From 380bcaf68447fb05be6c888392b46449cf5d409d Mon Sep 17 00:00:00 2001 From: Niek Palm Date: Tue, 29 Oct 2024 20:30:10 +0100 Subject: [PATCH] fix(webhook): grant KMS permission to decrypt wehn using EventBridge (#4220) ## Description This PR grants the webhook (for EventBridge) access to the provided KMS key. In case no key is provided a dummy policy will be created. This to avoid terraform conditon is throwing errors when a KMS key is created in the same Terraform deploy as runner module ## Tested - [x] default example with KMS no eventbridge - [x] default example with KMS and eventbridge - [x] default example without KMS and eventbridge - [x] default example without KMS no eventbridge fix: #4218 --------- Co-authored-by: philips-labs-pr|bot --- modules/webhook/direct/README.md | 1 + modules/webhook/direct/webhook.tf | 11 +++++++++-- modules/webhook/eventbridge/README.md | 2 ++ modules/webhook/eventbridge/dispatcher.tf | 10 +++++++++- modules/webhook/eventbridge/webhook.tf | 9 +++++++++ modules/webhook/policies/lambda-kms.json | 13 +++++++++++++ .../webhook/policies/lambda-publish-sqs-policy.json | 10 ---------- 7 files changed, 43 insertions(+), 13 deletions(-) create mode 100644 modules/webhook/policies/lambda-kms.json diff --git a/modules/webhook/direct/README.md b/modules/webhook/direct/README.md index be9390c3dc..a07567bb0f 100644 --- a/modules/webhook/direct/README.md +++ b/modules/webhook/direct/README.md 
@@ -24,6 +24,7 @@ No modules.
 |------|------|
 | [aws_cloudwatch_log_group.webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_iam_role.webhook_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.webhook_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.webhook_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.webhook_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.webhook_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
diff --git a/modules/webhook/direct/webhook.tf b/modules/webhook/direct/webhook.tf
index 9fd24e3d30..77ecbb8d44 100644
--- a/modules/webhook/direct/webhook.tf
+++ b/modules/webhook/direct/webhook.tf
@@ -117,7 +117,15 @@ resource "aws_iam_role_policy" "webhook_sqs" {
   policy = templatefile("${path.module}/../policies/lambda-publish-sqs-policy.json", {
     sqs_resource_arns = jsonencode(var.config.sqs_job_queues_arns)
-    kms_key_arn = var.config.kms_key_arn != null ? var.config.kms_key_arn : ""
+  })
+}
+
+resource "aws_iam_role_policy" "webhook_kms" {
+  name = "kms-policy"
+  role = aws_iam_role.webhook_lambda.name
+
+  policy = templatefile("${path.module}/../policies/lambda-kms.json", {
+    kms_key_arn = var.config.kms_key_arn != null ? var.config.kms_key_arn : "arn:${var.config.aws_partition}:kms:::CMK_NOT_IN_USE"
   })
 }
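Review bot: The placeholder `"arn:${var.config.aws_partition}:kms:::CMK_NOT_IN_USE"` in the new `webhook_kms` resource needs a comment, because a reader of the .tf file will otherwise see an unconditional KMS grant pointing at something that is not a key and assume a bug. The commit message explains it (a `count` keyed on `var.config.kms_key_arn` cannot be planned when the key is created in the same apply), but that reasoning is not in the code; the ARN has no region, account or `key/` resource, so it can match no real key and the statement is inert until a key is supplied. Suggest above the resource: `# Always created: a count on var.config.kms_key_arn is unknown at plan time when the key is created in the same apply. The placeholder ARN matches no key, so the grant is inert until a real key is supplied.` The enclosing `webhook_sqs` resource starts before the hunk.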
@@ -128,7 +136,6 @@ resource "aws_iam_role_policy" "webhook_workflow_job_sqs" {
   policy = templatefile("${path.module}/../policies/lambda-publish-sqs-policy.json", {
     sqs_resource_arns = jsonencode([var.config.sqs_workflow_job_queue.arn])
-    kms_key_arn = var.config.kms_key_arn != null ? var.config.kms_key_arn : ""
   })
 }
diff --git a/modules/webhook/eventbridge/README.md b/modules/webhook/eventbridge/README.md
index 6426772d3d..c47a8863ae 100644
--- a/modules/webhook/eventbridge/README.md
+++ b/modules/webhook/eventbridge/README.md
@@ -30,11 +30,13 @@ No modules.
 | [aws_cloudwatch_log_group.webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_iam_role.dispatcher_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.webhook_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.dispatcher_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.dispatcher_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.dispatcher_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.dispatcher_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.dispatcher_xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.webhook_eventbridge](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.webhook_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.webhook_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.webhook_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
diff --git a/modules/webhook/eventbridge/dispatcher.tf b/modules/webhook/eventbridge/dispatcher.tf
index 93d9af84e1..19016091e3 100644
--- a/modules/webhook/eventbridge/dispatcher.tf
+++ b/modules/webhook/eventbridge/dispatcher.tf
@@ -116,7 +116,15 @@ resource "aws_iam_role_policy" "dispatcher_sqs" {
   policy = templatefile("${path.module}/../policies/lambda-publish-sqs-policy.json", {
     sqs_resource_arns = jsonencode(var.config.sqs_job_queues_arns)
-    kms_key_arn = var.config.kms_key_arn != null ? var.config.kms_key_arn : ""
+  })
+}
+
+resource "aws_iam_role_policy" "dispatcher_kms" {
+  name = "kms-policy"
+  role = aws_iam_role.webhook_lambda.name
+
+  policy = templatefile("${path.module}/../policies/lambda-kms.json", {
+    kms_key_arn = var.config.kms_key_arn != null ? var.config.kms_key_arn : "arn:${var.config.aws_partition}:kms:::CMK_NOT_IN_USE"
   })
 }
diff --git a/modules/webhook/eventbridge/webhook.tf b/modules/webhook/eventbridge/webhook.tf
index 7c47a5d19b..e914dd4ac7 100644
--- a/modules/webhook/eventbridge/webhook.tf
+++ b/modules/webhook/eventbridge/webhook.tf
@@ -127,6 +127,15 @@ resource "aws_iam_role_policy" "webhook_ssm" {
   })
 }
 
+resource "aws_iam_role_policy" "webhook_kms" {
+  name = "kms-policy"
+  role = aws_iam_role.webhook_lambda.name
+
+  policy = templatefile("${path.module}/../policies/lambda-kms.json", {
+    kms_key_arn = var.config.kms_key_arn != null ? var.config.kms_key_arn : "arn:${var.config.aws_partition}:kms:::CMK_NOT_IN_USE"
+  })
+}
+
 resource "aws_iam_role_policy" "xray" {
   count = var.config.tracing_config.mode != null ? 1 : 0
   name = "xray-policy"
diff --git a/modules/webhook/policies/lambda-kms.json b/modules/webhook/policies/lambda-kms.json
new file mode 100644
index 0000000000..65c0d3aaa9
--- /dev/null
+++ b/modules/webhook/policies/lambda-kms.json
@@ -0,0 +1,13 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "kms:Decrypt",
+        "kms:GenerateDataKey"
+      ],
+      "Resource": "${kms_key_arn}"
+    }
+  ]
+}
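Review bot: The new `dispatcher_kms` resource in eventbridge/dispatcher.tf attaches to `aws_iam_role.webhook_lambda.name`, not to the dispatcher role, so the dispatcher Lambda — whose `dispatcher_sqs` policy in this same hunk loses its inline KMS statement — appears to be left with no KMS grant at all, which would break publishing to a KMS-encrypted job queue once a real key is in use. At the same time the webhook role ends up with two Terraform resources (`webhook_kms` in eventbridge/webhook.tf and this one) both managing an inline policy named `kms-policy`, so each apply rewrites the other's policy. The eventbridge README in this commit lists `aws_iam_role.dispatcher_lambda`, which is presumably what the other `dispatcher_*` policies target; the `role` line of `dispatcher_sqs` is outside the hunk, so confirm before changing. Suggested fix: `role = aws_iam_role.dispatcher_lambda.name`. The enclosing `dispatcher_sqs` resource starts before the hunk.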
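Review bot: The new lambda-kms.json statement grants `kms:Decrypt` and `kms:GenerateDataKey` on the key with no condition, so anything running under the role can use the key directly rather than only through the services it is meant for. If the key's only job is to encrypt the SQS queues these roles publish to, a `"Condition": {"StringEquals": {"kms:ViaService": "sqs.<region>.amazonaws.com"}}` would confine the grant; that needs a region variable passed into the template, and if the same key also protects Lambda environment variables or SSM parameters those services would have to be listed as well, so confirm the key's uses before adding it. Whatever is decided, note that the placeholder `CMK_NOT_IN_USE` ARN passed from the .tf files means the statement can be present while matching no key, which is worth a sentence in the module README since JSON carries no comments.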
diff --git a/modules/webhook/policies/lambda-publish-sqs-policy.json b/modules/webhook/policies/lambda-publish-sqs-policy.json
index 6878ea125d..031560874b 100644
--- a/modules/webhook/policies/lambda-publish-sqs-policy.json
+++ b/modules/webhook/policies/lambda-publish-sqs-policy.json
@@ -5,16 +5,6 @@
       "Effect": "Allow",
       "Action": ["sqs:SendMessage", "sqs:GetQueueAttributes"],
       "Resource": ${sqs_resource_arns}
-      %{ if kms_key_arn != "" ~}
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-        "kms:Decrypt",
-        "kms:GenerateDataKey"
-      ],
-      "Resource": "${kms_key_arn}"
-      %{ endif ~}
     }
   ]
 }