feat: updated cmk module and created localstack example

LocalStack/Security/LabCmk/main.tf

@@ -0,0 +1,15 @@
+module "cmk" {
+  source = "../../../modules/security_identity_compliance/CustomerManagedKmsKeys"
+
+  enable_key_rotation     = true
+  deletion_window_in_days = 7
+
+  create-allpurpose-key = true
+  create-backup-key     = true
+  create-database-key   = true
+  create-eksebs-key     = true
+  create-log-key        = true
+  create-notify-key     = true
+  create-secret-key     = true
+  create-storage-key    = true
+}

LocalStack/Security/LabCmk/provider.tf

@@ -0,0 +1,60 @@
+provider "aws" {
+  region = var.aws-region
+
+  # localstack config
+  access_key                  = "test"
+  secret_key                  = "test"
+  skip_credentials_validation = true
+  skip_metadata_api_check     = true
+  skip_requesting_account_id  = true
+
+  # localstack endpoints https://docs.localstack.cloud/aws/integrations/infrastructure-as-code/terraform/#:~:text=tflocal%20is%20a%20small%20wrapper,unmodified%20Terraform%20scripts%20against%20LocalStack.
+  endpoints {
+    apigateway     = "http://192.168.86.96:4566"
+    apigatewayv2   = "http://192.168.86.96:4566"
+    cloudformation = "http://192.168.86.96:4566"
+    cloudwatch     = "http://192.168.86.96:4566"
+    dynamodb       = "http://192.168.86.96:4566"
+    ec2            = "http://192.168.86.96:4566"
+    es             = "http://192.168.86.96:4566"
+    elasticache    = "http://192.168.86.96:4566"
+    firehose       = "http://192.168.86.96:4566"
+    iam            = "http://192.168.86.96:4566"
+    kinesis        = "http://192.168.86.96:4566"
+    kms            = "http://192.168.86.96:4566"
+    lambda         = "http://192.168.86.96:4566"
+    rds            = "http://192.168.86.96:4566"
+    redshift       = "http://192.168.86.96:4566"
+    route53        = "http://192.168.86.96:4566"
+    s3             = "http://192.168.86.96:4566"
+    secretsmanager = "http://192.168.86.96:4566"
+    ses            = "http://192.168.86.96:4566"
+    sns            = "http://192.168.86.96:4566"
+    sqs            = "http://192.168.86.96:4566"
+    ssm            = "http://192.168.86.96:4566"
+    stepfunctions  = "http://192.168.86.96:4566"
+    sts            = "http://192.168.86.96:4566"
+  }
+
+  default_tags {
+    tags = {
+      Environment  = var.environment
+      Project      = var.project
+      Application  = var.application
+      LocalStack   = true
+      TerraformDir = join("/", reverse(slice(reverse(split("/", path.cwd)), 0, 2)))
+    }
+  }
+}
+
+terraform {
+  required_version = ">= 1.11.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+# data aws_caller_identity current {}

LocalStack/Security/LabCmk/terraform.tfvars

@@ -0,0 +1,4 @@
+application = "localstack"
+environment = "locallab"
+project     = "iac"
+aws-region  = "us-east-1"

LocalStack/Security/LabCmk/variables.tf

@@ -0,0 +1,4 @@
+variable "aws-region" {}
+variable "environment" {}
+variable "project" {}
+variable "application" {}

modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf

@@ -44,7 +44,7 @@ resource "aws_kms_key" "storage" {
 # Key use for EBS volumes on EKS nodes
 resource "aws_kms_key" "eks_ebs" {
   count                              = var.create-eksebs-key ? 1 : 0
-  description                        = "CMK for use with ENS volumes on EKS nodes"
+  description                        = "CMK for use with EBS volumes on EKS nodes"
   enable_key_rotation                = var.enable_key_rotation
   rotation_period_in_days            = var.rotation_period_in_days
   is_enabled                         = var.is_enabled
@@ -307,9 +307,24 @@ data "aws_iam_policy_document" "rds" {
   }
 }
 
-data "aws_iam_role" "asg-service-linked-role" {
+# create an ASG service linked role if not already exist
-  count = var.create-eksebs-key ? 1 : 0
+data "aws_iam_roles" "autoscaling" {
-  name  = "AWSServiceRoleForAutoScaling"
+  count      = var.create_asg_role ? 0 : 1
+  name_regex = "^AWSServiceRoleForAutoScaling$"
+}
+
+resource "aws_iam_service_linked_role" "autoscaling" {
+  count            = var.create_asg_role ? 1 : 0
+  aws_service_name = "autoscaling.amazonaws.com"
+  description      = "Service-linked role for AutoScaling"
+}
+
+locals {
+  AsgServiceRoleArn = try(aws_iam_service_linked_role.autoscaling[0].arn, one(data.aws_iam_roles.autoscaling[0].arns))
+}
+
+output "debug" {
+  value = local.AsgServiceRoleArn
 }
 
 data "aws_iam_policy_document" "eksebs" {
@@ -320,7 +335,7 @@ data "aws_iam_policy_document" "eksebs" {
     effect = "Allow"
     principals {
       identifiers = [
-        data.aws_iam_role.asg-service-linked-role[0].arn
+        local.AsgServiceRoleArn
       ]
       type = "AWS"
     }
@@ -339,7 +354,7 @@ data "aws_iam_policy_document" "eksebs" {
     effect = "Allow"
     principals {
       identifiers = [
-        data.aws_iam_role.asg-service-linked-role[0].arn
+        local.AsgServiceRoleArn
       ]
       type = "AWS"
     }

modules/security_identity_compliance/CustomerManagedKmsKeys/variables.tf

@@ -110,6 +110,12 @@ variable "key_administrator_arn" {
   default     = null
 }
 
+variable "create_asg_role" {
+  description = "Create service linked role for autoscaling, required in key policy"
+  type        = bool
+  default     = true
+}
+
 ################################################################################
 # Grant
 ################################################################################