fix: Fixed kms key policy and updated example folder

clouddrove · Jul 24, 2023 · 309542d · 309542d
1 parent 95a1a68
commit 309542d
Show file tree

Hide file tree

Showing 9 changed files with 153 additions and 37 deletions.
diff --git a/_example/basic/example.tf b/_example/basic/example.tf
@@ -0,0 +1,19 @@
+##-----------------------------------------------------------------------------
+## Provider block added, Use the Amazon Web Services (AWS) provider to interact with the many resources supported by AWS.
+##-----------------------------------------------------------------------------
+provider "aws" {
+  region = "us-west-1"
+}
+##-----------------------------------------------------------------------------
+## A VPC is a virtual network that closely resembles a traditional network that you'd operate in your own data center.
+##-----------------------------------------------------------------------------
+module "vpc" {
+  source                           = "../.."
+  name                             = "vpc"
+  environment                      = "example"
+  label_order                      = ["name", "environment"]
+  cidr_block                       = "10.0.0.0/16"
+  additional_cidr_block            = ["172.3.0.0/16", "172.2.0.0/16"]
+  dhcp_options_domain_name         = "service.consul"
+  dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"]
+}
diff --git a/_example/outputs.tf → _example/basic/outputs.tf b/_example/outputs.tf → _example/basic/outputs.tf
diff --git a/_example/complete/example.tf b/_example/complete/example.tf
@@ -0,0 +1,20 @@
+##-----------------------------------------------------------------------------
+## Provider block added, Use the Amazon Web Services (AWS) provider to interact with the many resources supported by AWS.
+##-----------------------------------------------------------------------------
+provider "aws" {
+  region = "us-west-1"
+}
+##-----------------------------------------------------------------------------
+## A VPC is a virtual network that closely resembles a traditional network that you'd operate in your own data center.
+##-----------------------------------------------------------------------------
+module "vpc" {
+  source                           = "../.."
+  name                             = "vpc"
+  environment                      = "example"
+  label_order                      = ["name", "environment"]
+  cidr_block                       = "10.0.0.0/16"
+  enable_flow_log                  = true # Flow logs will be stored in cloudwatch log group. Variables passed in default.
+  additional_cidr_block            = ["172.3.0.0/16", "172.2.0.0/16"]
+  dhcp_options_domain_name         = "service.consul"
+  dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"]
+}
diff --git a/_example/complete/outputs.tf b/_example/complete/outputs.tf
@@ -0,0 +1,29 @@
+output "id" {
+  value       = module.vpc.*.vpc_id
+  description = "The ID of the VPC."
+}
+
+output "tags" {
+  value       = module.vpc.*.tags
+  description = "A mapping of tags to assign to the resource."
+}
+
+output "vpc_cidr" {
+  value       = module.vpc.*.vpc_cidr_block
+  description = "The primary IPv4 CIDR block"
+}
+
+output "vpc_ipv6_cidr_block" {
+  value       = module.vpc.*.ipv6_cidr_block
+  description = "The primary IPv6 CIDR block"
+}
+
+output "vpc_ipv6_association_id" {
+  value       = module.vpc.*.vpc_ipv6_association_id
+  description = "The association ID for the primary IPv6 CIDR block"
+}
+
+output "ipv6_cidr_block_network_border_group" {
+  value       = module.vpc.*.ipv6_cidr_block_network_border_group
+  description = "The Network Border Group Zone name"
+}
diff --git a/_example/test/example.tf b/_example/test/example.tf
diff --git a/_example/example.tf → _example/vpc_with_flow_logs_in_s3/example.tf b/_example/example.tf → _example/vpc_with_flow_logs_in_s3/example.tf
@@ -8,16 +8,16 @@ provider "aws" {
 ## A VPC is a virtual network that closely resembles a traditional network that you'd operate in your own data center.
 ####------------------------------------------------------------------------------------------------------------------
 module "vpc" {
-  source = "../"
-
-  name        = "vpc"
-  environment = "example"
-  label_order = ["name", "environment"]
-
-  cidr_block                       = "10.0.0.0/16"
-  enable_flow_log                  = true
-  flow_logs_bucket_name            = "prakassh-vpc-flow-logs-bucket"
-  additional_cidr_block            = ["172.3.0.0/16", "172.2.0.0/16"]
-  dhcp_options_domain_name         = "service.consul"
-  dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"]
+  source                              = "../.."
+  name                                = "vpc"
+  environment                         = "example"
+  label_order                         = ["name", "environment"]
+  cidr_block                          = "10.0.0.0/16"
+  enable_flow_log                     = true
+  flow_log_destination_type           = "s3"
+  create_flow_log_cloudwatch_iam_role = false
+  flow_logs_bucket_name               = "gc-vpc-flow-logs-bucket"
+  additional_cidr_block               = ["172.3.0.0/16", "172.2.0.0/16"]
+  dhcp_options_domain_name            = "service.consul"
+  dhcp_options_domain_name_servers    = ["127.0.0.1", "10.10.0.2"]
 }
diff --git a/_example/vpc_with_flow_logs_in_s3/outputs.tf b/_example/vpc_with_flow_logs_in_s3/outputs.tf
@@ -0,0 +1,29 @@
+output "id" {
+  value       = module.vpc.*.vpc_id
+  description = "The ID of the VPC."
+}
+
+output "tags" {
+  value       = module.vpc.*.tags
+  description = "A mapping of tags to assign to the resource."
+}
+
+output "vpc_cidr" {
+  value       = module.vpc.*.vpc_cidr_block
+  description = "The primary IPv4 CIDR block"
+}
+
+output "vpc_ipv6_cidr_block" {
+  value       = module.vpc.*.ipv6_cidr_block
+  description = "The primary IPv6 CIDR block"
+}
+
+output "vpc_ipv6_association_id" {
+  value       = module.vpc.*.vpc_ipv6_association_id
+  description = "The association ID for the primary IPv6 CIDR block"
+}
+
+output "ipv6_cidr_block_network_border_group" {
+  value       = module.vpc.*.ipv6_cidr_block_network_border_group
+  description = "The Network Border Group Zone name"
+}
diff --git a/main.tf b/main.tf
@@ -186,16 +186,51 @@ resource "aws_vpc_dhcp_options_association" "this" {
 ## Description : Provides a kms key resource.
 ##               It create and control the cryptographic keys that are used to protect your data.
 ##-----------------------------------------------------------------------------
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
 resource "aws_kms_key" "kms" {
   count                   = var.enable && var.enable_flow_log && var.flow_log_destination_arn == null ? 1 : 0
   deletion_window_in_days = var.kms_key_deletion_window
 }
 
 resource "aws_kms_alias" "kms-alias" {
-  name          = "alias/flow-log-key"
+  count         = var.enable && var.enable_flow_log && var.flow_log_destination_arn == null ? 1 : 0
+  name          = format("alias/%s-flow-log-key", module.labels.id)
   target_key_id = aws_kms_key.kms[0].key_id
 }
 
+resource "aws_kms_key_policy" "example" {
+  count  = var.enable && var.enable_flow_log && var.flow_log_destination_arn == null && var.flow_log_destination_type == "cloud-watch-logs" ? 1 : 0
+  key_id = aws_kms_key.kms[0].id
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Id" : "key-default-1",
+    "Statement" : [{
+      "Sid" : "Enable IAM User Permissions",
+      "Effect" : "Allow",
+      "Principal" : {
+        "AWS" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+      },
+      "Action" : "kms:*",
+      "Resource" : "*"
+      },
+      {
+        "Effect" : "Allow",
+        "Principal" : { "Service" : "logs.${data.aws_region.current.name}.amazonaws.com" },
+        "Action" : [
+          "kms:Encrypt*",
+          "kms:Decrypt*",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:Describe*"
+        ],
+        "Resource" : "*"
+      }
+    ]
+  })
+
+}
 ##-----------------------------------------------------------------------------
 ## Resource    : s3 bucket
 ## Description : Provides a S3 bucket resource.
@@ -239,7 +274,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
   rule {
     apply_server_side_encryption_by_default {
       kms_master_key_id = aws_kms_key.kms[0].arn
-      sse_algorithm     = "aws:kms"
+      sse_algorithm     = var.s3_sse_algorithm //"aws:kms"
     }
   }
 }
@@ -251,7 +286,7 @@ resource "aws_cloudwatch_log_group" "flow_log" {
   count             = var.enable && var.enable_flow_log && var.flow_log_destination_arn == null && var.flow_log_destination_type == "cloud-watch-logs" ? 1 : 0
   name              = format("%s-vpc-flow-log-cloudwatch_log_group", module.labels.id)
   retention_in_days = var.flow_log_cloudwatch_log_group_retention_in_days
-  kms_key_id        = "arn:aws:kms:us-west-1:924144197303:key/ad4c441f-5c30-474d-8655-0ab1a24c99fa" //aws_kms_key.kms[0].arn
+  kms_key_id        = aws_kms_key.kms[0].arn
   tags              = module.labels.tags
 }
 

diff --git a/variables.tf b/variables.tf
@@ -342,4 +342,10 @@ variable "flow_log_destination_arn" {
   type        = string
   default     = null
   description = "ARN of destination where vpc flow logs are to stored. Can be of existing s3 or existing cloudwatch log group."
+}
+
+variable "s3_sse_algorithm" {
+  type        = string
+  default     = "aws:kms"
+  description = "Server-side encryption algorithm to use. Valid values are AES256 and aws:kms"
 }