
Updates KMS keys to allow for use by ASGs

* Ensure the AWS Service Role for autoscaling exists
* EBS encryption key now usable by the autoscaling service
* Shared AMI key now allows terraformer to create grants to additional
  things (especially, in this case, the aws autoscaling service)
* Creates grants to the autoscaling service to allow use of both the
  shared AMI key and the EBS key.

To be tagged *v0.9.8*
Fred Damstra 4 سال پیش
والد
کامیت
5957f962c2

+ 21 - 0
base/account_standards/ebs-kms-key.tf

@@ -17,6 +17,8 @@ module "ebs_root_encrypt_decrypt" {
   aws_account_id = var.aws_account_id
   aws_partition = var.aws_partition
   is_legacy = var.is_legacy
+
+  depends_on = [ aws_iam_service_linked_role.AWSServiceRoleForAutoScaling ]
 }
 
 # Note: The following wasn't configured in tf11
@@ -27,3 +29,22 @@ resource "aws_ebs_default_kms_key" "ebs_root_encrypt_decrypt" {
 resource "aws_ebs_encryption_by_default" "encryptbydefault" {
   enabled = true
 }
+
+resource "aws_kms_grant" "ASG_access_to_EBS_Default_CMK" {
+  name              = "ASG_access_to_EBS_Default_CMK"
+  key_id            = module.ebs_root_encrypt_decrypt.key_arn
+  grantee_principal = aws_iam_service_linked_role.AWSServiceRoleForAutoScaling.arn
+  operations        = [
+    "Decrypt",
+    "Encrypt",
+    "GenerateDataKey",
+    "GenerateDataKeyWithoutPlaintext",
+    "ReEncryptFrom",
+    "ReEncryptTo",
+    "CreateGrant",
+    "RetireGrant",
+    "DescribeKey",
+  ]
+
+  depends_on = [ aws_iam_service_linked_role.AWSServiceRoleForAutoScaling ]
+}
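Review bot: The `depends_on` on `aws_kms_grant.ASG_access_to_EBS_Default_CMK` (line 51) is redundant — `grantee_principal` already references `aws_iam_service_linked_role.AWSServiceRoleForAutoScaling.arn`, so Terraform orders the two resources without it; the same redundant `depends_on` appears on the grant in base/account_standards/shared_ami_key.tf. The `depends_on` on the module in the first hunk is the one doing real work, presumably because the submodule's key policy now names the service-linked role by ARN and KMS rejects a policy whose principal does not exist yet (inferred — that policy is not in this hunk); a comment such as `# the key policy names the autoscaling SLR, which must exist before the key is created` would keep it from being removed later. The grant also lists `CreateGrant` and `RetireGrant` with no `constraints` block, so the grantee can mint further grants on this key for other principals; `RetireGrant` in particular may not be needed for launching encrypted volumes — confirm against the autoscaling KMS requirements and add a one-line comment stating the intended scope. Finally, the same principal is being added directly to the key policy in submodules/kms/ebs-key/main.tf, so this grant duplicates that access and revoking one would be silently undone by the other.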

+ 27 - 0
base/account_standards/shared_ami_key.tf

@@ -0,0 +1,27 @@
+data "aws_kms_key" "shared_ami_key" {
+  key_id = "alias/shared_ami_key"
+  provider = aws.common
+}
+
+resource "aws_iam_service_linked_role" "AWSServiceRoleForAutoScaling" {
+  aws_service_name = "autoscaling.amazonaws.com"
+}
+
+resource "aws_kms_grant" "ASG_access_to_Shared_AMI" {
+  name              = "ASG_access_to_Shared_AMI"
+  key_id            = data.aws_kms_key.shared_ami_key.arn
+  grantee_principal = aws_iam_service_linked_role.AWSServiceRoleForAutoScaling.arn
+  operations        = [
+    "Decrypt",
+    "Encrypt",
+    "GenerateDataKey",
+    "GenerateDataKeyWithoutPlaintext",
+    "ReEncryptFrom",
+    "ReEncryptTo",
+    "CreateGrant",
+    "RetireGrant",
+    "DescribeKey",
+  ]
+
+  depends_on = [ aws_iam_service_linked_role.AWSServiceRoleForAutoScaling ]
+}
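Review bot: `aws_iam_service_linked_role.AWSServiceRoleForAutoScaling` (line 63) will fail to apply in any account where the role already exists — AWS creates it automatically the first time an Auto Scaling group is used — because Terraform will try to create rather than adopt it; accounts with existing ASGs need the role imported first, and a comment above the resource should say so. The grant at line 67 is created with the default provider but targets a key read through `provider = aws.common`, so it is a cross-account grant that only succeeds if the common account's key policy lets this account's caller invoke `kms:CreateGrant`; that is what the `key_attacher_arns` change in base/shared_ami_key/main.tf provides, and a comment tying the two together, e.g. `# cross-account grant: requires this account's terraformer role in the shared key's key_attacher_arns`, would save the next reader a search. The operations list grants `Encrypt`/`GenerateDataKey` on a key whose stated purpose is sharing AMIs; if the service only needs to read AMI snapshots, the write-side operations could be dropped — I cannot confirm the required set from this hunk, so treat that as a question rather than a defect.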

+ 1 - 0
base/account_standards/vars.tf

@@ -38,6 +38,7 @@ variable "log_group_name" {
 # do not need to be explicitly passed to this module.
 variable "is_legacy" { type = bool }
 variable "legacy_account" { type = string }
+variable "common_services_account" { type = string }
 variable "standard_tags" { type = map }
 variable "account_list" { type = list }
 variable "aws_account_id" { type = string }

+ 6 - 1
base/shared_ami_key/main.tf

@@ -3,6 +3,10 @@ locals {
     for account in var.account_list:
       "arn:${var.aws_partition}:iam::${account}:root"
   ]
+  terraformer_arns = [
+    for account in var.account_list:
+      "arn:${var.aws_partition}:iam::${account}:role/user/mdr_terraformer"
+  ]
 
   all_keys = concat([ "${module.shared_ami_key.key_arn}" ], var.vmimport_extra_keys)
 
@@ -31,7 +35,8 @@ module "shared_ami_key" {
   key_admin_arns = [ ]
   key_user_arns = [ ]
   #key_attacher_arns = local.account_arns
-  key_attacher_arns = [ ]
+  key_attacher_arns = local.terraformer_arns
+  #key_attacher_arns = [ ]
   standard_tags = var.standard_tags
   aws_account_id = var.aws_account_id
   aws_partition = var.aws_partition
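Review bot: `local.terraformer_arns` (lines 105–108) places the `role/user/mdr_terraformer` role of every account in `var.account_list` into the key_attacher (CreateGrant) statement of the shared AMI key, and because submodules/kms/ami-key/main.tf simultaneously comments out the `kms:GrantIsForAWSResource` condition, each of those roles can now create grants on the shared key for any principal, not only the autoscaling service. That is a real widening of who can hand out access to the key; if it is intended, the local deserves a comment saying so, and the hard-coded role path duplicated from the submodule would be better expressed as a single variable so that a rename cannot break one side silently. The leftover `#key_attacher_arns = [ ]` on line 118 is dead code and should go together with the older `#key_attacher_arns = local.account_arns` line. Both the `locals` block and the `module` block extend beyond their hunks.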

+ 7 - 6
submodules/kms/ami-key/main.tf

@@ -38,7 +38,7 @@ data "aws_iam_policy_document" "kms_policy" {
     effect = "Allow"
     principals {
       type = "AWS"
-       identifiers = concat(var.key_admin_arns, [ "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer" ])
+      identifiers = concat(var.key_admin_arns, [ "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer" ])
     }
 
     actions = [
@@ -90,11 +90,12 @@ data "aws_iam_policy_document" "kms_policy" {
       "kms:RevokeGrant"
     ]
     resources = [ "*" ]
-    condition {
-      test = "Bool"
-      variable =  "kms:GrantIsForAWSResource"
-      values = [ "true" ]
-    }
+    # This condition is great, but means terraformer can't grant to the asg service
+    #    condition {
+    #  test = "Bool"
+    #  variable =  "kms:GrantIsForAWSResource"
+    #  values = [ "true" ]
+    #}
   }
 
   #statement {
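Review bot: Commenting out the `kms:GrantIsForAWSResource` condition (lines 139–149) removes the only constraint on the CreateGrant/RevokeGrant statement, so every principal in `key_attacher_arns` — which base/shared_ami_key/main.tf now sets to the terraformer role of every listed account — can grant any principal any operation on the shared AMI key. The condition fails for terraformer because that key is only true when an AWS service calls CreateGrant on a caller's behalf, whereas Terraform calls it directly. Rather than dropping the condition, constrain the grantee: a `kms:GranteePrincipal` condition scoped to the autoscaling service-linked role ARN keeps the statement limited to the one principal this commit needs, and `kms:GrantOperations` can narrow it further if desired. The commented-out block, with its inconsistent `#    condition {` / `#  test` indentation, should be removed in any case; the policy document continues outside the hunk.

```hcl
    resources = [ "*" ]
    # Terraform calls CreateGrant directly, so kms:GrantIsForAWSResource is never
    # true for it; limit the grantee instead of leaving CreateGrant unconstrained.
    condition {
      test     = "StringLike"
      variable = "kms:GranteePrincipal"
      values   = [
        "arn:${var.aws_partition}:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
      ]
    }
  }
```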

+ 13 - 2
submodules/kms/ebs-key/main.tf

@@ -74,7 +74,12 @@ data "aws_iam_policy_document" "kms_policy" {
       effect = "Allow"
       principals {
         type = "AWS"
-        identifiers = concat(var.key_user_arns, [ "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer" ] )
+        identifiers = concat(
+          var.key_user_arns, 
+          [ "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
+            "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
+          ] 
+        )
       }
       actions = [
         "kms:Encrypt",
@@ -91,7 +96,13 @@ data "aws_iam_policy_document" "kms_policy" {
       effect = "Allow"
       principals {
         type = "AWS"
-        identifiers = concat(var.key_attacher_arns, ["arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer"])
+        identifiers = concat(
+          var.key_attacher_arns, 
+          [  
+            "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
+            "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
+          ]
+        )
       }
       actions = [
         "kms:CreateGrant",