
Moves security vpc out of palo alto directory
Adds legacy account support to account standards (requires importing tf11 resources)

Fred Damstra 5 лет назад
Сommit
c0a2a15fdd

+ 5 - 4
base/account_standards/ebs-kms-key.tf

@@ -3,14 +3,15 @@ module "ebs_root_encrypt_decrypt" {
 
   name = "ebs_root_encrypt_decrypt"
   alias = "alias/ebs_root_encrypt_decrypt"
-  description = "Default key for encrypting and decryption EBS volumes."
+  description = "encrypt and decrypt root volume" # updated to match legacy
   tags = merge(var.standard_tags, var.tags)
-  key_admin_arns = [ ]
-  key_user_arns = [ ]
-  key_attacher_arns =  [ ]
+  key_admin_arns = var.extra_ebs_key_admins
+  key_user_arns = var.extra_ebs_key_users
+  key_attacher_arns = var.extra_ebs_key_attachers
   standard_tags = var.standard_tags
   aws_account_id = var.aws_account_id
   aws_partition = var.aws_partition
+  is_legacy = var.is_legacy
 }
 
 # Note: The following wasn't configured in tf11
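Review bot: The trailing comment on the new `description` line records a change event rather than the constraint, so it will read as noise once the migration is done. Stating why the wording must not drift is more useful for the next maintainer, e.g. `description = "encrypt and decrypt root volume" # keep identical to the tf11 key so the imported resource plans clean`. Whether the mismatch actually produced a plan diff on import is not visible here and should be confirmed by whoever did the import. The module block closes inside the hunk, but the file continues past it.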

+ 20 - 0
base/account_standards/vars.tf

@@ -8,9 +8,29 @@ variable "cloudtrail_key_arn" {
   type = string
 }
 
+variable extra_ebs_key_admins {
+  description = "Extra EBS encryption key admins."
+  type = list
+  default = [ ]
+}
+
+variable extra_ebs_key_users {
+  description = "Extra EBS encryption key users."
+  type = list
+  default = [ ]
+}
+
+variable extra_ebs_key_attachers {
+  description = "Extra EBS encryption key attachers."
+  type = list
+  default = [ ]
+}
+
+
 # ----------------------------------
 # Below this line are variables inherited from higher levels, so they
 # do not need to be explicitly passed to this module.
+variable "is_legacy" { type = bool }
 variable "standard_tags" { type = map }
 variable "account_list" { type = list }
 variable "aws_account_id" { type = string }

+ 3 - 0
base/account_standards_c2/config_bucket.tf

@@ -89,6 +89,9 @@ data "aws_iam_policy_document" "awsconfig_bucket_policy" {
 resource "aws_s3_bucket_policy" "awsconfig_bucket_policy" {
   bucket = aws_s3_bucket.xdr_config_bucket.id
   policy = data.aws_iam_policy_document.awsconfig_bucket_policy.json
+
+  # Ordering bug, see https://github.com/terraform-providers/terraform-provider-aws/issues/7628
+  depends_on = [ aws_s3_bucket_public_access_block.awsconfig_bucket_block_public_access ]
 }
 
 resource "aws_kms_key" "config_encryption" {

+ 0 - 29
base/palo_alto/security_vpc/ebs-kms-key.tf

@@ -1,29 +0,0 @@
-module "kms_security" {
-  source = "../../../submodules/kms/ebs-key"
-
-  name = "kms_security"
-  alias = "alias/kms_security"
-  description = "Used for encrypting security things such as the interconnects ebs drives."
-  tags = merge(var.standard_tags, var.tags)
-  key_admin_arns = [ ]
-  key_user_arns = [ ]
-  key_attacher_arns =  [ ]
-  standard_tags = var.standard_tags
-  aws_account_id = var.aws_account_id
-  aws_partition = var.aws_partition
-}
-
-module "kms_palo" {
-  source = "../../../submodules/kms/ebs-key"
-
-  name = "palo_alto_ebs"
-  alias = "alias/palo_alto_ebs"
-  description = "Used for encrypting palo alto and panorama images."
-  tags = merge(var.standard_tags, var.tags)
-  key_admin_arns = [ ]
-  key_user_arns = [ ]
-  key_attacher_arns =  [ ]
-  standard_tags = var.standard_tags
-  aws_account_id = var.aws_account_id
-  aws_partition = var.aws_partition
-}

+ 0 - 0
base/palo_alto/security_vpc/README.md → base/security_vpc/README.md


+ 30 - 0
base/security_vpc/ebs-kms-key.tf

@@ -0,0 +1,30 @@
+module "kms_security" {
+  source = "../../submodules/kms/ebs-key"
+
+  name = "kms_security"
+  alias = "alias/kms_security"
+  description = "Used for encrypting security things such as the interconnects ebs drives."
+  tags = merge(var.standard_tags, var.tags)
+  key_admin_arns = [ ]
+  key_user_arns = [ ]
+  key_attacher_arns =  [ ]
+  standard_tags = var.standard_tags
+  aws_account_id = var.aws_account_id
+  aws_partition = var.aws_partition
+  is_legacy = var.is_legacy
+}
+
+#module "kms_palo" {
+#  source = "../../../submodules/kms/ebs-key"
+#
+#  name = "palo_alto_ebs"
+#  alias = "alias/palo_alto_ebs"
+#  description = "Used for encrypting palo alto and panorama images."
+#  tags = merge(var.standard_tags, var.tags)
+#  key_admin_arns = [ ]
+#  key_user_arns = [ ]
+#  key_attacher_arns =  [ ]
+#  standard_tags = var.standard_tags
+#  aws_account_id = var.aws_account_id
+#  aws_partition = var.aws_partition
+#}
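Review bot: The commented-out `kms_palo` block keeps the pre-move relative path `../../../submodules/kms/ebs-key`, while the live `kms_security` module above it was corrected to `../../submodules/kms/ebs-key`, so anyone re-enabling the block later gets a module that no longer resolves. Since git history preserves the removed module, deleting the dead block is the safer option; if it must stay, fix the path and add a one-line comment saying why it is disabled, e.g. `# kms_palo disabled: palo alto moved out of this VPC; re-enable only after importing the existing key`. The same commented-out-instead-of-removed pattern appears in outputs.tf (`#output kms_palo_key_arn`) and should be handled the same way. Note also that this copy still hard-codes `key_admin_arns = [ ]` and friends while account_standards/ebs-kms-key.tf now sources them from variables; that inconsistency may be intentional but is worth a comment.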

+ 0 - 0
base/palo_alto/security_vpc/main.tf → base/security_vpc/main.tf


+ 3 - 3
base/palo_alto/security_vpc/outputs.tf → base/security_vpc/outputs.tf

@@ -59,6 +59,6 @@ output kms_security_arn {
   value = module.kms_security.key_arn
 }
 
-output kms_palo_key_arn {
-  value = module.kms_palo.key_arn
-}
+#output kms_palo_key_arn {
+#  value = module.kms_palo.key_arn
+#}

+ 0 - 0
base/palo_alto/security_vpc/security-groups.tf → base/security_vpc/security-groups.tf


+ 1 - 0
base/palo_alto/security_vpc/vars.tf → base/security_vpc/vars.tf

@@ -15,6 +15,7 @@ variable "tags" {
 # ----------------------------------
 # Below this line are variables inherited from higher levels, so they
 # do not need to be explicitly passed to this module.
+variable "is_legacy" { type = bool }
 variable "standard_tags" { type = map }
 variable "inside_domain" { type = string }
 variable "aws_account_id" { type = string }

+ 0 - 0
base/palo_alto/security_vpc/version.tf → base/security_vpc/version.tf


+ 9 - 6
submodules/kms/ebs-key/main.tf

@@ -19,6 +19,14 @@ resource "aws_kms_alias" "alias" {
   target_key_id = aws_kms_key.key.key_id
 }
 
+locals {
+  iam_admins_legacy = [ "arn:${var.aws_partition}:iam::${var.aws_account_id}:root" ]
+  iam_admins_tf12   = [ 
+    "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin", # MDRAdmin as a break glass
+    "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer" # Terraformer always gets full access
+  ]
+}
+
 data "aws_iam_policy_document" "kms_policy" {
   policy_id = "${var.name}-policy"
 
@@ -27,12 +35,7 @@ data "aws_iam_policy_document" "kms_policy" {
       effect = "Allow"
       principals {
         type = "AWS"
-        identifiers = [ 
-          # The 'root' account is the entire account, we don't want that
-          #"arn:${var.aws_partition}:iam::${var.aws_account_id}:root" 
-          "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin", # MDRAdmin as a break glass
-          "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer" # Terraformer always gets full access
-        ]
+        identifiers = var.is_legacy ? local.iam_admins_legacy : local.iam_admins_tf12
       }
       actions = [ "kms:*" ]
       resources = [ "*" ]

+ 1 - 0
submodules/kms/ebs-key/vars.tf

@@ -9,3 +9,4 @@ variable "key_attacher_arns" { type = list }
 variable "standard_tags" { type = map }
 variable "aws_account_id" { type = string }
 variable "aws_partition" { type = string }
+variable "is_legacy" { type = bool }