expel-io / terraform-aws-cloudtrail

Terraform module for configuring AWS CloudTrail to integrate with Expel
MIT License

Allow Custom KMS Key #50

Closed xomgc3 closed 11 months ago

xomgc3 commented 1 year ago

I see a variable for existing_cloudtrail_kms_key_arn. However, it's not used if a new S3 bucket will be provisioned. Additionally, the permissions for the key are not appropriate.

[image: Screenshot 2023-10-23 at 9 40 48 AM]

Please allow a custom Key ARN to take priority over a new key. Adding a variable for a custom key policy could also be helpful.

xomgc3 commented 1 year ago

When attempting to move forward with a custom S3 bucket, I run into the following error. I'm using the stock S3 module for the bucket.

[image: Screenshot 2023-10-26 at 3 24 37 PM]

```hcl
module "commercial" {
  source  = "expel-io/cloudtrail/aws"
  version = "~> 2.0"

  providers = {
    aws.log_bucket = aws.security_com
    aws            = aws.commercial
  }

  expel_customer_aws_account_id = data.aws_caller_identity.commercial.account_id
  # Bucket and KMS key are provisioned outside this module (separate S3 module)
  existing_cloudtrail_bucket_name  = module.s3_commerical.s3.cloudtrail
  existing_cloudtrail_kms_key_arn  = module.s3_commerical.kms
  expel_customer_organization_guid = var.expel_guid

  stackset_target_organizational_units = local.ou_ids_com

  stackset_max_concurrent_count  = 5
  stackset_fault_tolerance_count = 5
}
```
bachu20 commented 1 year ago

Hey @xomgc3, had a few clarifying questions just to make sure I understand the use-case here.

sarjumulmi commented 1 year ago

> Hey @xomgc3, had a few clarifying questions just to make sure I understand the use-case here.
>
>   • Do you just need a way to pass in a CMK key for use with the newly created SNS topic and/or SQS?
>   • If you can designate a custom key would that be sufficient for your use-case? Would you still need a way to override the policy of a key we create on your behalf otherwise?

@xomgc3 following up on @bachu20 Qs for some clarifications on our side.

xomgc3 commented 11 months ago

Yes, we just need to pass in a custom KMS Key ARN. Being able to customize (override) the key policy generated by this module would also be helpful.
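The behaviour requested in this thread, written out as an added example that is not the expel-io/cloudtrail/aws module's own code: a caller-supplied `existing_cloudtrail_kms_key_arn` takes priority over a module-created key, and a hypothetical `cloudtrail_kms_key_policy_override` variable replaces the generated key policy, which otherwise grants CloudTrail only data-key generation scoped to trails in the calling account.

```hcl
# Added example; not the expel-io module's code. The override variable is hypothetical.
variable "existing_cloudtrail_kms_key_arn" {
  type    = string
  default = "" # empty => the module creates its own key
}

variable "cloudtrail_kms_key_policy_override" {
  type    = string
  default = "" # optional full key-policy JSON that replaces the generated policy
}

data "aws_caller_identity" "current" {}

locals {
  create_key = var.existing_cloudtrail_kms_key_arn == ""
  # Resolved once; every consumer (trail, bucket encryption, SNS/SQS) must use this value.
  kms_key_arn = local.create_key ? aws_kms_key.cloudtrail[0].arn : var.existing_cloudtrail_kms_key_arn
}

# Generated policy: the account root administers the key; CloudTrail may only
# generate data keys for trails in this account (enforced via encryption context).
data "aws_iam_policy_document" "cloudtrail_key" {
  statement {
    sid       = "EnableKeyAdministration"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
  statement {
    sid       = "AllowCloudTrailToEncryptLogs"
    actions   = ["kms:GenerateDataKey*"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringLike"
      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
      values   = ["arn:aws:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"]
    }
  }
}

resource "aws_kms_key" "cloudtrail" {
  count               = local.create_key ? 1 : 0 # skipped entirely when a custom ARN is given
  enable_key_rotation = true
  policy              = var.cloudtrail_kms_key_policy_override != "" ? var.cloudtrail_kms_key_policy_override : data.aws_iam_policy_document.cloudtrail_key.json
}
```

With a custom ARN the caller keeps full control of that key's policy, so the override only matters when the module creates the key.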