nozaq / terraform-aws-secure-baseline

Terraform module to set up your AWS account with the secure baseline configuration based on CIS Amazon Web Services Foundations and AWS Foundational Security Best Practices.
MIT License

Policy errors during terraform apply of partially enabled baseline #282

Closed richardj-bsquare closed 2 years ago

richardj-bsquare commented 2 years ago

Describe the bug

Policy errors during terraform apply using module with some features enabled and some disabled.

Versions

Reproduction

An initial deploy with the following configuration, as I'm trying to introduce the baseline feature by feature.

module "secure_baseline" {
  source = "nozaq/secure-baseline/aws"

  version = "1.0.1"

  audit_log_bucket_name = var.audit_log_bucket_name
  aws_account_id        = var.account_id

  region         = var.region
  target_regions = [var.region]

  # Note that it might be inappropriate for highly secured environment.
  support_iam_role_principal_arns = [aws_iam_user.compliance.arn]

  providers = {
    aws                = aws
    aws.ap-northeast-1 = aws.ap-northeast-1
    aws.ap-northeast-2 = aws.ap-northeast-2
    aws.ap-south-1     = aws.ap-south-1
    aws.ap-northeast-3 = aws.ap-northeast-3
    aws.ap-southeast-2 = aws.ap-southeast-2
    aws.ap-southeast-1 = aws.ap-southeast-1
    aws.ca-central-1   = aws.ca-central-1
    aws.eu-central-1   = aws.eu-central-1
    aws.eu-north-1     = aws.eu-north-1
    aws.eu-west-1      = aws.eu-west-1
    aws.eu-west-2      = aws.eu-west-2
    aws.eu-west-3      = aws.eu-west-3
    aws.sa-east-1      = aws.sa-east-1
    aws.us-east-1      = aws.us-east-1
    aws.us-east-2      = aws.us-east-2
    aws.us-west-1      = aws.us-west-1
    aws.us-west-2      = aws.us-west-2
  }

  alarm_baseline_enabled = false
  analyzer_baseline_enabled = false
  cloudtrail_baseline_enabled = true
  config_baseline_enabled = true
  iam_baseline_enabled = false
  s3_baseline_enabled = false
  securityhub_enabled = true

  vpc_enable = false # Boolean whether the VPC baseline module should be enabled
}

Expected behavior

Creation without errors...

Actual behavior

Error: error creating KMS Key: MalformedPolicyDocumentException: The new key policy will not allow you to update the key policy in the future.
│ 
│   with module.companion.module.compliance.module.secure_baseline.module.cloudtrail_baseline[0].aws_kms_key.cloudtrail,
│   on .terraform/modules/companion.compliance.secure_baseline/modules/cloudtrail-baseline/main.tf line 184, in resource "aws_kms_key" "cloudtrail":
│  184: resource "aws_kms_key" "cloudtrail" {
│ 
╵
╷
│ Error: Creating Delivery Channel failed: InsufficientDeliveryPolicyException: Insufficient delivery policy to s3 bucket: com.bsquare.squareone.047741630719.us-east-1.audit, unable to write to bucket, provided s3 key prefix is 'config', provided kms key is 'null'.
│ 
│   with module.companion.module.compliance.module.secure_baseline.module.config_baseline_us-east-1[0].aws_config_delivery_channel.bucket,
│   on .terraform/modules/companion.compliance.secure_baseline/modules/config-baseline/main.tf line 48, in resource "aws_config_delivery_channel" "bucket":
│   48: resource "aws_config_delivery_channel" "bucket" {

Additional context

I'm wondering if certain enabled flags are dependent on others to function correctly?

I'm wondering if the latter of the errors is related to: https://github.com/nozaq/terraform-aws-secure-baseline/issues/98, i.e. the same needs to be done for config baseline as has been done for cloudtrail baseline?

richardj-bsquare commented 2 years ago

Re-running the apply does not fix the issue, i.e. the same error re-occurs.

richardj-bsquare commented 2 years ago

I'm beginning to wonder whether this is an aspect of us using an IAM role to apply our terraform rather than a user account. Looking at some of the policies it looks like they only offer user access and not IAM role access.

richardj-bsquare commented 2 years ago

Short description: AWS KMS performs safety checks when a key policy is created. One safety check confirms that the principal in the key policy has the required permissions to make the CreateKey API and PutKeyPolicy API. This check eliminates the possibility of the KMS key becoming unmanageable, which means that you can't change the key policy or delete the key.

Important: Be sure that the key policy that you create allows the current user to administer the KMS key.

richardj-bsquare commented 2 years ago

I'm pretty sure it's the fact that I'm using a role to do the terraform... I think this policy:

https://github.com/nozaq/terraform-aws-secure-baseline/blob/main/modules/cloudtrail-baseline/main.tf#L62

Needs a role_arn option equivalent to the root account one to allow full control of the key from the role.

richardj-bsquare commented 2 years ago

Never mind, noticed that the regionally specified providers were all pointing to a different account, so I basically needed to wrap this module in another module that sets the default AWS provider to one with the correct assume role. Then the KMS key roles, etc. were in the correct specified account.
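Both errors in this thread come down to a policy that does not grant the principal AWS will evaluate: the KMS safety check rejects a key policy under which the creating caller cannot call kms:PutKeyPolicy (which is what happens when the key policy names one account's root and the Terraform role runs in another), and PutDeliveryChannel rejects a bucket whose policy does not let config.amazonaws.com write under `<prefix>/AWSLogs/<account>/Config/`. The following is an added example, not code from the module or from this thread: an offline pre-flight check built on a minimal policy evaluator so both conditions can be tested before `terraform apply`. It assumes the documented requirements described above; all account IDs, ARNs and bucket names are constructed placeholders, and the evaluator deliberately ignores Condition elements and IAM identity policies, so a pass here is necessary but not sufficient.

```python
"""Offline pre-flight check for a KMS key policy and an AWS Config bucket policy.

Added example (not the module's or the thread's code). Models two AWS-side checks:
  * KMS safety check: the caller creating the key must still be able to call
    kms:PutKeyPolicy under the new policy.
  * Config delivery channel: config.amazonaws.com needs s3:GetBucketAcl on the
    bucket and s3:PutObject under <prefix>/AWSLogs/<account>/Config/.
Condition elements and IAM identity policies are NOT evaluated (assumption).
"""
import fnmatch
import re


def caller_account(principal_arn):
    """Return the 12-digit account id embedded in an IAM or STS ARN."""
    return principal_arn.split(":")[4]


def normalize_principal(principal_arn):
    """Map an STS assumed-role session ARN to the underlying IAM role ARN.

    arn:aws:sts::111122223333:assumed-role/Role/session -> arn:aws:iam::111122223333:role/Role
    Any other ARN is returned unchanged.
    """
    m = re.match(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/", principal_arn)
    if m:
        return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"
    return principal_arn


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt_principal, caller_arn=None, service=None):
    """Does the statement's Principal cover the caller ARN or the service name?"""
    if stmt_principal == "*":
        return True
    if service is not None:
        return service in _as_list(stmt_principal.get("Service", []))
    norm = normalize_principal(caller_arn)
    for p in _as_list(stmt_principal.get("AWS", [])):
        if p in ("*", norm, caller_arn):
            return True
        # An account-root principal delegates to IAM policies inside that account,
        # so any IAM principal of the *same* account is treated as covered here.
        if p.endswith(":root") and caller_account(p) == caller_account(caller_arn):
            return True
    return False


def is_allowed(policy, action, resource, caller_arn=None, service=None):
    """Minimal evaluator: an explicit Deny wins, otherwise any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _principal_matches(stmt["Principal"], caller_arn, service):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def key_policy_manageable_by(key_policy, caller_arn):
    """True if the caller would keep kms:PutKeyPolicy under the proposed key policy."""
    return is_allowed(key_policy, "kms:PutKeyPolicy", "*", caller_arn=caller_arn)


def config_delivery_allowed(bucket_policy, bucket, account_id, prefix):
    """True if config.amazonaws.com can check the ACL and write the writability test object."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    test_object = f"{bucket_arn}/{prefix}/AWSLogs/{account_id}/Config/ConfigWritabilityCheckFile"
    acl_ok = is_allowed(bucket_policy, "s3:GetBucketAcl", bucket_arn, service="config.amazonaws.com")
    put_ok = is_allowed(bucket_policy, "s3:PutObject", test_object, service="config.amazonaws.com")
    return acl_ok and put_ok


# Constructed sample policies (placeholders, not from the module).
ACCOUNT = "111122223333"
BUCKET = "example-audit-bucket"
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:GenerateDataKey*", "Resource": "*"},
    ],
}
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow",
         "Principal": {"Service": "config.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Sid": "AWSConfigBucketDelivery", "Effect": "Allow",
         "Principal": {"Service": "config.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/config/AWSLogs/{ACCOUNT}/Config/*"},
    ],
}

if __name__ == "__main__":
    same = f"arn:aws:sts::{ACCOUNT}:assumed-role/TerraformRole/apply"
    other = "arn:aws:sts::999999999999:assumed-role/TerraformRole/apply"
    print("key manageable, same account:", key_policy_manageable_by(KEY_POLICY, same))
    print("key manageable, other account:", key_policy_manageable_by(KEY_POLICY, other))
    print("config delivery, prefix 'config':", config_delivery_allowed(BUCKET_POLICY, BUCKET, ACCOUNT, "config"))
    print("config delivery, prefix 'logs':", config_delivery_allowed(BUCKET_POLICY, BUCKET, ACCOUNT, "logs"))
```

Run against the real documents by loading the key policy the module will render and the bucket policy attached to the audit bucket, and pass the ARN returned by `aws sts get-caller-identity` for the provider that will create the key; a mismatch between that account and the root principal in the key policy is exactly the cross-account provider situation described in the last comment.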