
fix: creates a KMS grant when KMS and ASG is used, to allow ASG to use the key for decrypting volumes

tags/11.0.0
Guillaume Donval 2 months ago
parent
commit
71dddef748
Signed by: guillaume.donval <guillaume.donval@fxinnovation.com> GPG Key ID: 172AC3F9180CD64E
4 changed files with 66 additions and 34 deletions
  1. +1
    -0
      CHANGELOG.md
  2. +21
    -0
      autoscaling_groups.tf
  3. +44
    -0
      kms.tf
  4. +0
    -34
      volumes.tf

+ 1
- 0
CHANGELOG.md View File

@@ -23,6 +23,7 @@
* maintenance: pins pre-commit dependencies to latest versions
* fix: fix the ability to inject external primary network interface for EC2
* fix: also use `var.prefix` for IAM Role and Instance Profile
* fix: creates a KMS grant when KMS and ASG is used, to allow ASG to use the key for decrypting volumes

10.0.0
=====


+ 21
- 0
autoscaling_groups.tf View File

@@ -147,6 +147,23 @@ resource "aws_launch_template" "this" {
local.tags,
)
}

// This hack is necessary as for Terraform 0.13.2+ and AWS Provider 3.7.0+
// Because aws_iam_service_linked_role resource returns a result before it's actually available, making ASG creation fail.
provisioner "local-exec" {
command = "sleep 15"
}
}

####
# AutoScaling Group
####

resource "aws_iam_service_linked_role" "asg" {
count = var.use_autoscaling_group ? 1 : 0

aws_service_name = "autoscaling.amazonaws.com"
custom_suffix = format("%s%s", var.prefix, var.autoscaling_group_name)
}

####
@@ -186,6 +203,8 @@ resource "aws_autoscaling_group" "this" {

placement_group = var.placement_group

service_linked_role_arn = aws_iam_service_linked_role.asg.*.arn[0]

dynamic "tag" {
for_each = merge(var.tags, var.instance_tags, local.tags)

@@ -213,6 +232,8 @@ resource "aws_autoscaling_group" "this" {
lifecycle {
ignore_changes = [target_group_arns]
}

depends_on = [aws_iam_service_linked_role.asg]
}

resource "aws_autoscaling_attachment" "this" {
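Review bot: The `sleep 15` local-exec provisioner in the first hunk is attached to `aws_launch_template.this`, but the comment says the delay exists because `aws_iam_service_linked_role` returns before the role is usable; unless the launch template depends on that role somewhere outside the hunk, Terraform may create the two in parallel and the sleep can finish before the role even exists, which makes the workaround timing-dependent rather than reliable. Moving the same three lines `provisioner "local-exec" { command = "sleep 15" }` into `resource "aws_iam_service_linked_role" "asg"` would start the wait only after the role has been returned, which is what the comment describes. The provisioner also assumes a POSIX shell on the machine running Terraform, which is worth stating in the comment. Separately, `service_linked_role_arn = aws_iam_service_linked_role.asg.*.arn[0]` in the second hunk indexes an empty list when `var.use_autoscaling_group` is false; that is only safe if `aws_autoscaling_group.this` carries the same `count` guard, and its header is outside the hunk so I cannot confirm it.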


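--- /dev/null
+++ b/kms.tf
@@ -0,0 +1,44 @@
+####
+# KMS
+####
+
+locals {
+should_create_kms_key = var.volume_kms_key_create && (var.root_block_device_encrypted || var.extra_volume_count > 0)
+should_grant_asg_to_access_key = var.root_block_device_encrypted && var.use_autoscaling_group
+
+volume_kms_key_arn = local.should_create_kms_key ? aws_kms_key.this_volume.*.arn[0] : var.volume_kms_key_arn
+}
+
+resource "aws_kms_key" "this_volume" {
+count = local.should_create_kms_key ? 1 : 0
+
+description = "KMS key for ${format("%s%s", var.prefix, var.name)} instance(s) volume(s)."
+customer_master_key_spec = var.volume_kms_key_customer_master_key_spec
+policy = var.volume_kms_key_policy
+
+
+tags = merge(
+{
+"Name" = format("%s%s", var.prefix, var.volume_kms_key_name)
+},
+var.tags,
+var.volume_kms_key_tags,
+local.tags,
+)
+}
+
+resource "aws_kms_alias" "this_volume" {
+count = local.should_create_kms_key ? 1 : 0
+
+name = format("alias/%s%s", var.prefix, var.volume_kms_key_alias)
+target_key_id = aws_kms_key.this_volume[0].key_id
+}
+
+resource "aws_kms_grant" "this_volume" {
+count = local.should_grant_asg_to_access_key ? 1 : 0
+
+name = "AllowASGToAccessKMS"
+key_id = local.volume_kms_key_arn
+grantee_principal = aws_iam_service_linked_role.asg.*.arn[0]
+operations = ["Encrypt", "Decrypt", "GenerateDataKey", "DescribeKey", "CreateGrant", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "RetireGrant"]
+}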
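Review bot: `should_grant_asg_to_access_key` is narrower than `should_create_kms_key` right above it: the key is created when `var.extra_volume_count > 0` even with an unencrypted root device, but the grant is only created when `var.root_block_device_encrypted` is true, so an ASG whose extra volumes are encrypted with this key (if they are — the volume resources are outside this diff) would still be unable to launch instances. Aligning the two conditions, `should_grant_asg_to_access_key = var.use_autoscaling_group && (var.root_block_device_encrypted || var.extra_volume_count > 0)`, closes that gap. The `operations` list on the grant is also broader than the fix needs; as far as I recall `RetireGrant` is not part of the set AWS documents for the Auto Scaling service-linked role, so least privilege suggests dropping it unless something in the module relies on it. A one-line comment above `resource "aws_kms_grant" "this_volume"` would save the next reader a trip to the changelog: `# Lets the Auto Scaling service-linked role use the volume key when launching instances with encrypted volumes.`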

+ 0
- 34
volumes.tf View File

@@ -1,37 +1,3 @@
####
# KMS
####

locals {
should_create_kms_key = var.volume_kms_key_create && (var.root_block_device_encrypted || var.extra_volume_count > 0)

volume_kms_key_arn = local.should_create_kms_key ? aws_kms_key.this_volume.*.arn[0] : var.volume_kms_key_arn
}

resource "aws_kms_key" "this_volume" {
count = local.should_create_kms_key ? 1 : 0

description = "KMS key for ${format("%s%s", var.prefix, var.name)} instance(s) volume(s)."
customer_master_key_spec = var.volume_kms_key_customer_master_key_spec
policy = var.volume_kms_key_policy

tags = merge(
{
"Name" = format("%s%s", var.prefix, var.volume_kms_key_name)
},
var.tags,
var.volume_kms_key_tags,
local.tags,
)
}

resource "aws_kms_alias" "this_extra_volume" {
count = local.should_create_kms_key ? 1 : 0

name = format("alias/%s%s", var.prefix, var.volume_kms_key_alias)
target_key_id = aws_kms_key.this_volume[0].key_id
}

####
# Extra EBS
####

