From 9bd02c22c7fc64650f86dec6d3f2721acf92be79 Mon Sep 17 00:00:00 2001 From: Chris Wilson Date: Wed, 29 Sep 2021 14:12:31 +0100 Subject: [PATCH 1/2] allow secrets manager secrets to be encrypted with a CMK --- infra/terraform/modules/_auth/main.tf | 2 ++ infra/terraform/modules/_auth/secrets.tf | 1 + infra/terraform/modules/_auth/variables.tf | 6 ++++++ infra/terraform/modules/_lambda/iam.tf | 12 ++++++++++++ infra/terraform/modules/_lambda/variables.tf | 6 ++++++ infra/terraform/modules/okta_native/main.tf | 1 + infra/terraform/modules/okta_native/variables.tf | 6 ++++++ 7 files changed, 34 insertions(+) diff --git a/infra/terraform/modules/_auth/main.tf b/infra/terraform/modules/_auth/main.tf index 328c93b..60d05c4 100644 --- a/infra/terraform/modules/_auth/main.tf +++ b/infra/terraform/modules/_auth/main.tf @@ -30,6 +30,7 @@ module "auth" { timeout = 5 iam_policy_override_json = data.aws_iam_policy_document.auth.json lambda_at_edge = true + kms_key_arn = var.kms_key_arn } module "rotation" { @@ -40,6 +41,7 @@ module "rotation" { package_url = "https://github.com/iress/cloudfront-auth/releases/download/${var.release_version}/rotate_key_pair.zip" timeout = 30 iam_policy_override_json = data.aws_iam_policy_document.rotation.json + kms_key_arn = var.kms_key_arn } resource "aws_lambda_permission" "allow_secrets_manager" { diff --git a/infra/terraform/modules/_auth/secrets.tf b/infra/terraform/modules/_auth/secrets.tf index 4302580..a47c02e 100644 --- a/infra/terraform/modules/_auth/secrets.tf +++ b/infra/terraform/modules/_auth/secrets.tf @@ -2,6 +2,7 @@ resource "aws_secretsmanager_secret" "key_pair" { name = "${var.name}/key-pair" recovery_window_in_days = 0 tags = var.tags + kms_key_id = var.kms_key_arn } resource "aws_secretsmanager_secret_rotation" "key_pair" { diff --git a/infra/terraform/modules/_auth/variables.tf b/infra/terraform/modules/_auth/variables.tf index 7c196fc..ba00a70 100644 --- a/infra/terraform/modules/_auth/variables.tf 
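Review bot: Setting `kms_key_id` on the existing `aws_secretsmanager_secret.key_pair` re-keys a secret that already holds versions, and that has consequences this hunk does not address: Secrets Manager re-encrypts the labelled versions at update time with the credentials of whoever runs the apply, so the deploying principal (not the Lambda roles) needs decrypt on the previous key and encrypt/generate-data-key on the new one, and any version it does not re-encrypt stays under the old key until rotation writes a new one — check the Secrets Manager re-encryption rules before rolling this out against a live stack. Keeping decrypt access to the old key in place through the switch-over avoids locking the `auth` function out of a still-current version. I would add a comment above the new line, `# Re-keying an existing secret re-encrypts only the labelled versions and needs encrypt/decrypt on both keys for the applying principal; keep the old key readable until rotation has run.` Note that `recovery_window_in_days = 0` in the context means a destroy of this resource is unrecoverable, which makes a botched re-key more costly than usual.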
+++ b/infra/terraform/modules/_auth/variables.tf @@ -22,3 +22,9 @@ variable "key_pair_rotation_period_days" { description = "The number of days between automatic scheduled rotations of the key pair" type = number } + +variable "kms_key_arn" { + description = "kms key to encrypt secrets manager secret" + type = string + default = null +} diff --git a/infra/terraform/modules/_lambda/iam.tf b/infra/terraform/modules/_lambda/iam.tf index 59b3027..66c0382 100644 --- a/infra/terraform/modules/_lambda/iam.tf +++ b/infra/terraform/modules/_lambda/iam.tf @@ -1,3 +1,7 @@ +data "aws_caller_identity" "current" {} + +data "aws_region" "current" {} + data "aws_iam_policy_document" "assume_role" { statement { actions = ["sts:AssumeRole"] @@ -23,6 +27,14 @@ data "aws_iam_policy_document" "execution" { resources = ["arn:aws:logs:*:*:*"] } + + dynamic "statement" { + for_each = var.kms_key_arn != null ? [var.kms_key_arn] : [] + content { + actions = ["kms:Decrypt","kms:GenerateDataKey"] + resources = [ statement.value ] + } + } } resource "aws_iam_role" "lambda" { diff --git a/infra/terraform/modules/_lambda/variables.tf b/infra/terraform/modules/_lambda/variables.tf index bf226d6..affe0b4 100644 --- a/infra/terraform/modules/_lambda/variables.tf +++ b/infra/terraform/modules/_lambda/variables.tf @@ -30,3 +30,9 @@ variable "lambda_at_edge" { type = bool default = false } + +variable "kms_key_arn" { + description = "kms key to encrypt secrets manager secret" + type = string + default = null +} diff --git a/infra/terraform/modules/okta_native/main.tf b/infra/terraform/modules/okta_native/main.tf index 5493b04..32e7544 100644 --- a/infra/terraform/modules/okta_native/main.tf +++ b/infra/terraform/modules/okta_native/main.tf @@ -6,4 +6,5 @@ module "auth" { tags = var.tags package_url = "https://github.com/iress/cloudfront-auth/releases/download/${var.release_version}/okta_native.zip" key_pair_rotation_period_days = var.key_pair_rotation_period_days + kms_key_arn = var.kms_key_arn } 
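Review bot: The new dynamic statement in `data.aws_iam_policy_document.execution` grants `kms:Decrypt` and `kms:GenerateDataKey` on the key with no condition, which lets the function use the CMK directly for any Decrypt/GenerateDataKey call rather than only through Secrets Manager; a `kms:ViaService` condition scoped to `secretsmanager.<region>.amazonaws.com` confines it to the intended path. `data.aws_region.current` and `data.aws_caller_identity.current` are added in the first hunk of this file but nothing in the visible hunks references them — presumably they were meant for exactly this condition, otherwise they are dead declarations. This assumes the secret lives in the same region as the provider the `_lambda` module is called with; `auth` is deployed as Lambda@Edge, and if it fetches the secret from a different region the condition must name that region instead. The new lines are not `terraform fmt` output (`["kms:Decrypt","kms:GenerateDataKey"]` without a space, `[ statement.value ]` with inner spaces, unaligned `=`), which will churn on the next format run. Both the read-only `auth` function and the `rotation` function receive `GenerateDataKey` through this shared module; if `auth` only ever reads the secret it needs `kms:Decrypt` alone, which could be a second flag on the module.
```hcl
  // … unchanged: logs statement …

  dynamic "statement" {
    for_each = var.kms_key_arn != null ? [var.kms_key_arn] : []
    content {
      actions   = ["kms:Decrypt", "kms:GenerateDataKey"]
      resources = [statement.value]

      # Only allow the key to be used via Secrets Manager in this region,
      # not for direct Decrypt/GenerateDataKey calls from the function.
      condition {
        test     = "StringEquals"
        variable = "kms:ViaService"
        values   = ["secretsmanager.${data.aws_region.current.name}.amazonaws.com"]
      }
    }
  }
```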
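Review bot: `kms_key_arn` in `_lambda/variables.tf` is consumed in two places with different format requirements: the `_auth` module passes it to `kms_key_id` on the secret, which accepts a key ID or alias as well as an ARN, while `_lambda/iam.tf` drops it straight into an IAM `resources` list, which must be a full ARN. A caller who passes a key ID or alias therefore gets a secret that works and a policy that either fails to apply or matches nothing, and the error surfaces far from the variable. A `validation` block on the variable catches this at plan time; the same check belongs on the `_auth` and `okta_native` copies, which only pass the value through.
```hcl
variable "kms_key_arn" {
  description = "The ARN of the KMS key used to encrypt the key pair"
  type        = string
  default     = null

  # The value is also used as an IAM resource ARN, so a key ID or alias is not acceptable here.
  validation {
    condition     = var.kms_key_arn == null || can(regex("^arn:aws[a-z-]*:kms:", var.kms_key_arn))
    error_message = "The kms_key_arn value must be a full KMS key ARN (arn:aws:kms:...), not a key ID or alias."
  }
}
```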
diff --git a/infra/terraform/modules/okta_native/variables.tf b/infra/terraform/modules/okta_native/variables.tf index ab60f7d..6f91373 100644 --- a/infra/terraform/modules/okta_native/variables.tf +++ b/infra/terraform/modules/okta_native/variables.tf @@ -58,3 +58,9 @@ variable "scope" { type = string default = "openid email" } + +variable "kms_key_arn" { + description = "kms key to encrypt secrets manager secret" + type = string + default = null +} From 70bbe91fba4d1711f122e1022e0d5d412f669bd4 Mon Sep 17 00:00:00 2001 From: Chris Wilson Date: Wed, 29 Sep 2021 14:24:43 +0100 Subject: [PATCH 2/2] updated variable description --- infra/terraform/modules/_auth/variables.tf | 2 +- infra/terraform/modules/_lambda/variables.tf | 2 +- infra/terraform/modules/okta_native/variables.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/infra/terraform/modules/_auth/variables.tf b/infra/terraform/modules/_auth/variables.tf index ba00a70..842ad86 100644 --- a/infra/terraform/modules/_auth/variables.tf +++ b/infra/terraform/modules/_auth/variables.tf @@ -24,7 +24,7 @@ variable "key_pair_rotation_period_days" { } variable "kms_key_arn" { - description = "kms key to encrypt secrets manager secret" + description = "The ARN of the KMS key used to encrypt the key pair" type = string default = null } diff --git a/infra/terraform/modules/_lambda/variables.tf b/infra/terraform/modules/_lambda/variables.tf index affe0b4..fb70767 100644 --- a/infra/terraform/modules/_lambda/variables.tf +++ b/infra/terraform/modules/_lambda/variables.tf @@ -32,7 +32,7 @@ variable "lambda_at_edge" { } variable "kms_key_arn" { - description = "kms key to encrypt secrets manager secret" + description = "The ARN of the KMS key used to encrypt the key pair" type = string default = null } diff --git a/infra/terraform/modules/okta_native/variables.tf b/infra/terraform/modules/okta_native/variables.tf index 6f91373..da9e868 100644 --- a/infra/terraform/modules/okta_native/variables.tf 
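Review bot: The description on the module-facing `kms_key_arn` in `okta_native/variables.tf` (even in its second-patch wording, `The ARN of the KMS key used to encrypt the key pair`) omits the operational precondition: this series grants the two Lambda execution roles `kms:Decrypt`/`kms:GenerateDataKey` in IAM only, so the caller-supplied key's policy must also permit those roles (or delegate to IAM through the account root principal), and nothing in these modules manages that key policy. Without it the rotation function would be expected to fail writing the new key pair and the auth function to fail reading it once the key is switched. I would extend the description to something like `The ARN of the KMS key used to encrypt the key pair secret. Leave null to keep the default Secrets Manager encryption. The key policy must allow the auth and rotation Lambda roles kms:Decrypt and kms:GenerateDataKey; this module does not manage the key policy.`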
+++ b/infra/terraform/modules/okta_native/variables.tf @@ -60,7 +60,7 @@ variable "scope" { } variable "kms_key_arn" { - description = "kms key to encrypt secrets manager secret" + description = "The ARN of the KMS key used to encrypt the key pair" type = string default = null }