From 96bb77063353acfac2a4665a8e1a0d14a55febac Mon Sep 17 00:00:00 2001 From: Bayron Carranza Date: Wed, 6 Jul 2022 16:48:36 -0600 Subject: [PATCH] Add kms to eks cloudwatch log group (#360) --- terraform-modules/aws/eks/main.tf | 9 ++ .../aws/kms/cloudwatch_log_group/README.md | 36 ++++++++ .../aws/kms/cloudwatch_log_group/main.tf | 89 +++++++++++++++++++ .../aws/kms/cloudwatch_log_group/outputs.tf | 4 + .../aws/kms/cloudwatch_log_group/variables.tf | 9 ++ 5 files changed, 147 insertions(+) create mode 100644 terraform-modules/aws/kms/cloudwatch_log_group/README.md create mode 100644 terraform-modules/aws/kms/cloudwatch_log_group/main.tf create mode 100644 terraform-modules/aws/kms/cloudwatch_log_group/outputs.tf create mode 100644 terraform-modules/aws/kms/cloudwatch_log_group/variables.tf diff --git a/terraform-modules/aws/eks/main.tf b/terraform-modules/aws/eks/main.tf index e81ce479a..5339e9c1e 100644 --- a/terraform-modules/aws/eks/main.tf +++ b/terraform-modules/aws/eks/main.tf @@ -31,6 +31,14 @@ resource "aws_kms_key" "eks" { tags = var.tags } + +module "kms_cloudwatch_log_group" { + source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/kms/cloudwatch_log_group?ref=v2.0.37" + log_group_name = "/aws/eks/${var.cluster_name}/cluster" + tags = var.tags +} + + module "eks" { source = "terraform-aws-modules/eks/aws" version = "18.23.0" @@ -57,6 +65,7 @@ module "eks" { resources = ["secrets"] }] + cloudwatch_log_group_kms_key_id = module.kms_cloudwatch_log_group.kms_arn cloudwatch_log_group_retention_in_days = var.cloudwatch_log_group_retention_in_days cluster_enabled_log_types = var.cluster_enabled_log_types diff --git a/terraform-modules/aws/kms/cloudwatch_log_group/README.md b/terraform-modules/aws/kms/cloudwatch_log_group/README.md new file mode 100644 index 000000000..0d107aa32 --- /dev/null +++ b/terraform-modules/aws/kms/cloudwatch_log_group/README.md 
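Review bot: The module source in the first hunk pins `?ref=v2.0.37`, a tag in this same repository, for a module that this very commit introduces; unless that tag is cut from a commit that already contains `terraform-modules/aws/kms/cloudwatch_log_group`, `terraform init` on the eks module cannot resolve the source. A git tag is also a mutable pointer, so for a reproducible and tamper-evident dependency either pin to a commit SHA (`?ref=<commit-sha>`, placeholder) or, since the module lives beside this file, use a relative source such as `source = "../kms/cloudwatch_log_group"`. The `log_group_name` passed here (`/aws/eks/${var.cluster_name}/cluster`) matches the log group the EKS module names, and the second hunk feeds `module.kms_cloudwatch_log_group.kms_arn` into `cloudwatch_log_group_kms_key_id`, so the key policy's log-group condition lines up once the source resolves. The `module "eks"` block continues outside both hunks.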
@@ -0,0 +1,36 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_kms_key.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [log\_group\_name](#input\_log\_group\_name) | Log group name of cloud watch | `string` | `"log-group-default"` | no |
+| [tags](#input\_tags) | n/a | `map(any)` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [kms\_arn](#output\_kms\_arn) | Arn of kms for log group of cloudwatch |
diff --git a/terraform-modules/aws/kms/cloudwatch_log_group/main.tf b/terraform-modules/aws/kms/cloudwatch_log_group/main.tf
new file mode 100644
index 000000000..29afbcfce
--- /dev/null
+++ b/terraform-modules/aws/kms/cloudwatch_log_group/main.tf
@@ -0,0 +1,89 @@
+# This is a standard kms that frees any cloud watch log group from vulnerabilities.
+# Docs: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html
+
+locals {
+ arn_format = "arn:${data.aws_partition.current.partition}"
+}
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# CREATE A KMS
+# We can attach KMS to CloudWatch Log.
+# ---------------------------------------------------------------------------------------------------------------------
+data "aws_iam_policy_document" "kms" {
+ statement {
+ sid = "Enable Root User Permissions"
+ effect = "Allow"
+
+ actions = [
+ "kms:Create*",
+ "kms:Describe*",
+ "kms:Enable*",
+ "kms:List*",
+ "kms:Put*",
+ "kms:Update*",
+ "kms:Revoke*",
+ "kms:Disable*",
+ "kms:Get*",
+ "kms:Delete*",
+ "kms:Tag*",
+ "kms:Untag*",
+ "kms:ScheduleKeyDeletion",
+ "kms:CancelKeyDeletion"
+ ]
+
+ #bridgecrew:skip=CKV_AWS_109:This policy applies only to the key it is attached to
+ #bridgecrew:skip=CKV_AWS_111:This policy applies only to the key it is attached to
+ resources = [
+ "*"
+ ]
+
+ principals {
+ type = "AWS"
+
+ identifiers = [
+ "${local.arn_format}:iam::${data.aws_caller_identity.current.account_id}:root"
+ ]
+ }
+ }
+
+ statement {
+ sid = "Allow KMS to CloudWatch Log Group ${var.log_group_name}"
+ effect = "Allow"
+
+ actions = [
+ "kms:Encrypt*",
+ "kms:Decrypt*",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:Describe*"
+ ]
+
+ resources = [
+ "*"
+ ]
+
+ principals {
+ type = "Service"
+
+ identifiers = [
+ "logs.${data.aws_region.current.name}.amazonaws.com"
+ ]
+ }
+ condition {
+ test = "ArnEquals"
+ variable = "kms:EncryptionContext:aws:logs:arn"
+ values = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${var.log_group_name}"]
+ }
+ }
+}
+
+resource "aws_kms_key" "kms" {
+ description = "KMS key for log-group: ${var.log_group_name}"
+ deletion_window_in_days = 10
+ enable_key_rotation = true
+ policy = join("", data.aws_iam_policy_document.kms.*.json)
+ tags = var.tags
+}
diff --git a/terraform-modules/aws/kms/cloudwatch_log_group/outputs.tf b/terraform-modules/aws/kms/cloudwatch_log_group/outputs.tf
new file mode 100644
index 000000000..aa9305d75
--- /dev/null
+++ b/terraform-modules/aws/kms/cloudwatch_log_group/outputs.tf
@@ -0,0 +1,4 @@
+output "kms_arn" {
+ description = "Arn of kms for log group of cloudwatch"
+ value = aws_kms_key.kms.arn
+}
\ No newline at end of file
diff --git a/terraform-modules/aws/kms/cloudwatch_log_group/variables.tf b/terraform-modules/aws/kms/cloudwatch_log_group/variables.tf
new file mode 100644
index 000000000..d17d0f944
--- /dev/null
+++ b/terraform-modules/aws/kms/cloudwatch_log_group/variables.tf
@@ -0,0 +1,9 @@
+variable "log_group_name" {
+ type = string
+ default = "log-group-default"
+ description = "Log group name of cloud watch"
+}
+
+variable "tags" {
+ type = map(any)
+}
\ No newline at end of file
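Review bot: The `ArnEquals` condition at the end of the second statement hard-codes the `arn:aws` partition while the root principal earlier in the same document is built from `local.arn_format`, so in any partition where `data.aws_partition.current.partition` is not `aws` the encryption-context check never matches and CloudWatch Logs cannot use the key; change the line to `values = ["${local.arn_format}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${var.log_group_name}"]`. The service principal `logs.${data.aws_region.current.name}.amazonaws.com` has the same partition dependence, and `data.aws_partition.current.dns_suffix` supplies the correct suffix. In the `aws_kms_key` resource, `policy = join("", data.aws_iam_policy_document.kms.*.json)` applies a splat to a single data source without `count`; `policy = data.aws_iam_policy_document.kms.json` is the idiomatic form. The header comment "frees any cloud watch log group from vulnerabilities" overstates the file; a comment such as `# KMS key for encrypting one CloudWatch Logs log group at rest: account root gets key administration, and the regional logs service principal may use the key only when the encryption context names var.log_group_name.` describes the actual contract.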
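Review bot: `variable "tags"` has no `description`, which is why the generated README lists it as `n/a`; add `description = "Tags applied to the KMS key"`. `log_group_name` defaults to `"log-group-default"`, but the key policy in main.tf only lets CloudWatch Logs use the key when the encryption context names exactly that log group, so a caller who omits the argument gets a key that is unusable for their real log group and the mistake surfaces only as an access error at apply or runtime; dropping the default and making the input required turns that into a plan-time error. The eks module in this commit passes the name explicitly, so that change is safe for the one caller here.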