fix(webhook): grant KMS permission to decrypt wehn using EventBridge (#4220)

npalm · philips-labs-pr|bot · web-flow · commit 380bcaf68447 · 2024-10-29T20:30:10.000+01:00
## Description

This PR grants the webhook (for EventBridge) access to the provided KMS
key. In case no key is provided a dummy policy will be created. This to
avoid terraform conditon is throwing errors when a KMS key is created in
the same Terraform deploy as runner module

## Tested

- [x] default example with KMS no eventbridge
- [x] default example with KMS and eventbridge
- [x] default example without KMS and eventbridge
- [x] default example without KMS no eventbridge

fix: #4218

---------

Co-authored-by: philips-labs-pr|bot &lt;philips-labs-pr[bot]@users.noreply.github.com&gt;
diff --git a/modules/webhook/direct/README.md b/modules/webhook/direct/README.md
@@ -24,6 +24,7 @@ No modules.
 |------|------|
 | [aws_cloudwatch_log_group.webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_iam_role.webhook_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.webhook_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.webhook_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.webhook_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.webhook_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
diff --git a/modules/webhook/direct/webhook.tf b/modules/webhook/direct/webhook.tf
@@ -117,7 +117,15 @@ resource "aws_iam_role_policy" "webhook_sqs" {
 
   policy = templatefile("${path.module}/../policies/lambda-publish-sqs-policy.json", {
     sqs_resource_arns = jsonencode(var.config.sqs_job_queues_arns)
-    kms_key_arn       = var.config.kms_key_arn != null ? var.config.kms_key_arn : ""
+  })
+}
+
+resource "aws_iam_role_policy" "webhook_kms" {
+  name = "kms-policy"
+  role = aws_iam_role.webhook_lambda.name
+
+  policy = templatefile("${path.module}/../policies/lambda-kms.json", {
+    kms_key_arn = var.config.kms_key_arn != null ? var.config.kms_key_arn : "arn:${var.config.aws_partition}:kms:::CMK_NOT_IN_USE"
   })
 }
 
@@ -128,7 +136,6 @@ resource "aws_iam_role_policy" "webhook_workflow_job_sqs" {
 
   policy = templatefile("${path.module}/../policies/lambda-publish-sqs-policy.json", {
     sqs_resource_arns = jsonencode([var.config.sqs_workflow_job_queue.arn])
-    kms_key_arn       = var.config.kms_key_arn != null ? var.config.kms_key_arn : ""
   })
 }
 
diff --git a/modules/webhook/eventbridge/README.md b/modules/webhook/eventbridge/README.md
@@ -30,11 +30,13 @@ No modules.
 | [aws_cloudwatch_log_group.webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_iam_role.dispatcher_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.webhook_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.dispatcher_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.dispatcher_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.dispatcher_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.dispatcher_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.dispatcher_xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.webhook_eventbridge](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.webhook_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.webhook_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.webhook_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
diff --git a/modules/webhook/eventbridge/dispatcher.tf b/modules/webhook/eventbridge/dispatcher.tf
@@ -116,7 +116,15 @@ resource "aws_iam_role_policy" "dispatcher_sqs" {
 
   policy = templatefile("${path.module}/../policies/lambda-publish-sqs-policy.json", {
     sqs_resource_arns = jsonencode(var.config.sqs_job_queues_arns)
-    kms_key_arn       = var.config.kms_key_arn != null ? var.config.kms_key_arn : ""
+  })
+}
+
+resource "aws_iam_role_policy" "dispatcher_kms" {
+  name = "kms-policy"
+  role = aws_iam_role.webhook_lambda.name
+
+  policy = templatefile("${path.module}/../policies/lambda-kms.json", {
+    kms_key_arn = var.config.kms_key_arn != null ? var.config.kms_key_arn : "arn:${var.config.aws_partition}:kms:::CMK_NOT_IN_USE"
   })
 }
 
diff --git a/modules/webhook/eventbridge/webhook.tf b/modules/webhook/eventbridge/webhook.tf
@@ -127,6 +127,15 @@ resource "aws_iam_role_policy" "webhook_ssm" {
   })
 }
 
+resource "aws_iam_role_policy" "webhook_kms" {
+  name = "kms-policy"
+  role = aws_iam_role.webhook_lambda.name
+
+  policy = templatefile("${path.module}/../policies/lambda-kms.json", {
+    kms_key_arn = var.config.kms_key_arn != null ? var.config.kms_key_arn : "arn:${var.config.aws_partition}:kms:::CMK_NOT_IN_USE"
+  })
+}
+
 resource "aws_iam_role_policy" "xray" {
   count  = var.config.tracing_config.mode != null ? 1 : 0
   name   = "xray-policy"
diff --git a/modules/webhook/policies/lambda-kms.json b/modules/webhook/policies/lambda-kms.json
@@ -0,0 +1,13 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+        "Effect": "Allow",
+        "Action": [
+            "kms:Decrypt",
+            "kms:GenerateDataKey"
+        ],
+        "Resource": "${kms_key_arn}"
+    }
+  ]
+}
diff --git a/modules/webhook/policies/lambda-publish-sqs-policy.json b/modules/webhook/policies/lambda-publish-sqs-policy.json
@@ -5,16 +5,6 @@
       "Effect": "Allow",
       "Action": ["sqs:SendMessage", "sqs:GetQueueAttributes"],
       "Resource": ${sqs_resource_arns}
-      %{ if kms_key_arn != "" ~}
-    },
-    {
-        "Effect": "Allow",
-        "Action": [
-            "kms:Decrypt",
-            "kms:GenerateDataKey"
-        ],
-        "Resource": "${kms_key_arn}"
-    %{ endif ~}
     }
   ]
 }

Original file line number	Diff line number	Diff line change
`@@ -5,16 +5,6 @@`
`5`	`5`	`"Effect": "Allow",`
`6`	`6`	`"Action": ["sqs:SendMessage", "sqs:GetQueueAttributes"],`
`7`	`7`	`"Resource": ${sqs_resource_arns}`
`8`		`- %{ if kms_key_arn != "" ~}`
`9`		`- },`
`10`		`- {`
`11`		`- "Effect": "Allow",`
`12`		`- "Action": [`
`13`		`- "kms:Decrypt",`
`14`		`- "kms:GenerateDataKey"`
`15`		`- ],`
`16`		`- "Resource": "${kms_key_arn}"`
`17`		`- %{ endif ~}`
`18`	`8`	`}`
`19`	`9`	`]`
`20`	`10`	`}`