xdr-terraform-modules/base/codebuild_ecr_project/kms.tf

# # Codebuild artifacts by rule must be encrypted by a KMS key
# # using the default aws/s3 key doesn't work with cross-account access
# resource "aws_kms_key" "s3_codebuild_artifacts" {
#     description             = "Codebuild Artifacts S3 bucket"
#     enable_key_rotation     = true
#     policy                  = data.aws_iam_policy_document.codebuild_kms_key_encryption_policy.json
# }

# resource "aws_kms_alias" "codebuilt-artifacts" {
#   name          = "alias/codebuild-artifacts"
#   target_key_id = aws_kms_key.s3_codebuild_artifacts.key_id
# }


# data "aws_iam_policy_document" "codebuild_kms_key_encryption_policy" {

#   #policy_id = "key-consolepolicy-3"
#   statement {
#       sid = "Enable IAM User Permissions"
#       effect = "Allow"
#       principals {
#         type = "AWS"
#         identifiers = [ 
#           "arn:aws-us-gov:iam::${var.aws_account_id}:role/user/mdr_terraformer",
#           "arn:aws-us-gov:iam::${var.aws_account_id}:user/MDRAdmin"
#           ]
#       }
#       actions = [ "kms:*" ]
#       resources = [ "*" ]
#   }

#   statement {
#       sid = "Allow access for Key Administrators"
#       effect = "Allow"
#       principals {
#         type = "AWS"
#         identifiers = [
#           "arn:aws-us-gov:iam::${var.aws_account_id}:role/user/mdr_terraformer",
#         ]
#       }

#       actions = [
#         "kms:Create*",
#         "kms:Describe*",
#         "kms:Enable*",
#         "kms:List*",
#         "kms:Put*",
#         "kms:Update*",
#         "kms:Revoke*",
#         "kms:Disable*",
#         "kms:Get*",
#         "kms:Delete*",
#         "kms:TagResource",
#         "kms:UntagResource",
#         "kms:ScheduleKeyDeletion",
#         "kms:CancelKeyDeletion"
#       ]
#       resources = [ "*" ]
#   }

#   statement {
#       sid =  "Allow use of the key"
#       effect = "Allow"
#       principals {
#         type = "AWS"
#         identifiers = [
#           "arn:aws-us-gov:iam::${var.aws_account_id}:role/msoc-default-instance-role"
#         ]
#       }
#       actions = [
#         "kms:Encrypt",
#         "kms:Decrypt",
#         "kms:ReEncrypt*",
#         "kms:GenerateDataKey*",
#         "kms:DescribeKey"
#       ]
#       resources = [ "*" ]
#   }

#   statement  {
#     sid = "Allow access through Amazon S3 for all principals in the account that are authorized to use Amazon S3"
#     effect = "Allow"
#     principals {
#       type = "AWS"
#       identifiers = [ "*" ]
# 		}
# 		actions = [
#         "kms:Encrypt",
#         "kms:Decrypt",
#         "kms:ReEncrypt*",
#         "kms:GenerateDataKey*",
#         "kms:DescribeKey"
# 		]
# 		resources = [ "*" ]

#     condition {
# 			test = "StringEquals"
#       variable = "kms.ViaService"
#       values = [ "s3.us-gov-east-1.amazonaws.com" ]
# 		}

# 		condition {
# 			test = "StringEquals"
# 			variable = "kms.CallerAccount"
# 			values = [ var.aws_account_id ]
# 		}
# 	}

#   statement  {
#     sid = "Allow access from the codebuild role"
#     effect = "Allow"
#     principals {
#       type = "AWS"
		
# 			# FIXME this needs to be a better role by far
#       identifiers = [ aws_iam_role.codebuild_role.arn ]
# 		}
# 		actions = [
#         "kms:Encrypt",
#         "kms:Decrypt",
#         "kms:ReEncrypt*",
#         "kms:GenerateDataKey*",
#         "kms:DescribeKey"
# 		]
# 		resources = [ "*" ]
# 	}
  
#  statement {
#      sid = "Allow attachment of persistent resources"
#      effect = "Allow"
#      principals {
#        type = "AWS"
#        identifiers = [
#          "arn:aws-us-gov:iam::${var.aws_account_id}:role/msoc-default-instance-role"
#        ]
#      }
#      actions = [
#        "kms:CreateGrant",
#        "kms:ListGrants",
#        "kms:RevokeGrant"
#      ]
#      resources = [ "*" ]
#      condition {
#        test = "Bool"
#        variable =  "kms:GrantIsForAWSResource"
#        values = [ "true" ]
#        }
#      }
# }