From 3eec858006b01e87ebe753a143c394a0cdcda147 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Taveira=20Ara=C3=BAjo?= <joao@observeinc.com>
Date: Wed, 1 May 2024 10:22:06 -0700
Subject: [PATCH] feat: allow KMS encryption of token environment variable

This commit adds support for encrypting the `OBSERVE_TOKEN` environment
variable in transit.

Previously, this module accepted a `kms_key_arn` variable which affected
all environment variables _at rest_. However, this still exposed the
token in different contexts (e.g. AWS Config). We now allow reusing the
KMS key to encrypt the variable, which gets decrypted by our lambda as
of version `v1.0.20240501`.

This commit also introduces a subtle API change to the module. We pass
in an object, `kms_key`, rather than a string, `kms_key_arn`. This is
more friendly to the `count` operator, which cannot determine the value
of an attribute until apply time.
---
 README.md    |  6 +++++-
 main.tf      | 49 ++++++++++++++++++++++++++++++++++++++++++++++---
 variables.tf | 17 +++++++++++------
 3 files changed, 62 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index 6b0a860..7741261 100644
--- a/README.md
+++ b/README.md
@@ -54,11 +54,14 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_cloudwatch_log_group.group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_iam_policy.kms_decrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.lambda_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.vpc_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.kms_decrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.lambda_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.vpc_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_kms_ciphertext.token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_ciphertext) | resource |
 | [aws_lambda_function.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
@@ -69,7 +72,8 @@ No modules.
 | <a name="input_dead_letter_queue_destination"></a> [dead\_letter\_queue\_destination](#input\_dead\_letter\_queue\_destination) | Send failed events/function executions to a dead letter queue arn sns or sqs | `string` | `null` | no |
 | <a name="input_description"></a> [description](#input\_description) | Lambda description | `string` | `"Lambda function to forward events towards Observe"` | no |
 | <a name="input_iam_name_prefix"></a> [iam\_name\_prefix](#input\_iam\_name\_prefix) | Prefix used for all created IAM roles and policies | `string` | `"observe-lambda-"` | no |
-| <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | The ARN of the AWS Key Management Service (AWS KMS) key that's used to encrypt your function's environment variables.<br>If it's not provided, AWS Lambda uses a default service key. | `string` | `""` | no |
+| <a name="input_kms_key"></a> [kms\_key](#input\_kms\_key) | The AWS Key Management Service (AWS KMS) key that's used to encrypt your<br>function's environment variables at rest. Additionally, the Observe Token<br>will be encrypted in transit. | `object({ arn = string })` | `null` | no |
+| <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | The ARN of the AWS Key Management Service (AWS KMS) key that's used to encrypt your function's environment variables.<br>If it's not provided, AWS Lambda uses a default service key. Deprecated, please use kms\_key instead" | `string` | `""` | no |
 | <a name="input_lambda_envvars"></a> [lambda\_envvars](#input\_lambda\_envvars) | Environment variables | `map(any)` | `{}` | no |
 | <a name="input_lambda_iam_role_arn"></a> [lambda\_iam\_role\_arn](#input\_lambda\_iam\_role\_arn) | ARN of IAM role to use for Lambda | `string` | `""` | no |
 | <a name="input_lambda_s3_custom_rules"></a> [lambda\_s3\_custom\_rules](#input\_lambda\_s3\_custom\_rules) | List of rules to evaluate how to upload a given S3 object to Observe | <pre>list(object({<br>    pattern = string<br>    headers = map(string)<br>  }))</pre> | `[]` | no |
diff --git a/main.tf b/main.tf
index 56e675b..2b9f889 100644
--- a/main.tf
+++ b/main.tf
@@ -4,7 +4,7 @@ locals {
   lambda_iam_role_name  = regex(".*role/(?P<role_name>.*)$", local.lambda_iam_role_arn)["role_name"]
   s3_bucket             = var.s3_bucket != "" ? var.s3_bucket : lookup(var.s3_regional_buckets, data.aws_region.current.name, local.default_lambda_bucket)
   s3_key                = var.s3_key != "" ? var.s3_key : join("/", [var.s3_key_prefix, format("%s.zip", var.lambda_version)])
-
+  observe_token         = var.kms_key != null ? aws_kms_ciphertext.token[0].ciphertext_blob : var.observe_token
   goarch = lookup(
     {
       "amd64" : {
@@ -29,6 +29,15 @@ locals {
 
 data "aws_region" "current" {}
 
+resource "aws_kms_ciphertext" "token" {
+  count     = var.kms_key != null ? 1 : 0
+  key_id    = var.kms_key.arn
+  plaintext = var.observe_token
+  context = {
+    LambdaFunctionName = var.name
+  }
+}
+
 resource "aws_lambda_function" "this" {
   function_name     = var.name
   s3_bucket         = local.s3_bucket
@@ -40,7 +49,7 @@ resource "aws_lambda_function" "this" {
   handler       = local.goarch.handler
   runtime       = local.goarch.runtime
   description   = var.description
-  kms_key_arn   = var.kms_key_arn
+  kms_key_arn   = var.kms_key != null ? var.kms_key.arn : var.kms_key_arn
   tags          = var.tags
 
   memory_size                    = var.memory_size
@@ -55,7 +64,7 @@ resource "aws_lambda_function" "this" {
   environment {
     variables = merge({
       OBSERVE_COLLECTION_ENDPOINT = var.observe_collection_endpoint != null ? var.observe_collection_endpoint : format("https://%s.collect.%s", var.observe_customer, var.observe_domain)
-      OBSERVE_TOKEN               = var.observe_token
+      OBSERVE_TOKEN               = local.observe_token
       }, length(var.lambda_s3_custom_rules) > 0 ? {
       S3_CUSTOM_RULES = base64encode(jsonencode(var.lambda_s3_custom_rules))
       } : {}
@@ -163,3 +172,37 @@ resource "aws_iam_role_policy_attachment" "vpc_access" {
   role       = local.lambda_iam_role_name
   policy_arn = aws_iam_policy.vpc_access[0].arn
 }
+
+resource "aws_iam_policy" "kms_decrypt" {
+  count       = var.kms_key != null ? 1 : 0
+  name_prefix = var.iam_name_prefix
+  description = "IAM policy for decrypting ciphertext using KMS"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "kms:Decrypt"
+      ],
+      "Resource": [
+          "${var.kms_key.arn}"
+      ],
+      "Condition": {
+        "StringEquals": {
+          "kms:EncryptionContext:LambdaFunctionName": "${var.name}"
+        }
+      }
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "kms_decrypt" {
+  count      = length(aws_iam_policy.kms_decrypt)
+  role       = local.lambda_iam_role_name
+  policy_arn = aws_iam_policy.kms_decrypt[count.index].arn
+}
diff --git a/variables.tf b/variables.tf
index 2e1038a..6bd371b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -22,11 +22,6 @@ variable "observe_customer" {
 variable "observe_token" {
   description = "Observe Token"
   type        = string
-
-  validation {
-    condition     = contains(split("", var.observe_token), ":")
-    error_message = "Token format does not follow {datastream_id}:{datastream_secret} format."
-  }
 }
 
 variable "observe_domain" {
@@ -136,10 +131,20 @@ variable "iam_name_prefix" {
   default     = "observe-lambda-"
 }
 
+variable "kms_key" {
+  description = <<-EOF
+    The AWS Key Management Service (AWS KMS) key that's used to encrypt your
+    function's environment variables at rest. Additionally, the Observe Token
+    will be encrypted in transit.
+  EOF
+  type        = object({ arn = string })
+  default     = null
+}
+
 variable "kms_key_arn" {
   description = <<-EOF
     The ARN of the AWS Key Management Service (AWS KMS) key that's used to encrypt your function's environment variables.
-    If it's not provided, AWS Lambda uses a default service key.
+    If it's not provided, AWS Lambda uses a default service key. Deprecated, please use kms_key instead"
   EOF
   type        = string
   nullable    = false