Merge branch 'main' into aastha/upgrade-eks-module

wandb · Jul 23, 2024 · 3e239fa · 3e239fa
2 parents d0c9f55 + fd4d0e1
commit 3e239fa
Show file tree

Hide file tree

Showing 9 changed files with 178 additions and 11 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,27 @@
 
 All notable changes to this project will be documented in this file.
 
+### [4.21.2](https://github.com/wandb/terraform-aws-wandb/compare/v4.21.1...v4.21.2) (2024-07-18)
+
+
+### Bug Fixes
+
+* Condition to create kms.aws_kms_grant.clickhouse was incorrect ([#245](https://github.com/wandb/terraform-aws-wandb/issues/245)) ([78d9be7](https://github.com/wandb/terraform-aws-wandb/commit/78d9be7c0b1126aada5e5df7539ae47ecc6b3368))
+
+### [4.21.1](https://github.com/wandb/terraform-aws-wandb/compare/v4.21.0...v4.21.1) (2024-07-18)
+
+
+### Bug Fixes
+
+* Don't create KMS key and related resources for CH by default ([#244](https://github.com/wandb/terraform-aws-wandb/issues/244)) ([42d64ba](https://github.com/wandb/terraform-aws-wandb/commit/42d64bae1847a6d26b16bbf46cd341a39389ad0f))
+
+## [4.21.0](https://github.com/wandb/terraform-aws-wandb/compare/v4.20.3...v4.21.0) (2024-07-17)
+
+
+### Features
+
+* Set up KMS key for clickhouse CMEK and endpoint for PL ([#243](https://github.com/wandb/terraform-aws-wandb/issues/243)) ([1d2fb92](https://github.com/wandb/terraform-aws-wandb/commit/1d2fb921792019b6356e0f89b7c117dda168339a))
+
 ### [4.20.3](https://github.com/wandb/terraform-aws-wandb/compare/v4.20.2...v4.20.3) (2024-07-11)
 
 

diff --git a/main.tf b/main.tf
@@ -1,15 +1,20 @@
 module "kms" {
   source = "./modules/kms"
 
-  key_alias           = var.kms_key_alias == null ? "${var.namespace}-kms-alias" : var.kms_key_alias
   key_deletion_window = var.kms_key_deletion_window
 
+  key_alias  = var.kms_key_alias == null ? "${var.namespace}-kms-alias" : var.kms_key_alias
   key_policy = var.kms_key_policy
+
+  create_clickhouse_key = var.enable_clickhouse
+  clickhouse_key_alias  = var.kms_clickhouse_key_alias == null ? "${var.namespace}-kms-clickhouse-alias" : var.kms_clickhouse_key_alias
+  clickhouse_key_policy = var.kms_clickhouse_key_policy
 }
 
 locals {
 
   default_kms_key                           = module.kms.key.arn
+  clickhouse_kms_key                        = var.enable_clickhouse ? module.kms.clickhouse_key.arn : null
   s3_kms_key_arn                            = length(var.bucket_kms_key_arn) > 0 ? var.bucket_kms_key_arn : local.default_kms_key
   database_kms_key_arn                      = length(var.database_kms_key_arn) > 0 ? var.database_kms_key_arn : local.default_kms_key
   database_performance_insights_kms_key_arn = length(var.database_performance_insights_kms_key_arn) > 0 ? var.database_performance_insights_kms_key_arn : local.default_kms_key
@@ -37,12 +42,13 @@ module "networking" {
   namespace  = var.namespace
   create_vpc = var.create_vpc
 
-  cidr                      = var.network_cidr
-  private_subnet_cidrs      = var.network_private_subnet_cidrs
-  public_subnet_cidrs       = var.network_public_subnet_cidrs
-  database_subnet_cidrs     = var.network_database_subnet_cidrs
-  create_elasticache_subnet = var.create_elasticache
-  elasticache_subnet_cidrs  = var.network_elasticache_subnet_cidrs
+  cidr                           = var.network_cidr
+  private_subnet_cidrs           = var.network_private_subnet_cidrs
+  public_subnet_cidrs            = var.network_public_subnet_cidrs
+  database_subnet_cidrs          = var.network_database_subnet_cidrs
+  create_elasticache_subnet      = var.create_elasticache
+  elasticache_subnet_cidrs       = var.network_elasticache_subnet_cidrs
+  clickhouse_endpoint_service_id = var.clickhouse_endpoint_service_id
 }
 
 locals {

diff --git a/modules/kms/main.tf b/modules/kms/main.tf
@@ -89,3 +89,73 @@ resource "aws_kms_grant" "main" {
     "ReEncryptTo",
   ]
 }
+
+resource "aws_kms_key" "clickhouse_key" {
+  count = var.create_clickhouse_key ? 1 : 0
+
+  deletion_window_in_days = var.key_deletion_window
+  description             = "AWS KMS Customer-managed key to encrypt Weave resources in Clickhouse"
+  key_usage               = "ENCRYPT_DECRYPT"
+
+  policy = var.clickhouse_key_policy != "" ? var.clickhouse_key_policy : jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Sid" : "Allow administration of the key",
+        "Effect" : "Allow",
+        "Principal" : { "AWS" : "${data.aws_caller_identity.current.arn}" },
+        "Action" : "kms:*",
+        "Resource" : "*"
+      },
+      {
+        "Sid" : "Allow ClickHouse Access",
+        "Effect" : "Allow",
+        "Principal" : {
+          "AWS" : "arn:aws:iam::576599896960:role/prod-kms-request-role"
+        },
+        "Action" : [
+          "kms:GetPublicKey",
+          "kms:Decrypt",
+          "kms:GenerateDataKeyPair",
+          "kms:Encrypt",
+          "kms:GetKeyRotationStatus",
+          "kms:GenerateDataKey",
+          "kms:DescribeKey"
+        ],
+        "Resource" : "*"
+      },
+    ]
+  })
+
+  tags = {
+    Name = "wandb-kms-clickhouse-key"
+  }
+}
+
+
+
+resource "aws_kms_alias" "clickhouse_key" {
+  count = var.create_clickhouse_key ? 1 : 0
+
+  name          = "alias/${var.clickhouse_key_alias}"
+  target_key_id = aws_kms_key.clickhouse_key[0].key_id
+}
+
+
+resource "aws_kms_grant" "clickhouse" {
+  count = var.create_clickhouse_key && (var.iam_principal_arn != "") ? 1 : 0
+
+  grantee_principal = var.iam_principal_arn
+  key_id            = aws_kms_key.clickhouse_key[0].key_id
+  operations = [
+    "Decrypt",
+    "DescribeKey",
+    "Encrypt",
+    "GenerateDataKey",
+    "GenerateDataKeyPair",
+    "GenerateDataKeyPairWithoutPlaintext",
+    "GenerateDataKeyPairWithoutPlaintext",
+    "ReEncryptFrom",
+    "ReEncryptTo",
+  ]
+}
diff --git a/modules/kms/outputs.tf b/modules/kms/outputs.tf
@@ -1,4 +1,10 @@
 output "key" {
   value       = aws_kms_key.key
-  description = "The KMS key used to encrypt data."
-}
+  description = "The KMS key used to encrypt Models data."
+}
+
+
+output "clickhouse_key" {
+  value       = var.create_clickhouse_key ? aws_kms_key.clickhouse_key[0] : null
+  description = "The KMS key used to encrypt Weave data in Clickhouse."
+}
diff --git a/modules/kms/variables.tf b/modules/kms/variables.tf
@@ -18,4 +18,22 @@ variable "key_policy" {
   description = "The policy that will define the permissions for the kms key."
   type        = string
   default     = ""
-}
+}
+
+variable "create_clickhouse_key" {
+  description = "Whether to create a KMS key for Clickhouse CMEK."
+  type        = bool
+  default     = false
+}
+
+variable "clickhouse_key_alias" {
+  description = "The key alias for AWS KMS Customer managed key."
+  type        = string
+  default     = "wandb-kms-clickhouse-key"
+}
+
+variable "clickhouse_key_policy" {
+  description = "The policy that will define the permissions for the kms clickhouse key."
+  type        = string
+  default     = ""
+}
diff --git a/modules/networking/main.tf b/modules/networking/main.tf
@@ -37,3 +37,13 @@ module "vpc" {
     "kubernetes.io/role/elb" = "1"
   }
 }
+
+resource "aws_vpc_endpoint" "clickhouse" {
+  count = var.create_vpc && var.clickhouse_endpoint_service_id != "" ? 1 : 0
+
+  vpc_id              = module.vpc.vpc_id
+  service_name        = var.clickhouse_endpoint_service_id
+  vpc_endpoint_type   = "Interface"
+  subnet_ids          = module.vpc.private_subnets
+  private_dns_enabled = true
+}
diff --git a/modules/networking/variables.tf b/modules/networking/variables.tf
@@ -61,4 +61,10 @@ variable "amazon_side_asn" {
   description = "The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN."
   type        = string
   default     = "64512"
-}
+}
+
+variable "clickhouse_endpoint_service_id" {
+  description = "The ID of the Clickhouse service endpoint"
+  type        = string
+  default     = ""
+}
diff --git a/outputs.tf b/outputs.tf
@@ -52,6 +52,12 @@ output "kms_key_arn" {
   description = "The Amazon Resource Name of the KMS key used to encrypt data at rest."
 }
 
+output "kms_clickhouse_key_arn" {
+  value       = local.clickhouse_kms_key
+  description = "The Amazon Resource Name of the KMS key used to encrypt Weave data at rest in Clickhouse."
+
+}
+
 output "network_id" {
   value       = local.network_id
   description = "The identity of the VPC in which resources are deployed."

diff --git a/variables.tf b/variables.tf
@@ -199,6 +199,18 @@ variable "kms_key_policy" {
   default     = ""
 }
 
+variable "kms_clickhouse_key_alias" {
+  type        = string
+  description = "KMS key alias for AWS KMS Customer managed key used by Clickhouse CMEK."
+  default     = null
+}
+
+variable "kms_clickhouse_key_policy" {
+  type        = string
+  description = "The policy that will define the permissions for the clickhouse kms key."
+  default     = ""
+}
+
 ##########################################
 # Network                                #
 ##########################################
@@ -474,3 +486,15 @@ variable "yace_sa_name" {
   type    = string
   default = "wandb-yace"
 }
+
+variable "enable_clickhouse" {
+  type        = bool
+  description = "Provision clickhouse resources"
+  default     = false
+}
+
+variable "clickhouse_endpoint_service_id" {
+  type        = string
+  description = "The service ID of the VPC endpoint service for Clickhouse"
+  default     = ""
+}