Merge pull request #25 from iress/encrypt-sec-manager-secret-cmk

Encrypt sec manager secret cmk
iress · Sep 30, 2021 · 57af25c · 57af25c
2 parents 16abdc5 + 70bbe91
commit 57af25c
Show file tree

Hide file tree

Showing 7 changed files with 34 additions and 0 deletions.
diff --git a/infra/terraform/modules/_auth/main.tf b/infra/terraform/modules/_auth/main.tf
@@ -30,6 +30,7 @@ module "auth" {
   timeout                  = 5
   iam_policy_override_json = data.aws_iam_policy_document.auth.json
   lambda_at_edge           = true
+  kms_key_arn              = var.kms_key_arn
 }
 
 module "rotation" {
@@ -40,6 +41,7 @@ module "rotation" {
   package_url              = "https://github.com/iress/cloudfront-auth/releases/download/${var.release_version}/rotate_key_pair.zip"
   timeout                  = 30
   iam_policy_override_json = data.aws_iam_policy_document.rotation.json
+  kms_key_arn              = var.kms_key_arn
 }
 
 resource "aws_lambda_permission" "allow_secrets_manager" {

diff --git a/infra/terraform/modules/_auth/secrets.tf b/infra/terraform/modules/_auth/secrets.tf
@@ -2,6 +2,7 @@ resource "aws_secretsmanager_secret" "key_pair" {
   name                    = "${var.name}/key-pair"
   recovery_window_in_days = 0
   tags                    = var.tags
+  kms_key_id              = var.kms_key_arn
 }
 
 resource "aws_secretsmanager_secret_rotation" "key_pair" {

diff --git a/infra/terraform/modules/_auth/variables.tf b/infra/terraform/modules/_auth/variables.tf
@@ -22,3 +22,9 @@ variable "key_pair_rotation_period_days" {
   description = "The number of days between automatic scheduled rotations of the key pair"
   type        = number
 }
+
+variable "kms_key_arn" {
+  description = "The ARN of the KMS key used to encrypt the key pair"
+  type        = string
+  default     = null
+}
diff --git a/infra/terraform/modules/_lambda/iam.tf b/infra/terraform/modules/_lambda/iam.tf
@@ -1,3 +1,7 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}
+
 data "aws_iam_policy_document" "assume_role" {
   statement {
     actions = ["sts:AssumeRole"]
@@ -23,6 +27,14 @@ data "aws_iam_policy_document" "execution" {
 
     resources = ["arn:aws:logs:*:*:*"]
   }
+
+  dynamic "statement" {
+    for_each = var.kms_key_arn != null ? [var.kms_key_arn] : []
+    content {
+      actions   = ["kms:Decrypt","kms:GenerateDataKey"]
+      resources = [ statement.value ]
+    }
+  }
 }
 
 resource "aws_iam_role" "lambda" {

diff --git a/infra/terraform/modules/_lambda/variables.tf b/infra/terraform/modules/_lambda/variables.tf
@@ -30,3 +30,9 @@ variable "lambda_at_edge" {
   type        = bool
   default     = false
 }
+
+variable "kms_key_arn" {
+  description = "The ARN of the KMS key used to encrypt the key pair"
+  type        = string
+  default     = null
+}
diff --git a/infra/terraform/modules/okta_native/main.tf b/infra/terraform/modules/okta_native/main.tf
@@ -6,4 +6,5 @@ module "auth" {
   tags                          = var.tags
   package_url                   = "https://github.com/iress/cloudfront-auth/releases/download/${var.release_version}/okta_native.zip"
   key_pair_rotation_period_days = var.key_pair_rotation_period_days
+  kms_key_arn                   = var.kms_key_arn
 }
diff --git a/infra/terraform/modules/okta_native/variables.tf b/infra/terraform/modules/okta_native/variables.tf
@@ -58,3 +58,9 @@ variable "scope" {
   type        = string
   default     = "openid email"
 }
+
+variable "kms_key_arn" {
+  description = "The ARN of the KMS key used to encrypt the key pair"
+  type        = string
+  default     = null
+}