AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170
							resource "aws_kms_key" "ghe_backup_data" {
  description = "EFS for Github Backup Server"
  policy      = data.aws_iam_policy_document.ghe_backup_data_policy.json
  enable_key_rotation = true
}

resource "aws_kms_alias" "ghe_backup_data" {
  name          = "alias/ghe_backup_data"
  target_key_id = aws_kms_key.ghe_backup_data.key_id
}

data "aws_iam_policy_document" "ghe_backup_data_policy" {
  policy_id = "ghe_backup_policy"

  statement {
    sid    = "Enable IAM User Permissions"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:root"]
    }

    actions   = ["kms:*"]
    resources = ["*"]
  }

  statement {
    sid    = "Allow access for Key Administrators"
    effect = "Allow"

    principals {
      type = "AWS"

      identifiers = [
        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
      ]
    }

    actions = [
      "kms:Create*",
      "kms:Describe*",
      "kms:Enable*",
      "kms:List*",
      "kms:Put*",
      "kms:Update*",
      "kms:Revoke*",
      "kms:Disable*",
      "kms:Get*",
      "kms:Delete*",
      "kms:TagResource",
      "kms:UntagResource",
      "kms:ScheduleKeyDeletion",
      "kms:CancelKeyDeletion",
    ]

    resources = ["*"]
  }

  statement {
    sid    = "Allow use of the key"
    effect = "Allow"

    principals {
      type = "AWS"

      identifiers = [
        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/msoc-default-instance-role",
        # Portal was in legacy, but doesn't make sense. Removing, but leaving commented for now in case we need to re-add it.
        # "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/portal-instance-role",
        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
      ]
    }

    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
    ]

    resources = ["*"]
  }

  statement {
    sid    = "Allow attachment of persistent resources"
    effect = "Allow"

    principals {
      type = "AWS"

      identifiers = [
        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/msoc-default-instance-role",
        # Portal was in legacy, but doesn't make sense. Removing, but leaving commented for now in case we need to re-add it.
        #"arn:${var.aws_partition}:iam::${var.aws_account_id}:role/portal-instance-role",
        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
      ]
    }

    actions = [
      "kms:CreateGrant",
      "kms:ListGrants",
      "kms:RevokeGrant",
    ]

    resources = ["*"]

    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }

  # Basically copied from the default key AWS makes, hopefully improved to
  # make it work in multiple AWS regions with a single policy
  statement {
    sid    = "elasticfilesystem"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:CreateGrant",
      "kms:DescribeKey",
    ]

    resources = ["*"]

    # https://docs.aws.amazon.com/efs/latest/ug/logging-using-cloudtrail.html#efs-encryption-cloudtrail
    condition {
      test     = "StringEquals"
      variable = "kms:CallerAccount"

      values = [
        "055650462987", # US East (N. Virginia)
        "771736226457", # US East (Ohio) 
        "208867197265", # US West (N. California)
        "736298361104", # US West (Oregon)
        "167972735943", # US GovCloud (East)
        "174619389399", # US GovCloud (West)
      ]
    }

    # https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-via-service
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"

      values = [
        "elasticfilesystem.us-east-1.amazonaws.com",
        "elasticfilesystem.us-east-2.amazonaws.com",
        "elasticfilesystem.us-west-1.amazonaws.com",
        "elasticfilesystem.us-west-2.amazonaws.com",
        "elasticfilesystem.us-gov-east-1.amazonaws.com",
        "elasticfilesystem.us-gov-west-1.amazonaws.com",
      ]
    }
  }
}