feat: Improve syncer s3 kms encryption

npalm · Julius Adamek · npalm · commit 38ed5be5db8a · 2022-05-05T16:28:31.000+02:00
manual merge of https://github.com/philips-labs/terraform-aws-github-runner/pull/1915 Co-authored-by: Julius Adamek <julius.adamek@adesso.de>
diff --git a/.gitignore b/.gitignore
@@ -8,6 +8,7 @@
 *id_rsa*
 
 # other
+node_modules/
 .idea
 .DS_Store
 *.out
diff --git a/modules/runner-binaries-syncer/lambdas/runner-binaries-syncer/src/syncer/syncer.ts b/modules/runner-binaries-syncer/lambdas/runner-binaries-syncer/src/syncer/syncer.ts
@@ -78,6 +78,8 @@ async function uploadToS3(s3: S3, cacheObject: CacheObject, actionRunnerReleaseA
       Key: cacheObject.key,
       Tagging: versionKey + '=' + actionRunnerReleaseAsset.name,
       Body: writeStream,
+      ServerSideEncryption: process.env.S3_SSE_ALGORITHM,
+      SSEKMSKeyId: process.env.S3_SSE_KMS_KEY_ID,
     })
     .promise();
 
diff --git a/modules/runner-binaries-syncer/main.tf b/modules/runner-binaries-syncer/main.tf
@@ -35,7 +35,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "bucket-config" {
 
 resource "aws_s3_bucket_server_side_encryption_configuration" "action_dist" {
   bucket = aws_s3_bucket.action_dist.id
-  count  = length(keys(lookup(var.server_side_encryption_configuration, "rule", {}))) == 0 ? 0 : 1
+  count  = try(var.server_side_encryption_configuration, null) != null ? 1 : 0
 
   dynamic "rule" {
     for_each = [lookup(var.server_side_encryption_configuration, "rule", {})]
@@ -63,3 +63,41 @@ resource "aws_s3_bucket_public_access_block" "action_dist" {
   ignore_public_acls      = true
   restrict_public_buckets = true
 }
+
+
+
+data "aws_iam_policy_document" "action_dist_sse_policy" {
+  count = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default, null) != null ? 1 : 0
+
+  statement {
+    effect = "Deny"
+
+    principals {
+      type = "AWS"
+
+      identifiers = [
+        "*",
+      ]
+    }
+
+    actions = [
+      "s3:PutObject",
+    ]
+
+    resources = [
+      "${aws_s3_bucket.action_dist.arn}/*",
+    ]
+
+    condition {
+      test     = "StringNotEquals"
+      variable = "s3:x-amz-server-side-encryption"
+      values   = [var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.sse_algorithm]
+    }
+  }
+}
+
+resource "aws_s3_bucket_policy" "action_dist_sse_policy" {
+  count  = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default, null) != null ? 1 : 0
+  bucket = aws_s3_bucket.action_dist.id
+  policy = data.aws_iam_policy_document.action_dist_sse_policy[0].json
+}
diff --git a/modules/runner-binaries-syncer/policies/lambda-kms.json b/modules/runner-binaries-syncer/policies/lambda-kms.json
@@ -0,0 +1,10 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
+        "Resource": "${kms_key_arn}"
+      }
+    ]
+  }
diff --git a/modules/runner-binaries-syncer/runner-binaries-syncer.tf b/modules/runner-binaries-syncer/runner-binaries-syncer.tf
@@ -29,8 +29,11 @@ resource "aws_lambda_function" "syncer" {
       LOG_TYPE                                = var.log_type
       S3_BUCKET_NAME                          = aws_s3_bucket.action_dist.id
       S3_OBJECT_KEY                           = local.action_runner_distribution_object_key
+      S3_SSE_ALGORITHM                        = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.sse_algorithm, null)
+      S3_SSE_KMS_KEY_ID                       = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.kms_master_key_id, null)
     }
   }
+
   dynamic "vpc_config" {
     for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
     content {
@@ -42,6 +45,16 @@ resource "aws_lambda_function" "syncer" {
   tags = var.tags
 }
 
+resource "aws_iam_role_policy" "lambda_kms" {
+  count = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.kms_master_key_id, null) != null ? 1 : 0
+  name  = "${var.environment}-lambda-kms-policy-syncer"
+  role  = aws_iam_role.syncer_lambda.id
+
+  policy = templatefile("${path.module}/policies/lambda-kms.json", {
+    kms_key_arn = var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.kms_master_key_id
+  })
+}
+
 resource "aws_cloudwatch_log_group" "syncer" {
   name              = "/aws/lambda/${aws_lambda_function.syncer.function_name}"
   retention_in_days = var.logging_retention_in_days
