From c27dde69a0a250139ecfd521a4230bdf32b36c68 Mon Sep 17 00:00:00 2001
From: Jason Anderson
Date: Fri, 31 Mar 2023 16:36:08 -0500
Subject: [PATCH 1/5] Adding an IAM policy to grant the runner access to the KMS key Fixes some issues with accessing the S3 bucket when the bucket has KMS encryption enabled.
---
 main.tf | 30 ++++++++++++++++++++++++++++++
 policies/instance-kms-policy.json | 18 ++++++++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100644 policies/instance-kms-policy.json
diff --git a/main.tf b/main.tf
index a15a1ebe1..e30332ae2 100644
--- a/main.tf
+++ b/main.tf
@@ -370,6 +370,32 @@ resource "aws_iam_role" "instance" {
 tags = merge(local.tags, var.role_tags)
 }
+################################################################################
+### Policy for the instance to use the KMS key
+################################################################################
+resource "aws_iam_policy" "instance_kms_policy" {
+ count = var.enable_kms ? 1 : 0
+
+ name = "${local.name_iam_objects}-kms"
+ path = "/"
+ description = "Allow runner instance the ability to use the KMS key."
+ policy = templatefile("${path.module}/policies/instance-kms-policy.json",
+ {
+ kms_key_arn = var.enable_kms && var.kms_key_id == "" ? aws_kms_key.default[0].arn : "arn:aws:kms:${var.aws_region}:${data.aws_caller_identity.current.account_id}:key/${var.kms_key_id}"
+ }
+ )
+
+ tags = local.tags
+}
+
+resource "aws_iam_role_policy_attachment" "instance_kms_policy" {
+ count = var.enable_kms ? 1 : 0
+
+ role = var.create_runner_iam_role ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name
+ policy_arn = aws_iam_policy.instance_kms_policy[0].arn
+}
+
+
 ################################################################################
 ### Policies for runner agent instance to create docker machines via spot req.
 ###
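Review bot: The `var.enable_kms &&` guard inside the `kms_key_arn` template argument is redundant with `count = var.enable_kms ? 1 : 0` a few lines above, since the expression is only evaluated when the resource exists; `kms_key_arn = var.kms_key_id == "" ? aws_kms_key.default[0].arn : ...` states the real decision (module-created key versus caller-supplied key) more directly. The attachment below it also deserves a comment, because when `create_runner_iam_role` is false the KMS grant is added to a role the module does not create: `# Attached to the module-created instance role, or to the caller-supplied role named by local.aws_iam_role_instance_name when create_runner_iam_role is false.` That makes the widened permission surface of an external role visible to whoever reviews `enable_kms`.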
@@ -459,6 +485,8 @@ resource "aws_iam_role" "docker_machine" {
 tags = local.tags
 }
+
+
 resource "aws_iam_instance_profile" "docker_machine" {
 count = var.runners_executor == "docker+machine" ? 1 : 0
 name = "${local.name_iam_objects}-docker-machine"
@@ -484,6 +512,8 @@ resource "aws_iam_role_policy_attachment" "docker_machine_session_manager_aws_ma
 policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
 }
+
+
 ################################################################################
 ### Service linked policy, optional
 ################################################################################
diff --git a/policies/instance-kms-policy.json b/policies/instance-kms-policy.json
new file mode 100644
index 000000000..00554c81d
--- /dev/null
+++ b/policies/instance-kms-policy.json
@@ -0,0 +1,18 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "kms:Encrypt*",
+ "kms:Decrypt*",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:Describe*"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "${kms_key_arn}"
+ ]
+ }
+ ]
+}
\ No newline at end of file
From fac4ccf08226b0a9b85187046e804b39fd5c9bb3 Mon Sep 17 00:00:00 2001
From: Jason Anderson
Date: Mon, 3 Apr 2023 10:37:51 -0500
Subject: [PATCH 2/5] updating KMS policy to only include and
---
 policies/instance-kms-policy.json | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/policies/instance-kms-policy.json b/policies/instance-kms-policy.json
index 00554c81d..ea1c8c245 100644
--- a/policies/instance-kms-policy.json
+++ b/policies/instance-kms-policy.json
@@ -3,11 +3,8 @@
 "Statement": [
 {
 "Action": [
- "kms:Encrypt*",
- "kms:Decrypt*",
- "kms:ReEncrypt*",
- "kms:GenerateDataKey*",
- "kms:Describe*"
+ "kms:Decrypt",
+ "kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Resource": [
From 23a1ca4abc5c7b8317fbe82800edebe807f57dfc Mon Sep 17 00:00:00 2001
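Review bot: Narrowing the action list to `kms:Decrypt` and `kms:GenerateDataKey` matches what S3 calls on the principal's behalf for SSE-KMS reads and writes, but the statement still permits those two operations for any service the instance role can reach, not just S3. If the S3 cache bucket is the only consumer, a condition such as `"Condition": {"StringEquals": {"kms:ViaService": "s3.${aws_region}.amazonaws.com"}}` would bind the grant to S3-originated requests; the template currently receives only `kms_key_arn`, so this needs a second template variable passed from main.tf. The variable description elsewhere in this series mentions CloudWatch needing the same key, so confirm whether the instance itself also decrypts for other services before adding the condition, since it would block those calls.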
From: Jason Anderson
Date: Fri, 7 Apr 2023 13:16:47 -0500
Subject: [PATCH 3/5] Assuming is an ARN
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index e30332ae2..00e76ae6e 100644
--- a/main.tf
+++ b/main.tf
@@ -381,7 +381,7 @@ resource "aws_iam_policy" "instance_kms_policy" {
 description = "Allow runner instance the ability to use the KMS key."
 policy = templatefile("${path.module}/policies/instance-kms-policy.json",
 {
- kms_key_arn = var.enable_kms && var.kms_key_id == "" ? aws_kms_key.default[0].arn : "arn:aws:kms:${var.aws_region}:${data.aws_caller_identity.current.account_id}:key/${var.kms_key_id}"
+ kms_key_arn = var.enable_kms && var.kms_key_id == "" ? aws_kms_key.default[0].arn : var.kms_key_id
 }
 )
From e3379de29868ef59ddd7434397bafeac1510590e Mon Sep 17 00:00:00 2001
From: kayma
Date: Thu, 13 Apr 2023 08:45:27 +0200
Subject: [PATCH 4/5] update kms_key_id description
---
 variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/variables.tf b/variables.tf
index 3c586597c..377173146 100644
--- a/variables.tf
+++ b/variables.tf
@@ -740,7 +740,7 @@ variable "runners_docker_services" {
 }
 variable "kms_key_id" {
- description = "KMS key id to encrypted the resources. Ensure CloudWatch and Runner/Executor have access to the provided KMS key."
+ description = "KMS key ARN to encrypt the resources."
 type = string
 default = ""
 }
From ba39a7dd9ad00ee9862c47c91aaf3d4b71760df3 Mon Sep 17 00:00:00 2001
From: kayma
Date: Thu, 13 Apr 2023 08:54:17 +0200
Subject: [PATCH 5/5] change kms_key_id description and mention the policy document
---
 variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/variables.tf b/variables.tf
index 377173146..437af1a01 100644
--- a/variables.tf
+++ b/variables.tf
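Review bot: The new line passes `var.kms_key_id` straight through as the policy `Resource`, so a caller who still supplies a bare key ID (the format the variable's previous description asked for) gets a non-ARN resource in the generated IAM document, which will presumably be rejected at apply time, and nothing on the variable validates the format. A fallback that only builds the ARN when the value is not already one keeps both inputs working: `kms_key_arn = var.enable_kms && var.kms_key_id == "" ? aws_kms_key.default[0].arn : (can(regex("^arn:", var.kms_key_id)) ? var.kms_key_id : "arn:${data.aws_partition.current.partition}:kms:${var.aws_region}:${data.aws_caller_identity.current.account_id}:key/${var.kms_key_id}")`. Using `data.aws_partition.current.partition` rather than the literal `aws` of the removed line also matches how the file builds the `AmazonSSMManagedInstanceCore` policy ARN. The enclosing `aws_iam_policy` resource starts before this hunk.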
@@ -740,7 +740,7 @@ variable "runners_docker_services" {
 }
 variable "kms_key_id" {
- description = "KMS key ARN to encrypt the resources."
+ description = "KMS key ARN to encrypt the resources. Ensure CloudWatch has access to the provided KMS key (see policies/kms-policy.json)."
 type = string
 default = ""
 }
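Review bot: The description now points readers at `policies/kms-policy.json`, while the policy document this series adds is `policies/instance-kms-policy.json`; if `policies/kms-policy.json` is not an existing file (presumably the key policy used when the module creates the key itself) the reference dangles, so confirm the path. The variable is still named `kms_key_id` but now must hold an ARN, and main.tf (outside this hunk) interpolates it directly into an IAM `Resource`, so a `validation` block that rejects non-ARN values fails at plan time instead of producing a malformed policy. The block below adds that check while keeping the empty-string default that selects the module-created key.
```hcl
variable "kms_key_id" {
  description = "KMS key ARN to encrypt the resources. Ensure CloudWatch has access to the provided KMS key (see policies/kms-policy.json)."
  # … unchanged: type, default …

  validation {
    condition     = var.kms_key_id == "" || can(regex("^arn:", var.kms_key_id))
    error_message = "kms_key_id must be empty (use the module-created key) or a full KMS key ARN."
  }
}
```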