Enable KMS encryption and capability of using customer-managed key (#10)

* Enable KMS encryption

* Add capability of encrypting ECR repo with CMK

Co-authored-by: lzrocha <[email protected]>

.github/workflows/lint.yml

@@ -51,7 +51,7 @@ jobs:
     name: Minimum version check
     runs-on: ubuntu-latest
     container:
-      image: hashicorp/terraform:0.12.0
+      image: hashicorp/terraform:0.12.31
     steps:
       - uses: actions/checkout@master
       - name: Validate Code

README.md

@@ -22,7 +22,7 @@ The following resources will be created:
 
 | Name | Version |
 |------|---------|
-| terraform | >= 0.12.0 |
+| terraform | >= 0.12.31 |
 
 ## Providers
 
@@ -34,6 +34,7 @@ The following resources will be created:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| ecr\_cmk\_encryption | Enabled KMS CMK encryption for ECR repository | `bool` | `false` | no |
 | name | Name for ECR repository | `any` | n/a | yes |
 | trust\_accounts | Accounts to trust and allow ECR fetch | `list(string)` | n/a | yes |
 

_data.tf

@@ -1 +1,3 @@
 data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}

_variables.tf

@@ -6,3 +6,9 @@ variable "trust_accounts" {
   type        = list(string)
   description = "Accounts to trust and allow ECR fetch"
 }
+
+variable "ecr_cmk_encryption" {
+  type        = bool
+  description = "Enabled KMS CMK encryption for ECR repository"
+  default     = false
+}

ecr-policies.tf

@@ -41,4 +41,6 @@ resource "aws_ecr_repository_policy" "default" {
   ]
 }
 EOF
+
+  depends_on = [aws_ecr_repository.default]
 }

ecr-repositories.tf

@@ -4,4 +4,11 @@ resource "aws_ecr_repository" "default" {
   image_scanning_configuration {
     scan_on_push = true
   }
+
+  encryption_configuration {
+    encryption_type = "KMS"
+    kms_key         = try(aws_kms_key.ecr[0].arn, false) ? aws_kms_key.ecr[0].arn : null
+  }
+
+  depends_on = [aws_kms_alias.ecr]
 }

kms.tf

@@ -0,0 +1,57 @@
+data "aws_iam_policy_document" "kms_policy_ecr" {
+  count = var.ecr_cmk_encryption ? 1 : 0
+  statement {
+    sid    = "Allow direct access to key metadata to the account"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+    actions = [
+      "kms:*"
+    ]
+    resources = ["*"]
+  }
+  statement {
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey",
+      "kms:CreateGrant",
+      "kms:RetireGrant"
+    ]
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      variable = "kms:CallerAccount"
+      values   = [join(",", var.trust_accounts)]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "kms:ViaService"
+      values   = ["ecr.${data.aws_region.current.name}.amazonaws.com"]
+    }
+    sid = "Allow access through Amazon ECR for all principals in the account that are authorized to use Amazon ECR"
+  }
+}
+
+
+resource "aws_kms_key" "ecr" {
+  count                   = var.ecr_cmk_encryption ? 1 : 0
+  deletion_window_in_days = 30
+  description             = "Customer-managed key that protects ECR data"
+  enable_key_rotation     = true
+  policy                  = data.aws_iam_policy_document.kms_policy_ecr[0].json
+}
+
+resource "aws_kms_alias" "ecr" {
+  count         = var.ecr_cmk_encryption ? 1 : 0
+  name          = "alias/cmk/ecr"
+  target_key_id = aws_kms_key.ecr[0].key_id
+}

versions.tf

@@ -1,3 +1,3 @@
 terraform {
-  required_version = ">= 0.12.0"
+  required_version = ">= 0.12.31"
 }