Add missing kms permissions to ElastioAssetAccountDeployer (#108)

Veetaha · web-flow · commit c12ccfd757e9 · 2025-03-28T13:07:09.000+02:00
I forgot to add `kms` permissions to the deployer role, which are
required if `encryptWithCmk` is enabled.
diff --git a/asset-account/terraform/cloudformation-stack/examples/advanced/.terraform.lock.hcl b/asset-account/terraform/cloudformation-stack/examples/advanced/.terraform.lock.hcl
diff --git a/asset-account/terraform/cloudformation-stack/examples/advanced/main.tf b/asset-account/terraform/cloudformation-stack/examples/advanced/main.tf
@@ -0,0 +1,46 @@
+module "elastio_asset_account" {
+  source = "../../"
+
+  template_url     = var.template_url
+  encrypt_with_cmk = true
+  iam_role_arn     = time_sleep.iam.triggers.deployer_role_arn
+}
+
+resource "aws_iam_role" "deployer" {
+  name = "ElastioAssetAccountDeployer"
+  assume_role_policy = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Effect" : "Allow",
+          "Principal" : {
+            "Service" : "cloudformation.amazonaws.com"
+          },
+          "Action" : "sts:AssumeRole"
+        }
+      ]
+    }
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "elastio_asset_account_deployer" {
+  role       = aws_iam_role.deployer.name
+  policy_arn = module.elastio_policies.policies.ElastioAssetAccountDeployer.arn
+}
+
+module "elastio_policies" {
+  source   = "../../../../../iam-policies/terraform"
+  policies = ["ElastioAssetAccountDeployer"]
+}
+
+# Wait for the IAM role and policies to propagate
+resource "time_sleep" "iam" {
+  create_duration = "20s"
+
+  depends_on = [aws_iam_role_policy_attachment.elastio_asset_account_deployer]
+
+  triggers = {
+    deployer_role_arn = aws_iam_role.deployer.arn
+  }
+}
diff --git a/asset-account/terraform/cloudformation-stack/examples/advanced/variables.tf b/asset-account/terraform/cloudformation-stack/examples/advanced/variables.tf
@@ -0,0 +1,13 @@
+variable "template_url" {
+  description = <<-DESCR
+    The URL of the Elastio Asset Account CloudFormation template obtained from
+    the Elastio Portal.
+
+    This parameter is sensitive, because anyone who knows this URL can deploy
+    Elastio Account stack and linking it to your Elastio tenant.
+  DESCR
+
+  sensitive = true
+  type      = string
+  nullable  = false
+}
diff --git a/asset-account/terraform/cloudformation-stack/examples/advanced/versions.tf b/asset-account/terraform/cloudformation-stack/examples/advanced/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+  required_version = "~> 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    time = {
+      source  = "hashicorp/time"
+      version = "~> 0.13"
+    }
+  }
+}
diff --git a/codegen/src/policies/ElastioAssetAccountDeployer.ts b/codegen/src/policies/ElastioAssetAccountDeployer.ts
@@ -101,5 +101,61 @@ export default {
       Action: "iam:PassRole",
       Resource: ["arn:*:iam::*:role/*Elastio*"],
     },
+
+    {
+      Sid: "ElastioKmsRead",
+      Action: [
+        "kms:DescribeKey",
+        "kms:GetKeyPolicy",
+        "kms:GetKeyRotationStatus",
+        "kms:ListResourceTags",
+      ],
+      Resource: "*",
+    },
+
+    {
+      Sid: "ElastioKmsCreate",
+      Action: ["kms:CreateKey"],
+      Resource: "*",
+      Condition: iam.hasRequestTag("elastio:resource"),
+    },
+
+    {
+      Sid: "ElastioKmsWrite",
+      Action: [
+        "kms:PutKeyPolicy",
+        "kms:ScheduleKeyDeletion",
+        "kms:EnableKeyRotation",
+        "kms:DisableKeyRotation",
+
+        "kms:TagResource",
+        "kms:UntagResource",
+
+        // Data-level KMS operations are required for example to encrypt/decrypt
+        // lambda env vars for lambda deployed as part of the Asset Account stack.
+        "kms:Decrypt",
+        "kms:Encrypt",
+        "kms:GenerateDataKey",
+        "kms:CreateGrant",
+      ],
+      Resource: "*",
+      Condition: iam.hasResourceTag("elastio:resource"),
+    },
+
+    // For KMS aliases we need separate permissions for the alias resource
+    // restricting it with the `elastio-` prefix.
+    {
+      Action: ["kms:CreateAlias", "kms:DeleteAlias", "kms:UpdateAlias"],
+      Resource: [`arn:aws:kms:*:*:alias/elastio-*`],
+    },
+
+    // Aliases require the same permissions both on the alias resource and on
+    // the KMS key resource. This is separate statement to use a condition
+    // by `elastio:resource` tag.
+    {
+      Action: ["kms:CreateAlias", "kms:DeleteAlias", "kms:UpdateAlias"],
+      Resource: [`arn:aws:kms:*:*:key/*`],
+      Condition: iam.hasResourceTag("elastio:resource"),
+    },
   ],
 } satisfies iam.Policy;
diff --git a/iam-policies/terraform/.module.toml b/iam-policies/terraform/.module.toml
@@ -2,4 +2,4 @@
 name = "aws-elastio-iam-policies"
 description = "A collection of AWS IAM policies for use with Elastio"
 type = "terraform"
-version = "0.33.1"
+version = "0.33.2"
diff --git a/iam-policies/terraform/README.md b/iam-policies/terraform/README.md
@@ -9,7 +9,7 @@ This Terraform module deploys additional Elastio IAM managed policies that you c
 ```tf
 module "elastio_policies" {
   source  = "terraform.cloudsmith.io/public/elastio-iam-policies/aws"
-  version = "0.33.1"
+  version = "0.33.2"
 
   // Provide input parameters
 }
diff --git a/iam-policies/terraform/policies/ElastioAssetAccountDeployer.json b/iam-policies/terraform/policies/ElastioAssetAccountDeployer.json
@@ -78,6 +78,65 @@
         "Action": "iam:PassRole",
         "Resource": ["arn:*:iam::*:role/*Elastio*"],
         "Effect": "Allow"
+      },
+      {
+        "Sid": "ElastioKmsRead",
+        "Action": [
+          "kms:DescribeKey",
+          "kms:GetKeyPolicy",
+          "kms:GetKeyRotationStatus",
+          "kms:ListResourceTags"
+        ],
+        "Resource": "*",
+        "Effect": "Allow"
+      },
+      {
+        "Sid": "ElastioKmsCreate",
+        "Action": ["kms:CreateKey"],
+        "Resource": "*",
+        "Condition": {
+          "StringLike": {
+            "aws:RequestTag/elastio:resource": "*"
+          }
+        },
+        "Effect": "Allow"
+      },
+      {
+        "Sid": "ElastioKmsWrite",
+        "Action": [
+          "kms:PutKeyPolicy",
+          "kms:ScheduleKeyDeletion",
+          "kms:EnableKeyRotation",
+          "kms:DisableKeyRotation",
+          "kms:TagResource",
+          "kms:UntagResource",
+          "kms:Decrypt",
+          "kms:Encrypt",
+          "kms:GenerateDataKey",
+          "kms:CreateGrant"
+        ],
+        "Resource": "*",
+        "Condition": {
+          "StringLike": {
+            "aws:ResourceTag/elastio:resource": "*"
+          }
+        },
+        "Effect": "Allow"
+      },
+      {
+        "Action": ["kms:CreateAlias", "kms:DeleteAlias", "kms:UpdateAlias"],
+        "Resource": ["arn:aws:kms:*:*:alias/elastio-*"],
+        "Effect": "Allow"
+      },
+      {
+        "Action": ["kms:CreateAlias", "kms:DeleteAlias", "kms:UpdateAlias"],
+        "Resource": ["arn:aws:kms:*:*:key/*"],
+        "Condition": {
+          "StringLike": {
+            "aws:ResourceTag/elastio:resource": "*"
+          }
+        },
+        "Effect": "Allow"
       }
     ]
   }

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@ This Terraform module deploys additional Elastio IAM managed policies that you c`
`9`	`9`	```tf
`10`	`10`	`module "elastio_policies" {`
`11`	`11`	`source = "terraform.cloudsmith.io/public/elastio-iam-policies/aws"`
`12`		`- version = "0.33.1"`
	`12`	`+ version = "0.33.2"`
`13`	`13`
`14`	`14`	`// Provide input parameters`
`15`	`15`	`}`