Merge pull request #8 from geekcell/ephemeral-storage

feat: Add managed storage encryption

Author: Ic3w0lf

README.md

@@ -45,7 +45,9 @@ performance and health.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_enable_container_insights"></a> [enable\_container\_insights](#input\_enable\_container\_insights) | Enable CloudWatch Container Insights for the cluster. | `bool` | `true` | no |
+| <a name="input_encrypt_ephemeral_storage"></a> [encrypt\_ephemeral\_storage](#input\_encrypt\_ephemeral\_storage) | Encrypt the ECS ephemeral storage for the cluster. | `bool` | `false` | no |
 | <a name="input_encrypt_execute_command_session"></a> [encrypt\_execute\_command\_session](#input\_encrypt\_execute\_command\_session) | Encrypt execute command session for the cluster. | `bool` | `false` | no |
+| <a name="input_encrypt_managed_storage"></a> [encrypt\_managed\_storage](#input\_encrypt\_managed\_storage) | Encrypt the ECS managed storage for the cluster. | `bool` | `false` | no |
 | <a name="input_logging_execute_command_session"></a> [logging\_execute\_command\_session](#input\_logging\_execute\_command\_session) | Log execute command session for the cluster. | `string` | `"DEFAULT"` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name of the ECS cluster. | `string` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to add to the ECS cluster. | `map(any)` | `{}` | no |
@@ -63,13 +65,15 @@ performance and health.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.36 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.59 |
 
 ## Resources
 
-- resource.aws_cloudwatch_log_group.container_insights (main.tf#62)
-- resource.aws_cloudwatch_log_group.main (main.tf#55)
+- resource.aws_cloudwatch_log_group.container_insights (main.tf#80)
+- resource.aws_cloudwatch_log_group.main (main.tf#73)
 - resource.aws_ecs_cluster.main (main.tf#10)
+- data source.aws_caller_identity.current (main.tf#100)
+- data source.aws_iam_policy_document.kms_ephemeral (main.tf#101)
 
 # Examples
 ### Basic Example

main.tf

@@ -20,22 +20,40 @@ resource "aws_ecs_cluster" "main" {
   }
 
   dynamic "configuration" {
-    for_each = var.encrypt_execute_command_session || var.logging_execute_command_session != "DEFAULT" ? [true] : []
+    for_each = (
+      var.encrypt_execute_command_session ||
+      var.logging_execute_command_session != "DEFAULT" ||
+      var.encrypt_ephemeral_storage ||
+      var.encrypt_managed_storage
+    ) ? [true] : []
 
     content {
-      execute_command_configuration {
-        kms_key_id = var.encrypt_execute_command_session ? module.kms[0].key_id : null
-        logging    = var.logging_execute_command_session
+      dynamic "execute_command_configuration" {
+        for_each = var.encrypt_execute_command_session || var.logging_execute_command_session != "DEFAULT" ? [true] : []
 
-        dynamic "log_configuration" {
-          for_each = var.logging_execute_command_session == "OVERRIDE" ? [true] : []
+        content {
+          kms_key_id = var.encrypt_execute_command_session ? module.kms[0].key_id : null
+          logging    = var.logging_execute_command_session
 
-          content {
-            cloud_watch_encryption_enabled = false
-            cloud_watch_log_group_name     = aws_cloudwatch_log_group.main[0].name
+          dynamic "log_configuration" {
+            for_each = var.logging_execute_command_session == "OVERRIDE" ? [true] : []
+
+            content {
+              cloud_watch_encryption_enabled = false
+              cloud_watch_log_group_name     = aws_cloudwatch_log_group.main[0].name
+            }
           }
         }
       }
+
+      dynamic "managed_storage_configuration" {
+        for_each = var.encrypt_ephemeral_storage || var.encrypt_managed_storage ? [true] : []
+
+        content {
+          kms_key_id                           = var.encrypt_managed_storage ? module.kms[0].key_id : null
+          fargate_ephemeral_storage_kms_key_id = var.encrypt_ephemeral_storage ? module.kms_ephemeral[0].key_id : null
+        }
+      }
     }
   }
 
@@ -67,3 +85,87 @@ resource "aws_cloudwatch_log_group" "container_insights" {
 
   tags = var.tags
 }
+
+module "kms_ephemeral" {
+  count = var.encrypt_ephemeral_storage || var.encrypt_managed_storage ? 1 : 0
+
+  source  = "geekcell/kms/aws"
+  version = ">= 1.0.0, < 2.0.0"
+  policy  = data.aws_iam_policy_document.kms_ephemeral[0].json
+
+  alias = "ecs/cluster/${var.name}/managed-storage"
+  tags  = var.tags
+}
+
+data "aws_caller_identity" "current" {}
+data "aws_iam_policy_document" "kms_ephemeral" {
+  count = var.encrypt_ephemeral_storage || var.encrypt_managed_storage ? 1 : 0
+
+  statement {
+    sid       = "Enable IAM User Permissions."
+    effect    = "Allow"
+    actions   = ["kms:*"]
+    resources = ["*"]
+
+    principals {
+      identifiers = ["*"]
+      type        = "AWS"
+    }
+  }
+
+  statement {
+    sid     = "Allow generate data key access for Fargate tasks."
+    effect  = "Allow"
+    actions = ["kms:GenerateDataKeyWithoutPlaintext"]
+
+    principals {
+      identifiers = ["fargate.amazonaws.com"]
+      type        = "Service"
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "kms:EncryptionContext:aws:ecs:clusterAccount"
+      values   = [data.aws_caller_identity.current.account_id]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "kms:EncryptionContext:aws:ecs:clusterName"
+      values   = [var.name]
+    }
+
+    resources = ["*"]
+  }
+
+  statement {
+    sid     = "Allow grant creation permission for Fargate tasks."
+    effect  = "Allow"
+    actions = ["kms:CreateGrant"]
+
+    principals {
+      identifiers = ["fargate.amazonaws.com"]
+      type        = "Service"
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "kms:EncryptionContext:aws:ecs:clusterAccount"
+      values   = [data.aws_caller_identity.current.account_id]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "kms:EncryptionContext:aws:ecs:clusterName"
+      values   = [var.name]
+    }
+
+    condition {
+      test     = "ForAllValues:StringEquals"
+      variable = "kms:GrantOperations"
+      values   = ["Decrypt"]
+    }
+
+    resources = ["*"]
+  }
+}

variables.tf

@@ -23,6 +23,18 @@ variable "encrypt_execute_command_session" {
   type        = bool
 }
 
+variable "encrypt_ephemeral_storage" {
+  description = "Encrypt the ECS ephemeral storage for the cluster."
+  default     = false
+  type        = bool
+}
+
+variable "encrypt_managed_storage" {
+  description = "Encrypt the ECS managed storage for the cluster."
+  default     = false
+  type        = bool
+}
+
 variable "logging_execute_command_session" {
   description = "Log execute command session for the cluster."
   default     = "DEFAULT"

versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.36"
+      version = ">= 5.59"
     }
   }
 }