From 518e6e3e024ca63dd272d8d427a55ea16aa83d1e Mon Sep 17 00:00:00 2001 From: kristianiliev1 Date: Wed, 29 May 2024 17:59:49 +0300 Subject: [PATCH 01/12] Add KMS key creation and conditional policy for SNS --- main.tf | 21 +++++--- modules/monitoring/availability_tests.tf | 4 +- modules/monitoring/cmk.tf | 65 ++++++++++++++++++++++++ modules/monitoring/outputs.tf | 7 +++ modules/monitoring/sns.tf | 4 +- modules/monitoring/variables.tf | 50 ++++++++++++++++++ variables.tf | 36 +++++++++++++ 7 files changed, 176 insertions(+), 11 deletions(-) create mode 100644 modules/monitoring/cmk.tf diff --git a/main.tf b/main.tf index aa52b11..cf74e0a 100644 --- a/main.tf +++ b/main.tf 
@@ -119,13 +119,18 @@ module "monitoring" { count = var.deploy_monitoring ? 1 : 0 - resource_name_prefix = var.resource_name_prefix - aws_region = var.aws_region - route53_availability_check_region = var.monitoring_route53_health_check_aws_region - cloudwatch_alarms_actions_enabled = var.monitoring_actions_enabled - sns_topic_endpoint = var.deploy_monitoring ? var.monitoring_sns_topic_endpoint : null - sns_endpoint_auto_confirms = var.monitoring_endpoint_auto_confirms - sns_protocol = var.monitoring_sns_protocol + resource_name_prefix = var.resource_name_prefix + aws_region = var.aws_region + route53_availability_check_region = var.monitoring_route53_health_check_aws_region + cloudwatch_alarms_actions_enabled = var.monitoring_actions_enabled + sns_topic_endpoint = var.deploy_monitoring ? var.monitoring_sns_topic_endpoint : null + sns_endpoint_auto_confirms = var.monitoring_endpoint_auto_confirms + sns_protocol = var.monitoring_sns_protocol + kms_master_key_id = var.kms_master_key_id + cmk_description = var.cmk_description + sns_key_admin_arn = var.sns_key_admin_arn + enable_cmk = var.enable_cmk + cloudwatch_log_group_retention_in_days = var.monitoring_log_group_retention_in_days route53_availability_request_url = module.load_balancer.lb_dns_name route53_availability_measure_latency = var.monitoring_route53_measure_latency @@ -215,4 +220,4 @@ module "graphdb" { asg_enable_instance_refresh = var.asg_enable_instance_refresh asg_instance_refresh_checkpoint_delay = var.asg_instance_refresh_checkpoint_delay graphdb_enable_userdata_scripts_on_reboot = var.graphdb_enable_userdata_scripts_on_reboot -} +} \ No newline at end of file diff --git a/modules/monitoring/availability_tests.tf b/modules/monitoring/availability_tests.tf index d25e0f5..aaca8b3 100644 --- a/modules/monitoring/availability_tests.tf +++ b/modules/monitoring/availability_tests.tf 
@@ -5,7 +5,9 @@ resource "aws_sns_topic" "graphdb_route53_sns_topic" { provider = aws.useast1 name = "${var.resource_name_prefix}-route53-sns-notifications" - kms_master_key_id = "alias/aws/sns" + kms_master_key_id = var.enable_cmk ? aws_kms_key.cmk[0].arn : "alias/aws/sns" + + } resource "aws_sns_topic_subscription" "graphdb_route53_sns_topic_subscription" { diff --git a/modules/monitoring/cmk.tf b/modules/monitoring/cmk.tf new file mode 100644 index 0000000..ed7fee8 --- /dev/null +++ b/modules/monitoring/cmk.tf 
@@ -0,0 +1,65 @@ +# Creates/manages KMS CMK +resource "aws_kms_key" "cmk" { + count = var.enable_cmk ? 1 : 0 + + #description = var.description + customer_master_key_spec = var.key_spec + is_enabled = var.enabled + enable_key_rotation = var.rotation_enabled + #tags = var.tags + deletion_window_in_days = 30 + + policy = jsonencode({ + "Version" : "2012-10-17", + "Id" : "key-default-1", + "Statement" : [ + { + "Sid" : "Enable IAM User Permissions", + "Effect" : "Allow", + "Principal" : { + "AWS" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" + }, + "Action" : "kms:*", + "Resource" : "*" + }, + { + "Sid" : "Allow access for Key Administrators", + "Effect" : "Allow", + "Principal" : { + #Use 'var.sns_key_admin_arn' if available and root if not provided + "AWS" : var.sns_key_admin_arn != "" ? var.sns_key_admin_arn : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" + + }, + "Action" : "kms:*", + "Resource" : "*" + }, + { + "Sid" : "Allow use of the key", + "Effect" : "Allow", + "Principal" : { + "AWS" : var.sns_key_admin_arn != "" ? var.sns_key_admin_arn : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" + }, + "Action" : [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey" + ], + "Resource" : "*" + } + ] + }) + +} + +# Add an alias to the key +resource "aws_kms_alias" "cmk_alias" { + count = var.enable_cmk ? 1 : 0 + + name = "alias/${var.cmk_key_alias}" + target_key_id = aws_kms_key.cmk[0].key_id +} + + +data "aws_caller_identity" "current" {} \ No newline at end of file diff --git a/modules/monitoring/outputs.tf b/modules/monitoring/outputs.tf index e69de29..0856834 100644 --- a/modules/monitoring/outputs.tf +++ b/modules/monitoring/outputs.tf 
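Review bot: The `Allow use of the key` statement at the end of the new policy grants Encrypt/Decrypt/GenerateDataKey to the key administrator (or to account root when `sns_key_admin_arn` is empty), not to any service principal, so once `enable_cmk` is true neither the SNS service nor CloudWatch, which is what actually publishes alarm notifications to these topics, is allowed to use the key; AWS documents that a service publishing to an SSE topic needs `kms:Decrypt` and `kms:GenerateDataKey*` in the key policy, so I would expect notifications to be dropped. That principal already has `kms:*` two statements up, so the usage statement also adds nothing for it. Add a statement with `"Principal": {"Service": ["cloudwatch.amazonaws.com", "sns.amazonaws.com"]}` and `"Action": ["kms:Decrypt", "kms:GenerateDataKey*"]` (verify the exact set against the current SNS encryption docs), and consider a `validation` block on `sns_key_admin_arn` so an empty value does not silently promote root to administrator in every statement.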
@@ -0,0 +1,7 @@ +output "cmk_arn" { + value = var.enable_cmk && length(aws_kms_key.cmk) > 0 ? aws_kms_key.cmk[0].arn : null +} + +output "cmk_alias_arn" { + value = var.enable_cmk && length(aws_kms_alias.cmk_alias) > 0 ? aws_kms_alias.cmk_alias[0].arn : null +} \ No newline at end of file diff --git a/modules/monitoring/sns.tf b/modules/monitoring/sns.tf index ab03254..560babc 100644 --- a/modules/monitoring/sns.tf +++ b/modules/monitoring/sns.tf @@ -1,8 +1,8 @@ # SNS Topic - resource "aws_sns_topic" "graphdb_sns_topic" { name = "${var.resource_name_prefix}-graphdb-notifications" - kms_master_key_id = "alias/aws/sns" + kms_master_key_id = var.enable_cmk ? aws_kms_key.cmk[0].arn : "alias/aws/sns" + } # SNS Topic subscription diff --git a/modules/monitoring/variables.tf b/modules/monitoring/variables.tf index bac8a95..0fdf6c3 100644 --- a/modules/monitoring/variables.tf +++ b/modules/monitoring/variables.tf 
@@ -119,3 +119,53 @@ variable "route53_availability_check_region" { description = "Define route53 health check region" type = string } + + +#KMS CMK VARS: + +variable "tags" { + description = "A map of tags to assign to the resources." + type = map(string) + default = {} +} + + +variable "kms_master_key_id" { + description = "ARN of the Customer Managed Key (CMK)." + type = string + default = "" +} + +variable "cmk_description" { + default = "KMS Key to encrypt SNS" +} + +variable "key_spec" { + default = "SYMMETRIC_DEFAULT" +} + +variable "enabled" { + default = true +} + +variable "rotation_enabled" { + default = true +} + +variable "cmk_key_alias" { + description = "The alias for the CMK key." + type = string + default = "graphdb-cmk-key" +} + +variable "enable_cmk" { + description = "Enable CMK for encryption. If false, use AWS managed key." + type = bool + default = false +} + +variable "sns_key_admin_arn" { + description = "ARN of the role or user who will have administrative access to the SNS KMS key" + type = string + default = "" +} \ No newline at end of file diff --git a/variables.tf b/variables.tf index a78dfa7..07e3957 100644 --- a/variables.tf +++ b/variables.tf 
@@ -469,3 +469,39 @@ variable "graphdb_enable_userdata_scripts_on_reboot" { type = bool default = false } + +#cmk building in progress +variable "enable_cmk" { + description = "Enable CMK for encryption. If false, use AWS managed key." + type = bool + default = false +} + +variable "kms_master_key_id" { + description = "ARN of the Customer Managed Key (CMK)." + type = string + default = "" +} + +variable "policy" { + description = "The IAM policy JSON document." + type = string + default = "" +} + +variable "tags" { + description = "A map of tags to assign to the resources." + type = map(string) + default = {} +} + +variable "cmk_description" { + type = string + default = "KMS Key to encrypt SNS" +} + +variable "sns_key_admin_arn" { + description = "ARN of the role or user who will have administrative access to the SNS KMS key" + type = string + default = "" +} \ No newline at end of file From 8ebeac4b274055029f5a89f562315767f485a69d Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 29 May 2024 15:02:50 +0000 Subject: [PATCH 02/12] terraform-docs: updated markdown table --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index bb1ab03..48d0f61 100644 --- a/README.md +++ b/README.md 
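Review bot: `variable "policy"` (described as "The IAM policy JSON document") is declared at the root but is not passed to `module "monitoring"` in this series' main.tf change, and the module's cmk.tf builds its key policy inline, so a caller who sets it gets no effect and may believe they have overridden the key policy. Either wire it through (for example `policy = var.policy != "" ? var.policy : jsonencode({...})` on the key resource) or drop the variable. The same applies to `kms_master_key_id`, which main.tf passes into the module but nothing in cmk.tf or sns.tf reads; the topics select the key from `enable_cmk` alone.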
@@ -161,6 +161,12 @@ Before you begin using this Terraform module, ensure you meet the following prer | asg\_enable\_instance\_refresh | Enables instance refresh for the GraphDB Auto scaling group. A refresh is started when any of the following Auto Scaling Group properties change: launch\_configuration, launch\_template, mixed\_instances\_policy | `bool` | `false` | no | | asg\_instance\_refresh\_checkpoint\_delay | Number of seconds to wait after a checkpoint. | `number` | `3600` | no | | graphdb\_enable\_userdata\_scripts\_on\_reboot | (Experimental) Modifies cloud-config to always run user data scripts on EC2 boot | `bool` | `false` | no | +| enable\_cmk | Enable CMK for encryption. If false, use AWS managed key. | `bool` | `false` | no | +| kms\_master\_key\_id | ARN of the Customer Managed Key (CMK). | `string` | `""` | no | +| policy | The IAM policy JSON document. | `string` | `""` | no | +| tags | A map of tags to assign to the resources. | `map(string)` | `{}` | no | +| cmk\_description | n/a | `string` | `"KMS Key to encrypt SNS"` | no | +| sns\_key\_admin\_arn | ARN of the role or user who will have administrative access to the SNS KMS key | `string` | `""` | no | ## Usage From b68e3c22a5ac096c0f0dbf662e970e54e7b5eb5c Mon Sep 17 00:00:00 2001 From: kristianiliev1 Date: Thu, 30 May 2024 15:35:24 +0300 Subject: [PATCH 03/12] Fix comments from Simeon --- modules/monitoring/availability_tests.tf | 2 -- modules/monitoring/cmk.tf | 14 ++++++-------- modules/monitoring/outputs.tf | 2 ++ modules/monitoring/sns.tf | 2 +- modules/monitoring/variables.tf | 9 +++++---- variables.tf | 8 +++++--- 6 files changed, 19 insertions(+), 18 deletions(-) diff --git a/modules/monitoring/availability_tests.tf b/modules/monitoring/availability_tests.tf index aaca8b3..0ba3586 100644 --- a/modules/monitoring/availability_tests.tf +++ b/modules/monitoring/availability_tests.tf 
@@ -6,8 +6,6 @@ resource "aws_sns_topic" "graphdb_route53_sns_topic" { provider = aws.useast1 name = "${var.resource_name_prefix}-route53-sns-notifications" kms_master_key_id = var.enable_cmk ? aws_kms_key.cmk[0].arn : "alias/aws/sns" - - } resource "aws_sns_topic_subscription" "graphdb_route53_sns_topic_subscription" { diff --git a/modules/monitoring/cmk.tf b/modules/monitoring/cmk.tf index ed7fee8..4cc79a1 100644 --- a/modules/monitoring/cmk.tf +++ b/modules/monitoring/cmk.tf @@ -2,16 +2,16 @@ resource "aws_kms_key" "cmk" { count = var.enable_cmk ? 1 : 0 - #description = var.description + description = var.cmk_description customer_master_key_spec = var.key_spec - is_enabled = var.enabled + is_enabled = var.key_enabled enable_key_rotation = var.rotation_enabled - #tags = var.tags - deletion_window_in_days = 30 + tags = var.tags + deletion_window_in_days = 30 policy = jsonencode({ "Version" : "2012-10-17", - "Id" : "key-default-1", + "Id" : "kms-key-policy-access-control", "Statement" : [ { "Sid" : "Enable IAM User Permissions", @@ -26,7 +26,7 @@ resource "aws_kms_key" "cmk" { "Sid" : "Allow access for Key Administrators", "Effect" : "Allow", "Principal" : { - #Use 'var.sns_key_admin_arn' if available and root if not provided + # Use 'var.sns_key_admin_arn' if available and root if not provided "AWS" : var.sns_key_admin_arn != "" ? var.sns_key_admin_arn : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }, @@ -50,7 +50,6 @@ resource "aws_kms_key" "cmk" { } ] }) - } # Add an alias to the key @@ -61,5 +60,4 @@ resource "aws_kms_alias" "cmk_alias" { target_key_id = aws_kms_key.cmk[0].key_id } - data "aws_caller_identity" "current" {} \ No newline at end of file diff --git a/modules/monitoring/outputs.tf b/modules/monitoring/outputs.tf index 0856834..b2bf285 100644 --- a/modules/monitoring/outputs.tf +++ b/modules/monitoring/outputs.tf 
@@ -1,7 +1,9 @@ output "cmk_arn" { + description = "ARN of the KMS CMK" value = var.enable_cmk && length(aws_kms_key.cmk) > 0 ? aws_kms_key.cmk[0].arn : null } output "cmk_alias_arn" { + description = "ARN of the CMK Alias" value = var.enable_cmk && length(aws_kms_alias.cmk_alias) > 0 ? aws_kms_alias.cmk_alias[0].arn : null } \ No newline at end of file diff --git a/modules/monitoring/sns.tf b/modules/monitoring/sns.tf index 560babc..07ed2fd 100644 --- a/modules/monitoring/sns.tf +++ b/modules/monitoring/sns.tf @@ -1,8 +1,8 @@ # SNS Topic + resource "aws_sns_topic" "graphdb_sns_topic" { name = "${var.resource_name_prefix}-graphdb-notifications" kms_master_key_id = var.enable_cmk ? aws_kms_key.cmk[0].arn : "alias/aws/sns" - } # SNS Topic subscription diff --git a/modules/monitoring/variables.tf b/modules/monitoring/variables.tf index 0fdf6c3..38f8047 100644 --- a/modules/monitoring/variables.tf +++ b/modules/monitoring/variables.tf @@ -120,8 +120,7 @@ variable "route53_availability_check_region" { type = string } - -#KMS CMK VARS: +# KMS CMK VARS: variable "tags" { description = "A map of tags to assign to the resources." @@ -129,7 +128,6 @@ variable "tags" { default = {} } - variable "kms_master_key_id" { description = "ARN of the Customer Managed Key (CMK)." type = string @@ -137,14 +135,17 @@ variable "kms_master_key_id" { } variable "cmk_description" { + description = "Description of the Key to be created" default = "KMS Key to encrypt SNS" } variable "key_spec" { + description = "Specification of the Key" default = "SYMMETRIC_DEFAULT" } -variable "enabled" { +variable "key_enabled" { + description = "Specifies whether the key is enabled" default = true } diff --git a/variables.tf b/variables.tf index 07e3957..3c75543 100644 --- a/variables.tf +++ b/variables.tf 
@@ -470,7 +470,8 @@ variable "graphdb_enable_userdata_scripts_on_reboot" { default = false } -#cmk building in progress +# KMS CMK + variable "enable_cmk" { description = "Enable CMK for encryption. If false, use AWS managed key." type = bool @@ -483,7 +484,7 @@ variable "kms_master_key_id" { default = "" } -variable "policy" { +variable "sns_cmk_policy" { description = "The IAM policy JSON document." type = string default = "" @@ -496,12 +497,13 @@ variable "tags" { } variable "cmk_description" { + description = "Description for the key" type = string default = "KMS Key to encrypt SNS" } variable "sns_key_admin_arn" { - description = "ARN of the role or user who will have administrative access to the SNS KMS key" + description = "ARN of the role or user granted administrative access to the SNS KMS key" type = string default = "" } \ No newline at end of file From be5a82dbc0d6af5c5e2f24f95c7ae4bc4218dac2 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Thu, 30 May 2024 12:39:00 +0000 Subject: [PATCH 04/12] terraform-docs: updated markdown table --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 48d0f61..3791d29 100644 --- a/README.md +++ b/README.md 
@@ -163,10 +163,10 @@ Before you begin using this Terraform module, ensure you meet the following prer | graphdb\_enable\_userdata\_scripts\_on\_reboot | (Experimental) Modifies cloud-config to always run user data scripts on EC2 boot | `bool` | `false` | no | | enable\_cmk | Enable CMK for encryption. If false, use AWS managed key. | `bool` | `false` | no | | kms\_master\_key\_id | ARN of the Customer Managed Key (CMK). | `string` | `""` | no | -| policy | The IAM policy JSON document. | `string` | `""` | no | +| sns\_cmk\_policy | The IAM policy JSON document. | `string` | `""` | no | | tags | A map of tags to assign to the resources. | `map(string)` | `{}` | no | -| cmk\_description | n/a | `string` | `"KMS Key to encrypt SNS"` | no | -| sns\_key\_admin\_arn | ARN of the role or user who will have administrative access to the SNS KMS key | `string` | `""` | no | +| cmk\_description | Description for the key | `string` | `"KMS Key to encrypt SNS"` | no | +| sns\_key\_admin\_arn | ARN of the role or user granted administrative access to the SNS KMS key | `string` | `""` | no | ## Usage From d0431669604baafb38e5aae63b3f59e331da1745 Mon Sep 17 00:00:00 2001 From: kristianiliev1 Date: Thu, 30 May 2024 15:44:28 +0300 Subject: [PATCH 05/12] Fix formating --- modules/monitoring/outputs.tf | 4 ++-- modules/monitoring/variables.tf | 6 +++--- variables.tf | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/modules/monitoring/outputs.tf b/modules/monitoring/outputs.tf index b2bf285..f97624f 100644 --- a/modules/monitoring/outputs.tf +++ b/modules/monitoring/outputs.tf 
@@ -1,9 +1,9 @@ output "cmk_arn" { description = "ARN of the KMS CMK" - value = var.enable_cmk && length(aws_kms_key.cmk) > 0 ? aws_kms_key.cmk[0].arn : null + value = var.enable_cmk && length(aws_kms_key.cmk) > 0 ? aws_kms_key.cmk[0].arn : null } output "cmk_alias_arn" { description = "ARN of the CMK Alias" - value = var.enable_cmk && length(aws_kms_alias.cmk_alias) > 0 ? aws_kms_alias.cmk_alias[0].arn : null + value = var.enable_cmk && length(aws_kms_alias.cmk_alias) > 0 ? aws_kms_alias.cmk_alias[0].arn : null } \ No newline at end of file diff --git a/modules/monitoring/variables.tf b/modules/monitoring/variables.tf index 38f8047..e0bc887 100644 --- a/modules/monitoring/variables.tf +++ b/modules/monitoring/variables.tf @@ -136,17 +136,17 @@ variable "kms_master_key_id" { variable "cmk_description" { description = "Description of the Key to be created" - default = "KMS Key to encrypt SNS" + default = "KMS Key to encrypt SNS" } variable "key_spec" { description = "Specification of the Key" - default = "SYMMETRIC_DEFAULT" + default = "SYMMETRIC_DEFAULT" } variable "key_enabled" { description = "Specifies whether the key is enabled" - default = true + default = true } variable "rotation_enabled" { diff --git a/variables.tf b/variables.tf index 3c75543..0f1fda6 100644 --- a/variables.tf +++ b/variables.tf @@ -498,8 +498,8 @@ variable "tags" { variable "cmk_description" { description = "Description for the key" - type = string - default = "KMS Key to encrypt SNS" + type = string + default = "KMS Key to encrypt SNS" } variable "sns_key_admin_arn" { From 1c1a5eff889f18fca4bc622a926e2d7ae5e35b06 Mon Sep 17 00:00:00 2001 From: kristianiliev1 Date: Fri, 31 May 2024 10:46:00 +0300 Subject: [PATCH 06/12] fix comments from Viktor --- modules/monitoring/cmk.tf | 2 +- modules/monitoring/variables.tf | 15 +++++++++++++-- variables.tf | 10 ++++++++-- 3 files changed, 22 insertions(+), 5 deletions(-) 
diff --git a/modules/monitoring/cmk.tf b/modules/monitoring/cmk.tf index 4cc79a1..fd7d387 100644 --- a/modules/monitoring/cmk.tf +++ b/modules/monitoring/cmk.tf @@ -7,7 +7,7 @@ resource "aws_kms_key" "cmk" { is_enabled = var.key_enabled enable_key_rotation = var.rotation_enabled tags = var.tags - deletion_window_in_days = 30 + deletion_window_in_days = var.deletion_window_in_days policy = jsonencode({ "Version" : "2012-10-17", diff --git a/modules/monitoring/variables.tf b/modules/monitoring/variables.tf index e0bc887..358378b 100644 --- a/modules/monitoring/variables.tf +++ b/modules/monitoring/variables.tf @@ -136,20 +136,31 @@ variable "kms_master_key_id" { variable "cmk_description" { description = "Description of the Key to be created" + type = string default = "KMS Key to encrypt SNS" } +variable "deletion_window_in_days" { + description = "The waiting period, specified in number of days for AWS to delete the KMS key(Between 7 and 30)." + type = number + default = 30 +} + variable "key_spec" { - description = "Specification of the Key" + description = "Specification of the Key." + type = string default = "SYMMETRIC_DEFAULT" } variable "key_enabled" { - description = "Specifies whether the key is enabled" + description = "Specifies whether the key is enabled." + type = bool default = true } variable "rotation_enabled" { + description = "Specifies whether key rotation is enabled." + type = bool default = true } diff --git a/variables.tf b/variables.tf index 0f1fda6..3f72833 100644 --- a/variables.tf +++ b/variables.tf 
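Review bot: `deletion_window_in_days` documents the 7–30 range in its description but does not enforce it, so an out-of-range value is only rejected by the KMS API at apply time; a `validation` block catches it at plan. `key_spec` likewise accepts any KMS key spec, while SNS server-side encryption only works with a symmetric key, so any value other than `SYMMETRIC_DEFAULT` produces a key the topics cannot use — I would restrict it the same way.
```hcl
variable "deletion_window_in_days" {
  # … unchanged: description, type, default …

  validation {
    condition     = var.deletion_window_in_days >= 7 && var.deletion_window_in_days <= 30
    error_message = "deletion_window_in_days must be between 7 and 30."
  }
}

variable "key_spec" {
  # … unchanged: description, type, default …

  validation {
    condition     = var.key_spec == "SYMMETRIC_DEFAULT"
    error_message = "SNS server-side encryption requires a symmetric KMS key (SYMMETRIC_DEFAULT)."
  }
}
```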
@@ -503,7 +503,13 @@ variable "cmk_description" { } variable "sns_key_admin_arn" { - description = "ARN of the role or user granted administrative access to the SNS KMS key" + description = "ARN of the role or user granted administrative access to the SNS KMS key." type = string default = "" -} \ No newline at end of file +} + +variable "deletion_window_in_days" { + description = "The waiting period, specified in number of days for AWS to delete the KMS key(Between 7 and 30)." + type = number + default = 30 +} \ No newline at end of file From 16d60443a3f1af6b9829d3414085cbfe6224a29e Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Fri, 31 May 2024 07:46:29 +0000 Subject: [PATCH 07/12] terraform-docs: updated markdown table --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 3791d29..eedb739 100644 --- a/README.md +++ b/README.md @@ -166,7 +166,8 @@ Before you begin using this Terraform module, ensure you meet the following prer | sns\_cmk\_policy | The IAM policy JSON document. | `string` | `""` | no | | tags | A map of tags to assign to the resources. | `map(string)` | `{}` | no | | cmk\_description | Description for the key | `string` | `"KMS Key to encrypt SNS"` | no | -| sns\_key\_admin\_arn | ARN of the role or user granted administrative access to the SNS KMS key | `string` | `""` | no | +| sns\_key\_admin\_arn | ARN of the role or user granted administrative access to the SNS KMS key. | `string` | `""` | no | +| deletion\_window\_in\_days | The waiting period, specified in number of days for AWS to delete the KMS key(Between 7 and 30). | `number` | `30` | no | ## Usage From b85645c816c23ee762afc6fa369ff9dc23450b3b Mon Sep 17 00:00:00 2001 From: kristianiliev1 Date: Fri, 31 May 2024 10:51:54 +0300 Subject: [PATCH 08/12] fix formating --- modules/monitoring/variables.tf | 8 ++++---- variables.tf | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) 
diff --git a/modules/monitoring/variables.tf b/modules/monitoring/variables.tf index 358378b..44e0277 100644 --- a/modules/monitoring/variables.tf +++ b/modules/monitoring/variables.tf @@ -143,8 +143,8 @@ variable "cmk_description" { variable "deletion_window_in_days" { description = "The waiting period, specified in number of days for AWS to delete the KMS key(Between 7 and 30)." type = number - default = 30 -} + default = 30 +} variable "key_spec" { description = "Specification of the Key." @@ -160,8 +160,8 @@ variable "key_enabled" { variable "rotation_enabled" { description = "Specifies whether key rotation is enabled." - type = bool - default = true + type = bool + default = true } variable "cmk_key_alias" { diff --git a/variables.tf b/variables.tf index 3f72833..915e9e7 100644 --- a/variables.tf +++ b/variables.tf @@ -511,5 +511,5 @@ variable "sns_key_admin_arn" { variable "deletion_window_in_days" { description = "The waiting period, specified in number of days for AWS to delete the KMS key(Between 7 and 30)." type = number - default = 30 + default = 30 } \ No newline at end of file From e0f8d02131a5ceb8bd440f2ea47feb5f173c611c Mon Sep 17 00:00:00 2001 From: kristianiliev1 Date: Fri, 21 Jun 2024 14:20:32 +0300 Subject: [PATCH 09/12] fix comments, add proper encryption --- main.tf | 12 ++- modules/monitoring/availability_tests.tf | 2 +- modules/monitoring/cmk.tf | 104 ++++++++++++++++++----- modules/monitoring/iam.tf | 24 ++++++ modules/monitoring/outputs.tf | 8 +- modules/monitoring/sns.tf | 2 +- modules/monitoring/variables.tf | 36 +++----- variables.tf | 64 +++++++++----- 8 files changed, 179 insertions(+), 73 deletions(-) create mode 100644 modules/monitoring/iam.tf diff --git a/main.tf b/main.tf index cf74e0a..a7a0051 100644 --- a/main.tf +++ b/main.tf 
@@ -126,10 +126,16 @@ module "monitoring" { sns_topic_endpoint = var.deploy_monitoring ? var.monitoring_sns_topic_endpoint : null sns_endpoint_auto_confirms = var.monitoring_endpoint_auto_confirms sns_protocol = var.monitoring_sns_protocol - kms_master_key_id = var.kms_master_key_id - cmk_description = var.cmk_description + sns_cmk_description = var.sns_cmk_description sns_key_admin_arn = var.sns_key_admin_arn - enable_cmk = var.enable_cmk + enable_sns_kms_key = var.enable_sns_kms_key + sns_external_kms_key = var.sns_external_kms_key + rotation_enabled = var.rotation_enabled + deletion_window_in_days = var.deletion_window_in_days + key_enabled = var.key_enabled + key_spec = var.key_spec + sns_default_kms_key = var.sns_default_kms_key + cmk_key_alias = var.cmk_key_alias cloudwatch_log_group_retention_in_days = var.monitoring_log_group_retention_in_days route53_availability_request_url = module.load_balancer.lb_dns_name diff --git a/modules/monitoring/availability_tests.tf b/modules/monitoring/availability_tests.tf index 0ba3586..cd1e224 100644 --- a/modules/monitoring/availability_tests.tf +++ b/modules/monitoring/availability_tests.tf @@ -5,7 +5,7 @@ resource "aws_sns_topic" "graphdb_route53_sns_topic" { provider = aws.useast1 name = "${var.resource_name_prefix}-route53-sns-notifications" - kms_master_key_id = var.enable_cmk ? aws_kms_key.cmk[0].arn : "alias/aws/sns" + kms_master_key_id = var.sns_external_kms_key != "" ? var.sns_external_kms_key : (var.enable_sns_kms_key ? aws_kms_key.sns_cmk[0].arn : var.sns_default_kms_key) } resource "aws_sns_topic_subscription" "graphdb_route53_sns_topic_subscription" { diff --git a/modules/monitoring/cmk.tf b/modules/monitoring/cmk.tf index fd7d387..b3e8be1 100644 --- a/modules/monitoring/cmk.tf +++ b/modules/monitoring/cmk.tf 
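Review bot: `graphdb_route53_sns_topic` is created with `provider = aws.useast1`, but `aws_kms_key.sns_cmk` (cmk.tf) has no provider override and so lives in the module's default region; KMS keys are regional, so whenever `enable_sns_kms_key` is true and the deployment region is not us-east-1 this topic is pointed at a key ARN from another region and will either fail to create or fail to encrypt (a multi-region key would be the exception). Either create a second key with `provider = aws.useast1` for this topic, or document that the CMK option only covers the main-region topic and fall back to `var.sns_default_kms_key` here. The same constraint applies to `var.sns_external_kms_key`, which must be a key or replica in us-east-1 to be valid for this topic; the variable description does not say so.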
@@ -1,13 +1,21 @@ +data "aws_region" "current" {} + +data "aws_caller_identity" "current" {} + # Creates/manages KMS CMK -resource "aws_kms_key" "cmk" { - count = var.enable_cmk ? 1 : 0 +resource "aws_kms_key" "sns_cmk" { + count = var.enable_sns_kms_key ? 1 : 0 - description = var.cmk_description + description = var.sns_cmk_description customer_master_key_spec = var.key_spec is_enabled = var.key_enabled enable_key_rotation = var.rotation_enabled - tags = var.tags deletion_window_in_days = var.deletion_window_in_days +} + +resource "aws_kms_key_policy" "sns_cmk_policy" { + count = var.enable_sns_kms_key ? 1 : 0 + key_id = aws_kms_key.sns_cmk[0].id policy = jsonencode({ "Version" : "2012-10-17", 
@@ -17,27 +25,44 @@ resource "aws_kms_key" "cmk" { "Sid" : "Enable IAM User Permissions", "Effect" : "Allow", "Principal" : { - "AWS" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" + "AWS" : var.sns_key_admin_arn != "" ? var.sns_key_admin_arn : aws_iam_role.sns_topic_role.arn }, "Action" : "kms:*", - "Resource" : "*" + "Resource" : "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/${aws_kms_key.sns_cmk[0].id}" }, { "Sid" : "Allow access for Key Administrators", "Effect" : "Allow", "Principal" : { - # Use 'var.sns_key_admin_arn' if available and root if not provided - "AWS" : var.sns_key_admin_arn != "" ? var.sns_key_admin_arn : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" - + "AWS" : var.sns_key_admin_arn != "" ? var.sns_key_admin_arn : aws_iam_role.sns_topic_role.arn }, - "Action" : "kms:*", - "Resource" : "*" + "Action" : [ + "kms:CreateAlias", + "kms:CreateKey", + "kms:Encrypt", + "kms:Decrypt", + "kms:DeleteAlias", + "kms:DescribeKey", + "kms:GetKeyPolicy", + "kms:GetKeyRotationStatus", + "kms:ListAliases", + "kms:ListGrants", + "kms:ListKeyPolicies", + "kms:ListKeys", + "kms:PutKeyPolicy", + "kms:UpdateAlias", + "kms:EnableKeyRotation", + "kms:ListResourceTags", + "kms:ScheduleKeyDeletion", + "kms:DisableKeyRotation" + ], + "Resource" : "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/${aws_kms_key.sns_cmk[0].id}" }, { "Sid" : "Allow use of the key", "Effect" : "Allow", "Principal" : { - "AWS" : var.sns_key_admin_arn != "" ? var.sns_key_admin_arn : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" + "AWS" : var.sns_key_admin_arn != "" ? var.sns_key_admin_arn : aws_iam_role.sns_topic_role.arn }, "Action" : [ "kms:Encrypt", 
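Review bot: The rewritten `Enable IAM User Permissions` statement now gives `kms:*` to `var.sns_key_admin_arn`, or by default to `aws_iam_role.sns_topic_role`, which makes the enumerated `Allow access for Key Administrators` and `Allow use of the key` statements for the same principal redundant and leaves that principal free to `PutKeyPolicy`, `ScheduleKeyDeletion` and create grants on the key. Defaulting the full-access principal to a role that, per iam.tf in this patch, service principals can assume is a wider grant than the monitoring topics need. I would drop the `kms:*` statement, keep the enumerated administrator list, and make `sns_key_admin_arn` required when `enable_sns_kms_key` is true rather than falling back to the role; the account root keeps `kms:PutKeyPolicy` in the last statement, so there is no lock-out risk.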
@@ -46,18 +71,59 @@ resource "aws_kms_key" "cmk" { "kms:GenerateDataKey*", "kms:DescribeKey" ], - "Resource" : "*" + "Resource" : "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/${aws_kms_key.sns_cmk[0].id}" + }, + { + "Sid" : "Allow use of the key for SNS", + "Effect" : "Allow", + "Principal" : { + "Service" : [ + "sns.amazonaws.com", + "ec2.amazonaws.com" + ] + }, + "Action" : [ + "kms:GenerateDataKeyWithoutPlaintext", + "kms:DescribeKey" + ], + "Resource" : "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/${aws_kms_key.sns_cmk[0].id}" + }, + { + "Sid" : "Allow root user to manage key", + "Effect" : "Allow", + "Principal" : { + "AWS" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" + }, + "Action" : [ + "kms:CreateAlias", + "kms:CreateKey", + "kms:Encrypt", + "kms:Decrypt", + "kms:DeleteAlias", + "kms:DescribeKey", + "kms:GetKeyPolicy", + "kms:GetKeyRotationStatus", + "kms:ListAliases", + "kms:ListGrants", + "kms:ListKeyPolicies", + "kms:ListKeys", + "kms:PutKeyPolicy", + "kms:UpdateAlias", + "kms:EnableKeyRotation", + "kms:ListResourceTags", + "kms:ScheduleKeyDeletion", + "kms:DisableKeyRotation" + ], + "Resource" : "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/${aws_kms_key.sns_cmk[0].id}" } ] }) } # Add an alias to the key -resource "aws_kms_alias" "cmk_alias" { - count = var.enable_cmk ? 1 : 0 +resource "aws_kms_alias" "sns_cmk_alias" { + count = var.enable_sns_kms_key ? 1 : 0 name = "alias/${var.cmk_key_alias}" - target_key_id = aws_kms_key.cmk[0].key_id -} - -data "aws_caller_identity" "current" {} \ No newline at end of file + target_key_id = aws_kms_key.sns_cmk[0].key_id +} \ No newline at end of file diff --git a/modules/monitoring/iam.tf b/modules/monitoring/iam.tf new file mode 100644 index 0000000..4b57ef1 --- /dev/null +++ b/modules/monitoring/iam.tf 
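Review bot: The `Allow use of the key for SNS` statement grants only `kms:GenerateDataKeyWithoutPlaintext` and `kms:DescribeKey` to `sns.amazonaws.com` and `ec2.amazonaws.com`, but the publishers of these topics are CloudWatch alarms and `cloudwatch.amazonaws.com` is absent; AWS documents that a service publishing to an SSE topic needs `kms:Decrypt` and `kms:GenerateDataKey*` in the key policy, so with this policy alarm notifications are likely to be rejected with a KMS access error rather than delivered. `ec2.amazonaws.com` has no visible consumer of this key anywhere in the module and should be removed under least privilege. I would replace the statement with the one below and verify the action set against the current SNS/KMS docs; a `kms:ViaService` condition can further scope the SNS principal to this region once confirmed to work for the CloudWatch path.
```hcl
{
  "Sid" : "Allow CloudWatch and SNS to use the key",
  "Effect" : "Allow",
  "Principal" : {
    "Service" : [
      "cloudwatch.amazonaws.com",
      "sns.amazonaws.com"
    ]
  },
  "Action" : [
    "kms:Decrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource" : "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/${aws_kms_key.sns_cmk[0].id}"
},
# … unchanged: "Allow root user to manage key" statement, alias resource …
```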
@@ -0,0 +1,24 @@ +data "aws_iam_policy_document" "sns_topic_role" { + statement { + effect = "Allow" + + principals { + type = "Service" + identifiers = [ + "s3.amazonaws.com", + "ebs.amazonaws.com", + "sns.amazonaws.com", + "ssm.amazonaws.com" + ] + } + + actions = [ + "sts:AssumeRole" + ] + } +} + +resource "aws_iam_role" "sns_topic_role" { + name = "${var.resource_name_prefix}-sns-topic-role" + assume_role_policy = data.aws_iam_policy_document.sns_topic_role.json +} diff --git a/modules/monitoring/outputs.tf b/modules/monitoring/outputs.tf index f97624f..57adb1a 100644 --- a/modules/monitoring/outputs.tf +++ b/modules/monitoring/outputs.tf @@ -1,9 +1,9 @@ -output "cmk_arn" { +output "sns_cmk_arn" { description = "ARN of the KMS CMK" - value = var.enable_cmk && length(aws_kms_key.cmk) > 0 ? aws_kms_key.cmk[0].arn : null + value = var.enable_sns_kms_key && length(aws_kms_key.sns_cmk) > 0 ? aws_kms_key.sns_cmk[0].arn : null } -output "cmk_alias_arn" { +output "sns_cmk_alias_arn" { description = "ARN of the CMK Alias" - value = var.enable_cmk && length(aws_kms_alias.cmk_alias) > 0 ? aws_kms_alias.cmk_alias[0].arn : null + value = var.enable_sns_kms_key && length(aws_kms_alias.sns_cmk_alias) > 0 ? aws_kms_alias.sns_cmk_alias[0].arn : null } \ No newline at end of file diff --git a/modules/monitoring/sns.tf b/modules/monitoring/sns.tf index 07ed2fd..2bfc602 100644 --- a/modules/monitoring/sns.tf +++ b/modules/monitoring/sns.tf @@ -2,7 +2,7 @@ resource "aws_sns_topic" "graphdb_sns_topic" { name = "${var.resource_name_prefix}-graphdb-notifications" - kms_master_key_id = var.enable_cmk ? aws_kms_key.cmk[0].arn : "alias/aws/sns" + kms_master_key_id = var.sns_external_kms_key != "" ? var.sns_external_kms_key : (var.enable_sns_kms_key ? aws_kms_key.sns_cmk[0].arn : var.sns_default_kms_key) } # SNS Topic subscription diff --git a/modules/monitoring/variables.tf b/modules/monitoring/variables.tf index 44e0277..915db07 100644 --- a/modules/monitoring/variables.tf 
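Review bot: The trust policy of `sns_topic_role` lets four service principals (`s3`, `ebs`, `sns`, `ssm`) assume it with no `aws:SourceAccount`/`aws:SourceArn` condition, while cmk.tf in this patch names this role as the fallback key administrator; nothing visible in the module uses S3, EBS or SSM through this role. List only the service that actually needs the role and pin it to this account, e.g. add `condition { test = "StringEquals" variable = "aws:SourceAccount" values = [data.aws_caller_identity.current.account_id] }` inside the statement and remove the unused identifiers. Note also that `data "aws_caller_identity" "current"` is deleted from cmk.tf in this commit while cmk.tf still references it, so it is presumably defined in a file outside this patch — worth confirming before merge.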
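Review bot: `kms_master_key_id` now silently prefers `sns_external_kms_key` when both it and `enable_sns_kms_key` are set, so the same apply creates a CMK and alias that nothing uses. Make the precedence explicit with a comment such as `# external key > module-managed CMK > AWS-managed default` and reject the combination, which the variables cannot express on their own — a `lifecycle { precondition { ... } }` on the topic with `condition = !(var.sns_external_kms_key != "" && var.enable_sns_kms_key)` would do. The rest of the `aws_sns_topic` resource is outside the hunk.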
+++ b/modules/monitoring/variables.tf @@ -120,64 +120,56 @@ variable "route53_availability_check_region" { type = string } -# KMS CMK VARS: +# KMS Encryption for SNS topics: -variable "tags" { - description = "A map of tags to assign to the resources." - type = map(string) - default = {} -} - -variable "kms_master_key_id" { - description = "ARN of the Customer Managed Key (CMK)." - type = string - default = "" -} - -variable "cmk_description" { +variable "sns_cmk_description" { description = "Description of the Key to be created" type = string - default = "KMS Key to encrypt SNS" } variable "deletion_window_in_days" { description = "The waiting period, specified in number of days for AWS to delete the KMS key(Between 7 and 30)." type = number - default = 30 } variable "key_spec" { description = "Specification of the Key." type = string - default = "SYMMETRIC_DEFAULT" } variable "key_enabled" { description = "Specifies whether the key is enabled." type = bool - default = true } variable "rotation_enabled" { description = "Specifies whether key rotation is enabled." type = bool - default = true } variable "cmk_key_alias" { description = "The alias for the CMK key." type = string - default = "graphdb-cmk-key" } -variable "enable_cmk" { +variable "enable_sns_kms_key" { description = "Enable CMK for encryption. If false, use AWS managed key." type = bool - default = false } variable "sns_key_admin_arn" { description = "ARN of the role or user who will have administrative access to the SNS KMS key" type = string default = "" +} + +variable "sns_external_kms_key" { + description = "ARN of the external KMS key that will be used for encryption of SNS topics" + type = string + default = "" +} + +variable "sns_default_kms_key" { + description = "ARN of the default KMS key that will be used for encryption of SNS topics" + type = string } \ No newline at end of file diff --git a/variables.tf b/variables.tf index 915e9e7..65aafff 100644 --- a/variables.tf +++ b/variables.tf 
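Review bot: `deletion_window_in_days` documents a 7–30 day range but has no `validation` block, so an out-of-range value is only rejected by the KMS API at apply time; the same applies to the root-module copy in the variables.tf hunk that follows. Removing the defaults from the module-level variables also means every caller must now pass all of them, which is fine for the root module but deserves a sentence in the module's README. The validation for the range is below; `sns_key_admin_arn` and `sns_external_kms_key` could likewise be checked with `can(regex("^arn:aws[a-z-]*:", var.sns_key_admin_arn))` when non-empty.
```hcl
variable "deletion_window_in_days" {
  description = "The waiting period, specified in number of days for AWS to delete the KMS key(Between 7 and 30)."
  type        = number

  validation {
    condition     = var.deletion_window_in_days >= 7 && var.deletion_window_in_days <= 30
    error_message = "deletion_window_in_days must be between 7 and 30."
  }
}
```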
@@ -470,46 +470,64 @@ variable "graphdb_enable_userdata_scripts_on_reboot" { default = false } -# KMS CMK +# SNS Encryption -variable "enable_cmk" { - description = "Enable CMK for encryption. If false, use AWS managed key." +variable "enable_sns_kms_key" { + description = "Enable Customer managed keys for encryption. If set to false it will use AWS managed key." type = bool default = false } -variable "kms_master_key_id" { - description = "ARN of the Customer Managed Key (CMK)." +variable "sns_cmk_description" { + description = "Description for the KMS key for the encryption of SNS" type = string - default = "" + default = "KMS Key to encrypt SNS" } -variable "sns_cmk_policy" { - description = "The IAM policy JSON document." +variable "sns_key_admin_arn" { + description = "ARN of the role or user granted administrative access to the SNS KMS key." type = string default = "" } -variable "tags" { - description = "A map of tags to assign to the resources." - type = map(string) - default = {} +variable "deletion_window_in_days" { + description = "The waiting period, specified in number of days for AWS to delete the KMS key(Between 7 and 30)." + type = number + default = 30 } -variable "cmk_description" { - description = "Description for the key" +variable "sns_external_kms_key" { + description = "ARN of the external KMS key that will be used for encryption of SNS topics" type = string - default = "KMS Key to encrypt SNS" + default = "" } -variable "sns_key_admin_arn" { - description = "ARN of the role or user granted administrative access to the SNS KMS key." +variable "key_spec" { + description = "Specification of the Key." type = string - default = "" + default = "SYMMETRIC_DEFAULT" } -variable "deletion_window_in_days" { - description = "The waiting period, specified in number of days for AWS to delete the KMS key(Between 7 and 30)." 
- type = number - default = 30 -} \ No newline at end of file +variable "key_enabled" { + description = "Specifies whether the key is enabled." + type = bool + default = true +} + +variable "rotation_enabled" { + description = "Specifies whether key rotation is enabled." + type = bool + default = true +} + +variable "cmk_key_alias" { + description = "The alias for the CMK key." + type = string + default = "graphdb-cmk-key" +} + +variable "sns_default_kms_key" { + description = "ARN of the default KMS key that will be used for encryption of SNS topics" + type = string + default = "alias/aws/sns" +} \ No newline at end of file From 7d062041d2c9bd671f5a125cc65258c475bce7ca Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Fri, 21 Jun 2024 11:20:59 +0000 Subject: [PATCH 10/12] terraform-docs: updated markdown table --- README.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index eedb739..df08467 100644 --- a/README.md +++ b/README.md 
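Review bot: `sns_default_kms_key` is described as an "ARN" but its default `alias/aws/sns` is an alias name; `kms_master_key_id` accepts a key ID, ARN or alias, so the description should say so, e.g. `description = "KMS key ID, ARN or alias used for SNS topics when neither a module-managed CMK nor an external key is configured."`. The module-level copy in the preceding variables.tf hunk carries the same wording and no default at all. `sns_external_kms_key` has the same ARN-only description.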
@@ -161,13 +161,16 @@ Before you begin using this Terraform module, ensure you meet the following prer | asg\_enable\_instance\_refresh | Enables instance refresh for the GraphDB Auto scaling group. A refresh is started when any of the following Auto Scaling Group properties change: launch\_configuration, launch\_template, mixed\_instances\_policy | `bool` | `false` | no | | asg\_instance\_refresh\_checkpoint\_delay | Number of seconds to wait after a checkpoint. | `number` | `3600` | no | | graphdb\_enable\_userdata\_scripts\_on\_reboot | (Experimental) Modifies cloud-config to always run user data scripts on EC2 boot | `bool` | `false` | no | -| enable\_cmk | Enable CMK for encryption. If false, use AWS managed key. | `bool` | `false` | no | -| kms\_master\_key\_id | ARN of the Customer Managed Key (CMK). | `string` | `""` | no | -| sns\_cmk\_policy | The IAM policy JSON document. | `string` | `""` | no | -| tags | A map of tags to assign to the resources. | `map(string)` | `{}` | no | -| cmk\_description | Description for the key | `string` | `"KMS Key to encrypt SNS"` | no | +| enable\_sns\_kms\_key | Enable Customer managed keys for encryption. If set to false it will use AWS managed key. | `bool` | `false` | no | +| sns\_cmk\_description | Description for the KMS key for the encryption of SNS | `string` | `"KMS Key to encrypt SNS"` | no | | sns\_key\_admin\_arn | ARN of the role or user granted administrative access to the SNS KMS key. | `string` | `""` | no | | deletion\_window\_in\_days | The waiting period, specified in number of days for AWS to delete the KMS key(Between 7 and 30). | `number` | `30` | no | +| sns\_external\_kms\_key | ARN of the external KMS key that will be used for encryption of SNS topics | `string` | `""` | no | +| key\_spec | Specification of the Key. | `string` | `"SYMMETRIC_DEFAULT"` | no | +| key\_enabled | Specifies whether the key is enabled. 
| `bool` | `true` | no | +| rotation\_enabled | Specifies whether key rotation is enabled. | `bool` | `true` | no | +| cmk\_key\_alias | The alias for the CMK key. | `string` | `"graphdb-cmk-key"` | no | +| sns\_default\_kms\_key | ARN of the default KMS key that will be used for encryption of SNS topics | `string` | `"alias/aws/sns"` | no | ## Usage From 03adea9c0872752b7cc95e6be0260d8336b65e6a Mon Sep 17 00:00:00 2001 From: kristianiliev1 Date: Fri, 28 Jun 2024 11:05:22 +0300 Subject: [PATCH 11/12] remove root permissions. Change IAM permissions --- modules/monitoring/cmk.tf | 29 +++++++++++++++---- modules/monitoring/iam.tf | 61 +++++++++++++++++++++++++++++++++++++-- variables.tf | 4 +-- 3 files changed, 84 insertions(+), 10 deletions(-) diff --git a/modules/monitoring/cmk.tf b/modules/monitoring/cmk.tf index b3e8be1..95dd6f3 100644 --- a/modules/monitoring/cmk.tf +++ b/modules/monitoring/cmk.tf 
@@ -25,16 +25,35 @@ resource "aws_kms_key_policy" "sns_cmk_policy" { "Sid" : "Enable IAM User Permissions", "Effect" : "Allow", "Principal" : { - "AWS" : var.sns_key_admin_arn != "" ? var.sns_key_admin_arn : aws_iam_role.sns_topic_role.arn + "AWS" : var.sns_key_admin_arn != "" ? var.sns_key_admin_arn : aws_iam_role.graphdb_sns_key_admin_role.arn }, - "Action" : "kms:*", + "Action" : [ + "kms:CreateAlias", + "kms:CreateKey", + "kms:Encrypt", + "kms:Decrypt", + "kms:DeleteAlias", + "kms:DescribeKey", + "kms:GetKeyPolicy", + "kms:GetKeyRotationStatus", + "kms:ListAliases", + "kms:ListGrants", + "kms:ListKeyPolicies", + "kms:ListKeys", + "kms:PutKeyPolicy", + "kms:UpdateAlias", + "kms:EnableKeyRotation", + "kms:ListResourceTags", + "kms:ScheduleKeyDeletion", + "kms:DisableKeyRotation" + ], "Resource" : "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/${aws_kms_key.sns_cmk[0].id}" }, { "Sid" : "Allow access for Key Administrators", "Effect" : "Allow", "Principal" : { - "AWS" : var.sns_key_admin_arn != "" ? var.sns_key_admin_arn : aws_iam_role.sns_topic_role.arn + "AWS" : var.sns_key_admin_arn != "" ? var.sns_key_admin_arn : aws_iam_role.graphdb_sns_key_admin_role.arn }, "Action" : [ "kms:CreateAlias", @@ -62,7 +81,7 @@ resource "aws_kms_key_policy" "sns_cmk_policy" { "Sid" : "Allow use of the key", "Effect" : "Allow", "Principal" : { - "AWS" : var.sns_key_admin_arn != "" ? var.sns_key_admin_arn : aws_iam_role.sns_topic_role.arn + "AWS" : var.sns_key_admin_arn != "" ? var.sns_key_admin_arn : aws_iam_role.graphdb_sns_key_admin_role.arn }, "Action" : [ "kms:Encrypt", 
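Review bot: After this change the "Enable IAM User Permissions" and "Allow access for Key Administrators" statements carry the same principal expression and the same action list, so one of them is redundant, and the first no longer names the account `:root` principal that lets IAM policies in the account grant access to the key. The identity running `terraform apply` is then served only by the final root statement (renamed in the next hunk), whose action list as introduced earlier in this series lacks `kms:UpdateKeyDescription` and `kms:TagResource`; unless the deployer obtains them elsewhere, the default-description change this same commit makes should be expected to fail with AccessDenied on an existing key. Consider restoring `"AWS" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"` with `"Action" : "kms:*"` in the first statement and keeping the admin role in the second only. The `aws_kms_key_policy` resource begins before the hunk.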
@@ -89,7 +108,7 @@ resource "aws_kms_key_policy" "sns_cmk_policy" { "Resource" : "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/${aws_kms_key.sns_cmk[0].id}" }, { - "Sid" : "Allow root user to manage key", + "Sid" : "Allow the current user to manage key", "Effect" : "Allow", "Principal" : { "AWS" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" diff --git a/modules/monitoring/iam.tf b/modules/monitoring/iam.tf index 4b57ef1..f319f60 100644 --- a/modules/monitoring/iam.tf +++ b/modules/monitoring/iam.tf @@ -1,4 +1,19 @@ -data "aws_iam_policy_document" "sns_topic_role" { +data "aws_iam_policy_document" "graphdb_sns_key_admin_role_assume" { + statement { + effect = "Allow" + + principals { + type = "AWS" + identifiers = [ + "${data.aws_caller_identity.current.arn}" + ] + } + + actions = [ + "sts:AssumeRole" + ] + } + statement { effect = "Allow" 
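Review bot: The Sid "Allow the current user to manage key" is misleading: the principal on the next line is still the account `:root` ARN, which in a key policy means "any IAM principal in this account whose IAM policy allows the action", not the caller. The commit subject says root permissions are removed, but this statement keeps them with a limited action list — which is the right thing to retain against lock-out when `sns_key_admin_arn` points at an identity that is later deleted. Rename it to something accurate, e.g. `"Sid" : "Allow account IAM principals to manage the key"`, and say in a comment why it is kept.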
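Review bot: Trusting `data.aws_caller_identity.current.arn` pins the role to whoever ran this particular apply: for a role-based pipeline that is an `assumed-role/<role>/<session>` STS ARN, so the trust can be rewritten by the next apply from a different session or operator, and if the caller is an IAM user that is later deleted the principal degrades to its unique ID and the role becomes unassumable. Prefer an explicit input — fall back to `var.sns_key_admin_arn`, or to the account root with an `aws:PrincipalArn` condition — over the caller's session ARN. The `"${data.aws_caller_identity.current.arn}"` wrapping is also unnecessary; `data.aws_caller_identity.current.arn` alone is the idiomatic form. The second statement, which keeps the service-principal trust from the earlier version of this file, continues past the hunk.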
@@ -18,7 +33,47 @@ data "aws_iam_policy_document" "sns_topic_role" { } } -resource "aws_iam_role" "sns_topic_role" { +data "aws_iam_policy_document" "graphdb_sns_key_admin_role_permissions" { + statement { + effect = "Allow" + + actions = [ + "kms:CreateAlias", + "kms:CreateKey", + "kms:Encrypt", + "kms:Decrypt", + "kms:DeleteAlias", + "kms:DescribeKey", + "kms:GetKeyPolicy", + "kms:GetKeyRotationStatus", + "kms:ListAliases", + + "kms:UpdateKeyDescription", + "kms:ListGrants", + "kms:ListKeyPolicies", + "kms:ListKeys", + "kms:PutKeyPolicy", + "kms:UpdateAlias", + "kms:EnableKeyRotation", + "kms:ListResourceTags", + "kms:ScheduleKeyDeletion", + "kms:DisableKeyRotation", + "tag:GetResources", + ] + + resources = [ + "*" + ] + } +} + +resource "aws_iam_role_policy" "graphdb_sns_key_admin_role_permissions" { + name = "KMSPermissionsPolicy-SNS" + role = aws_iam_role.graphdb_sns_key_admin_role.name + policy = data.aws_iam_policy_document.graphdb_sns_key_admin_role_permissions.json +} + +resource "aws_iam_role" "graphdb_sns_key_admin_role" { name = "${var.resource_name_prefix}-sns-topic-role" - assume_role_policy = data.aws_iam_policy_document.sns_topic_role.json + assume_role_policy = data.aws_iam_policy_document.graphdb_sns_key_admin_role_assume.json } diff --git a/variables.tf b/variables.tf index 65aafff..85be394 100644 --- a/variables.tf +++ b/variables.tf @@ -481,7 +481,7 @@ variable "enable_sns_kms_key" { variable "sns_cmk_description" { description = "Description for the KMS key for the encryption of SNS" type = string - default = "KMS Key to encrypt SNS" + default = "KMS CMK Key to encrypt SNS topics" } variable "sns_key_admin_arn" { @@ -523,7 +523,7 @@ variable "rotation_enabled" { variable "cmk_key_alias" { description = "The alias for the CMK key." type = string - default = "graphdb-cmk-key" + default = "sns-cmk-key" } variable "sns_default_kms_key" { From f3208addfeaeceb436ac0caf44ccd13b9ae3f49b Mon Sep 17 00:00:00 2001 
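Review bot: `graphdb_sns_key_admin_role_permissions` grants `kms:PutKeyPolicy`, `kms:ScheduleKeyDeletion`, `kms:CreateKey` and the rest on `resources = ["*"]`, so this role can alter or schedule deletion of any CMK in the account whose own policy delegates to IAM — far more than administering the SNS key. Scope the key-level actions to `aws_kms_key.sns_cmk[0].arn` (alias operations also need the alias ARN) and leave only the list actions, which KMS evaluates against `*`, in a separate statement; an administrator of an existing key does not need `kms:CreateKey`. Because the key is `count`-gated by `enable_sns_kms_key` while the role and policy are not, referencing `aws_kms_key.sns_cmk[0]` here requires the same `count` on the role, its policy and this data source (and `[0]` on the references in cmk.tf). There is also a stray blank line inside the actions list.
```hcl
data "aws_iam_policy_document" "graphdb_sns_key_admin_role_permissions" {
  # Key-scoped actions: only the SNS CMK and its aliases, never every key in the account.
  statement {
    effect = "Allow"
    actions = [
      "kms:CreateAlias",
      "kms:DeleteAlias",
      "kms:UpdateAlias",
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:DescribeKey",
      "kms:GetKeyPolicy",
      "kms:PutKeyPolicy",
      "kms:GetKeyRotationStatus",
      "kms:EnableKeyRotation",
      "kms:DisableKeyRotation",
      "kms:UpdateKeyDescription",
      "kms:ListGrants",
      "kms:ListKeyPolicies",
      "kms:ListResourceTags",
      "kms:ScheduleKeyDeletion",
    ]
    resources = [
      aws_kms_key.sns_cmk[0].arn,
      "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:alias/*",
    ]
  }

  # Account-level actions that KMS evaluates only against "*".
  statement {
    effect    = "Allow"
    actions   = ["kms:ListKeys", "kms:ListAliases", "tag:GetResources"]
    resources = ["*"]
  }
}
# … unchanged: aws_iam_role_policy and aws_iam_role …
```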
From: "github-actions[bot]"
Date: Fri, 28 Jun 2024 08:07:16 +0000
Subject: [PATCH 12/12] terraform-docs: updated markdown table
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index df08467..f930336 100644
--- a/README.md
+++ b/README.md
@@ -162,14 +162,14 @@ Before you begin using this Terraform module, ensure you meet the following prer | asg\_instance\_refresh\_checkpoint\_delay | Number of seconds to wait after a checkpoint. | `number` | `3600` | no | | graphdb\_enable\_userdata\_scripts\_on\_reboot | (Experimental) Modifies cloud-config to always run user data scripts on EC2 boot | `bool` | `false` | no | | enable\_sns\_kms\_key | Enable Customer managed keys for encryption. If set to false it will use AWS managed key. | `bool` | `false` | no | -| sns\_cmk\_description | Description for the KMS key for the encryption of SNS | `string` | `"KMS Key to encrypt SNS"` | no | +| sns\_cmk\_description | Description for the KMS key for the encryption of SNS | `string` | `"KMS CMK Key to encrypt SNS topics"` | no | | sns\_key\_admin\_arn | ARN of the role or user granted administrative access to the SNS KMS key. | `string` | `""` | no | | deletion\_window\_in\_days | The waiting period, specified in number of days for AWS to delete the KMS key(Between 7 and 30). | `number` | `30` | no | | sns\_external\_kms\_key | ARN of the external KMS key that will be used for encryption of SNS topics | `string` | `""` | no | | key\_spec | Specification of the Key. | `string` | `"SYMMETRIC_DEFAULT"` | no | | key\_enabled | Specifies whether the key is enabled. | `bool` | `true` | no | | rotation\_enabled | Specifies whether key rotation is enabled. | `bool` | `true` | no | -| cmk\_key\_alias | The alias for the CMK key. | `string` | `"graphdb-cmk-key"` | no | +| cmk\_key\_alias | The alias for the CMK key. | `string` | `"sns-cmk-key"` | no | | sns\_default\_kms\_key | ARN of the default KMS key that will be used for encryption of SNS topics | `string` | `"alias/aws/sns"` | no |