feat: add an IAM policy to grant the runner access to the KMS key (#778)

## Description

Fixes some issues with accessing the S3 bucket when the bucket has KMS
encryption enabled.

Allowing the runner role the ability to use the KMS key. We mainly ran
into issue with this around access to the caching S3 bucket. Without
access to the KMS key, the runners can't pull from or push to the S3
bucket created by this project.

In case `var.enable_kms` is set to `true`, the module automatically adds
a policy to access the KMS key.

## Migrations required

No

## Verification
Custom:
```
module "runner" {
  source      = "github.com/jasonjanderson/terraform-aws-gitlab-runner?ref=kms"
  aws_region  = data.aws_region.current.name
  environment = "terraform"

  #   ssh_public_key = local_file.public_ssh_key.content

  vpc_id                   = module.vpc.vpc_id
  subnet_ids_gitlab_runner = module.vpc.private_subnets
  subnet_id_runners        = element(module.vpc.private_subnets, 0)

  runners_name       = "terraform"
  runners_gitlab_url = "https://gitlab.com"

  gitlab_runner_registration_config = {
    registration_token = data.gitlab_project.init-register.runners_token
    tag_list           = "terraform"
    description        = data.gitlab_project.init-register.name
    locked_to_project  = "true"
    run_untagged       = "false"
    maximum_timeout    = "3600"
  }


  docker_machine_spot_price_bid = "on-demand-price"
  docker_machine_instance_type  = "t3.large"

  enable_kms     = true
  enable_cloudwatch_logging            = true
  cloudwatch_logging_retention_in_days = 14
  agent_tags                           = local.terraform_runner_tags
  runner_tags                          = local.terraform_runner_tags
  docker_machine_iam_policy_arns       = [aws_iam_policy.terraform_runner.arn]
  runners_add_dind_volumes             = true
  runners_executor                     = "docker+machine"
  runners_monitoring                   = true
  runners_request_concurrency          = 10
  runners_machine_autoscaling = [{
    periods    = ["\"* * 8-19 * * mon-fri *\""]
    idle_count = 1
    idle_time  = 1800
    timezone   = "America/Chicago"
  }]
}
```

---------

Co-authored-by: kayma <[email protected]>
Co-authored-by: Matthias Kay <[email protected]>

Author: jasonjanderson

main.tf

@@ -370,6 +370,32 @@ resource "aws_iam_role" "instance" {
   tags = merge(local.tags, var.role_tags)
 }
 
+################################################################################
+### Policy for the instance to use the KMS key
+################################################################################
+resource "aws_iam_policy" "instance_kms_policy" {
+  count = var.enable_kms ? 1 : 0
+
+  name        = "${local.name_iam_objects}-kms"
+  path        = "/"
+  description = "Allow runner instance the ability to use the KMS key."
+  policy = templatefile("${path.module}/policies/instance-kms-policy.json",
+    {
+      kms_key_arn = var.enable_kms && var.kms_key_id == "" ? aws_kms_key.default[0].arn : var.kms_key_id
+    }
+  )
+
+  tags = local.tags
+}
+
+resource "aws_iam_role_policy_attachment" "instance_kms_policy" {
+  count = var.enable_kms ? 1 : 0
+
+  role       = var.create_runner_iam_role ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name
+  policy_arn = aws_iam_policy.instance_kms_policy[0].arn
+}
+
+
 ################################################################################
 ### Policies for runner agent instance to create docker machines via spot req.
 ###
@@ -459,6 +485,8 @@ resource "aws_iam_role" "docker_machine" {
   tags = local.tags
 }
 
+
+
 resource "aws_iam_instance_profile" "docker_machine" {
   count = var.runners_executor == "docker+machine" ? 1 : 0
   name  = "${local.name_iam_objects}-docker-machine"
@@ -484,6 +512,8 @@ resource "aws_iam_role_policy_attachment" "docker_machine_session_manager_aws_ma
   policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
 }
 
+
+
 ################################################################################
 ### Service linked policy, optional
 ################################################################################

policies/instance-kms-policy.json

@@ -0,0 +1,15 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": [
+                "kms:Decrypt",
+                "kms:GenerateDataKey"
+            ],
+            "Effect": "Allow",
+            "Resource": [
+                "${kms_key_arn}"
+            ]
+        }
+    ]
+}

variables.tf

@@ -740,7 +740,7 @@ variable "runners_docker_services" {
 }
 
 variable "kms_key_id" {
-  description = "KMS key id to encrypted the resources. Ensure CloudWatch and Runner/Executor have access to the provided KMS key."
+  description = "KMS key ARN to encrypt the resources. Ensure CloudWatch has access to the provided KMS key (see policies/kms-policy.json)."
   type        = string
   default     = ""
 }