ # ]
+ # }
 statement {
 effect = "Allow"
 actions = [
diff --git a/infrastructure/modules/glue/variables.tf b/infrastructure/modules/glue/variables.tf
index be5966c..8119db1 100644
--- a/infrastructure/modules/glue/variables.tf
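Review bot: Removing `aws_s3_bucket_server_side_encryption_configuration.data` altogether leaves the data bucket's encryption unmanaged by this module; on apply the provider removes the bucket encryption configuration, and the bucket then rests on whatever default S3 applies (SSE-S3 on current buckets, as far as I know) rather than on a setting Terraform asserts and drift-checks. If the goal is only to avoid KMS charges, keep the resource and change the rule to `sse_algorithm = "AES256"` with the `kms_master_key_id` line dropped — SSE-S3 has no per-request KMS cost — so the encryption posture stays explicit in the plan and re-enabling SSE-KMS is a two-line change instead of uncommenting a block; when SSE-KMS is restored, `bucket_key_enabled = true` in the same `rule` block would remove most of the KMS request cost that motivated this commit. The comment `# KMS KEY ARE DISABLED BY DEFAULT.` here and in the outputs.tf hunk should read `# THE KMS KEY IS DISABLED BY DEFAULT.`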
+++ b/infrastructure/modules/glue/variables.tf
@@ -10,11 +10,14 @@ variable "data_bucket_id" {
 default = ""
 }
-variable "s3_encryption_key_arn" {
- description = "ARN of the key that protects S3 objects tackled by the AWS Glue CI/CD Blueprint."
- type = string
- default = ""
-}
+# =======================================================================================
+# DELETE THIS AND UNCOMMENT THE FOLLOWING VARIABLE TO ENABLE SSE-KMS ENCRYPTION IN S3.
+# =======================================================================================
+# variable "s3_encryption_key_arn" {
+# description = "ARN of the key that protects S3 objects tackled by the AWS Glue CI/CD Blueprint."
+# type = string
+# default = ""
+# }
 variable "glue_assets_bucket_name" {
 description = "Name of the S3 bucket used to store AWS Glue assets."