Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

lambda-kms module #19

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

lambda-kms module #19

wants to merge 1 commit into from

Conversation

miguelgrinberg
Copy link

No description provided.

ryandub
ryandub suggested changes Nov 28, 2017
View reviewed changes
Copy link
Contributor

@ryandub ryandub left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry it took me a while to get to this. Thanks for the PR - can you take a look at the comments and make some small changes?

modules/lambda-kms/main.tf Outdated
@@ -0,0 +1,18 @@
data "template_file" "kms_policy" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The template_file data resource for IAM policies is an older way of doing this. Can you switch this to use the newer iam_policy_document data resource? There are a few examples in this repo of how to use it such as this one.

modules/lambda-kms/templates/kms_key_policy.tpl Outdated
]
},
"Action": [
"kms:*"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it might be worthwhile to allow root and the deployment user access to kms:*, but also add a deny on decrypt (and possibly any other sensitive functions). This will allow the user to administer the key for deployment purposes, but not open up encrypted data to a wider audience than necessary.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Decrypt is needed for fleece config.

@miguelgrinberg miguelgrinberg force-pushed the lambda-kms-module branch 5 times, most recently from aebba4d to 7505e0a Compare December 1, 2017 02:01
@miguelgrinberg
Copy link
Author

@ryandub per our discussion, I added a admin_can_decrypt variable. Here is the example invocation of this module that I'm using:

module "helloworld_key" {
  source      = "github.com/miguelgrinberg/xplat-terraform-modules?ref=lambda-kms-module//modules/lambda-kms"

  lambda_role = "${module.helloworld_lambda_authorizer.lambda_role_name}"
  key_alias   = "${var.stage}-${var.service_name}-config-key"
  key_autorotate = "true"
  admin_can_decrypt = "true"
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ryandub ryandub ryandub requested changes

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@miguelgrinberg @ryandub