diff --git a/LocalStack/Security/LabCmk/main.tf b/LocalStack/Security/LabCmk/main.tf
new file mode 100644
index 0000000..44c0888
--- /dev/null
+++ b/LocalStack/Security/LabCmk/main.tf
@@ -0,0 +1,15 @@
+module "cmk" {
+ source = "../../../modules/security_identity_compliance/CustomerManagedKmsKeys"
+
+ enable_key_rotation = true
+ deletion_window_in_days = 7
+
+ create-allpurpose-key = true
+ create-backup-key = true
+ create-database-key = true
+ create-eksebs-key = true
+ create-log-key = true
+ create-notify-key = true
+ create-secret-key = true
+ create-storage-key = true
+}
\ No newline at end of file
diff --git a/LocalStack/Security/LabCmk/outputs.tf b/LocalStack/Security/LabCmk/outputs.tf
new file mode 100644
index 0000000..473a0f4
diff --git a/LocalStack/Security/LabCmk/provider.tf b/LocalStack/Security/LabCmk/provider.tf
new file mode 100644
index 0000000..bebb056
--- /dev/null
+++ b/LocalStack/Security/LabCmk/provider.tf
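Review bot: The module call leaves `key_administrator_arn` at the module's null default and silently inherits `create_asg_role = true` (both declared in the module's variables.tf further down this diff), so a reader of the lab cannot tell whether root-only key administration and a fresh service-linked-role create are intended or accidental. I'd set both explicitly, e.g. `key_administrator_arn = null # lab only: no dedicated key admin principal — presumably root-only, confirm against the module policy` and `create_asg_role = true`. `deletion_window_in_days = 7` is also the shortest window KMS allows; acceptable for throwaway lab keys, but a comment such as `# minimum window; do not copy into non-lab stacks` keeps the value from being lifted into a real environment.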
@@ -0,0 +1,60 @@
+provider "aws" {
+ region = var.aws-region
+
+ # localstack config
+ access_key = "test"
+ secret_key = "test"
+ skip_credentials_validation = true
+ skip_metadata_api_check = true
+ skip_requesting_account_id = true
+
+ # localstack endpoints https://docs.localstack.cloud/aws/integrations/infrastructure-as-code/terraform/#:~:text=tflocal%20is%20a%20small%20wrapper,unmodified%20Terraform%20scripts%20against%20LocalStack.
+ endpoints {
+ apigateway = "http://192.168.86.96:4566"
+ apigatewayv2 = "http://192.168.86.96:4566"
+ cloudformation = "http://192.168.86.96:4566"
+ cloudwatch = "http://192.168.86.96:4566"
+ dynamodb = "http://192.168.86.96:4566"
+ ec2 = "http://192.168.86.96:4566"
+ es = "http://192.168.86.96:4566"
+ elasticache = "http://192.168.86.96:4566"
+ firehose = "http://192.168.86.96:4566"
+ iam = "http://192.168.86.96:4566"
+ kinesis = "http://192.168.86.96:4566"
+ kms = "http://192.168.86.96:4566"
+ lambda = "http://192.168.86.96:4566"
+ rds = "http://192.168.86.96:4566"
+ redshift = "http://192.168.86.96:4566"
+ route53 = "http://192.168.86.96:4566"
+ s3 = "http://192.168.86.96:4566"
+ secretsmanager = "http://192.168.86.96:4566"
+ ses = "http://192.168.86.96:4566"
+ sns = "http://192.168.86.96:4566"
+ sqs = "http://192.168.86.96:4566"
+ ssm = "http://192.168.86.96:4566"
+ stepfunctions = "http://192.168.86.96:4566"
+ sts = "http://192.168.86.96:4566"
+ }
+
+ default_tags {
+ tags = {
+ Environment = var.environment
+ Project = var.project
+ Application = var.application
+ LocalStack = true
+ TerraformDir = join("/", reverse(slice(reverse(split("/", path.cwd)), 0, 2)))
+ }
+ }
+}
+
+terraform {
+ required_version = ">= 1.11.0"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 6.0"
+ }
+ }
+}
+
+# data aws_caller_identity current {}
\ No newline at end of file
diff --git a/LocalStack/Security/LabCmk/terraform.tfvars b/LocalStack/Security/LabCmk/terraform.tfvars
new file mode 100644
index 0000000..1446415
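Review bot: All 24 entries in the `endpoints` block hard-code the plain-HTTP address of one LAN host, `http://192.168.86.96:4566`, so the lab only works from that network and moving LocalStack means editing every line. A single `localstack_endpoint` variable (declared in variables.tf with the others, defaulting to `http://localhost:4566`) referenced from each entry removes the duplication and makes the unencrypted, non-loopback target an explicit, documented choice instead of something buried in the provider block. The `test`/`test` static keys and the three `skip_*` flags are LocalStack's documented dummy setup, but a comment such as `# LocalStack dummy credentials; any service not listed under endpoints is still sent to the real AWS endpoint and fails auth there` would spell out the consequence of an incomplete endpoint list. The commented-out `data aws_caller_identity` at the bottom is dead code and can go, and the endpoints comment can be shortened to the bare docs URL, since the `#:~:text=` fragment is browser scroll state rather than part of the reference.
```hcl
variable "localstack_endpoint" {
  description = "LocalStack edge URL (plain HTTP, lab only); every service in the provider's endpoints block is routed here"
  type        = string
  default     = "http://localhost:4566"
}

  endpoints {
    apigateway   = var.localstack_endpoint
    apigatewayv2 = var.localstack_endpoint
    # … remaining 22 services likewise = var.localstack_endpoint …
    sts          = var.localstack_endpoint
  }
```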
--- /dev/null
+++ b/LocalStack/Security/LabCmk/terraform.tfvars
@@ -0,0 +1,4 @@
+application = "localstack"
+environment = "locallab"
+project = "iac"
+aws-region = "us-east-1"
\ No newline at end of file
diff --git a/LocalStack/Security/LabCmk/variables.tf b/LocalStack/Security/LabCmk/variables.tf
new file mode 100644
index 0000000..ddf3dac
--- /dev/null
+++ b/LocalStack/Security/LabCmk/variables.tf
@@ -0,0 +1,4 @@
+variable "aws-region" {}
+variable "environment" {}
+variable "project" {}
+variable "application" {}
\ No newline at end of file
diff --git a/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf b/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
index c84ca21..5f5db57 100644
--- a/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
+++ b/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
@@ -44,7 +44,7 @@ resource "aws_kms_key" "storage" {
 # Key use for EBS volumes on EKS nodes
 resource "aws_kms_key" "eks_ebs" {
 count = var.create-eksebs-key ? 1 : 0
- description = "CMK for use with ENS volumes on EKS nodes"
+ description = "CMK for use with EBS volumes on EKS nodes"
 enable_key_rotation = var.enable_key_rotation
 rotation_period_in_days = var.rotation_period_in_days
 is_enabled = var.is_enabled
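Review bot: None of the four variable blocks in the new variables.tf declares a `type` or a `description`, so a mistyped tfvars value (a list for `aws-region`, say) is only caught when the provider complains, and readers and doc generators get nothing. Give each one a type and a one-liner, e.g. `variable "aws-region" { type = string  description = "Region the LocalStack provider is configured for" }`, and likewise for `environment`, `project` and `application`, which in provider.tf only feed `default_tags`. The hyphenated names (`aws-region`) are legal, but the module this lab calls already mixes hyphens (`create-eksebs-key`) with underscores (`create_asg_role`), so settling on one convention for new files would stop the drift.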
@@ -307,9 +307,24 @@ data "aws_iam_policy_document" "rds" { } } -data "aws_iam_role" "asg-service-linked-role" { - count = var.create-eksebs-key ? 1 : 0 - name = "AWSServiceRoleForAutoScaling" +# create an ASG service linked role if not already exist +data "aws_iam_roles" "autoscaling" { + count = var.create_asg_role ? 0 : 1 + name_regex = "^AWSServiceRoleForAutoScaling$" +} + +resource "aws_iam_service_linked_role" "autoscaling" { + count = var.create_asg_role ? 1 : 0 + aws_service_name = "autoscaling.amazonaws.com" + description = "Service-linked role for AutoScaling" +} + +locals { + AsgServiceRoleArn = try(aws_iam_service_linked_role.autoscaling[0].arn, one(data.aws_iam_roles.autoscaling[0].arns)) +} + +output "debug" { + value = local.AsgServiceRoleArn } data "aws_iam_policy_document" "eksebs" { @@ -320,7 +335,7 @@ data "aws_iam_policy_document" "eksebs" { effect = "Allow" principals { identifiers = [ - data.aws_iam_role.asg-service-linked-role[0].arn + local.AsgServiceRoleArn ] type = "AWS" } @@ -339,7 +354,7 @@ data "aws_iam_policy_document" "eksebs" { effect = "Allow" principals { identifiers = [ - data.aws_iam_role.asg-service-linked-role[0].arn + local.AsgServiceRoleArn ] type = "AWS" } diff --git a/modules/security_identity_compliance/CustomerManagedKmsKeys/variables.tf b/modules/security_identity_compliance/CustomerManagedKmsKeys/variables.tf index 9a239b5..a75e5ac 100644 --- a/modules/security_identity_compliance/CustomerManagedKmsKeys/variables.tf +++ b/modules/security_identity_compliance/CustomerManagedKmsKeys/variables.tf @@ -110,6 +110,12 @@ variable "key_administrator_arn" { default = null } +variable "create_asg_role" { + description = "Create service linked role for autoscaling, required in key policy" + type = bool + default = true +} + ################################################################################ # Grant ################################################################################
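Review bot: The replacement lookup is no longer gated on `var.create-eksebs-key`: the removed `data "aws_iam_role"` was, while the new `data "aws_iam_roles"` and `aws_iam_service_linked_role` count only on `var.create_asg_role`, so a caller that disables the EKS EBS key still gets a service-linked role created (or a lookup that must succeed) for a key policy that is never built. The comment says "create ... if not already exist", but nothing checks existence — the flag is a manual switch, and because `AWSServiceRoleForAutoScaling` is a per-account singleton the create fails in any account that already has it. When `create_asg_role` is false and the role is missing, `one()` over the empty `arns` set yields null and `try()` hands it straight to the key-policy principal, so the failure surfaces as a confusing KMS/provider error far from the cause; a postcondition on the data source fails fast with an actionable message. `output "debug"` also reads as a development leftover — if the ARN is useful to callers, name and describe it, otherwise drop it. The rewritten blocks below keep the `local.AsgServiceRoleArn` name so the two eksebs policy statements need no change.
```hcl
# Look up the existing AutoScaling service-linked role when the caller does not want this module to create it.
data "aws_iam_roles" "autoscaling" {
  count      = var.create-eksebs-key && !var.create_asg_role ? 1 : 0
  name_regex = "^AWSServiceRoleForAutoScaling$"

  lifecycle {
    postcondition {
      condition     = length(self.arns) == 1
      error_message = "AWSServiceRoleForAutoScaling not found; create it first or set create_asg_role = true."
    }
  }
}

resource "aws_iam_service_linked_role" "autoscaling" {
  count = var.create-eksebs-key && var.create_asg_role ? 1 : 0
  # … unchanged: aws_service_name, description …
}

locals {
  # ARN from whichever branch ran; null only when the EKS EBS key itself is disabled.
  AsgServiceRoleArn = try(aws_iam_service_linked_role.autoscaling[0].arn, one(data.aws_iam_roles.autoscaling[0].arns))
}

output "asg_service_linked_role_arn" {
  description = "ARN of the AutoScaling service-linked role granted use of the EKS EBS key"
  value       = local.AsgServiceRoleArn
}
```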
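Review bot: With `create_asg_role` left true, the principal on this statement is an IAM role created in the same apply, and KMS validates key-policy principals at key creation; a role created seconds earlier can still be unresolvable, in which case KMS rejects the policy with MalformedPolicyDocumentException. As far as I know the AWS provider retries that specific error on `aws_kms_key` for a couple of minutes, so the apply normally recovers, but the dependency deserves a comment on this statement, e.g. `# principal may be created in the same apply; KMS create retries while IAM propagates`. The enclosing `data "aws_iam_policy_document" "eksebs"` and this `statement` block both start and end outside the hunk.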
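Review bot: `default = true` makes the module attempt to create `AWSServiceRoleForAutoScaling` on every apply unless the caller opts out, yet that role is a per-account singleton that already exists in any account that has used Auto Scaling or EKS managed node groups, so the safe default is the lookup (`default = false`), with `true` reserved for brand-new accounts. The description should state that trade-off, e.g. `description = "Create the AWSServiceRoleForAutoScaling service-linked role (one per account; leave false to look up the existing role instead)"`. The name also departs from the module's convention for toggles — the other `create-*` switches are hyphenated (`create-eksebs-key`, `create-storage-key`) while this one is `create_asg_role`; since the variable is new in this commit, aligning it now costs nothing.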