From e82646e7f82a40e8e58f64c2c23c22231f7a7bf1 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Mon, 8 Jul 2024 15:40:15 +0100
Subject: [PATCH] MLPAB-2202 - Refactor KMS resources into a module (#1333)

* createe a module to creatre kms keys
* output alias name from module
* use module for cloudwatch kms key
---
 terraform/account/cloudwatch_kms.tf | 37 ++++++-------
 .../account/modules/kms_key/data_sources.tf | 3 ++
 terraform/account/modules/kms_key/kms_key.tf | 28 ++++++++++++++
 terraform/account/modules/kms_key/outputs.tf | 3 ++
 .../account/modules/kms_key/variables.tf | 32 ++++++++++++++++
 terraform/account/modules/kms_key/versions.tf | 17 +++++++++
 terraform/account/refactoring.tf | 20 ++++++++++
 terraform/account/regions.tf | 4 +-
 8 files changed, 116 insertions(+), 28 deletions(-)
 create mode 100644 terraform/account/modules/kms_key/data_sources.tf
 create mode 100644 terraform/account/modules/kms_key/kms_key.tf
 create mode 100644 terraform/account/modules/kms_key/outputs.tf
 create mode 100644 terraform/account/modules/kms_key/variables.tf
 create mode 100644 terraform/account/modules/kms_key/versions.tf

diff --git a/terraform/account/cloudwatch_kms.tf b/terraform/account/cloudwatch_kms.tf
index 4fe1c48eee..282801132a 100644
--- a/terraform/account/cloudwatch_kms.tf
+++ b/terraform/account/cloudwatch_kms.tf
@@ -1,30 +1,15 @@
-resource "aws_kms_key" "cloudwatch" {
-  description = "${local.default_tags.application} Cloudwatch application logs encryption key"
-  deletion_window_in_days = 10
+module "cloudwatch_kms" {
+  source = "./modules/kms_key"
+  encrypted_resource = "Cloudwatch application logs"
+  kms_key_alias_name = "${local.default_tags.application}_cloudwatch_application_logs_encryption"
   enable_key_rotation = true
-  policy = local.account.account_name == "development" ? data.aws_iam_policy_document.cloudwatch_kms_merged.json : data.aws_iam_policy_document.cloudwatch_kms.json
-  multi_region = true
-  provider = aws.eu_west_1
-}
-
-resource "aws_kms_replica_key" "cloudwatch_replica" {
-  description = "${local.default_tags.application} Cloudwatch application logs Multi-Region replica key"
-  deletion_window_in_days = 7
-  primary_key_arn = aws_kms_key.cloudwatch.arn
-  policy = local.account.account_name == "development" ? data.aws_iam_policy_document.cloudwatch_kms_merged.json : data.aws_iam_policy_document.cloudwatch_kms.json
-  provider = aws.eu_west_2
-}
-
-resource "aws_kms_alias" "cloudwatch_alias_eu_west_1" {
-  name = "alias/${local.default_tags.application}_cloudwatch_application_logs_encryption"
-  target_key_id = aws_kms_key.cloudwatch.key_id
-  provider = aws.eu_west_1
-}
-
-resource "aws_kms_alias" "cloudwatch_alias_eu_west_2" {
-  name = "alias/${local.default_tags.application}_cloudwatch_application_logs_encryption"
-  target_key_id = aws_kms_replica_key.cloudwatch_replica.key_id
-  provider = aws.eu_west_2
+  enable_multi_region = true
+  deletion_window_in_days = 10
+  kms_key_policy = local.account.account_name == "development" ? data.aws_iam_policy_document.cloudwatch_kms_merged.json : data.aws_iam_policy_document.cloudwatch_kms.json
+  providers = {
+    aws.eu_west_1 = aws.eu_west_1
+    aws.eu_west_2 = aws.eu_west_2
+  }
 }
 
 # See the following link for further information
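Review bot: The replica key's deletion window silently changes from 7 to 10 days in this hunk, because the module's single `deletion_window_in_days = 10` is applied to both `aws_kms_key.main` and `aws_kms_replica_key.main`, whereas the removed `aws_kms_replica_key.cloudwatch_replica` used 7. For a refactor that is presented as a pure move, the plan will therefore show an in-place update of the replica key rather than a no-op. Either state in the commit message that aligning the two windows is intended, or give the module a second variable such as `replica_deletion_window_in_days` defaulting to the previous value. The hunk ends at the `# See the following link` comment; the rest of the file is outside this view.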
diff --git a/terraform/account/modules/kms_key/data_sources.tf b/terraform/account/modules/kms_key/data_sources.tf
new file mode 100644
index 0000000000..5efa261ab7
--- /dev/null
+++ b/terraform/account/modules/kms_key/data_sources.tf
@@ -0,0 +1,3 @@
+data "aws_default_tags" "current" {
+  provider = aws.eu_west_1
+}
diff --git a/terraform/account/modules/kms_key/kms_key.tf b/terraform/account/modules/kms_key/kms_key.tf
new file mode 100644
index 0000000000..2e2cb3d6e5
--- /dev/null
+++ b/terraform/account/modules/kms_key/kms_key.tf
@@ -0,0 +1,28 @@
+resource "aws_kms_key" "main" {
+  description = "${data.aws_default_tags.current.tags.application} ${var.encrypted_resource} encryption key"
+  deletion_window_in_days = var.deletion_window_in_days
+  enable_key_rotation = var.enable_key_rotation
+  policy = var.kms_key_policy
+  multi_region = var.enable_multi_region
+  provider = aws.eu_west_1
+}
+
+resource "aws_kms_replica_key" "main" {
+  description = "${data.aws_default_tags.current.tags.application} ${var.encrypted_resource} multi-region replica key"
+  deletion_window_in_days = var.deletion_window_in_days
+  primary_key_arn = aws_kms_key.main.arn
+  policy = var.kms_key_policy
+  provider = aws.eu_west_2
+}
+
+resource "aws_kms_alias" "main_eu_west_1" {
+  name = "alias/${var.kms_key_alias_name}"
+  target_key_id = aws_kms_key.main.key_id
+  provider = aws.eu_west_1
+}
+
+resource "aws_kms_alias" "main_eu_west_2" {
+  name = "alias/${var.kms_key_alias_name}"
+  target_key_id = aws_kms_replica_key.main.key_id
+  provider = aws.eu_west_2
+}
diff --git a/terraform/account/modules/kms_key/outputs.tf b/terraform/account/modules/kms_key/outputs.tf
new file mode 100644
index 0000000000..821de6dfd6
--- /dev/null
+++ b/terraform/account/modules/kms_key/outputs.tf
@@ -0,0 +1,3 @@
+output "kms_key_alias_name" {
+  value = aws_kms_alias.main_eu_west_1.name
+}
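Review bot: `var.enable_multi_region` only drives `multi_region` on `aws_kms_key.main` in kms_key.tf; `aws_kms_replica_key.main` and `aws_kms_alias.main_eu_west_2` are created unconditionally, so a caller passing `enable_multi_region = false` gets an apply-time failure when the replica is created against a single-region primary instead of a single-region key. Either gate the replica and its alias, `count = var.enable_multi_region ? 1 : 0` on both resources and `target_key_id = aws_kms_replica_key.main[0].key_id` in the alias (the `moved` targets in refactoring.tf then need the `[0]` index as well), or drop the variable and document the module as always multi-region. It is also worth a comment on `policy = var.kms_key_policy` that the document is applied verbatim to both the primary and the replica, so the choice between the merged and the plain policy stays entirely with the caller in cloudwatch_kms.tf.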
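Review bot: `output "kms_key_alias_name"` in outputs.tf references only `aws_kms_alias.main_eu_west_1`, yet regions.tf passes the same output to both `module.eu_west_1` and `module.eu_west_2`. The string is the same for both regions because each alias uses `alias/${var.kms_key_alias_name}`, but the eu-west-2 consumer has lost the implicit dependency it had on the removed `aws_kms_alias.cloudwatch_alias_eu_west_2`, so on a fresh account the eu-west-2 log group could, as far as I can tell from the output's expression, be created before its alias exists. Adding `depends_on = [aws_kms_alias.main_eu_west_2]` to the output, or exporting one output per region, restores the ordering.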
diff --git a/terraform/account/modules/kms_key/variables.tf b/terraform/account/modules/kms_key/variables.tf
new file mode 100644
index 0000000000..899d8aa69c
--- /dev/null
+++ b/terraform/account/modules/kms_key/variables.tf
@@ -0,0 +1,32 @@
+variable "kms_key_policy" {
+  type = string
+  description = "Policy json to attach to the KMS key and replica key."
+}
+
+variable "encrypted_resource" {
+  type = string
+  description = "The resource that will be encrypted by the KMS key."
+}
+
+variable "kms_key_alias_name" {
+  type = string
+  description = "The alias name for the KMS key."
+}
+
+variable "enable_key_rotation" {
+  type = bool
+  description = "Whether to enable key rotation for the KMS key."
+  default = true
+}
+
+variable "enable_multi_region" {
+  type = bool
+  description = "Whether to enable multi-region replication for the KMS key."
+  default = true
+}
+
+variable "deletion_window_in_days" {
+  type = number
+  description = "The number of days to retain the KMS key before it is deleted."
+  default = 10
+}
diff --git a/terraform/account/modules/kms_key/versions.tf b/terraform/account/modules/kms_key/versions.tf
new file mode 100644
index 0000000000..5ea8d61b8a
--- /dev/null
+++ b/terraform/account/modules/kms_key/versions.tf
@@ -0,0 +1,17 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      version = "~> 5.57.0"
+      configuration_aliases = [
+        aws.eu_west_1,
+        aws.eu_west_2,
+      ]
+    }
+    pagerduty = {
+      source = "PagerDuty/pagerduty"
+      version = "3.14.5"
+    }
+  }
+  required_version = "1.9.1"
+}
diff --git a/terraform/account/refactoring.tf b/terraform/account/refactoring.tf
index 50894989ce..2e46a1250c 100644
--- a/terraform/account/refactoring.tf
+++ b/terraform/account/refactoring.tf
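Review bot: `variable "kms_key_policy"` in variables.tf accepts any string, so a malformed policy document is only rejected by AWS at apply time, after the plan has been reviewed and approved. A `validation` block catches it at plan time, which matters for a key policy because the policy is the access-control boundary for everything encrypted under the key. The block below is the only addition; the rest of the file is unchanged.
```terraform
variable "kms_key_policy" {
  type        = string
  description = "Policy json to attach to the KMS key and replica key."

  validation {
    condition     = can(jsondecode(var.kms_key_policy))
    error_message = "kms_key_policy must be a valid JSON policy document."
  }
}
# … unchanged: remaining variable blocks …
```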
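Review bot: versions.tf requires `PagerDuty/pagerduty` 3.14.5 for a module whose files (data_sources.tf, kms_key.tf, outputs.tf, variables.tf) declare only AWS resources, which looks copied from the root module; every consumer of `./modules/kms_key` now has to satisfy that constraint and initialise that provider for nothing. Drop the `pagerduty` block. Separately, pinning `required_version = "1.9.1"` exactly inside a module forces an edit to the module on every Terraform upgrade; a lower bound such as `required_version = ">= 1.9.1"` is the usual choice when the root already pins the exact version.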
@@ -2,3 +2,23 @@ moved {
   from = module.eu_west_1.aws_backup_vault.main
   to = aws_backup_vault.eu_west_1
 }
+
+moved {
+  from = aws_kms_key.cloudwatch
+  to = module.cloudwatch_kms.aws_kms_key.main
+}
+
+moved {
+  from = aws_kms_replica_key.cloudwatch_replica
+  to = module.cloudwatch_kms.aws_kms_replica_key.main
+}
+
+moved {
+  from = aws_kms_alias.cloudwatch_alias_eu_west_1
+  to = module.cloudwatch_kms.aws_kms_alias.main_eu_west_1
+}
+
+moved {
+  from = aws_kms_alias.cloudwatch_alias_eu_west_2
+  to = module.cloudwatch_kms.aws_kms_alias.main_eu_west_2
+}
diff --git a/terraform/account/regions.tf b/terraform/account/regions.tf
index da2ea77b90..100391a719 100644
--- a/terraform/account/regions.tf
+++ b/terraform/account/regions.tf
@@ -2,7 +2,7 @@ module "eu_west_1" {
   source = "./region"
   count = contains(local.account.regions, "eu-west-1") ? 1 : 0
   network_cidr_block = "10.162.0.0/16"
-  cloudwatch_log_group_kms_key_alias = aws_kms_alias.cloudwatch_alias_eu_west_1.name
+  cloudwatch_log_group_kms_key_alias = module.cloudwatch_kms.kms_key_alias_name
   sns_kms_key_alias = aws_kms_alias.sns_alias_eu_west_1.name
   secrets_manager_kms_key_alias = aws_kms_alias.secrets_manager_alias_eu_west_1.name
   reduced_fees_uploads_s3_encryption_kms_key_alias = aws_kms_alias.reduced_fees_uploads_s3_alias_eu_west_1.name
@@ -18,7 +18,7 @@ module "eu_west_2" {
   source = "./region"
   count = contains(local.account.regions, "eu-west-2") ? 1 : 0
   network_cidr_block = "10.162.0.0/16"
-  cloudwatch_log_group_kms_key_alias = aws_kms_alias.cloudwatch_alias_eu_west_2.name
+  cloudwatch_log_group_kms_key_alias = module.cloudwatch_kms.kms_key_alias_name
   sns_kms_key_alias = aws_kms_alias.sns_alias_eu_west_2.name
   secrets_manager_kms_key_alias = aws_kms_alias.secrets_manager_alias_eu_west_2.name
   reduced_fees_uploads_s3_encryption_kms_key_alias = aws_kms_alias.reduced_fees_uploads_s3_alias_eu_west_2.name