From a68ae29c9c0a53dc2802292ab41f101a95a48063 Mon Sep 17 00:00:00 2001
From: George Angel <github-7574494a@infosecproject.org>
Date: Tue, 22 Oct 2019 14:36:02 +0100
Subject: [PATCH] sys: enable encrypted storageClass using KMS key

---
 masters.tf   | 51 ++++++++++++++++++++++++++++++---------------------
 variables.tf |  6 ++++++
 2 files changed, 36 insertions(+), 21 deletions(-)

diff --git a/masters.tf b/masters.tf
index a6fc97e..04ee813 100644
--- a/masters.tf
+++ b/masters.tf
@@ -24,31 +24,40 @@ resource "aws_iam_instance_profile" "master" {
   path = var.iam_path
 }
 
+data "aws_iam_policy_document" "master" {
+  statement {
+    actions = [
+      "ec2:*"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    actions = [
+      "elasticloadbalancing:DescribeLoadBalancers"
+    ]
+    resources = ["*"]
+  }
+
+  # https://github.com/kubernetes/kops/blob/master/pkg/model/iam/tests/iam_builder_master_strict.json#L158
+  statement {
+    actions = [
+      "kms:CreateGrant",
+      "kms:Decrypt",
+      "kms:DescribeKey",
+      "kms:Encrypt",
+      "kms:GenerateDataKey*",
+      "kms:ReEncrypt*"
+    ]
+    resources = var.master_kms_ebs_key_arns
+  }
+}
+
 resource "aws_iam_role_policy" "master" {
   name = "${local.iam_prefix}${var.cluster_name}-master"
   role = aws_iam_role.master.id
 
-  policy = <<EOS
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": [
-        "ec2:*"
-      ],
-      "Effect": "Allow",
-      "Resource": [ "*" ]
-    },
-    {
-      "Action": [
-        "elasticloadbalancing:DescribeLoadBalancers"
-      ],
-      "Effect": "Allow",
-      "Resource": [ "*" ]
-    }
-  ]
-}
-EOS
+  policy = data.aws_iam_policy_document.master.json
 }
 
 // EC2 AutoScaling Group
diff --git a/variables.tf b/variables.tf
index 639619f..6a38e8d 100644
--- a/variables.tf
+++ b/variables.tf
@@ -159,6 +159,12 @@ variable "worker_target_group_arns" {
   type        = list(string)
 }
 
+variable "master_kms_ebs_key_arns" {
+  default     = []
+  description = "KMS keys used by masters to manage EBS volumes. This should be the same value as `kmsKeyId` in the storageClass (https://kubernetes.io/docs/concepts/storage/storage-classes/#aws-ebs)"
+  type        = list(string)
+}
+
 locals {
   iam_prefix = "${var.iam_prefix}${var.iam_prefix == "" ? "" : "-"}"
 }