From 0395f39d98fe07e5c5a66071d4368da94bdd0376 Mon Sep 17 00:00:00 2001
From: Jay Whitwell
Date: Fri, 10 May 2024 15:05:03 +0100
Subject: [PATCH 1/3] UML-3418: add KMS key for elasticache
---
 terraform/environment/elasticache.tf | 83 ++++++++++++++++++++++++++++
 1 file changed, 83 insertions(+)
diff --git a/terraform/environment/elasticache.tf b/terraform/environment/elasticache.tf
index 0ea25330..d98b8222 100644
--- a/terraform/environment/elasticache.tf
+++ b/terraform/environment/elasticache.tf
@@ -17,6 +17,8 @@ resource "aws_elasticache_replication_group" "lpa_redis" {
   security_group_ids = [aws_security_group.lpa_redis_sg.id]
   tags = local.default_tags
   apply_immediately = true
+  at_rest_encryption_enabled = true
+  kms_key_id = aws_kms_alias.elasticache_kms_alias.target_key_arn
 }
 
 resource "aws_security_group" "lpa_redis_sg" {
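Review bot: Turning on `at_rest_encryption_enabled` and setting `kms_key_id` on an already-deployed replication group is not an in-place change — the AWS provider treats both attributes as force-new, so this plan replaces the Redis group and discards its contents, and the `apply_immediately = true` on the line above means it happens at apply time rather than in a maintenance window; confirm the environment is fresh or plan the cut-over. In-transit encryption is not visible here: the resource body starts outside the hunk, so `transit_encryption_enabled = true` may already be set, but if it is not, add it next to the new lines so the cache is protected on the wire as well as on disk. Using the alias's `target_key_arn` rather than the alias name is the right choice, since ElastiCache requires the key ARN.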
@@ -70,3 +72,84 @@ resource "aws_security_group_rule" "lpa_redis_rules" {
   cidr_blocks = each.value.target_type == "cidr_block" ? [each.value.target] : null
   self = each.value.target_type == "self" ? each.value.target : null
 }
+
+resource "aws_kms_key" "elasticache_kms" {
+  description = "KMS Key for elasticache"
+  policy = data.aws_iam_policy_document.elasticache_kms_key.json
+  deletion_window_in_days = 7
+}
+
+data "aws_iam_policy_document" "elasticache_kms_key" {
+  statement {
+    sid = "Enable IAM User Permissions"
+    effect = "Allow"
+    resources = ["*"]
+    actions = ["kms:*"]
+
+    principals {
+      type = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+  }
+
+  statement {
+    sid = "Allow access for Key Administrators"
+    effect = "Allow"
+    resources = ["*"]
+
+    actions = [
+      "kms:Create*",
+      "kms:Describe*",
+      "kms:Enable*",
+      "kms:List*",
+      "kms:Put*",
+      "kms:Update*",
+      "kms:Revoke*",
+      "kms:Disable*",
+      "kms:Get*",
+      "kms:Delete*",
+      "kms:TagResource",
+      "kms:UntagResource",
+      "kms:ScheduleKeyDeletion",
+      "kms:CancelKeyDeletion",
+    ]
+
+    principals {
+      type = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/ci"]
+    }
+  }
+
+  statement {
+    sid = "Allow Elasticache to use KMS key"
+    effect = "Allow"
+    resources = ["*"]
+
+    actions = [
+      "kms:DescribeKey",
+      "kms:GenerateDataKey*",
+      "kms:Encrypt",
+      "kms:ReEncrypt*",
+      "kms:Decrypt"
+    ]
+
+    condition {
+      test = "StringEquals"
+      variable = "kms:ViaService"
+      values = ["elasticache.region.amazonaws.com", "dax.region.amazonaws.com"]
+    }
+
+    condition {
+      test = "StringEquals"
+      variable = "aws:SourceAccount"
+      values = [data.aws_caller_identity.current.account_id]
+    }
+  }
+}
+
+resource "aws_kms_alias" "elasticache_kms_alias" {
+  name = "alias/elasticache-lpa"
+  target_key_id = aws_kms_key.elasticache_kms.id
+}
+
+data "aws_caller_identity" "current" {}
From c968800f5269c4a1bae20368367225733b26aeeb Mon Sep 17 00:00:00 2001
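Review bot: `aws_kms_key.elasticache_kms` sets no `enable_key_rotation`, which the provider defaults to false, so a long-lived key protecting cache data never rotates; add `enable_key_rotation = true` next to `description`. `deletion_window_in_days = 7` is the shortest window AWS allows, and the "Key Administrators" statement hands the `role/ci` principal `kms:ScheduleKeyDeletion`, `kms:Delete*` and `kms:Put*` (which covers PutKeyPolicy), so a compromised or misconfigured pipeline can both rewrite this policy and schedule the key's deletion with only a week for anyone to notice before the encrypted Redis data is unrecoverable; prefer the default `deletion_window_in_days = 30` and consider trimming the CI grant to what the pipeline actually needs. `resources = ["*"]` is fine in all three statements, since inside a key policy it can only ever mean this key.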
From: Jay Whitwell
Date: Fri, 10 May 2024 15:10:59 +0100
Subject: [PATCH 2/3] add missing region lookup
---
 terraform/environment/elasticache.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environment/elasticache.tf b/terraform/environment/elasticache.tf
index d98b8222..841f3ad6 100644
--- a/terraform/environment/elasticache.tf
+++ b/terraform/environment/elasticache.tf
@@ -136,7 +136,7 @@ data "aws_iam_policy_document" "elasticache_kms_key" {
     condition {
       test = "StringEquals"
       variable = "kms:ViaService"
-      values = ["elasticache.region.amazonaws.com", "dax.region.amazonaws.com"]
+      values = ["elasticache.${data.aws_region.region.name}.amazonaws.com", "dax.${data.aws_region.region.name}.amazonaws.com"]
     }
 
     condition {
From 6787651190efd6944521e6fbc9d1e328f885b09d Mon Sep 17 00:00:00 2001
From: Jay Whitwell
Date: Fri, 10 May 2024 16:08:53 +0100
Subject: [PATCH 3/3] Add missing principal
---
 terraform/environment/elasticache.tf | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/terraform/environment/elasticache.tf b/terraform/environment/elasticache.tf
index 841f3ad6..809a24d1 100644
--- a/terraform/environment/elasticache.tf
+++ b/terraform/environment/elasticache.tf
@@ -144,6 +144,11 @@ data "aws_iam_policy_document" "elasticache_kms_key" {
       variable = "aws:SourceAccount"
       values = [data.aws_caller_identity.current.account_id]
     }
+
+    principals {
+      type = "AWS"
+      identifiers = ["*"]
+    }
   }
 }
 
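Review bot: The rewritten `values` line still permits use of this key via `dax.<region>.amazonaws.com`; nothing in the series references DAX and the key exists for the Redis replication group, so the entry looks carried over from a console template and needlessly widens which services may call Decrypt/GenerateDataKey with it — cut it down to `values = ["elasticache.${data.aws_region.region.name}.amazonaws.com"]`. The line also introduces `data.aws_region.region`, yet no `data "aws_region" "region" {}` block is added anywhere in the three patches; presumably it is declared elsewhere in the environment module, otherwise the plan fails on an undeclared data source. The `elasticache_kms_key` policy document starts and ends outside this hunk.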
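Review bot: With `identifiers = ["*"]` the whole safety of this statement rests on the two conditions, and the `aws:SourceAccount` one shown in context is the doubtful part: AWS documents that key as present only when one service calls another on behalf of a resource, whereas AWS's own ElastiCache at-rest-encryption key-policy example pairs `kms:ViaService` with `kms:CallerAccount`. If `aws:SourceAccount` is not in ElastiCache's KMS request context, `StringEquals` evaluates false, the statement grants nothing, and the cluster cannot obtain a data key — verify on a real apply, or use `variable = "kms:CallerAccount"`. A wildcard principal is only tolerable because both conditions live in the same statement and are ANDed; that is worth recording in a comment above the new `principals` block, e.g. `# "*" is scoped by the ViaService + account conditions above; do not move this principal to a separate statement`. The enclosing policy document starts outside this hunk.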