From b1e9515d137d2b67e7ad5cca785767019a324716 Mon Sep 17 00:00:00 2001
From: Matthias Kay
Date: Mon, 3 Mar 2025 22:15:52 +0100
Subject: [PATCH 1/3] fix policy

---
 modules/terminate-agent-hook/iam.tf       | 25 ++++++++++++++++++++---
 modules/terminate-agent-hook/variables.tf |  2 +-
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/modules/terminate-agent-hook/iam.tf b/modules/terminate-agent-hook/iam.tf
index 83abdb671..f234a3c7f 100644
--- a/modules/terminate-agent-hook/iam.tf
+++ b/modules/terminate-agent-hook/iam.tf
@@ -32,9 +32,26 @@ resource "aws_iam_role" "lambda" {
   tags = var.tags
 }
 
+resource "aws_iam_role_policy_attachment" "lambda_kms" {
+  count = var.kms_key_id != "" ? 1 : 0
+
+  role = aws_iam_role.lambda.name
+  policy_arn = aws_iam_policy.lambda_kms.arn
+}
+
+resource "aws_iam_policy" "lambda_kms" {
+  count = var.kms_key_id != "" ? 1 : 0
+
+  name = "${var.name_iam_objects}-${var.name}-lambda-kms"
+  path = "/"
+  policy = data.aws_iam_policy_document.kms_key.json
+
+  tags = var.tags
+}
+
+data "aws_iam_policy_document" "kms_key" {
+  count = var.kms_key_id != "" ? 1 : 0
 
-# This IAM policy is used by the Lambda function.
-data "aws_iam_policy_document" "lambda" {
   # checkov:skip=CKV_AWS_111:Write access is limited to the resources needed
   statement {
     sid = "AllowKmsAccess"
@@ -42,9 +59,11 @@ data "aws_iam_policy_document" "lambda" {
       "kms:Decrypt", # to decrypt the Lambda environment variables
     ]
     resources = [var.kms_key_id]
-    effect = "Allow"
+    effect = "Allow"
   }
+}
 
+data "aws_iam_policy_document" "lambda" {
   # Permit the function to get a list of instances
   statement {
     sid = "GitLabRunnerLifecycleGetInstances"
diff --git a/modules/terminate-agent-hook/variables.tf b/modules/terminate-agent-hook/variables.tf
index 583bbdb62..ef6c10f07 100644
--- a/modules/terminate-agent-hook/variables.tf
+++ b/modules/terminate-agent-hook/variables.tf
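Review bot: The `# checkov:skip=CKV_AWS_111:Write access is limited to the resources needed` line now sits inside the new `data "aws_iam_policy_document" "kms_key"` block, whose only statement grants `kms:Decrypt` on the single key in `var.kms_key_id`, which is not a write action and needs no skip. Judging by the old placement, the skip was justifying statements in the `lambda` document, which the second hunk of this file reopens without it, so that scanner finding will presumably reappear there unless the comment is moved back under `data "aws_iam_policy_document" "lambda" {`. If the skip is kept anywhere, its reason text should name the statements it covers so the next reviewer can re-check the scope. The `lambda_kms` resources referencing the counted objects without an index is already addressed by patch 2/3 and is not re-raised here.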
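Review bot: The header comment `# This IAM policy is used by the Lambda function.` removed in the first hunk is not carried over to the re-created `data "aws_iam_policy_document" "lambda" {` in this hunk, so the function's main policy document is now undocumented while the new KMS document got none either. Suggest restoring it on the new line in a form that records the split, e.g. `# Permissions of the terminate-agent-hook Lambda itself; the kms:Decrypt grant lives in data.aws_iam_policy_document.kms_key above (only created when var.kms_key_id is set).` The `lambda` document's remaining statements continue outside the hunk.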
@@ -57,7 +57,7 @@ variable "name_docker_machine_runners" {
 }
 
 variable "kms_key_id" {
-  description = "KMS key id to encrypt the resources, e.g. logs, lambda environment variables, ..."
+  description = "(optional) KMS key id to encrypt the resources, e.g. logs, lambda environment variables, ..."
   type = string
 }
 

From 0bb6d8341df7e42e34706e52c3e0814024b5cca6 Mon Sep 17 00:00:00 2001
From: Matthias Kay
Date: Mon, 3 Mar 2025 22:21:59 +0100
Subject: [PATCH 2/3] fix policy

---
 modules/terminate-agent-hook/iam.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/terminate-agent-hook/iam.tf b/modules/terminate-agent-hook/iam.tf
index f234a3c7f..a1049a9b3 100644
--- a/modules/terminate-agent-hook/iam.tf
+++ b/modules/terminate-agent-hook/iam.tf
@@ -36,7 +36,7 @@ resource "aws_iam_role_policy_attachment" "lambda_kms" {
   count = var.kms_key_id != "" ? 1 : 0
 
   role = aws_iam_role.lambda.name
-  policy_arn = aws_iam_policy.lambda_kms.arn
+  policy_arn = aws_iam_policy.lambda_kms[0].arn
 }
 
 resource "aws_iam_policy" "lambda_kms" {
@@ -44,7 +44,7 @@ resource "aws_iam_policy" "lambda_kms" {
 
   name = "${var.name_iam_objects}-${var.name}-lambda-kms"
   path = "/"
-  policy = data.aws_iam_policy_document.kms_key.json
+  policy = data.aws_iam_policy_document.kms_key[0].json
 
   tags = var.tags
 }

From 49a788b0f09b400c53d97b36801c0bbd651adf46 Mon Sep 17 00:00:00 2001
From: Matthias Kay
Date: Mon, 3 Mar 2025 22:24:00 +0100
Subject: [PATCH 3/3] format

---
 modules/terminate-agent-hook/iam.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/terminate-agent-hook/iam.tf b/modules/terminate-agent-hook/iam.tf
index a1049a9b3..96fd02b32 100644
--- a/modules/terminate-agent-hook/iam.tf
+++ b/modules/terminate-agent-hook/iam.tf
@@ -59,7 +59,7 @@ data "aws_iam_policy_document" "kms_key" {
       "kms:Decrypt", # to decrypt the Lambda environment variables
     ]
     resources = [var.kms_key_id]
-    effect = "Allow"
+    effect = "Allow"
   }
 }
 
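Review bot: The description now says "(optional)" but the `variable "kms_key_id"` block shown here still has only `type = string` and no `default`, so Terraform will keep prompting for or requiring a value and callers cannot actually omit it. The `count = var.kms_key_id != "" ? 1 : 0` guards added in iam.tf already treat the empty string as "not set", so `default = ""` in this block would make the variable genuinely optional and match those checks. It would also help to state in the description what the module does when the value is empty (no customer-managed key, and the `lambda_kms` policy and attachment are not created), since that is the behaviour this series introduces.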
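Review bot: The `[0]` indexes added here and in the second hunk of this file are correct, but they only stay safe because `aws_iam_role_policy_attachment.lambda_kms`, `aws_iam_policy.lambda_kms` and `data.aws_iam_policy_document.kms_key` each repeat the literal `var.kms_key_id != "" ? 1 : 0`; if one of the three is later edited differently the indexed references dangle at plan time. A single local, `locals { kms_enabled = var.kms_key_id != "" }` with `count = local.kms_enabled ? 1 : 0` on all three, keeps the condition in one place. The `lambda_kms` policy block continues outside this hunk.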