From db30da79d2af6125b95c854f2f5d23700023c836 Mon Sep 17 00:00:00 2001
From: Luiz Rocha
Date: Thu, 3 Mar 2022 13:21:15 +1100
Subject: [PATCH] Move the cmk creation to outside of the module (#12)
* Move the cmk creation to the outside of the module
* terraform-docs: automated update action
Co-authored-by: lzrocha
---
 README.md | 2 +-
 _outputs.tf | 0
 _variables.tf | 7 +++---
 ecr-repositories.tf | 4 +---
 kms.tf | 57 ---------------------------------------------
 5 files changed, 5 insertions(+), 65 deletions(-)
 delete mode 100644 _outputs.tf
 delete mode 100644 kms.tf
diff --git a/README.md b/README.md
index 9dad3ac..7194279 100644
--- a/README.md
+++ b/README.md
@@ -34,7 +34,7 @@ The following resources will be created:
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| ecr\_cmk\_encryption | Enabled KMS CMK encryption for ECR repository | `bool` | `false` | no |
+| kms\_key\_arn | KMS Key ARN to use a CMK instead of default key | `string` | n/a | yes |
 | name | Name for ECR repository | `any` | n/a | yes |
 | trust\_accounts | Accounts to trust and allow ECR fetch | `list(string)` | n/a | yes |
diff --git a/_outputs.tf b/_outputs.tf
deleted file mode 100644
index e69de29..0000000
diff --git a/_variables.tf b/_variables.tf
index 7a37fdf..877ab3a 100644
--- a/_variables.tf
+++ b/_variables.tf
@@ -7,8 +7,7 @@ variable "trust_accounts" {
 description = "Accounts to trust and allow ECR fetch"
 }
-variable "ecr_cmk_encryption" {
- type = bool
- description = "Enabled KMS CMK encryption for ECR repository"
- default = false
+variable "kms_key_arn" {
+ type = string
+ description = "KMS Key ARN to use a CMK instead of default key"
 }
\ No newline at end of file
diff --git a/ecr-repositories.tf b/ecr-repositories.tf
index 28ffcb6..6fb4b69 100644
--- a/ecr-repositories.tf
+++ b/ecr-repositories.tf
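Review bot: `kms_key_arn` is declared with no default, so it is a required input (the README row now says `yes`), yet the consumer in ecr-repositories.tf treats an empty string as "use the default key" — the only way to reach the AWS-managed key is to pass `""`, and an explicit `null` would fail inside `length()`. I would add `default = ""` and a `validation` block that accepts the empty string or a full `arn:aws…:kms:…:key/…` ARN, so a bare key ID or alias is rejected at plan time instead of surfacing as an ECR API error (`validation` blocks need Terraform 0.13+; the module's required_version is not visible in this diff). The description should also state the security consequence of moving key creation out of the module: the removed kms.tf policy granted the `trust_accounts` principals kms:Encrypt/Decrypt/ReEncrypt*/GenerateDataKey*/DescribeKey/CreateGrant/RetireGrant restricted by `kms:ViaService` to ECR, and a caller-supplied CMK now has to carry an equivalent statement or cross-account pulls will fail at decrypt time.

```hcl
variable "kms_key_arn" {
  type        = string
  description = "ARN of an existing KMS CMK for ECR encryption; empty string selects the AWS-managed aws/ecr key. The key policy must allow the trust_accounts principals to use the key via ecr.<region>.amazonaws.com (Encrypt, Decrypt, ReEncrypt*, GenerateDataKey*, DescribeKey, CreateGrant, RetireGrant), as the module no longer manages that policy."
  default     = ""

  validation {
    condition     = var.kms_key_arn == "" || can(regex("^arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:key/", var.kms_key_arn))
    error_message = "kms_key_arn must be empty or a full KMS key ARN (arn:aws...:kms:<region>:<account>:key/<id>)."
  }
}
```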
@@ -7,8 +7,6 @@ resource "aws_ecr_repository" "default" {
 encryption_configuration {
 encryption_type = "KMS"
- kms_key = try(var.ecr_cmk_encryption, false) ? aws_kms_key.ecr[0].arn : null
+ kms_key = length(var.kms_key_arn) > 0 ? var.kms_key_arn : null
 }
-
- depends_on = [aws_kms_alias.ecr]
 }
diff --git a/kms.tf b/kms.tf
deleted file mode 100644
index 2c2c07e..0000000
--- a/kms.tf
+++ /dev/null
@@ -1,57 +0,0 @@
-data "aws_iam_policy_document" "kms_policy_ecr" {
- count = var.ecr_cmk_encryption ? 1 : 0
- statement {
- sid = "Allow direct access to key metadata to the account"
- effect = "Allow"
- principals {
- type = "AWS"
- identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
- }
- actions = [
- "kms:*"
- ]
- resources = ["*"]
- }
- statement {
- actions = [
- "kms:Encrypt",
- "kms:Decrypt",
- "kms:ReEncrypt*",
- "kms:GenerateDataKey*",
- "kms:DescribeKey",
- "kms:CreateGrant",
- "kms:RetireGrant"
- ]
- principals {
- type = "AWS"
- identifiers = ["*"]
- }
- resources = ["*"]
- condition {
- test = "StringEquals"
- variable = "kms:CallerAccount"
- values = [join(",", var.trust_accounts)]
- }
- condition {
- test = "StringEquals"
- variable = "kms:ViaService"
- values = ["ecr.${data.aws_region.current.name}.amazonaws.com"]
- }
- sid = "Allow access through Amazon ECR for all principals in the account that are authorized to use Amazon ECR"
- }
-}
-
- resource "aws_kms_key" "ecr" {
- count = var.ecr_cmk_encryption ? 1 : 0
- deletion_window_in_days = 30
- description = "Customer-managed key that protects ECR data"
- enable_key_rotation = true
- policy = data.aws_iam_policy_document.kms_policy_ecr[0].json
-}
-
-resource "aws_kms_alias" "ecr" {
- count = var.ecr_cmk_encryption ? 1 : 0
- name = "alias/cmk/ecr"
- target_key_id = aws_kms_key.ecr[0].key_id
-}
\ No newline at end of file
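Review bot: `kms_key = length(var.kms_key_arn) > 0 ? var.kms_key_arn : null` silently falls back to the AWS-managed `aws/ecr` key whenever the variable is empty, and `length()` is not null-safe, so an explicit `kms_key_arn = null` fails to plan while an accidental `""` quietly changes which key protects the images. I would make the fallback explicit and null-tolerant, `kms_key = var.kms_key_arn != null && var.kms_key_arn != "" ? var.kms_key_arn : null`, and record the intent above it: `# Empty/null -> AWS-managed aws/ecr key. A supplied CMK must allow trust_accounts to use it via ecr.<region>.amazonaws.com; kms.tf no longer manages that key policy.` Because the module no longer creates the key, nothing here confirms the referenced key exists, is enabled, or is in this region; a `data "aws_kms_key"` lookup on the ARN would fail fast at plan time instead of on the first push. The enclosing `aws_ecr_repository "default"` block begins above this hunk.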