Update CHANGELOG

Author: ingalls

CHANGELOG.md

@@ -12,6 +12,10 @@
 
 ### Pending Release
 
+### v2.5.0
+
+- :rocket: Add top level KMS Key for encrypting logs & performance metrics
+
 ### v2.4.0
 
 - :rocket: Associate self with myApplication

cloudformation/lib/kms.js

@@ -0,0 +1,41 @@
+import cf from '@openaddresses/cloudfriend';
+
+export default {
+    Resources: {
+        KMSAlias: {
+            Type: 'AWS::KMS::Alias',
+            Properties: {
+                AliasName: cf.join(['alias/', cf.stackName]),
+                TargetKeyId: cf.ref('KMS')
+            }
+        },
+        KMS: {
+            Type: 'AWS::KMS::Key',
+            Properties: {
+                Description: 'Used to encrypt logs & metrics related to platform operations',
+                Enabled: true,
+                EnableKeyRotation: false,
+                KeyPolicy: {
+                    Id: cf.stackName,
+                    Statement: [{
+                        Effect: 'Allow',
+                        Principal: {
+                            AWS: cf.join(['arn:', cf.partition, ':iam::', cf.accountId, ':root'])
+                        },
+                        Action: ['kms:*'],
+                        Resource: '*'
+                    }]
+                }
+            }
+        },
+    },
+    Outputs: {
+        KMS: {
+            Description: 'KMS',
+            Export: {
+                Name: cf.join([cf.stackName, '-kms'])
+            },
+            Value: cf.getAtt('KMS', 'Arn')
+        }
+    }
+};

cloudformation/vpc.template.js

@@ -1,5 +1,6 @@
 import cf from '@openaddresses/cloudfriend';
 import VPC from './lib/vpc.js';
+import KMS from './lib/kms.js';
 import Connect from './lib/connect.js';
 import ELBLogs from './lib/elb-logs.js';
 import ECSCluster from './lib/ecs-cluster.js';
@@ -66,4 +67,4 @@ export default cf.merge({
             Value: cf.ref('HostedZoneID')
         }
     }
-}, VPC, Connect, ELBLogs, ECSCluster);
+}, VPC, KMS, Connect, ELBLogs, ECSCluster);