Packer & EBS KMS IAM Updates

[herman-wong-cf]

Packer

• Added outputs "packer_iam_role_arn" and "packer_iam_role_nam" in case there are additional changes or attachments that need to occur outside of this pak itself.
  • Example use-case: I want to attach a "Base IAM Policy" that might have different settings depending on the deployment (permissions to get "svc_dj" secret, which might not exist in a non-AD deployment, or to retrieve and install a Private ACM Root CA certificate in a Packer AMI).
• Added optional variable list(string) "packer_additional_iam_principal_arns", which is a list of ARNs of principals allowed to assume the Packer role.
  • Example use-case: An unprivileged "packer" iam user is created to run Packer in automation (CI/CD). The automation uses this IAM user who can only assume this one role, rather than my own user credentials that has AdministratorAccess privileges.
• Added IAM permissions to use Packer's native "Spot" instance arguments. (this doesn't force you to use it, it only allows Packer to use Spot instances if desired)

EBS KMS Key Policy

• Existing policy on the key is not appropriate for use in Auto-Scaling Groups. If you attempt to launch ASG EC2 instances with this key, it will state "Termination Reason: Client.InvalidKMSKey,InvalidState: The KMS key provided is in an incorrect state"
• Updated the policy to reflect the latest AWS documentation: https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html

[github-actions[bot]]

Checkov Scan Results 📖:

File	Check ID	Description	Resource	Checkov Result
/kms.tf	CKV_AWS_356	Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions	aws_iam_policy_document.dynamo_key	FAILED
/kms.tf	CKV_AWS_356	Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions	aws_iam_policy_document.ebs_key	FAILED
/kms.tf	CKV_AWS_356	Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions	aws_iam_policy_document.s3_key	FAILED
/kms.tf	CKV_AWS_356	Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions	aws_iam_policy_document.sns_key	FAILED
/kms.tf	CKV_AWS_356	Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions	aws_iam_policy_document.secrets_manager_key	FAILED
/kms.tf	CKV_AWS_356	Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions	aws_iam_policy_document.cloudwatch_key	FAILED
/kms.tf	CKV_AWS_356	Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions	aws_iam_policy_document.config_key	FAILED

Please review the above report. ⚠️