adds support for injection of secrets from ssm parameter store (#34)

jritsema · web-flow · commit 116942d13017 · 2019-09-30T13:36:23.000-04:00
diff --git a/README.md b/README.md
@@ -39,7 +39,8 @@ that is needed.
 | [autoscale-perf.tf][edap] | Performance-based auto scaling | Yes |
 | [autoscale-time.tf][edat] | Time-based auto scaling | Yes |
 | [logs-logzio.tf][edll] | Ship container logs to logz.io | Yes |
-| [secretsmanager.tf][edsm] | Add a base secret to Secretsmanager | Yes |
+| [secretsmanager.tf][edsm] | Add a Secrets Manager secret with a CMK KMS key. Also gives app role and ECS task definition role access to read secrets from Secrets Manager | Yes |
+| [ssm-parameters.tf][ssm] | Add a CMK KMS key for use with SSM Parameter Store. Also gives ECS task definition role access to read secrets from parameter store. | Yes |
 | [ecs-event-stream.tf][ees] | Add an ECS event log dashboard | Yes |
 
 
@@ -136,6 +137,7 @@ $ fargate-create -f terraform.tfvars
 [edat]: ./env/dev/autoscale-time.tf
 [edll]: ./env/dev/logs-logzio.tf
 [edsm]: ./env/dev/secretsmanager.tf
+[ssm]: ./env/dev/ssm-parameters.tf
 [ees]: ./env/dev/ecs-event-stream.tf
 [base]: ./base/README.md
 [env-dev]: ./env/dev/README.md
diff --git a/env/dev/README.md b/env/dev/README.md
@@ -20,7 +20,9 @@ The optional components can be removed by simply deleting the `.tf` file.
 | [autoscale-perf.tf][edap] | Performance-based auto scaling | Yes |
 | [autoscale-time.tf][edat] | Time-based auto scaling | Yes |
 | [logs-logzio.tf][edll] | Ship container logs to logz.io | Yes |
-| [secretsmanager.tf][edsm] | Add a base secret to Secretsmanager | Yes |
+| [secretsmanager.tf][edsm] | Add a Secrets Manager secret with a CMK KMS key. Also gives app role and ECS task definition role access to read secrets from Secrets Manager | Yes |
+| [ssm-parameters.tf][ssm] | Add a CMK KMS key for use with SSM Parameter Store. Also gives ECS task definition role access to read secrets from parameter store. | Yes |
+
 
 
 ## Usage
@@ -103,3 +105,4 @@ $ terraform apply
 [edsm]: secretsmanager.tf
 [alb-docs]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html
 [up]: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html
+[ssm]: ssm-parameters.tf
diff --git a/env/dev/fargate-create.yml b/env/dev/fargate-create.yml
@@ -30,11 +30,16 @@ prompts:
       - "logs-logzio.tf"      
       - "logs-logzio.zip"
 
-  - question: "Would you like an integrated Secrets Manager secret?"
+  - question: "Would you like to use Secrets Manager for secrets?"
     default: "no"
     filesToDeleteIfNo:
       - "secretsmanager.tf"
 
+  - question: "Would you like to use SSM Parameter Store for secrets?"
+    default: "no"
+    filesToDeleteIfNo:
+      - "ssm-parameters.tf"
+
   - question: "Would you like an ECS event log dashboard?"
     default: "yes"
     filesToDeleteIfNo:
diff --git a/env/dev/ssm-parameters.tf b/env/dev/ssm-parameters.tf
@@ -0,0 +1,201 @@
+locals {
+  # KMS write actions
+  kms_write_actions = [
+    "kms:CancelKeyDeletion",
+    "kms:CreateAlias",
+    "kms:CreateGrant",
+    "kms:CreateKey",
+    "kms:DeleteAlias",
+    "kms:DeleteImportedKeyMaterial",
+    "kms:DisableKey",
+    "kms:DisableKeyRotation",
+    "kms:EnableKey",
+    "kms:EnableKeyRotation",
+    "kms:Encrypt",
+    "kms:GenerateDataKey",
+    "kms:GenerateDataKeyWithoutPlaintext",
+    "kms:GenerateRandom",
+    "kms:GetKeyPolicy",
+    "kms:GetKeyRotationStatus",
+    "kms:GetParametersForImport",
+    "kms:ImportKeyMaterial",
+    "kms:PutKeyPolicy",
+    "kms:ReEncryptFrom",
+    "kms:ReEncryptTo",
+    "kms:RetireGrant",
+    "kms:RevokeGrant",
+    "kms:ScheduleKeyDeletion",
+    "kms:TagResource",
+    "kms:UntagResource",
+    "kms:UpdateAlias",
+    "kms:UpdateKeyDescription",
+  ]
+
+  # KMS read actions
+  kms_read_actions = [
+    "kms:Decrypt",
+    "kms:DescribeKey",
+    "kms:List*",
+  ]
+
+  # list of saml users for policies
+  saml_user_ids = flatten([
+    data.aws_caller_identity.current.user_id,
+    data.aws_caller_identity.current.account_id,
+    formatlist(
+      "%s:%s",
+      data.aws_iam_role.saml_role_ssm.unique_id,
+      var.secrets_saml_users,
+    ),
+  ])
+
+  # list of role users and saml users for policies
+  role_and_saml_ids = flatten([
+    "${aws_iam_role.ecsTaskExecutionRole.unique_id}:*",
+    local.saml_user_ids,
+  ])
+
+  sm_arn = "arn:aws:secretsmanager:${var.region}:${data.aws_caller_identity.current.account_id}:secret:${var.app}-${var.environment}-??????"
+}
+
+# get the saml user info so we can get the unique_id
+data "aws_iam_role" "saml_role_ssm" {
+  name = var.saml_role
+}
+
+# The users (email addresses) from the saml role to give access
+# case sensitive
+variable "secrets_saml_users" {
+  type = list(string)
+}
+
+# kms key used to encrypt ssm parameters
+resource "aws_kms_key" "ssm" {
+  description             = "ssm parameters key for ${var.app}-${var.environment}"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+  tags                    = var.tags
+  policy                  = data.aws_iam_policy_document.ssm.json
+}
+
+resource "aws_kms_alias" "ssm" {
+  name          = "alias/${var.app}-${var.environment}"
+  target_key_id = "${aws_kms_key.ssm.id}"
+}
+
+data "aws_iam_policy_document" "ssm" {
+  statement {
+    sid    = "DenyWriteToAllExceptSAMLUsers"
+    effect = "Deny"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions   = local.kms_write_actions
+    resources = ["*"]
+
+    condition {
+      test     = "StringNotLike"
+      variable = "aws:userId"
+      values   = local.saml_user_ids
+    }
+  }
+
+  statement {
+    sid    = "DenyReadToAllExceptRoleAndSAMLUsers"
+    effect = "Deny"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions   = local.kms_read_actions
+    resources = ["*"]
+
+    condition {
+      test     = "StringNotLike"
+      variable = "aws:userId"
+      values   = local.role_and_saml_ids
+    }
+  }
+
+  statement {
+    sid    = "AllowWriteToSAMLUsers"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions   = local.kms_write_actions
+    resources = ["*"]
+
+    condition {
+      test     = "StringLike"
+      variable = "aws:userId"
+      values   = local.saml_user_ids
+    }
+  }
+
+  statement {
+    sid    = "AllowReadRoleAndSAMLUsers"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions   = local.kms_read_actions
+    resources = ["*"]
+
+    condition {
+      test     = "StringLike"
+      variable = "aws:userId"
+      values   = local.role_and_saml_ids
+    }
+  }
+}
+
+# allow ecs task execution role to read this app's parameters
+resource "aws_iam_policy" "ecsTaskExecutionRole_ssm" {
+  name        = "${var.app}-${var.environment}-ecs-ssm"
+  path        = "/"
+  description = "allow ecs task execution role to read this app's parameters"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ssm:GetParameters"
+      ],
+      "Resource": "arn:aws:ssm:${var.region}:${data.aws_caller_identity.current.account_id}:parameter/${var.app}/${var.environment}/*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "ecsTaskExecutionRole_ssm" {
+  role       = aws_iam_role.ecsTaskExecutionRole.name
+  policy_arn = aws_iam_policy.ecsTaskExecutionRole_ssm.arn
+}
+
+output "ssm_add_secret" {
+  value = "aws ssm put-parameter --overwrite --type \"SecureString\" --key-id \"${aws_kms_alias.ssm.name}\" --name \"/${var.app}/${var.environment}/PASSWORD\" --value \"password\""
+}
+
+output "ssm_add_secret_ref" {
+  value = "fargate service env set --secret PASSWORD=/${var.app}/${var.environment}/PASSWORD"
+}
+
+output "ssm_key_id" {
+  value = aws_kms_key.ssm.key_id
+}
