diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index d2cdff6..464247b 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -51,7 +51,7 @@ jobs:
 name: Minimum version check
 runs-on: ubuntu-latest
 container:
- image: hashicorp/terraform:0.12.0
+ image: hashicorp/terraform:0.12.31
 steps:
 - uses: actions/checkout@master
 - name: Validate Code
diff --git a/README.md b/README.md
index 72a9054..9dad3ac 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ The following resources will be created:
 | Name | Version |
 |------|---------|
-| terraform | >= 0.12.0 |
+| terraform | >= 0.12.31 |
 ## Providers
@@ -34,6 +34,7 @@ The following resources will be created:
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| ecr\_cmk\_encryption | Enabled KMS CMK encryption for ECR repository | `bool` | `false` | no |
 | name | Name for ECR repository | `any` | n/a | yes |
 | trust\_accounts | Accounts to trust and allow ECR fetch | `list(string)` | n/a | yes |
diff --git a/_data.tf b/_data.tf
index 8fc4b38..2e0d300 100644
--- a/_data.tf
+++ b/_data.tf
@@ -1 +1,3 @@
 data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}
\ No newline at end of file
diff --git a/_variables.tf b/_variables.tf
index abcf10f..7a37fdf 100644
--- a/_variables.tf
+++ b/_variables.tf
@@ -6,3 +6,9 @@ variable "trust_accounts" {
 type = list(string)
 description = "Accounts to trust and allow ECR fetch"
 }
+
+variable "ecr_cmk_encryption" {
+ type = bool
+ description = "Enabled KMS CMK encryption for ECR repository"
+ default = false
+}
\ No newline at end of file
diff --git a/ecr-policies.tf b/ecr-policies.tf
index a4ae081..261f958 100644
--- a/ecr-policies.tf
+++ b/ecr-policies.tf
@@ -41,4 +41,6 @@ resource "aws_ecr_repository_policy" "default" {
 ]
 }
 EOF
+
+ depends_on = [aws_ecr_repository.default]
 }
diff --git a/ecr-repositories.tf b/ecr-repositories.tf
index d165253..151ea47 100644
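Review bot: The description on the new `ecr_cmk_encryption` variable in the `_variables.tf` hunk reads `Enabled KMS CMK encryption for ECR repository`, which misstates what an opt-in `bool` defaulting to `false` does; `description = "Enable customer-managed KMS key (CMK) encryption for the ECR repository"` reads correctly, and the README row that repeats the same text should follow it. Because this flag feeds the repository's `encryption_configuration`, which the AWS provider treats as a replacement-forcing argument as far as I recall, the description should also say that flipping it on an already-created repository recreates the repository (confirm against the provider version pinned for this module).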
--- a/ecr-repositories.tf
+++ b/ecr-repositories.tf
@@ -4,4 +4,11 @@ resource "aws_ecr_repository" "default" {
 image_scanning_configuration {
 scan_on_push = true
 }
+
+ encryption_configuration {
+ encryption_type = "KMS"
+ kms_key = try(aws_kms_key.ecr[0].arn, false) ? aws_kms_key.ecr[0].arn : null
+ }
+
+ depends_on = [aws_kms_alias.ecr]
 }
diff --git a/kms.tf b/kms.tf
new file mode 100644
index 0000000..2c2c07e
--- /dev/null
+++ b/kms.tf
@@ -0,0 +1,57 @@
+data "aws_iam_policy_document" "kms_policy_ecr" {
+ count = var.ecr_cmk_encryption ? 1 : 0
+ statement {
+ sid = "Allow direct access to key metadata to the account"
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+ }
+ actions = [
+ "kms:*"
+ ]
+ resources = ["*"]
+ }
+ statement {
+ actions = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey",
+ "kms:CreateGrant",
+ "kms:RetireGrant"
+ ]
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ resources = ["*"]
+ condition {
+ test = "StringEquals"
+ variable = "kms:CallerAccount"
+ values = [join(",", var.trust_accounts)]
+ }
+ condition {
+ test = "StringEquals"
+ variable = "kms:ViaService"
+ values = ["ecr.${data.aws_region.current.name}.amazonaws.com"]
+ }
+ sid = "Allow access through Amazon ECR for all principals in the account that are authorized to use Amazon ECR"
+ }
+}
+
+
+resource "aws_kms_key" "ecr" {
+ count = var.ecr_cmk_encryption ? 1 : 0
+ deletion_window_in_days = 30
+ description = "Customer-managed key that protects ECR data"
+ enable_key_rotation = true
+ policy = data.aws_iam_policy_document.kms_policy_ecr[0].json
+}
+
+resource "aws_kms_alias" "ecr" {
+ count = var.ecr_cmk_encryption ? 1 : 0
+ name = "alias/cmk/ecr"
+ target_key_id = aws_kms_key.ecr[0].key_id
+}
\ No newline at end of file
diff --git a/versions.tf b/versions.tf
index cd0f691..a630b21 100644
--- a/versions.tf
+++ b/versions.tf
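Review bot: `encryption_type = "KMS"` in the new `encryption_configuration` block is set unconditionally, so with the default `ecr_cmk_encryption = false` every repository is still switched from the AES256 default to KMS with the AWS-managed ECR key, and since the AWS provider treats `encryption_configuration` as a replacement-forcing argument (worth confirming against the pinned provider version), repositories created by earlier versions of this module would be destroyed and recreated, images included, on the next apply. The `kms_key` expression also looks broken for the enabled case: `try(aws_kms_key.ecr[0].arn, false)` yields the ARN string when the key exists, and Terraform 0.12 only accepts `"true"`/`"false"` strings where a bool condition is required, so the `true` path appears to fail with a condition-type error instead of selecting the key. Keying both attributes on the variable avoids both problems: `encryption_type = var.ecr_cmk_encryption ? "KMS" : "AES256"` and `kms_key = var.ecr_cmk_encryption ? aws_kms_key.ecr[0].arn : null`. The enclosing `aws_ecr_repository.default` resource starts outside the hunk.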
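Review bot: The `kms:CallerAccount` condition in the second statement of `kms_policy_ecr` uses `values = [join(",", var.trust_accounts)]`, which collapses the account IDs into a single comma-separated string that no caller account will ever equal, so as soon as more than one trusted account is configured every cross-account pull through ECR is denied use of the key (it only works by accident for a single account). A `StringEquals` condition already ORs over its value list, so it should be `values = var.trust_accounts`. Separately, `name = "alias/cmk/ecr"` is a fixed alias and KMS alias names are unique per account and region, so a second instance of this module in the same account (it takes a per-repository `name` input) would fail to create its alias; deriving it from the repository, e.g. `name = "alias/cmk/ecr/${var.name}"`, avoids the collision. If `trust_accounts` is not expected to include the owning account, note that principals there reach the key only through the first statement's root grant and therefore need KMS permissions in their own IAM policies to push or pull.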
@@ -1,3 +1,3 @@
 terraform {
- required_version = ">= 0.12.0"
+ required_version = ">= 0.12.31"
 }
\ No newline at end of file