Merge pull request #7 from jaustinpage/master

Adding s3 encryption
stavxyz · Jan 30, 2019 · 3e6a0f3 · 3e6a0f3
2 parents 6d04c3a + 41b089c
commit 3e6a0f3
Show file tree

Hide file tree

Showing 4 changed files with 75 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -91,7 +91,7 @@ terraform init -backend=false
 terraform plan -out=backend.plan -target=module.backend
 # Step 4: Apply the infrastructure plan
 terraform apply backend.plan
-# Step 5: Only after applying (building) the backend resources, write our terraform config
+# Step 5: Only after applying (building) the backend resources, write our terraform config.
 # Now we can write the terraform backend configuration into our project
 # Instead of this command, you can write the terraform config block into any of your .tf files
 # Please see "writing your terraform configuration" below for more info
@@ -100,6 +100,7 @@ echo 'terraform { backend "s3" {} }' > conf.tf
 terraform init -reconfigure \
     -backend-config="bucket=terraform-state-bucket" \
     -backend-config="key=states/terraform.tfstate" \
+    -backend-config="encrypt=1" \
     # leave this next line out if you dont want to use a tf lock
     -backend-config="dynamodb_table=terraform-lock"
 ```
@@ -116,6 +117,7 @@ terraform {
     bucket = "terraform-state-bucket"
     key = "states/terraform.tfstate"
     dynamodb_table = "terraform-lock"
+    encrypt = "true"
   }
 }
 ```
@@ -193,6 +195,10 @@ _Defaults to `1` Write Capacity Unit._
 
 More on DynamoDB Capacity Units: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/CapacityUnitCalculations.html
 
+#### `kms_key_id`
+_Defaults to ``._
+
+Encryption key to use for encrypting the terraform remote state s3 bucket. If not specified, then AWS-S3 encryption key management method will be used, which uses keys derived from the account master kms key. If specified, then AWS-KMS encryption key management method will be used. If the kms_key_id is specified, then you must specify the backend config option `kms_key_id`. More on s3 bucket server side encryption: https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html and https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
 
 ### terraform-aws-backend terraform variables
 

diff --git a/main.tf b/main.tf
@@ -75,11 +75,71 @@ resource "aws_s3_bucket" "tf_backend_bucket" {
     ManagedByTerraform = "true"
     TerraformModule = "terraform-aws-backend"
   }
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = "${var.kms_key_id}"
+        sse_algorithm     = "${var.kms_key_id == "" ? "AES256" : "aws:kms"}"
+      }
+    }
+  }
   lifecycle {
     prevent_destroy = true
   }
 }
 
+data "aws_iam_policy_document" "tf_backend_bucket_policy" {
+  statement {
+    sid = "RequireEncryptedTransport"
+    effect = "Deny"
+    actions = [
+      "s3:*",
+    ]
+    resources = [
+      "${aws_s3_bucket.tf_backend_bucket.arn}/*"
+    ]
+    condition {
+      test = "Bool"
+      variable = "aws:SecureTransport"
+      values = [
+        false,
+      ]
+    }
+    principals {
+      type = "*"
+      identifiers = ["*"]
+    }
+  }
+
+  statement {
+    sid = "RequireEncryptedStorage"
+    effect = "Deny"
+    actions = [
+      "s3:PutObject",
+    ]
+    resources = [
+      "${aws_s3_bucket.tf_backend_bucket.arn}/*"
+    ]
+    condition {
+      test = "StringNotEquals"
+      variable = "s3:x-amz-server-side-encryption"
+      values = [
+        "${var.kms_key_id == "" ? "AES256" : "aws:kms" }"
+      ]
+    }
+    principals {
+      type = "*"
+      identifiers = ["*"]
+    }
+  }
+}
+
+
+resource "aws_s3_bucket_policy" "tf_backend_bucket_policy" {
+  bucket = "${aws_s3_bucket.tf_backend_bucket.id}"
+  policy = "${data.aws_iam_policy_document.tf_backend_bucket_policy.json}"
+}
+
 resource "aws_s3_bucket" "tf_backend_logs_bucket" {
   bucket = "${var.backend_bucket}-logs"
   acl = "log-delivery-write"
@@ -95,4 +155,3 @@ resource "aws_s3_bucket" "tf_backend_logs_bucket" {
     prevent_destroy = true
   }
 }
-
diff --git a/outputs.tf b/outputs.tf
@@ -7,11 +7,12 @@
  *   - dynamodb_lock_table_arn
  *   - dynamodb_lock_table_stream_arn
  *   - dynamodb_lock_table_stream_label
+ *   - s3_kms_key_id
  *
  */
 
 output "s3_backend_bucket_name" {
-  value = "${aws_s3_bucket.tf_backend_bucket.id}"
+  value = "${ join("", aws_s3_bucket.tf_backend_bucket.*.id, aws_s3_bucket.tf_backend_bucket.*.id)}"
 }
 
 output "dynamodb_lock_table_name" {

diff --git a/variables.tf b/variables.tf
@@ -25,3 +25,9 @@ variable "lock_table_read_capacity" {
 variable "lock_table_write_capacity" {
   default = 1
 }
+
+variable "kms_key_id" {
+  # Default to absent/blank to use the default aws/s3 aws kms master key
+  default = ""
+  description = "The AWS KMS master key ID used for the SSE-KMS encryption on the tf state s3 bucket. If the kms_key_id is specified, the bucket default encryption key management method will be set to aws-kms. If the kms_key_id is not specified (the default), then the default encryption key management method will be set to aes-256 (also known as aws-s3 key management). The default aws/s3 AWS KMS master key is used if this element is absent (the default)."
+}