Merge pull request #18 from clouddrove/bridgecrew

Sohan Yadav · web-flow · commit 584995885d0e · 2021-05-21T15:49:23.000+05:30
security fixes added
diff --git a/_example/basic_example/example.tf b/_example/basic_example/example.tf
@@ -71,6 +71,36 @@ module "iam-role" {
   policy         = data.aws_iam_policy_document.iam-policy.json
 }
 
+module "kms_key" {
+  source                  = "clouddrove/kms/aws"
+  version                 = "0.14.0"
+  name                    = "kms"
+  environment             = "test"
+  label_order             = ["environment", "name"]
+  enabled                 = true
+  description             = "KMS key for ec2"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+  alias                   = "alias/ec2"
+  policy                  = data.aws_iam_policy_document.kms.json
+}
+
+
+data "aws_iam_policy_document" "kms" {
+  version = "2012-10-17"
+  statement {
+    sid    = "Enable IAM User Permissions"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    actions   = ["kms:*"]
+    resources = ["*"]
+  }
+
+}
+
 data "aws_iam_policy_document" "default" {
   statement {
     effect  = "Allow"
@@ -108,7 +138,6 @@ module "ec2" {
   ami                         = "ami-08d658f84a6d84a80"
   instance_type               = "t2.nano"
   monitoring                  = false
-  encrypted                   = false
   tenancy                     = "default"
   vpc_security_group_ids_list = [module.ssh.security_group_ids, module.http-https.security_group_ids]
   subnet_ids                  = tolist(module.public_subnets.public_subnet_id)
@@ -128,4 +157,5 @@ module "ec2" {
   instance_tags = { "snapshot" = true }
   dns_zone_id   = "Z1XJD7SSBKXLC1"
   hostname      = "ec2"
+  kms_key_id    = module.kms_key.key_arn
 }
diff --git a/_example/secure_example/.terraform.lock.hcl b/_example/secure_example/.terraform.lock.hcl
diff --git a/_example/secure_example/example.tf b/_example/secure_example/example.tf
@@ -160,7 +160,6 @@ module "ec2" {
   ebs_volume_enabled = true
   ebs_volume_type    = "gp2"
   ebs_volume_size    = 30
-  encrypted          = true
   kms_key_id         = module.kms_key.key_arn
   instance_tags      = { "snapshot" = true }
   dns_zone_id        = "Z1XJD7SSBKXLC1"
diff --git a/main.tf b/main.tf
@@ -50,7 +50,7 @@ resource "aws_instance" "default" {
   root_block_device {
     volume_size           = var.disk_size
     delete_on_termination = true
-    encrypted             = var.encrypted
+    encrypted             = true
     kms_key_id            = var.kms_key_id
   }
 
@@ -111,7 +111,7 @@ resource "aws_ebs_volume" "default" {
   size              = var.ebs_volume_size
   iops              = local.ebs_iops
   type              = var.ebs_volume_type
-  encrypted         = var.encrypted
+  encrypted         = true
   kms_key_id        = var.kms_key_id
   tags = merge(
     module.labels.tags,
diff --git a/variables.tf b/variables.tf
@@ -323,9 +323,3 @@ variable "kms_key_id" {
   description = "The ARN for the KMS encryption key. When specifying kms_key_id, encrypted needs to be set to true."
   sensitive   = true
 }
-
-variable "encrypted" {
-  type        = bool
-  default     = true
-  description = "If true, the disk will be encrypted."
-}
