Merge pull request #85 from zama-ai/fred/feat/add-mpc-backup-key-module

feat: add mpc-backup-vault module

Author: fegmorte

modules/mpc-backup-key/README.md

@@ -0,0 +1,44 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.10 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.1 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_kms_alias.this_backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.this_backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_mpc_party_cross_account_iam_role_arn"></a> [mpc\_party\_cross\_account\_iam\_role\_arn](#input\_mpc\_party\_cross\_account\_iam\_role\_arn) | ARN of cross-account IAM role allowed for usage of KMS key | `string` | `null` | no |
+| <a name="input_mpc_party_kms_alias"></a> [mpc\_party\_kms\_alias](#input\_mpc\_party\_kms\_alias) | Alias for the KMS key | `string` | `null` | no |
+| <a name="input_mpc_party_kms_backup_description"></a> [mpc\_party\_kms\_backup\_description](#input\_mpc\_party\_kms\_backup\_description) | Description of KMS Key | `string` | `"Asymmetric KMS key backup for MPC Party"` | no |
+| <a name="input_mpc_party_kms_backup_vault_customer_master_key_spec"></a> [mpc\_party\_kms\_backup\_vault\_customer\_master\_key\_spec](#input\_mpc\_party\_kms\_backup\_vault\_customer\_master\_key\_spec) | Key spec for the backup vault | `string` | `"ASYMMETRIC_DEFAULT"` | no |
+| <a name="input_mpc_party_kms_backup_vault_key_usage"></a> [mpc\_party\_kms\_backup\_vault\_key\_usage](#input\_mpc\_party\_kms\_backup\_vault\_key\_usage) | Key usage for the backup vault | `string` | `"ENCRYPT_DECRYPT"` | no |
+| <a name="input_mpc_party_kms_deletion_window_in_days"></a> [mpc\_party\_kms\_deletion\_window\_in\_days](#input\_mpc\_party\_kms\_deletion\_window\_in\_days) | Deletion window in days for KMS key | `number` | `30` | no |
+| <a name="input_mpc_party_kms_image_attestation_sha"></a> [mpc\_party\_kms\_image\_attestation\_sha](#input\_mpc\_party\_kms\_image\_attestation\_sha) | Attestation SHA for KMS image | `string` | `null` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to assign to the resource | `map(string)` | <pre>{<br/>  "module": "mpc-party-backup",<br/>  "terraform": "true"<br/>}</pre> | no |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

modules/mpc-backup-key/main.tf

@@ -0,0 +1,77 @@
+# ************
+# Data Sources
+# ************
+data "aws_caller_identity" "current" {}
+
+# ************
+#  ASYMMETRIC KMS Key Backup for MPC Party
+# ************
+resource "aws_kms_key" "this_backup" {
+  description              = var.mpc_party_kms_backup_description
+  key_usage                = var.mpc_party_kms_backup_vault_key_usage
+  customer_master_key_spec = var.mpc_party_kms_backup_vault_customer_master_key_spec
+  enable_key_rotation      = false
+  deletion_window_in_days  = var.mpc_party_kms_deletion_window_in_days
+  tags                     = var.tags
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "Allow access for Key Administrators", # https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-administrators
+        Effect = "Allow",
+        Principal = {
+          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+        },
+        Action = [
+          "kms:Create*",
+          "kms:Describe*",
+          "kms:Enable*",
+          "kms:List*",
+          "kms:Put*",
+          "kms:Update*",
+          "kms:Revoke*",
+          "kms:Disable*",
+          "kms:Get*",
+          "kms:Delete*",
+          "kms:TagResource",
+          "kms:UntagResource",
+          "kms:ScheduleKeyDeletion",
+          "kms:CancelKeyDeletion"
+        ],
+        Resource = "*"
+      },
+      {
+        Effect = "Allow",
+        Principal = {
+          AWS = var.mpc_party_cross_account_iam_role_arn
+        },
+        Action = [
+          "kms:GetPublicKey",
+        ],
+        Resource = "*"
+      },
+      {
+        Effect = "Allow",
+        Principal = {
+          AWS = var.mpc_party_cross_account_iam_role_arn
+        },
+        Action = [
+          "kms:Decrypt",
+          "kms:GenerateDataKey",
+        ],
+        Resource = "*",
+        Condition = {
+          StringEqualsIgnoreCase = {
+            "kms:RecipientAttestation:ImageSha384" : var.mpc_party_kms_image_attestation_sha
+          }
+        }
+      },
+    ]
+  })
+}
+
+resource "aws_kms_alias" "this_backup" {
+  name          = "${var.mpc_party_kms_alias}-backup"
+  target_key_id = aws_kms_key.this_backup.key_id
+}

modules/mpc-backup-key/outputs.tf

@@ -0,0 +1,58 @@
+# ************
+# General variables
+# ************
+# Tagging
+variable "tags" {
+  type        = map(string)
+  description = "A map of tags to assign to the resource"
+  default = {
+    "terraform" = "true"
+    "module"    = "mpc-party-backup"
+  }
+}
+
+# ************
+# Variables for usage in main.tf
+# ************
+
+variable "mpc_party_cross_account_iam_role_arn" {
+  type        = string
+  description = "ARN of cross-account IAM role allowed for usage of KMS key"
+  default     = null
+}
+
+variable "mpc_party_kms_image_attestation_sha" {
+  type        = string
+  description = "Attestation SHA for KMS image"
+  default     = null
+}
+
+variable "mpc_party_kms_alias" {
+  type        = string
+  description = "Alias for the KMS key"
+  default     = null
+}
+
+variable "mpc_party_kms_deletion_window_in_days" {
+  type        = number
+  description = "Deletion window in days for KMS key"
+  default     = 30
+}
+
+variable "mpc_party_kms_backup_description" {
+  type        = string
+  description = "Description of KMS Key"
+  default     = "Asymmetric KMS key backup for MPC Party"
+}
+
+variable "mpc_party_kms_backup_vault_key_usage" {
+  type        = string
+  description = "Key usage for the backup vault"
+  default     = "ENCRYPT_DECRYPT"
+}
+
+variable "mpc_party_kms_backup_vault_customer_master_key_spec" {
+  type        = string
+  description = "Key spec for the backup vault"
+  default     = "ASYMMETRIC_DEFAULT"
+}

modules/mpc-backup-key/variables.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.10"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 6.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.1"
+    }
+  }
+}

modules/mpc-backup-key/versions.tf

@@ -0,0 +1,61 @@
+# MPC Key backup modules\
+
+This module is aim to create :
+- bucket for backup vault
+
+The kms keys is handled by kms-stack terraform module in infra repo.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.10 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.1 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 3.1 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.mpc_aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.mpc_backup_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.mpc_backup_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_s3_bucket.backup_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_ownership_controls.backup_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
+| [aws_s3_bucket_policy.backup_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_public_access_block.backup_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_versioning.backup_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
+| [random_id.mpc_party_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_bucket_cross_account_id"></a> [bucket\_cross\_account\_id](#input\_bucket\_cross\_account\_id) | ID of the AWS account that can access the backup bucket. | `string` | n/a | yes |
+| <a name="input_bucket_prefix"></a> [bucket\_prefix](#input\_bucket\_prefix) | The prefix for the S3 bucket names | `string` | `"mpc-backup-vault"` | no |
+| <a name="input_party_name"></a> [party\_name](#input\_party\_name) | The name of the MPC party (used for resource naming and tagging) | `string` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to assign to the resource | `map(string)` | <pre>{<br/>  "module": "mpc-party",<br/>  "terraform": "true"<br/>}</pre> | no |
+| <a name="input_trusted_principal_arns"></a> [trusted\_principal\_arns](#input\_trusted\_principal\_arns) | List of ARNs (users, roles, or root accounts) that can assume the backup role. | `list(string)` | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_bucket_arn"></a> [bucket\_arn](#output\_bucket\_arn) | The ARN of the created S3 bucket |
+| <a name="output_bucket_name"></a> [bucket\_name](#output\_bucket\_name) | The name of the created S3 bucket |
+| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | The ARN of the IAM role created for accessing the bucket |
+| <a name="output_role_name"></a> [role\_name](#output\_role\_name) | The name of the IAM role created for accessing the bucket |
+<!-- END_TF_DOCS -->

modules/mpc-backup-vault/README.md

@@ -0,0 +1,120 @@
+# ***************************************
+#  Local variables
+# ***************************************
+resource "random_id" "mpc_party_suffix" {
+  byte_length = 4
+}
+locals {
+  backup_bucket_name = "${var.bucket_prefix}-${var.party_name}-${random_id.mpc_party_suffix.hex}"
+}
+
+# ***************************************
+#  S3 Buckets for Vault Private Storage
+# ***************************************
+resource "aws_s3_bucket" "backup_bucket" {
+  force_destroy = true
+  bucket        = local.backup_bucket_name
+  tags = merge(var.tags, {
+    "Name"    = local.backup_bucket_name
+    "Type"    = "backup-vault"
+    "Party"   = var.party_name
+    "Purpose" = "mpc-backup-storage"
+  })
+}
+
+resource "aws_s3_bucket_ownership_controls" "backup_bucket" {
+  bucket = aws_s3_bucket.backup_bucket.id
+  rule {
+    object_ownership = "BucketOwnerEnforced"
+  }
+}
+
+resource "aws_s3_bucket_versioning" "backup_bucket" {
+  bucket = aws_s3_bucket.backup_bucket.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "backup_bucket" {
+  bucket                  = aws_s3_bucket.backup_bucket.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_policy" "backup_bucket" {
+  bucket = aws_s3_bucket.backup_bucket.id
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "AllowCrossAccountBackup"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::${var.bucket_cross_account_id}:root"
+        }
+        Action = "s3:*"
+        Resource = [
+          "arn:aws:s3:::${aws_s3_bucket.backup_bucket.id}",
+          "arn:aws:s3:::${aws_s3_bucket.backup_bucket.id}/*"
+        ]
+      }
+    ]
+  })
+}
+
+# ***************************************
+#  IAM Role & Policy for MPC Backup Vault
+# ***************************************
+
+# Trust policy: Allow trusted principals to assume this role
+data "aws_iam_policy_document" "assume_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    effect  = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = var.trusted_principal_arns
+    }
+  }
+}
+
+resource "aws_iam_role" "mpc_backup_role" {
+  name               = "mpc-backup-${var.party_name}"
+  assume_role_policy = data.aws_iam_policy_document.assume_role.json
+  tags               = var.tags
+}
+
+# Policy allowing access to the bucket
+resource "aws_iam_policy" "mpc_aws" {
+  name = "mpc-backup-${var.party_name}"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "AllowObjectActions"
+        Effect = "Allow"
+        Action = "s3:*Object"
+        Resource = [
+          "arn:aws:s3:::${aws_s3_bucket.backup_bucket.id}/*"
+        ]
+      },
+      {
+        Sid    = "AllowListBucket"
+        Effect = "Allow"
+        Action = "s3:ListBucket"
+        Resource = [
+          "arn:aws:s3:::${aws_s3_bucket.backup_bucket.id}"
+        ]
+      }
+    ]
+  })
+}
+
+# Attach policy to the role
+resource "aws_iam_role_policy_attachment" "mpc_backup_attach" {
+  role       = aws_iam_role.mpc_backup_role.name
+  policy_arn = aws_iam_policy.mpc_aws.arn
+}

modules/mpc-backup-vault/main.tf

@@ -0,0 +1,19 @@
+output "bucket_name" {
+  description = "The name of the created S3 bucket"
+  value       = aws_s3_bucket.backup_bucket.id
+}
+
+output "bucket_arn" {
+  description = "The ARN of the created S3 bucket"
+  value       = aws_s3_bucket.backup_bucket.arn
+}
+
+output "role_name" {
+  description = "The name of the IAM role created for accessing the bucket"
+  value       = aws_iam_role.mpc_backup_role.name
+}
+
+output "role_arn" {
+  description = "The ARN of the IAM role created for accessing the bucket"
+  value       = aws_iam_role.mpc_backup_role.arn
+}