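# # Codebuild artifacts by rule must be encrypted by a KMS key
# # using the default aws/s3 key doesn't work with cross-account access
# #
# # NOTE(review): every line of this file is commented out, so none of it is
# # applied until the leading "# " is stripped. Kept that way here; the fix
# # below (kms.ViaService -> kms:ViaService) is what needs to land when it is
# # re-enabled.
#
# # Customer-managed CMK for the CodeBuild artifact bucket. Rotation is on;
# # the key policy below is the ONLY grant of access to this key (see the
# # note on the first statement).
# resource "aws_kms_key" "s3_codebuild_artifacts" {
#   description         = "Codebuild Artifacts S3 bucket"
#   enable_key_rotation = true
#   policy              = data.aws_iam_policy_document.codebuild_kms_key_encryption_policy.json
# }
#
# # Resource name "codebuilt-artifacts" is a typo, but renaming it changes the
# # state address (needs `moved` / state mv); left as-is.
# resource "aws_kms_alias" "codebuilt-artifacts" {
#   name          = "alias/codebuild-artifacts"
#   target_key_id = aws_kms_key.s3_codebuild_artifacts.key_id
# }
#
# data "aws_iam_policy_document" "codebuild_kms_key_encryption_policy" {
#   #policy_id = "key-consolepolicy-3"
#
#   # Full control for the Terraform role and the break-glass admin user.
#   # The account root principal is NOT listed, so IAM identity policies in
#   # this account cannot grant access to the key on their own — only this
#   # policy can. Caveat: if both of these principals are ever deleted the
#   # key becomes unmanageable and only AWS Support can recover it.
#   statement {
#     sid    = "Enable IAM User Permissions"
#     effect = "Allow"
#     principals {
#       type = "AWS"
#       identifiers = [
#         "arn:aws-us-gov:iam::${var.aws_account_id}:role/user/mdr_terraformer",
#         "arn:aws-us-gov:iam::${var.aws_account_id}:user/MDRAdmin"
#       ]
#     }
#     actions   = ["kms:*"]
#     resources = ["*"]
#   }
#
#   # Administrative actions for mdr_terraformer. Already subsumed by the
#   # kms:* statement above; harmless, kept for the console-style layout.
#   statement {
#     sid    = "Allow access for Key Administrators"
#     effect = "Allow"
#     principals {
#       type = "AWS"
#       identifiers = [
#         "arn:aws-us-gov:iam::${var.aws_account_id}:role/user/mdr_terraformer",
#       ]
#     }
#     actions = [
#       "kms:Create*",
#       "kms:Describe*",
#       "kms:Enable*",
#       "kms:List*",
#       "kms:Put*",
#       "kms:Update*",
#       "kms:Revoke*",
#       "kms:Disable*",
#       "kms:Get*",
#       "kms:Delete*",
#       "kms:TagResource",
#       "kms:UntagResource",
#       "kms:ScheduleKeyDeletion",
#       "kms:CancelKeyDeletion"
#     ]
#     resources = ["*"]
#   }
#
#   # Crypto operations only (no key management) for the default instance role.
#   statement {
#     sid    = "Allow use of the key"
#     effect = "Allow"
#     principals {
#       type = "AWS"
#       identifiers = [
#         "arn:aws-us-gov:iam::${var.aws_account_id}:role/msoc-default-instance-role"
#       ]
#     }
#     actions = [
#       "kms:Encrypt",
#       "kms:Decrypt",
#       "kms:ReEncrypt*",
#       "kms:GenerateDataKey*",
#       "kms:DescribeKey"
#     ]
#     resources = ["*"]
#   }
#
#   # Principal "*" is only acceptable here because BOTH conditions fence it:
#   # the call must arrive via the S3 service endpoint in the bucket's region,
#   # AND the caller must belong to this account. A principal that is not
#   # otherwise allowed to read the object still gets nothing — S3 performs
#   # its own object-level authorization first.
#   #
#   # FIX: the condition keys were written "kms.ViaService" / "kms.CallerAccount"
#   # (dot instead of colon). Those are not IAM condition keys, so the
#   # StringEquals never matched and this statement granted nothing (it failed
#   # closed). Correct keys restore the S3-mediated access the SID describes.
#   #
#   # NOTE(review): the ViaService region is hard-coded; it must equal the
#   # artifact bucket's region or S3 will be unable to use the key. Also,
#   # despite the header comment, kms:CallerAccount limits S3-mediated use to
#   # this account — a cross-account consumer would need its own statement.
#   statement {
#     sid    = "Allow access through Amazon S3 for all principals in the account that are authorized to use Amazon S3"
#     effect = "Allow"
#     principals {
#       type        = "AWS"
#       identifiers = ["*"]
#     }
#     actions = [
#       "kms:Encrypt",
#       "kms:Decrypt",
#       "kms:ReEncrypt*",
#       "kms:GenerateDataKey*",
#       "kms:DescribeKey"
#     ]
#     resources = ["*"]
#     condition {
#       test     = "StringEquals"
#       variable = "kms:ViaService"
#       values   = ["s3.us-gov-east-1.amazonaws.com"]
#     }
#     condition {
#       test     = "StringEquals"
#       variable = "kms:CallerAccount"
#       values   = [var.aws_account_id]
#     }
#   }
#
#   # CodeBuild needs to encrypt/decrypt artifacts it writes to the bucket.
#   statement {
#     sid    = "Allow access from the codebuild role"
#     effect = "Allow"
#     principals {
#       type = "AWS"
#       # FIXME this needs to be a better role by far
#       identifiers = [aws_iam_role.codebuild_role.arn]
#     }
#     actions = [
#       "kms:Encrypt",
#       "kms:Decrypt",
#       "kms:ReEncrypt*",
#       "kms:GenerateDataKey*",
#       "kms:DescribeKey"
#     ]
#     resources = ["*"]
#   }
#
#   # Grants may only be created for AWS-managed resources (e.g. EBS/S3
#   # integrations), never directly to arbitrary grantees.
#   statement {
#     sid    = "Allow attachment of persistent resources"
#     effect = "Allow"
#     principals {
#       type = "AWS"
#       identifiers = [
#         "arn:aws-us-gov:iam::${var.aws_account_id}:role/msoc-default-instance-role"
#       ]
#     }
#     actions = [
#       "kms:CreateGrant",
#       "kms:ListGrants",
#       "kms:RevokeGrant"
#     ]
#     resources = ["*"]
#     condition {
#       test     = "Bool"
#       variable = "kms:GrantIsForAWSResource"
#       values   = ["true"]
#     }
#   }
# }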