
Adds Backup AMI Key and Separates out DLM Backups from Account Standards

* Backup AMI Key Added to Regional Standards. This is for the encrypted copies of the AMI in the off-site region.
* Backup DLM Policy brought out of account standards and into its own module. This is because it relies on both account standards and the regional account standards to function.

This is going to _overwrite_ tag v2.1.0
Fred Damstra [afs macbook] 4 anni fa
parent
commit
d8a7cb8e45

+ 100 - 0
base/account_standards_regional/backup_ami_key.tf

@@ -0,0 +1,100 @@
+resource "aws_kms_key" "key" {
+  description = "Key for AMI Backups"
+  enable_key_rotation = true
+  policy = data.aws_iam_policy_document.kms_policy.json
+  tags = merge(
+    var.standard_tags,
+    { "Name" = "ami_backup_key" },
+    var.tags
+  )
+}
+
+resource "aws_kms_alias" "alias" {
+  name          = "alias/ami_backup_key"
+  target_key_id = aws_kms_key.key.key_id
+}
+
+data "aws_iam_policy_document" "kms_policy" {
+  policy_id = "backup-ami-key-policy"
+
+  statement {
+    sid = "Enable IAM User Permissions"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [ 
+        # The 'root' account is the entire account, we don't want that
+        #"arn:${var.aws_partition}:iam::${var.aws_account_id}:root" 
+        "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin", # MDRAdmin as a break glass
+        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer" # Terraformer always gets full access
+      ]
+    }
+    actions = [ "kms:*" ]
+    resources = [ "*" ]
+  }
+
+  statement {
+    sid = "Allow access for Key Administrators"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [ "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer" ]
+    }
+
+    actions = [
+      "kms:Create*",
+      "kms:Describe*",
+      "kms:Enable*",
+      "kms:List*",
+      "kms:Put*",
+      "kms:Update*",
+      "kms:Revoke*",
+      "kms:Disable*",
+      "kms:Get*",
+      "kms:Delete*",
+      "kms:TagResource",
+      "kms:UntagResource",
+      "kms:ScheduleKeyDeletion",
+      "kms:CancelKeyDeletion"
+    ]
+    resources = [ "*" ]
+  }
+
+  statement {
+    sid =  "Allow use of the key"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [ 
+        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
+        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/dlm-lifecycle-role"
+      ]
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+    resources = [ "*" ]
+  }
+
+  statement {
+    sid = "Allow attachment of persistent resources"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
+        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/dlm-lifecycle-role"
+      ]
+    }
+    actions = [
+      "kms:CreateGrant",
+      "kms:ListGrants",
+      "kms:RevokeGrant"
+    ]
+    resources = [ "*" ]
+  }
+}
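Review bot: Commenting out the account root principal in the first statement (the `#"arn:...:root"` line) means no IAM policy in the account can grant access to this key, so the only identities that can administer it are `user/MDRAdmin` and `role/user/mdr_terraformer`; if either is deleted and recreated, AWS resolves the stale ARN to the deleted principal's unique ID, and the key — and every encrypted AMI copy under it — becomes unmanageable without an AWS Support case. Keeping the root principal does not hand every identity `kms:*`; it only lets IAM policies participate in authorization, so consider restoring it, or at minimum replace the existing comment with one that records the trade-off, e.g. `# NOTE: root deliberately omitted — if MDRAdmin and mdr_terraformer are both recreated this key is unrecoverable without AWS Support`. Separately, the `Allow attachment of persistent resources` statement grants `kms:CreateGrant` with no `kms:GrantIsForAWSResource` condition, unlike AWS's default key policy template, so `dlm-lifecycle-role` could create grants for arbitrary grantees rather than only on behalf of an AWS service; the condition block below restricts it. The `Key Administrators` statement is also redundant for `mdr_terraformer`, which already holds `kms:*` from the first statement.
```hcl
  statement {
    sid = "Allow attachment of persistent resources"
    # … unchanged: effect, principals, actions, resources …
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
```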

+ 0 - 4
base/account_standards/ami_backups.tf → base/backups/ami_backups.tf

@@ -28,8 +28,4 @@ resource "null_resource" "create_dlm_policy" {
   provisioner "local-exec" {
     command = "bin/create_dlm_policy ${var.aws_partition} ${var.aws_region} ${var.aws_account_id} ${var.account_name}"
   }
-
-  depends_on = [
-    aws_iam_role.dlm_lifecycle_role
-  ]
 }

+ 1 - 1
base/account_standards/bin/create_dlm_policy → base/backups/bin/create_dlm_policy

@@ -37,7 +37,7 @@ fi
 PROFILE=${PROFILE##afs-}
 
 # Find the target region key ARN, since we can't use aliases here
-KMS_KEY_ID=$(aws --profile ${PROFILE} --region ${TARGET_REGION} kms list-aliases | jq -r '.Aliases[] | select(.AliasName=="alias/aws/ebs") | .TargetKeyId')
+KMS_KEY_ID=$(aws --profile ${PROFILE} --region ${TARGET_REGION} kms list-aliases | jq -r '.Aliases[] | select(.AliasName=="alias/ami_backup_key") | .TargetKeyId')
 KMS_ARN=$(aws --profile ${PROFILE} --region ${TARGET_REGION} kms describe-key --key-id ${KMS_KEY_ID} | jq -r '.KeyMetadata.Arn')
 
 tmpfile=$(mktemp /tmp/create_dlm_policy.XXXXXXX)
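Review bot: The alias lookup on the `KMS_KEY_ID=` line has no guard for an empty result; if `alias/ami_backup_key` does not yet exist in `${TARGET_REGION}` — it is created by the separate `account_standards_regional` module, and this commit also drops the `depends_on` that used to order the `null_resource` in `ami_backups.tf` — `describe-key --key-id ""` would fail and `KMS_ARN` would be empty, so the DLM policy written further down would reference no key or fail late with a less obvious error. Add `[ -n "${KMS_KEY_ID}" ] || { echo "alias/ami_backup_key not found in ${TARGET_REGION}" >&2; exit 1; }` between the two lookups, and quote the expansions (`"${PROFILE}"`, `"${TARGET_REGION}"`, `"${KMS_KEY_ID}"`). Whether the script runs under `set -e` or `set -o pipefail` is outside this hunk; the script continues past it.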

+ 0 - 0
base/account_standards/bin/get_current_dlm_policies → base/backups/bin/get_current_dlm_policies


+ 25 - 0
base/backups/vars.tf

@@ -0,0 +1,25 @@
+variable "tags" {
+  type = map
+  default = { } 
+}
+
+
+# ----------------------------------
+# Below this line are variables inherited from higher levels, so they
+# do not need to be explicitly passed to this module.
+variable "account_name" { type = string }
+variable "binaries_bucket" { type = string}
+variable "binaries_key" { type = string}
+variable "is_legacy" { type = bool }
+variable "legacy_account" { type = string }
+variable "common_services_account" { type = string }
+variable "standard_tags" { type = map }
+variable "account_list" { type = list }
+variable "aws_account_id" { type = string }
+variable "aws_partition" { type = string }
+variable "aws_region" { type = string }
+variable "environment" { type = string }
+variable "key_pairs" { type = map }
+variable "c2_accounts" { type = map }
+variable "aws_flowlogs_hec_token" { type = string }
+variable "hec_pub_ack" { type = string }