# Customer-managed KMS key protecting the EFS volume of the GitHub Enterprise
# backup server. Access is governed by the key policy below (in addition to
# IAM), so edits here directly change who can read -- or destroy -- backup data.
resource "aws_kms_key" "ghe_backup_data" {
  description = "EFS for Github Backup Server"
  policy      = data.aws_iam_policy_document.ghe_backup_data_policy.json
  # Annual rotation of the backing key material. KMS keeps old material, so
  # rotation does not affect decryption of data already on the file system.
  enable_key_rotation = true
  # NOTE(review): deletion_window_in_days is not set, so the provider default
  # applies. Deleting this key makes every backup encrypted under it
  # unrecoverable; keep the window at its maximum and treat ScheduleKeyDeletion
  # on this key as a destructive, reviewed operation.
}

# Stable, human-readable name so consumers (EFS, backup scripts) never have to
# hard-code the key ID.
resource "aws_kms_alias" "ghe_backup_data" {
  name          = "alias/ghe_backup_data"
  target_key_id = aws_kms_key.ghe_backup_data.key_id
}

# Key policy. Statements are evaluated together: a request is allowed if any
# Allow statement matches (there are no Deny statements here).
data "aws_iam_policy_document" "ghe_backup_data_policy" {
  policy_id = "ghe_backup_policy"

  # Standard account-root statement. By itself it grants nobody anything; it
  # delegates to IAM policies in this account and keeps the key manageable
  # (without it the key could become orphaned). Consequence: any IAM policy in
  # this account that allows kms:* on this key takes effect, so IAM-side
  # grants must be scoped as carefully as this document.
  statement {
    sid    = "Enable IAM User Permissions"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:root"]
    }
    actions   = ["kms:*"]
    resources = ["*"]
  }

  # Key administrators: may change this policy, disable the key and schedule
  # its deletion. This statement alone does not allow cryptographic use
  # (Encrypt/Decrypt); kms:Create* does include CreateGrant, unconditioned.
  statement {
    sid    = "Allow access for Key Administrators"
    effect = "Allow"
    principals {
      type = "AWS"
      identifiers = [
        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
      ]
    }
    actions = [
      "kms:Create*",
      "kms:Describe*",
      "kms:Enable*",
      "kms:List*",
      "kms:Put*",
      "kms:Update*",
      "kms:Revoke*",
      "kms:Disable*",
      "kms:Get*",
      "kms:Delete*",
      "kms:TagResource",
      "kms:UntagResource",
      "kms:ScheduleKeyDeletion",
      "kms:CancelKeyDeletion",
    ]
    resources = ["*"]
  }

  # Key users: principals that may encrypt/decrypt directly with this key.
  # NOTE(review): mdr_terraformer is listed both as key administrator (above)
  # and as key user here; AWS guidance recommends separating those roles so a
  # single compromised credential cannot both read backups and delete the key.
  # NOTE(review): AWSServiceRoleForAutoScaling needs key use only when Auto
  # Scaling launches instances whose EBS volumes are encrypted with this key.
  # For a key whose stated purpose is EFS that looks unnecessary -- confirm
  # against the ASG launch templates before removing.
  statement {
    sid    = "Allow use of the key"
    effect = "Allow"
    principals {
      type = "AWS"
      identifiers = [
        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/msoc-default-instance-role",
        # Portal was in legacy, but doesn't make sense. Removing, but leaving commented for now in case we need to re-add it.
        # "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/portal-instance-role",
        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
      ]
    }
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
    ]
    resources = ["*"]
  }

  # Grant management for the same key users. The kms:GrantIsForAWSResource
  # condition limits this to grants whose grantee is an AWS service acting on
  # the principal's behalf (e.g. EFS/EBS attaching an encrypted resource); it
  # prevents these roles from granting key use to arbitrary principals.
  statement {
    sid    = "Allow attachment of persistent resources"
    effect = "Allow"
    principals {
      type = "AWS"
      identifiers = [
        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/msoc-default-instance-role",
        # Portal was in legacy, but doesn't make sense. Removing, but leaving commented for now in case we need to re-add it.
        #"arn:${var.aws_partition}:iam::${var.aws_account_id}:role/portal-instance-role",
        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
      ]
    }
    actions = [
      "kms:CreateGrant",
      "kms:ListGrants",
      "kms:RevokeGrant",
    ]
    resources = ["*"]
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }

  # Basically copied from the default key AWS makes, hopefully improved to
  # make it work in multiple AWS regions with a single policy.
  #
  # Principal "*" is acceptable here only because BOTH conditions must hold:
  # the request must arrive through an EFS regional endpoint (kms:ViaService)
  # AND kms:CallerAccount must be one of the listed account IDs. A caller that
  # is not on the list, or that calls KMS directly, does not match -- so a
  # wrong list makes this statement dead (fails closed), not over-permissive.
  # NOTE(review): the IDs below are the per-region EFS service accounts from
  # the CloudTrail doc, not this account. AWS's own aws/elasticfilesystem
  # default policy puts the key-owning account ID in kms:CallerAccount.
  # Confirm via CloudTrail which accountId EFS's KMS calls actually carry for
  # this key; if it is ${var.aws_account_id}, EFS access is currently working
  # only through the instance-role statements above.
  # GovCloud entries are inert in the commercial partition (and vice versa);
  # they exist so one policy body serves both partitions.
  statement {
    sid    = "elasticfilesystem"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:CreateGrant",
      "kms:DescribeKey",
    ]
    resources = ["*"]
    # https://docs.aws.amazon.com/efs/latest/ug/logging-using-cloudtrail.html#efs-encryption-cloudtrail
    condition {
      test     = "StringEquals"
      variable = "kms:CallerAccount"
      values = [
        "055650462987", # US East (N. Virginia)
        "771736226457", # US East (Ohio)
        "208867197265", # US West (N. California)
        "736298361104", # US West (Oregon)
        "167972735943", # US GovCloud (East)
        "174619389399", # US GovCloud (West)
      ]
    }
    # https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-via-service
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values = [
        "elasticfilesystem.us-east-1.amazonaws.com",
        "elasticfilesystem.us-east-2.amazonaws.com",
        "elasticfilesystem.us-west-1.amazonaws.com",
        "elasticfilesystem.us-west-2.amazonaws.com",
        "elasticfilesystem.us-gov-east-1.amazonaws.com",
        "elasticfilesystem.us-gov-west-1.amazonaws.com",
      ]
    }
  }
}