diff --git a/infrastructure/environments/dev/main.tf b/infrastructure/environments/dev/main.tf
index c45a5b1..99c4850 100644
--- a/infrastructure/environments/dev/main.tf
+++ b/infrastructure/environments/dev/main.tf
@@ -13,7 +13,7 @@ module "glue" {
 # =====================================================================================
 # DELETE THIS AND UNCOMMENT THE FOLLOWING LINE TO ENABLE SSE-KMS ENCRYPTION IN S3.
 # =====================================================================================
- # s3_encryption_key_arn = module.core.s3_encryption_key_arn
+ # s3_data_encryption_key_arn = module.core.s3_data_encryption_key_arn
 glue_assets_bucket_name = var.glue_assets_bucket_name
 glue_scripts_bucket_name = var.glue_scripts_bucket_name
 }
@@ -26,7 +26,7 @@ module "athena" {
 # =====================================================================================
 # DELETE THIS AND UNCOMMENT THE FOLLOWING LINE TO ENABLE SSE-KMS ENCRYPTION IN S3.
 # =====================================================================================
- s3_encryption_key_arn = module.core.s3_encryption_key_arn
- data_bucket_id = module.core.data_bucket_id
- silver_database_name = module.glue.silver_database_name
+ # s3_data_encryption_key_arn = module.core.s3_data_encryption_key_arn
+ data_bucket_id = module.core.data_bucket_id
+ silver_database_name = module.glue.silver_database_name
 }
diff --git a/infrastructure/environments/prod/main.tf b/infrastructure/environments/prod/main.tf
index 2542699..99c4850 100644
--- a/infrastructure/environments/prod/main.tf
+++ b/infrastructure/environments/prod/main.tf
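Review bot: In the `module "athena"` hunk the `s3_encryption_key_arn` wiring was live in dev and is now a commented-out line under a "DELETE THIS AND UNCOMMENT" banner, so whether query results use a customer-managed key depends on someone editing comments in four environment files, and no `plan` will notice when that is forgotten. A boolean input such as `enable_sse_kms = var.enable_sse_kms` passed to the glue and athena modules, with the KMS key and SSE resources gated on `count = var.enable_sse_kms ? 1 : 0`, keeps the opt-in explicit in each environment's tfvars and reviewable in a diff. Both `module` blocks in this file begin before their hunks.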
@@ -13,7 +13,7 @@ module "glue" {
 # =====================================================================================
 # DELETE THIS AND UNCOMMENT THE FOLLOWING LINE TO ENABLE SSE-KMS ENCRYPTION IN S3.
 # =====================================================================================
- # s3_encryption_key_arn = module.core.s3_encryption_key_arn
+ # s3_data_encryption_key_arn = module.core.s3_data_encryption_key_arn
 glue_assets_bucket_name = var.glue_assets_bucket_name
 glue_scripts_bucket_name = var.glue_scripts_bucket_name
 }
@@ -23,6 +23,10 @@ module "athena" {
 environment = var.environment
 athena_query_results_bucket_name = var.athena_query_results_bucket_name
- data_bucket_id = module.core.data_bucket_id
- silver_database_name = module.glue.silver_database_name
+ # =====================================================================================
+ # DELETE THIS AND UNCOMMENT THE FOLLOWING LINE TO ENABLE SSE-KMS ENCRYPTION IN S3.
+ # =====================================================================================
+ # s3_data_encryption_key_arn = module.core.s3_data_encryption_key_arn
+ data_bucket_id = module.core.data_bucket_id
+ silver_database_name = module.glue.silver_database_name
 }
diff --git a/infrastructure/environments/qa/main.tf b/infrastructure/environments/qa/main.tf
index 2542699..99c4850 100644
--- a/infrastructure/environments/qa/main.tf
+++ b/infrastructure/environments/qa/main.tf
@@ -13,7 +13,7 @@ module "glue" {
 # =====================================================================================
 # DELETE THIS AND UNCOMMENT THE FOLLOWING LINE TO ENABLE SSE-KMS ENCRYPTION IN S3.
 # =====================================================================================
- # s3_encryption_key_arn = module.core.s3_encryption_key_arn
+ # s3_data_encryption_key_arn = module.core.s3_data_encryption_key_arn
 glue_assets_bucket_name = var.glue_assets_bucket_name
 glue_scripts_bucket_name = var.glue_scripts_bucket_name
 }
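Review bot: After the prod `module "athena"` hunk this file has the same blob as dev (`index 2542699..99c4850`, matching dev's `c45a5b1..99c4850`), so production inherits the "avoid extra costs in the blueprint validation accounts" default and its data and query-results buckets fall back to SSE-S3 with no customer-managed key. Cost in throwaway validation accounts is not a reason for prod to lose the CMK; at minimum prod should keep `s3_data_encryption_key_arn = module.core.s3_data_encryption_key_arn` active (with the core key and output enabled), or the toggle should be a variable that prod's tfvars sets to true. The `module "athena"` block starts before this hunk.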
@@ -23,6 +23,10 @@ module "athena" {
 environment = var.environment
 athena_query_results_bucket_name = var.athena_query_results_bucket_name
- data_bucket_id = module.core.data_bucket_id
- silver_database_name = module.glue.silver_database_name
+ # =====================================================================================
+ # DELETE THIS AND UNCOMMENT THE FOLLOWING LINE TO ENABLE SSE-KMS ENCRYPTION IN S3.
+ # =====================================================================================
+ # s3_data_encryption_key_arn = module.core.s3_data_encryption_key_arn
+ data_bucket_id = module.core.data_bucket_id
+ silver_database_name = module.glue.silver_database_name
 }
diff --git a/infrastructure/environments/staging/main.tf b/infrastructure/environments/staging/main.tf
index 2542699..99c4850 100644
--- a/infrastructure/environments/staging/main.tf
+++ b/infrastructure/environments/staging/main.tf
@@ -13,7 +13,7 @@ module "glue" {
 # =====================================================================================
 # DELETE THIS AND UNCOMMENT THE FOLLOWING LINE TO ENABLE SSE-KMS ENCRYPTION IN S3.
 # =====================================================================================
- # s3_encryption_key_arn = module.core.s3_encryption_key_arn
+ # s3_data_encryption_key_arn = module.core.s3_data_encryption_key_arn
 glue_assets_bucket_name = var.glue_assets_bucket_name
 glue_scripts_bucket_name = var.glue_scripts_bucket_name
 }
@@ -23,6 +23,10 @@ module "athena" {
 environment = var.environment
 athena_query_results_bucket_name = var.athena_query_results_bucket_name
- data_bucket_id = module.core.data_bucket_id
- silver_database_name = module.glue.silver_database_name
+ # =====================================================================================
+ # DELETE THIS AND UNCOMMENT THE FOLLOWING LINE TO ENABLE SSE-KMS ENCRYPTION IN S3.
+ # =====================================================================================
+ # s3_data_encryption_key_arn = module.core.s3_data_encryption_key_arn
+ data_bucket_id = module.core.data_bucket_id
+ silver_database_name = module.glue.silver_database_name
 }
diff --git a/infrastructure/modules/athena/data.tf b/infrastructure/modules/athena/data.tf
index 8b092e9..2ef69e9 100644
--- a/infrastructure/modules/athena/data.tf
+++ b/infrastructure/modules/athena/data.tf
@@ -21,6 +21,21 @@ data "aws_iam_policy_document" "athena_query_results_management" {
 "*"
 ]
 }
+ # =====================================================================================
+ # DELETE THIS AND UNCOMMENT THE FOLLOWING STATEMENT TO ENABLE SSE-KMS ENCRYPTION IN
+ # ATHENA AND S3.
+ # =====================================================================================
+ # statement {
+ # effect = "Allow"
+ # actions = [
+ # "kms:Decrypt",
+ # "kms:GenerateDataKey"
+ # ]
+ # resources = [
+ # aws_kms_key.athena_query_results.arn,
+ # var.s3_data_encryption_key_arn
+ # ]
+ # }
 statement {
 effect = "Allow"
 actions = [
diff --git a/infrastructure/modules/athena/kms.tf b/infrastructure/modules/athena/kms.tf
new file mode 100644
index 0000000..8533a93
--- /dev/null
+++ b/infrastructure/modules/athena/kms.tf
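Review bot: In the athena/data.tf hunk the KMS grant is commented out independently of the SSE rule in s3.tf and the key in kms.tf, so the enable steps can be applied partially: uncommenting the bucket encryption without this statement passes `plan`, but the role then cannot call `kms:GenerateDataKey` on the bucket key and query writes fail only at run time with a KMS AccessDenied. Gating all three on one boolean — `count = var.enable_sse_kms ? 1 : 0` on the key and SSE resource, and a `dynamic "statement" { for_each = var.enable_sse_kms ? [1] : [] ... }` here — keeps them in lock-step. Scoping the two actions to the two key ARNs is right; a `kms:ViaService` condition limited to S3 in the region would narrow it further, but confirm first that Athena's KMS calls for this bucket actually arrive via S3. The policy document starts before this hunk and the following `statement` continues past it.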
@@ -0,0 +1,18 @@
+# This KMS key is used to implement SSE-KMS for Athena query results, improving the
+# encryption at rest standards (https://docs.aws.amazon.com/athena/latest/ug/encryption.html
+# for details). It is intended to be manually configured for the `primary` Athena
+# Workgroup for now given we are not yet managing Workgroups through Terraform.
+# =======================================================================================
+# KMS KEYS ARE NOT CREATED BY DEFAULT TO AVOID EXTRA COSTS IN THE BLUEPRINT VALIDATION
+# ACCOUNTS. DELETE THE LINES DELIMITED BY `# =...=` AND UNCOMMENT THE FOLLOWING RESOURCES
+# TO CREATE/ENABLE THEM.
+# =======================================================================================
+# resource "aws_kms_key" "athena_query_results" {
+# description = "Protects Athena query results tackled by the AWS Glue CI/CD Blueprint"
+# enable_key_rotation = true
+# }
+
+# resource "aws_kms_alias" "athena_query_results" {
+# name = "alias/glue-ci-cd-blueprint/athena-query-results-${var.environment}"
+# target_key_id = aws_kms_key.athena_query_results.key_id
+# }
diff --git a/infrastructure/modules/athena/s3.tf b/infrastructure/modules/athena/s3.tf
index 6e9cb16..e8070ae 100644
--- a/infrastructure/modules/athena/s3.tf
+++ b/infrastructure/modules/athena/s3.tf
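Review bot: The header says this key is to be configured by hand on the `primary` workgroup; with that step outside Terraform nothing keeps query results on SSE-KMS, and unless the workgroup also enforces its configuration a client can override the result encryption per query. Managing the workgroup in Terraform with `enforce_workgroup_configuration = true` closes that gap and removes the manual step; a sketch is below (it assumes the key resource is uncommented, and the pre-existing `primary` workgroup would have to be imported rather than created). The key also has no `policy`, so it gets the default key policy that delegates access to IAM principals in the account, and no `deletion_window_in_days`, so the 30-day default applies — both worth stating explicitly next to `enable_key_rotation` so the choice is visible.
```hcl
resource "aws_athena_workgroup" "primary" {
  name = "primary"

  configuration {
    enforce_workgroup_configuration = true

    result_configuration {
      output_location = "s3://${aws_s3_bucket.athena_query_results.id}/"

      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn       = aws_kms_key.athena_query_results.arn
      }
    }
  }
}
```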
@@ -2,19 +2,6 @@ resource "aws_s3_bucket" "athena_query_results" {
 bucket = "${var.athena_query_results_bucket_name}-${var.environment}"
 }
-# =======================================================================================
-# THE KMS KEY IS NOT CREATED BY DEFAULT. PLEASE REFER TO `kms.tf` FOR DETAILS.
-# =======================================================================================
-resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
- bucket = aws_s3_bucket.athena_query_results.id
- rule {
- apply_server_side_encryption_by_default {
- kms_master_key_id = var.s3_encryption_key_arn
- sse_algorithm = "aws:kms"
- }
- }
-}
-
 resource "aws_s3_bucket_lifecycle_configuration" "athena_query_results" {
 bucket = aws_s3_bucket.athena_query_results.id
 rule {
@@ -25,3 +12,17 @@ resource "aws_s3_bucket_lifecycle_configuration" "athena_query_results" {
 }
 }
 }
+
+# =======================================================================================
+# DELETE THIS AND UNCOMMENT THE FOLLOWING RESOURCE TO ENABLE SSE-KMS ENCRYPTION IN S3.
+# =======================================================================================
+# resource "aws_s3_bucket_server_side_encryption_configuration" "athena_query_results" {
+# bucket = aws_s3_bucket.athena_query_results.id
+
+# rule {
+# apply_server_side_encryption_by_default {
+# kms_master_key_id = var.s3_data_encryption_key_arn
+# sse_algorithm = "aws:kms"
+# }
+# }
+# }
diff --git a/infrastructure/modules/athena/variables.tf b/infrastructure/modules/athena/variables.tf
index c556352..0ddf3d4 100644
--- a/infrastructure/modules/athena/variables.tf
+++ b/infrastructure/modules/athena/variables.tf
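Review bot: Dropping `aws_s3_bucket_server_side_encryption_configuration.data` from the first hunk means the next `apply` destroys it, which resets the query-results bucket's default encryption: new result objects are written as SSE-S3, while objects already there stay encrypted under whatever key was in force — in dev the core CMK (environments/dev/main.tf passed it), in the other environments apparently the AWS-managed `aws/s3` key, since their athena modules never set the variable and it defaulted to `""`. Those older objects remain readable only while that key exists, so this should be recorded where the next person will see it, e.g. `# NOTE: result objects written before this change stay encrypted under the previous key; do not delete it.` above the new commented block, and the retention rule in the lifecycle configuration should be checked against them. The lifecycle resource's body runs outside this hunk.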
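Review bot: The commented-out SSE-KMS rule in the second hunk has no `bucket_key_enabled`, yet the stated reason for shipping encryption disabled is KMS cost; S3 Bucket Keys cut the per-object KMS requests substantially, so adding `bucket_key_enabled = true` inside `rule {` means re-enabling encryption does not bring back the cost it was disabled to avoid. With that in place the cost argument for leaving prod on SSE-S3 largely goes away.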
@@ -13,11 +13,11 @@ variable "athena_query_results_bucket_name" {
 # =======================================================================================
 # DELETE THIS AND UNCOMMENT THE FOLLOWING VARIABLE TO ENABLE SSE-KMS ENCRYPTION IN S3.
 # =======================================================================================
-variable "s3_encryption_key_arn" {
- description = "ARN of the KMS key that protects S3 objects tackled by the AWS Glue CI/CD Blueprint."
- type = string
- default = ""
-}
+# variable "s3_data_encryption_key_arn" {
+# description = "ARN of the KMS key that protects data tackled by the AWS Glue CI/CD Blueprint and stored in S3."
+# type = string
+# default = ""
+# }
 variable "data_bucket_id" {
 description = "ID of the S3 bucket used to store data."
diff --git a/infrastructure/modules/core/kms.tf b/infrastructure/modules/core/kms.tf
index 87f3289..d5cb3cc 100644
--- a/infrastructure/modules/core/kms.tf
+++ b/infrastructure/modules/core/kms.tf
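Review bot: `default = ""` together with `sse_algorithm = "aws:kms"` in s3.tf means a caller that enables the SSE resource but forgets to pass the key appears to get SSE-KMS under the AWS-managed `aws/s3` key instead of the blueprint's CMK, and `plan` says nothing — which looks like the state prod, qa and staging were in before this change, since their athena modules never set the variable. Either drop the default so the root module must supply an ARN, or keep it and add a `validation` block with `condition = var.s3_data_encryption_key_arn == "" || can(regex("^arn:aws[a-z-]*:kms:", var.s3_data_encryption_key_arn))` and an error message saying an explicit CMK ARN is required when SSE-KMS is enabled. The `variable "data_bucket_id"` block continues past this hunk.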
@@ -1,22 +1,21 @@
-# This KMS key is used to implement SSE-KMS encryption in S3.
+# This KMS key is used to implement SSE-KMS in S3.
 #
-# Since January, 2023, AWS applies server-side encryption with Amazon S3 managed keys
-# (SSE-S3) as the base level of encryption for every bucket in S3. However, users can
-# choose to configure buckets to use server-side encryption with AWS Key Management
+# Since January, 2023, AWS applies server-side encryption (SSE) with Amazon S3 managed
+# keys (SSE-S3) as the base level of encryption for every bucket in S3. However, users
+# can choose to configure buckets to use server-side encryption with AWS Key Management
 # Service keys (SSE-KMS) instead. Please refer to
-# https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html for further
-# details.
+# https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html for details.
 # =======================================================================================
-# THE KMS KEY IS NOT CREATED BY DEFAULT TO AVOID EXTRA COSTS IN THE BLUEPRINT VALIDATION
+# KMS KEYS ARE NOT CREATED BY DEFAULT TO AVOID EXTRA COSTS IN THE BLUEPRINT VALIDATION
 # ACCOUNTS. DELETE THE LINES DELIMITED BY `# =...=` AND UNCOMMENT THE FOLLOWING RESOURCES
-# TO CREATE/ENABLE IT.
+# TO CREATE/ENABLE THEM.
 # =======================================================================================
-resource "aws_kms_key" "s3" {
- description = "This key protects S3 objects tackled by the AWS Glue CI/CD Blueprint"
- enable_key_rotation = true
-}
+# resource "aws_kms_key" "s3_data" {
+# description = "Protects data tackled by the AWS Glue CI/CD Blueprint and stored in S3"
+# enable_key_rotation = true
+# }
-resource "aws_kms_alias" "s3" {
- name = "alias/glue-ci-cd-blueprint/s3-${var.environment}"
- target_key_id = aws_kms_key.s3.key_id
-}
+# resource "aws_kms_alias" "s3_data" {
+# name = "alias/glue-ci-cd-blueprint/s3-data-${var.environment}"
+# target_key_id = aws_kms_key.s3_data.key_id
+# }
diff --git a/infrastructure/modules/core/outputs.tf b/infrastructure/modules/core/outputs.tf
index 980ef49..f166f54 100644
--- a/infrastructure/modules/core/outputs.tf
+++ b/infrastructure/modules/core/outputs.tf
@@ -3,8 +3,8 @@ output "data_bucket_id" {
 }
 # =======================================================================================
-# THE KMS KEY IS NOT CREATED BY DEFAULT. PLEASE REFER TO `kms.tf` FOR DETAILS.
+# KMS KEYS ARE NOT CREATED BY DEFAULT. PLEASE REFER TO `kms.tf` FOR DETAILS.
 # =======================================================================================
-output "s3_encryption_key_arn" {
- value = aws_kms_key.s3.arn
-}
+# output "s3_data_encryption_key_arn" {
+# value = aws_kms_key.s3_data.arn
+# }
diff --git a/infrastructure/modules/core/s3.tf b/infrastructure/modules/core/s3.tf
index d0f5e37..df6f9c2 100644
--- a/infrastructure/modules/core/s3.tf
+++ b/infrastructure/modules/core/s3.tf
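Review bot: Commenting out `aws_kms_key.s3` and `aws_kms_alias.s3` makes the next `apply` destroy them in every environment, and destroying a KMS key schedules it for deletion after the default 30-day window; once that lapses, every object still encrypted under it — dev's Athena query results per environments/dev/main.tf, and anything in the data bucket if its SSE block was ever enabled — is unrecoverable. The key should leave state without being destroyed: run `terraform state rm module.core.aws_kms_key.s3 module.core.aws_kms_alias.s3` before applying, or on Terraform 1.7+ add a `removed` block for each with `lifecycle { destroy = false }`; either way record the retained key ID in the commit message so it can be found later. When the resource is re-enabled, an explicit `deletion_window_in_days = 30` and `lifecycle { prevent_destroy = true }` would document that this key must never be casually removed.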
@@ -3,14 +3,14 @@ resource "aws_s3_bucket" "data" {
 }
 # =======================================================================================
-# THE KMS KEY IS NOT CREATED BY DEFAULT. PLEASE REFER TO `kms.tf` FOR DETAILS.
+# KMS KEYS ARE NOT CREATED BY DEFAULT. PLEASE REFER TO `kms.tf` FOR DETAILS.
 # =======================================================================================
 # resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
 # bucket = aws_s3_bucket.data.id
-#
+
 # rule {
 # apply_server_side_encryption_by_default {
-# kms_master_key_id = aws_kms_key.s3.arn
+# kms_master_key_id = aws_kms_key.s3_data.arn
 # sse_algorithm = "aws:kms"
 # }
 # }
diff --git a/infrastructure/modules/glue/data.tf b/infrastructure/modules/glue/data.tf
index ca92c69..0d9aca7 100644
--- a/infrastructure/modules/glue/data.tf
+++ b/infrastructure/modules/glue/data.tf
@@ -13,7 +13,7 @@ data "aws_iam_policy_document" "glue_service_custom" {
 # "kms:GenerateDataKey"
 # ]
 # resources = [
- # var.s3_encryption_key_arn
+ # var.s3_data_encryption_key_arn
 # ]
 # }
 statement {
diff --git a/infrastructure/modules/glue/variables.tf b/infrastructure/modules/glue/variables.tf
index d202e61..86b9ad0 100644
--- a/infrastructure/modules/glue/variables.tf
+++ b/infrastructure/modules/glue/variables.tf
@@ -13,8 +13,8 @@ variable "data_bucket_id" {
 # =======================================================================================
 # DELETE THIS AND UNCOMMENT THE FOLLOWING VARIABLE TO ENABLE SSE-KMS ENCRYPTION IN S3.
 # =======================================================================================
-# variable "s3_encryption_key_arn" {
-# description = "ARN of the KMS key that protects S3 objects tackled by the AWS Glue CI/CD Blueprint."
+# variable "s3_data_encryption_key_arn" {
+# description = "ARN of the KMS key that protects data tackled by the AWS Glue CI/CD Blueprint and stored in S3."
 # type = string
 # default = ""
 # }