diff --git a/src/kms-key.tf b/src/kms-key.tf
new file mode 100644
index 0000000..1cf3351
--- /dev/null
+++ b/src/kms-key.tf
@@ -0,0 +1,90 @@
+module "kms_key_archive" {
+ source = "cloudposse/kms-key/aws"
+ version = "0.12.2"
+
+ description = "KMS key for Datadog Log Archives"
+ deletion_window_in_days = 10
+ enable_key_rotation = true
+ policy = join("", data.aws_iam_policy_document.kms_key_archive[*].json)
+
+ context = module.this.context
+}
+
+data "aws_iam_policy_document" "kms_key_archive" {
+ count = local.enabled ? 1 : 0
+
+ statement {
+ sid = "Enable IAM User Permissions"
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = [
+ format("arn:${local.aws_partition}:iam::%s:root", local.aws_account_id)
+ ]
+ }
+ actions = ["kms:*"]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "Allow CloudTrail to use the key"
+ effect = "Allow"
+ principals {
+ type = "Service"
+ identifiers = ["cloudtrail.amazonaws.com"]
+ }
+ actions = [
+ "kms:Encrypt",
+ "kms:GenerateDataKey*"
+ ]
+ resources = ["*"]
+ condition {
+ test = "StringLike"
+ variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+ values = [
+ format("arn:${local.aws_partition}:cloudtrail:*:%s:trail/*", local.aws_account_id)
+ ]
+ }
+ }
+
+ statement {
+ sid = "Allow use of the key"
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = [
+ format("arn:${local.aws_partition}:iam::%s:role/${local.datadog_aws_role_name}", local.aws_account_id)
+ ]
+ }
+ actions = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey"
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "Allow attachment of persistent resources"
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = [
+ format("arn:${local.aws_partition}:iam::%s:role/${local.datadog_aws_role_name}", local.aws_account_id)
+ ]
+ }
+ actions = [
+ "kms:CreateGrant",
+ "kms:ListGrants",
+ "kms:RevokeGrant"
+ ]
+ resources = ["*"]
+ condition {
+ test = "Bool"
+ variable = "kms:GrantIsForAWSResource"
+ values = ["true"]
+ }
+ }
+}
diff --git a/src/main.tf b/src/main.tf
index 9cedbb4..4a09947 100644
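Review bot: `deletion_window_in_days = 10` is close to the 7-day minimum for a key that will protect the whole CloudTrail history and the log archives; once the key is scheduled for deletion every object encrypted under it becomes unrecoverable when the window lapses, so prefer the 30-day maximum, `deletion_window_in_days = 30`, to leave room to notice and cancel an accidental or malicious ScheduleKeyDeletion. The CloudTrail statement grants only `kms:Encrypt` and `kms:GenerateDataKey*`, whereas AWS's reference key policy for CloudTrail also grants `kms:DescribeKey` to `cloudtrail.amazonaws.com` and trail creation may fail validation without it — confirm against the current CloudTrail docs before relying on this policy. The "Allow use of the key" statement lets the Datadog role call KMS directly, and because one key now protects both buckets it could decrypt CloudTrail log objects as well as its own archives if it ever gains S3 read on that bucket; a `kms:ViaService` condition on `s3.<region>.amazonaws.com` (or a separate key per bucket) would keep the role to S3-mediated use. KMS also rejects a key policy that names a principal that does not exist yet, so if the role behind `local.datadog_aws_role_name` is created in this same module, the key must depend on it explicitly or the first apply may fail.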
--- a/src/main.tf +++ b/src/main.tf @@ -140,7 +140,9 @@ module "bucket_policy" { source = "cloudposse/iam-policy/aws" version = "2.0.2" - iam_policy_statements = try(lookup(local.policy, "Statement"), null) + iam_policy = local.enabled ? { + statements = local.policy.Statement + } : null context = module.this.context } @@ -167,6 +169,9 @@ module "archive_bucket" { enabled = local.enabled force_destroy = var.s3_force_destroy + kms_master_key_arn = module.kms_key_archive.key_arn + sse_algorithm = "aws:kms" + lifecycle_rules = [ { prefix = null @@ -229,6 +234,9 @@ module "cloudtrail_s3_bucket" { enabled = local.enabled force_destroy = var.s3_force_destroy + kms_master_key_arn = module.kms_key_archive.key_arn + sse_algorithm = "aws:kms" + source_policy_documents = data.aws_iam_policy_document.default.*.json lifecycle_rules = [ @@ -239,8 +247,8 @@ module "cloudtrail_s3_bucket" { abort_incomplete_multipart_upload_days = null enable_glacier_transition = var.enable_glacier_transition - glacier_transition_days = 365 - noncurrent_version_glacier_transition_days = 365 + glacier_transition_days = var.glacier_transition_days + noncurrent_version_glacier_transition_days = var.glacier_transition_days enable_deeparchive_transition = false deeparchive_transition_days = 0 noncurrent_version_deeparchive_transition_days = 0 @@ -302,6 +310,7 @@ module "cloudtrail" { enabled = local.enabled enable_logging = true s3_bucket_name = module.cloudtrail_s3_bucket[0].bucket_id + kms_key_arn = module.kms_key_archive.key_arn event_selector = [ {
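Review bot: Setting `sse_algorithm = "aws:kms"` on the archive bucket applies `module.kms_key_archive` only to uploads that carry no encryption header, so a writer can still put an object with `x-amz-server-side-encryption: AES256` and sidestep the key; the bucket policy built from `local.policy` (outside this hunk) should deny `s3:PutObject` unless `s3:x-amz-server-side-encryption-aws-kms-key-id` equals the key ARN, or at least unless `s3:x-amz-server-side-encryption` is `aws:kms`. With SSE-KMS every object written or read now also costs a KMS request; if the pinned cloudposse s3-bucket version exposes it, `bucket_key_enabled = true` next to `kms_master_key_arn` cuts that traffic — confirm the variable name against the module version, which is outside the hunk. The archive_bucket module block starts and ends outside this hunk.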
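Review bot: `kms_key_arn = module.kms_key_archive.key_arn` ties the trail's log encryption to a key whose policy grants `kms:*` to this same account's root principal (kms-key.tf), so any principal in the account that IAM allows `kms:ScheduleKeyDeletion` or `kms:PutKeyPolicy` can make the audit history unreadable or halt delivery; if this trail is meant to be tamper-resistant, the key and the bucket usually belong in a separate log-archive account that this account's administrators cannot modify. Pair the change with `enable_log_file_validation = true` on this module if it is not already set in the part of the block outside this hunk, so that modified or deleted log files remain detectable through the digest files. The cloudtrail module block starts and ends outside this hunk.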