From b5f96747b2a24ad4be938c06507ea214bd172eeb Mon Sep 17 00:00:00 2001
From: Oscar Mendoza <139177627+oscarmendoza123@users.noreply.github.com>
Date: Wed, 23 Aug 2023 11:45:27 -0500
Subject: [PATCH 1/6] KMS policy to accept customer managed KMS keys

Currently the policy doesn't not work with customer managed KMS keys even through the module accepts them. This ill be a no-op for existing users but will allow users with their own KMS keys to be able to use this module.
---
 data.tf | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/data.tf b/data.tf
index 8d0e323..bbfb9c0 100644
--- a/data.tf
+++ b/data.tf
@@ -129,6 +129,54 @@ data "aws_iam_policy_document" "mwaa" {
 }
 }
+ dynamic "statement" {
+ for_each = var.kms_key != null ? [] : [1]
+ content {
+ effect = "Allow"
+ actions = [
+ "kms:Decrypt",
+ "kms:DescribeKey",
+ "kms:GenerateDataKey*",
+ "kms:Encrypt"
+ ]
+ not_resources = [
+ "arn:${data.aws_partition.current.id}:kms:*:${data.aws_caller_identity.current.account_id}:key/*"
+ ]
+ condition {
+ test = "StringLike"
+ variable = "kms:ViaService"
+
+ values = [
+ "sqs.${data.aws_region.current.name}.amazonaws.com"
+ ]
+ }
+ }
+ }
+
+ dynamic "statement" {
+ for_each = var.kms_key != null ? [1] : []
+ content {
+ effect = "Allow"
+ actions = [
+ "kms:Decrypt",
+ "kms:DescribeKey",
+ "kms:GenerateDataKey*",
+ "kms:Encrypt"
+ ]
+ resources = [
+ var.var.kms_key
+ ]
+ condition {
+ test = "StringLike"
+ variable = "kms:ViaService"
+
+ values = [
+ "sqs.${data.aws_region.current.name}.amazonaws.com"
+ ]
+ }
+ }
+ }
+
 statement {
 effect = "Allow"
 actions = [
From 33c3ba3474b713698d502f622fca8c00ac4e84ca Mon Sep 17 00:00:00 2001
From: Oscar Mendoza <139177627+oscarmendoza123@users.noreply.github.com>
Date: Wed, 23 Aug 2023 11:59:32 -0500
Subject: [PATCH 2/6] Update data.tf

---
 data.tf | 21 ---------------------
 1 file changed, 21 deletions(-)

diff --git a/data.tf b/data.tf
index bbfb9c0..e1773f2 100644
--- a/data.tf
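Review bot: `resources = [ var.var.kms_key ]` in the second dynamic statement (spelled `var.kms_key` once the typo is corrected later in this series) only produces a valid IAM policy when the variable holds a full key ARN; if the module's variable also accepts a key ID or alias name (variables.tf is not in this patch), AWS rejects the policy document or the statement never matches the key. A `validation` block on the variable would catch this at plan time, e.g. `condition = var.kms_key == null || can(regex("^arn:", var.kms_key))`, or the ARN requirement should at least be stated in the variable's description. Both new statements use `StringLike` for a literal `kms:ViaService` value with no wildcard; `StringEquals` expresses that intent more precisely. The enclosing `aws_iam_policy_document` block starts and ends outside the hunk.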
+++ b/data.tf
@@ -108,27 +108,6 @@ data "aws_iam_policy_document" "mwaa" {
 ]
 }
- statement {
- effect = "Allow"
- actions = [
- "kms:Decrypt",
- "kms:DescribeKey",
- "kms:GenerateDataKey*",
- "kms:Encrypt"
- ]
- not_resources = [
- "arn:${data.aws_partition.current.id}:kms:*:${data.aws_caller_identity.current.account_id}:key/*"
- ]
- condition {
- test = "StringLike"
- variable = "kms:ViaService"
-
- values = [
- "sqs.${data.aws_region.current.name}.amazonaws.com"
- ]
- }
- }
-
- dynamic "statement" {
- for_each = var.kms_key != null ? [] : [1]
- content {
From e4c45abbfb2a548bc7f982838f43cbe185c9f96f Mon Sep 17 00:00:00 2001
From: Oscar Mendoza <139177627+oscarmendoza123@users.noreply.github.com>
Date: Wed, 23 Aug 2023 12:06:22 -0500
Subject: [PATCH 3/6] Update data.tf

---
 data.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data.tf b/data.tf
index e1773f2..2d6b858 100644
--- a/data.tf
+++ b/data.tf
@@ -143,7 +143,7 @@ data "aws_iam_policy_document" "mwaa" {
 "kms:Encrypt"
 ]
 resources = [
- var.var.kms_key
+ var.kms_key
 ]
 condition {
 test = "StringLike"
From 9978c4b062c23142add3556fb96383a5f66e5916 Mon Sep 17 00:00:00 2001
From: Oscar Mendoza
Date: Wed, 23 Aug 2023 17:13:19 +0000
Subject: [PATCH 4/6] pre-commity

---
 README.md | 3 +--
 data.tf | 4 ++--
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 98914af..97afcb8 100644
--- a/README.md
+++ b/README.md
@@ -112,7 +112,6 @@ No modules.
 | [aws_iam_role_policy_attachment.mwaa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_mwaa_environment.mwaa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mwaa_environment) | resource |
 | [aws_s3_bucket.mwaa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
-| [aws_s3_bucket_acl.mwaa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_public_access_block.mwaa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.mwaa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_versioning.mwaa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
@@ -139,7 +138,7 @@ No modules.
 | [environment\_class](#input\_environment\_class) | (Optional) Environment class for the cluster. Possible options are mw1.small, mw1.medium, mw1.large.
Will be set by default to mw1.small. Please check the AWS Pricing for more information about the environment classes. | `string` | `"mw1.small"` | no |
 | [execution\_role\_arn](#input\_execution\_role\_arn) | (Required) The Amazon Resource Name (ARN) of the task execution role that the Amazon MWAA and its environment can assume
Mandatory if `create_iam_role=false` | `string` | `null` | no |
 | [force\_detach\_policies](#input\_force\_detach\_policies) | IAM role Force detach policies | `bool` | `false` | no |
-| [iam\_role\_additional\_policies](#input\_iam\_role\_additional\_policies) | A map of additional policy ARNs to be added to the IAM role, with an arbitary key name | `map(string)` | `{}` | no |
+| [iam\_role\_additional\_policies](#input\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `map(string)` | `{}` | no |
 | [iam\_role\_name](#input\_iam\_role\_name) | IAM Role Name to be created if execution\_role\_arn is null | `string` | `null` | no |
 | [iam\_role\_path](#input\_iam\_role\_path) | IAM role path | `string` | `"/"` | no |
 | [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | IAM role Permission boundary | `string` | `null` | no |
diff --git a/data.tf b/data.tf
index 2d6b858..52d6662 100644
--- a/data.tf
+++ b/data.tf
@@ -124,7 +124,7 @@ data "aws_iam_policy_document" "mwaa" {
 condition {
 test = "StringLike"
 variable = "kms:ViaService"
-
+
 values = [
 "sqs.${data.aws_region.current.name}.amazonaws.com"
 ]
@@ -148,7 +148,7 @@ data "aws_iam_policy_document" "mwaa" {
 condition {
 test = "StringLike"
 variable = "kms:ViaService"
-
+
 values = [
 "sqs.${data.aws_region.current.name}.amazonaws.com"
 ]
From febf309e3fff929c8e4014299de51e9ab29c7441 Mon Sep 17 00:00:00 2001
From: Victor Zinchenko
Date: Wed, 22 Nov 2023 16:18:07 +0100
Subject: [PATCH 5/6] Fix s3 bucket object ownership in example

---
 examples/basic/main.tf | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/examples/basic/main.tf b/examples/basic/main.tf
index 2038c8e..a0c8c66 100644
--- a/examples/basic/main.tf
+++ b/examples/basic/main.tf
@@ -25,7 +25,16 @@ resource "aws_s3_bucket" "this" {
 tags = var.tags
 }
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
 resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
 bucket = aws_s3_bucket.this.id
 acl = "private"
 }
From 8a67dcfff13fa6a20b9004e457275d00a7883aea Mon Sep 17 00:00:00 2001
From: harsh-at-huspy <156096614+harshvardhan-j@users.noreply.github.com>
Date: Mon, 29 Jan 2024 12:56:39 +0400
Subject: [PATCH 6/6] Ignore changes made to MWAA Startup script version

---
 main.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index 1d650b5..f989653 100644
--- a/main.tf
+++ b/main.tf
@@ -61,7 +61,8 @@ resource "aws_mwaa_environment" "mwaa" {
 lifecycle {
 ignore_changes = [
 plugins_s3_object_version,
- requirements_s3_object_version
+ requirements_s3_object_version,
+ startup_script_s3_object_version
 ]
 }
 }
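Review bot: `object_ownership = "BucketOwnerPreferred"` re-enables ACLs on the example bucket only so that the existing `aws_s3_bucket_acl.this` can set `acl = "private"`, which is already the effective state when ACLs are disabled. Setting `object_ownership = "BucketOwnerEnforced"` and dropping the `aws_s3_bucket_acl` resource gives the same outcome with a smaller surface, since no ACL grant can then be applied at all; it would also match the module itself, whose README in this series no longer lists an `aws_s3_bucket_acl.mwaa` resource. If the ACL resource is kept, the added `depends_on` is the right ordering, because the ACL call is rejected while the bucket is still in enforced mode. The `aws_s3_bucket.this` resource that the hunk starts in begins outside the hunk.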
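Review bot: Ignoring `startup_script_s3_object_version` means that after creation Terraform no longer tracks which startup script version the environment executes, even if a caller sets that argument explicitly; if the module exposes it as an input (the argument itself is outside this hunk), its description should say the value is only applied on create. A comment on the list would record the rationale, e.g. `# object versions are updated out of band; ignored to avoid perpetual diffs` — presumably the same reason the two existing entries were added, but that should be confirmed. The enclosing `aws_mwaa_environment` resource starts outside the hunk.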