Corrected AWS KMS Key policy to attach the AWS CloudWatch log group #33

kunduso · 2023-11-18T14:11:49Z

The changes in this PR closes #32 and #30
These are the changes:
-correct the KMS key attached to the AWS CloudWatch log group logs
-attach a KMS key policy to the KMS key
-correct the KMS key names

kms.tf

+resource "aws_kms_key" "encryption_rest" {
+  enable_key_rotation     = true
+  description             = "Key to encrypt cache at rest."
+  deletion_window_in_days = 7
+  #checkov:skip=CKV2_AWS_64: Not including a KMS Key policy
+}


kms.tf

+resource "aws_kms_key" "encryption_secret" {
+  enable_key_rotation     = true
+  description             = "Key to encrypt secret"
+  deletion_window_in_days = 7
+  #checkov:skip=CKV2_AWS_64: Not including a KMS Key policy
+}


github-actions · 2023-11-18T14:12:17Z

Infracost report

💰 Monthly cost will increase by $223 📈

Project	Cost change	New monthly cost
kunduso/amazon-elasticache-redis-tf/TFplan.JSON	+$223 (+9,308%)	$226

Cost details

──────────────────────────────────
Project: kunduso/amazon-elasticache-redis-tf/TFplan.JSON

+ aws_elasticache_replication_group.app4
  +$223

    + ElastiCache (on-demand, cache.t2.small)
      +$223

+ aws_kms_key.encryption_secret
  +$1

    + Customer master key
      +$1

    + Requests
      Monthly cost depends on usage
        +$0.03 per 10k requests

    + ECC GenerateDataKeyPair requests
      Monthly cost depends on usage
        +$0.10 per 10k requests

    + RSA GenerateDataKeyPair requests
      Monthly cost depends on usage
        +$0.10 per 10k requests

- aws_kms_key.encrytion_secret
  -$1

    - Customer master key
      -$1

    - Requests
      Monthly cost depends on usage
        -$0.03 per 10k requests

    - ECC GenerateDataKeyPair requests
      Monthly cost depends on usage
        -$0.10 per 10k requests

    - RSA GenerateDataKeyPair requests
      Monthly cost depends on usage
        -$0.10 per 10k requests

Monthly cost change for kunduso/amazon-elasticache-redis-tf/TFplan.JSON
Amount:  +$223 ($2 → $226)
Percent: +9,308%

──────────────────────────────────
Key: ~ changed, + added, - removed

30 cloud resources were detected:
∙ 6 were estimated, 4 of which include usage-based costs, see https://infracost.io/usage-file
∙ 23 were free:
  ∙ 4 x aws_route_table
  ∙ 4 x aws_route_table_association
  ∙ 4 x aws_subnet
  ∙ 2 x aws_iam_policy
  ∙ 2 x aws_kms_alias
  ∙ 2 x aws_ssm_parameter
  ∙ 1 x aws_default_security_group
  ∙ 1 x aws_elasticache_subnet_group
  ∙ 1 x aws_secretsmanager_secret_version
  ∙ 1 x aws_security_group
  ∙ 1 x aws_vpc
∙ 1 is not supported yet, see https://infracost.io/requested-resources:
  ∙ 1 x aws_kms_key_policy

Infracost estimate: Monthly cost will increase by $223 ↑
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━┓
┃ Project                                            ┃ Cost change     ┃ New monthly cost ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━┫
┃ kunduso/amazon-elasticache-redis-tf/TFplan.JSON    ┃ +$223 (+9,308%) ┃ $226             ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━┛

_{This comment will be updated when code changes.}

github-actions · 2023-11-18T14:12:18Z

Terraform Format and Style 🖌`success`

Terraform Initialization ⚙️`success`

Terraform Plan 📖`success`

Terraform Validation 🤖`success`

Show Plan


terraform
random_password.auth: Refreshing state... [id=none]
data.aws_availability_zones.available: Reading...
aws_kms_alias.encrytion_secret: Refreshing state... [id=alias/elasticache-app-4-in-transit]
aws_kms_key.encrytion_secret: Refreshing state... [id=81399b62-95e3-45e4-af9f-159145fe5260]
aws_kms_key.encryption_rest: Refreshing state... [id=624af10a-9d39-4f81-ad00-09dd8d439885]
data.aws_caller_identity.current: Reading...
aws_vpc.this: Refreshing state... [id=vpc-01de06becdba1d3e3]
aws_secretsmanager_secret.elasticache_auth: Refreshing state... [id=arn:aws:secretsmanager:us-east-2:743794601996:secret:app-4-elasticache-auth-wx4d1f]
data.aws_caller_identity.current: Read complete after 1s [id=743794601996]
aws_secretsmanager_secret_version.auth: Refreshing state... [id=arn:aws:secretsmanager:us-east-2:743794601996:secret:app-4-elasticache-auth-wx4d1f|84D33659-CAB0-42CE-8BDF-263E487A161A]
data.aws_availability_zones.available: Read complete after 1s [id=us-east-2]
aws_kms_key_policy.encryption_rest_policy: Refreshing state... [id=624af10a-9d39-4f81-ad00-09dd8d439885]
aws_kms_alias.encryption_rest: Refreshing state... [id=alias/elasticache-app-4-at-rest]
aws_cloudwatch_log_group.slow_log: Refreshing state... [id=/elasticache/app-4-redis-cluster/slow-log]
aws_cloudwatch_log_group.engine_log: Refreshing state... [id=/elasticache/app-4-redis-cluster/engine-log]
aws_subnet.private[0]: Refreshing state... [id=subnet-084342d3ba201bfe9]
aws_subnet.private[1]: Refreshing state... [id=subnet-0759d81f1c345a0dd]
aws_default_security_group.default: Refreshing state... [id=sg-00c03a331f28bdf4b]
aws_route_table.private[1]: Refreshing state... [id=rtb-0c66cf1b03f5a174e]
aws_route_table.private[2]: Refreshing state... [id=rtb-06b80b26b777a5f0a]
aws_route_table.public: Refreshing state... [id=rtb-0a9a56bbaa9f1abf8]
aws_subnet.private[2]: Refreshing state... [id=subnet-0de88a416123a72f0]
aws_subnet.public[0]: Refreshing state... [id=subnet-0c3049a8821bcc98c]
aws_route_table.private[0]: Refreshing state... [id=rtb-05fb632dd9719cf47]
aws_security_group.elasticache: Refreshing state... [id=sg-0ebe81ff83e813eb8]
aws_route_table_association.public[0]: Refreshing state... [id=rtbassoc-0e68440089e90f44b]
aws_route_table_association.private[1]: Refreshing state... [id=rtbassoc-0e696b9622482b55e]
aws_elasticache_subnet_group.elasticache_subnet: Refreshing state... [id=app-4-cache-subnet]
aws_route_table_association.private[2]: Refreshing state... [id=rtbassoc-0e8da7db97d33f32a]
aws_route_table_association.private[0]: Refreshing state... [id=rtbassoc-05a15917877c2e011]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy

Terraform will perform the following actions:

  # aws_elasticache_replication_group.app4 will be created
  + resource "aws_elasticache_replication_group" "app4" {
      + apply_immediately              = true
      + arn                            = (known after apply)
      + at_rest_encryption_enabled     = true
      + auth_token                     = (sensitive value)
      + auto_minor_version_upgrade     = (known after apply)
      + automatic_failover_enabled     = true
      + cluster_enabled                = (known after apply)
      + configuration_endpoint_address = (known after apply)
      + data_tiering_enabled           = (known after apply)
      + description                    = "ElastiCache cluster for app4"
      + engine                         = "redis"
      + engine_version                 = (known after apply)
      + engine_version_actual          = (known after apply)
      + global_replication_group_id    = (known after apply)
      + id                             = (known after apply)
      + kms_key_id                     = "624af10a-9d39-4f81-ad00-09dd8d439885"
      + maintenance_window             = (known after apply)
      + member_clusters                = (known after apply)
      + multi_az_enabled               = true
      + node_type                      = "cache.t2.small"
      + num_cache_clusters             = (known after apply)
      + num_node_groups                = 3
      + parameter_group_name           = "default.redis7.cluster.on"
      + port                           = 6379
      + primary_endpoint_address       = (known after apply)
      + reader_endpoint_address        = (known after apply)
      + replicas_per_node_group        = 2
      + replication_group_id           = "app-4-redis-cluster"
      + security_group_ids             = [
          + "sg-0ebe81ff83e813eb8",
        ]
      + security_group_names           = (known after apply)
      + snapshot_window                = (known after apply)
      + subnet_group_name              = "app-4-cache-subnet"
      + tags_all                       = {
          + "Source" = "https://github.com/kunduso/amazon-elasticache-redis-tf"
        }
      + transit_encryption_enabled     = true

      + log_delivery_configuration {
          + destination      = "/elasticache/app-4-redis-cluster/engine-log"
          + destination_type = "cloudwatch-logs"
          + log_format       = "json"
          + log_type         = "engine-log"
        }
      + log_delivery_configuration {
          + destination      = "/elasticache/app-4-redis-cluster/slow-log"
          + destination_type = "cloudwatch-logs"
          + log_format       = "json"
          + log_type         = "slow-log"
        }
    }

  # aws_iam_policy.secret_manager_policy will be created
  + resource "aws_iam_policy" "secret_manager_policy" {
      + arn         = (known after apply)
      + description = "Policy to read the ElastiCache AUTH Token stored in AWS Secrets Manager secret."
      + id          = (known after apply)
      + name        = "app-4-secret-read-policy"
      + name_prefix = (known after apply)
      + path        = "/"
      + policy      = (known after apply)
      + policy_id   = (known after apply)
      + tags_all    = {
          + "Source" = "https://github.com/kunduso/amazon-elasticache-redis-tf"
        }
    }

  # aws_iam_policy.ssm_parameter_policy will be created
  + resource "aws_iam_policy" "ssm_parameter_policy" {
      + arn         = (known after apply)
      + description = "Policy to read the ElastiCache endpoint and port number stored in the SSM Parameter Store."
      + id          = (known after apply)
      + name        = "app-4-ssm-parameter-read-policy"
      + name_prefix = (known after apply)
      + path        = "/"
      + policy      = (known after apply)
      + policy_id   = (known after apply)
      + tags_all    = {
          + "Source" = "https://github.com/kunduso/amazon-elasticache-redis-tf"
        }
    }

  # aws_kms_alias.encryption_secret will be created
  + resource "aws_kms_alias" "encryption_secret" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + name           = "alias/elasticache-app-4-in-transit"
      + name_prefix    = (known after apply)
      + target_key_arn = (known after apply)
      + target_key_id  = (known after apply)
    }

  # aws_kms_alias.encrytion_secret will be destroyed
  # (because aws_kms_alias.encrytion_secret is not in configuration)
  - resource "aws_kms_alias" "encrytion_secret" {
      - arn            = "arn:aws:kms:us-east-2:743794601996:alias/elasticache-app-4-in-transit" -> null
      - id             = "alias/elasticache-app-4-in-transit" -> null
      - name           = "alias/elasticache-app-4-in-transit" -> null
      - target_key_arn = "arn:aws:kms:us-east-2:743794601996:key/81399b62-95e3-45e4-af9f-159145fe5260" -> null
      - target_key_id  = "81399b62-95e3-45e4-af9f-159145fe5260" -> null
    }

  # aws_kms_key.encryption_secret will be created
  + resource "aws_kms_key" "encryption_secret" {
      + arn                                = (known after apply)
      + bypass_policy_lockout_safety_check = false
      + customer_master_key_spec           = "SYMMETRIC_DEFAULT"
      + deletion_window_in_days            = 7
      + description                        = "Key to encrypt secret"
      + enable_key_rotation                = true
      + id                                 = (known after apply)
      + is_enabled                         = true
      + key_id                             = (known after apply)
      + key_usage                          = "ENCRYPT_DECRYPT"
      + multi_region                       = (known after apply)
      + policy                             = (known after apply)
      + tags_all                           = {
          + "Source" = "https://github.com/kunduso/amazon-elasticache-redis-tf"
        }
    }

  # aws_kms_key.encrytion_secret will be destroyed
  # (because aws_kms_key.encrytion_secret is not in configuration)
  - resource "aws_kms_key" "encrytion_secret" {
      - arn                                = "arn:aws:kms:us-east-2:743794601996:key/81399b62-95e3-45e4-af9f-159145fe5260" -> null
      - bypass_policy_lockout_safety_check = false -> null
      - customer_master_key_spec           = "SYMMETRIC_DEFAULT" -> null
      - deletion_window_in_days            = 7 -> null
      - description                        = "Key to encrypt secret" -> null
      - enable_key_rotation                = true -> null
      - id                                 = "81399b62-95e3-45e4-af9f-159145fe5260" -> null
      - is_enabled                         = true -> null
      - key_id                             = "81399b62-95e3-45e4-af9f-159145fe5260" -> null
      - key_usage                          = "ENCRYPT_DECRYPT" -> null
      - multi_region                       = false -> null
      - policy                             = jsonencode(
            {
              - Id        = "key-default-1"
              - Statement = [
                  - {
                      - Action    = "kms:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::743794601996:root"
                        }
                      - Resource  = "*"
                      - Sid       = "Enable IAM User Permissions"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - tags                               = {} -> null
      - tags_all                           = {
          - "Source" = "https://github.com/kunduso/amazon-elasticache-redis-tf"
        } -> null
    }

  # aws_secretsmanager_secret.elasticache_auth will be updated in-place
  ~ resource "aws_secretsmanager_secret" "elasticache_auth" {
        id                             = "arn:aws:secretsmanager:us-east-2:743794601996:secret:app-4-elasticache-auth-wx4d1f"
      ~ kms_key_id                     = "624af10a-9d39-4f81-ad00-09dd8d439885" -> (known after apply)
        name                           = "app-4-elasticache-auth"
        tags                           = {}
        # (4 unchanged attributes hidden)
    }

  # aws_security_group.elasticache will be updated in-place
  ~ resource "aws_security_group" "elasticache" {
      ~ egress                 = [
          + {
              + cidr_blocks      = [
                  + "0.0.0.0/0",
                ]
              + description      = "Enable access to the ElastiCache cluster."
              + from_port        = 0
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "-1"
              + security_groups  = []
              + self             = false
              + to_port          = 0
            },
        ]
        id                     = "sg-0ebe81ff83e813eb8"
      ~ ingress                = [
          - {
              - cidr_blocks      = [
                  - "10.20.32.0/25",
                ]
              - description      = "Enable communication to the Amazon ElastiCache for Redis cluster. "
              - from_port        = 6379
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "tcp"
              - security_groups  = []
              - self             = false
              - to_port          = 6379
            },
          + {
              + cidr_blocks      = [
                  + "10.20.32.0/25",
                ]
              + description      = "Enable access from an Amazon EC2 instance in the VPC"
              + from_port        = 6379
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = []
              + self             = false
              + to_port          = 6379
            },
        ]
        name                   = "app-4-elasticache-sg"
        tags                   = {}
        # (6 unchanged attributes hidden)
    }

  # aws_ssm_parameter.elasticache_ep will be created
  + resource "aws_ssm_parameter" "elasticache_ep" {
      + arn            = (known after apply)
      + data_type      = (known after apply)
      + id             = (known after apply)
      + insecure_value = (known after apply)
      + key_id         = (known after apply)
      + name           = "/elasticache/app-4/app-4-redis-cluster/endpoint"
      + tags_all       = {
          + "Source" = "https://github.com/kunduso/amazon-elasticache-redis-tf"
        }
      + tier           = (known after apply)
      + type           = "SecureString"
      + value          = (sensitive value)
      + version        = (known after apply)
    }

  # aws_ssm_parameter.elasticache_port will be created
  + resource "aws_ssm_parameter" "elasticache_port" {
      + arn            = (known after apply)
      + data_type      = (known after apply)
      + id             = (known after apply)
      + insecure_value = (known after apply)
      + key_id         = (known after apply)
      + name           = "/elasticache/app-4/app-4-redis-cluster/port"
      + tags_all       = {
          + "Source" = "https://github.com/kunduso/amazon-elasticache-redis-tf"
        }
      + tier           = (known after apply)
      + type           = "SecureString"
      + value          = (sensitive value)
      + version        = (known after apply)
    }

Plan: 7 to add, 2 to change, 2 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: TFplan.JSON

To perform exactly these actions, run the following command to apply:
    terraform apply "TFplan.JSON"

Pushed by: @kunduso, Action: pull_request

github-actions · 2023-11-18T14:19:18Z

Terraform Format and Style 🖌`success`

Terraform Initialization ⚙️`success`

Terraform Plan 📖`success`

Terraform Validation 🤖`success`

Show Plan


terraform
random_password.auth: Refreshing state... [id=none]
data.aws_availability_zones.available: Reading...
aws_kms_key.encrytion_secret: Refreshing state... [id=81399b62-95e3-45e4-af9f-159145fe5260]
data.aws_caller_identity.current: Reading...
aws_kms_key.encryption_rest: Refreshing state... [id=624af10a-9d39-4f81-ad00-09dd8d439885]
aws_kms_alias.encrytion_secret: Refreshing state... [id=alias/elasticache-app-4-in-transit]
aws_vpc.this: Refreshing state... [id=vpc-01de06becdba1d3e3]
aws_secretsmanager_secret.elasticache_auth: Refreshing state... [id=arn:aws:secretsmanager:us-east-2:743794601996:secret:app-4-elasticache-auth-wx4d1f]
data.aws_caller_identity.current: Read complete after 0s [id=743794601996]
data.aws_availability_zones.available: Read complete after 0s [id=us-east-2]
aws_secretsmanager_secret_version.auth: Refreshing state... [id=arn:aws:secretsmanager:us-east-2:743794601996:secret:app-4-elasticache-auth-wx4d1f|84D33659-CAB0-42CE-8BDF-263E487A161A]
aws_kms_alias.encryption_rest: Refreshing state... [id=alias/elasticache-app-4-at-rest]
aws_kms_key_policy.encryption_rest_policy: Refreshing state... [id=624af10a-9d39-4f81-ad00-09dd8d439885]
aws_cloudwatch_log_group.engine_log: Refreshing state... [id=/elasticache/app-4-redis-cluster/engine-log]
aws_cloudwatch_log_group.slow_log: Refreshing state... [id=/elasticache/app-4-redis-cluster/slow-log]
aws_default_security_group.default: Refreshing state... [id=sg-00c03a331f28bdf4b]
aws_route_table.public: Refreshing state... [id=rtb-0a9a56bbaa9f1abf8]
aws_route_table.private[1]: Refreshing state... [id=rtb-0c66cf1b03f5a174e]
aws_subnet.public[0]: Refreshing state... [id=subnet-0c3049a8821bcc98c]
aws_subnet.private[1]: Refreshing state... [id=subnet-0759d81f1c345a0dd]
aws_security_group.elasticache: Refreshing state... [id=sg-0ebe81ff83e813eb8]
aws_route_table.private[2]: Refreshing state... [id=rtb-06b80b26b777a5f0a]
aws_subnet.private[0]: Refreshing state... [id=subnet-084342d3ba201bfe9]
aws_route_table.private[0]: Refreshing state... [id=rtb-05fb632dd9719cf47]
aws_subnet.private[2]: Refreshing state... [id=subnet-0de88a416123a72f0]
aws_route_table_association.public[0]: Refreshing state... [id=rtbassoc-0e68440089e90f44b]
aws_route_table_association.private[0]: Refreshing state... [id=rtbassoc-05a15917877c2e011]
aws_route_table_association.private[1]: Refreshing state... [id=rtbassoc-0e696b9622482b55e]
aws_elasticache_subnet_group.elasticache_subnet: Refreshing state... [id=app-4-cache-subnet]
aws_route_table_association.private[2]: Refreshing state... [id=rtbassoc-0e8da7db97d33f32a]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy

Terraform will perform the following actions:

  # aws_elasticache_replication_group.app4 will be created
  + resource "aws_elasticache_replication_group" "app4" {
      + apply_immediately              = true
      + arn                            = (known after apply)
      + at_rest_encryption_enabled     = true
      + auth_token                     = (sensitive value)
      + auto_minor_version_upgrade     = (known after apply)
      + automatic_failover_enabled     = true
      + cluster_enabled                = (known after apply)
      + configuration_endpoint_address = (known after apply)
      + data_tiering_enabled           = (known after apply)
      + description                    = "ElastiCache cluster for app4"
      + engine                         = "redis"
      + engine_version                 = (known after apply)
      + engine_version_actual          = (known after apply)
      + global_replication_group_id    = (known after apply)
      + id                             = (known after apply)
      + kms_key_id                     = "624af10a-9d39-4f81-ad00-09dd8d439885"
      + maintenance_window             = (known after apply)
      + member_clusters                = (known after apply)
      + multi_az_enabled               = true
      + node_type                      = "cache.t2.small"
      + num_cache_clusters             = (known after apply)
      + num_node_groups                = 3
      + parameter_group_name           = "default.redis7.cluster.on"
      + port                           = 6379
      + primary_endpoint_address       = (known after apply)
      + reader_endpoint_address        = (known after apply)
      + replicas_per_node_group        = 2
      + replication_group_id           = "app-4-redis-cluster"
      + security_group_ids             = [
          + "sg-0ebe81ff83e813eb8",
        ]
      + security_group_names           = (known after apply)
      + snapshot_window                = (known after apply)
      + subnet_group_name              = "app-4-cache-subnet"
      + tags_all                       = {
          + "Source" = "https://github.com/kunduso/amazon-elasticache-redis-tf"
        }
      + transit_encryption_enabled     = true

      + log_delivery_configuration {
          + destination      = "/elasticache/app-4-redis-cluster/engine-log"
          + destination_type = "cloudwatch-logs"
          + log_format       = "json"
          + log_type         = "engine-log"
        }
      + log_delivery_configuration {
          + destination      = "/elasticache/app-4-redis-cluster/slow-log"
          + destination_type = "cloudwatch-logs"
          + log_format       = "json"
          + log_type         = "slow-log"
        }
    }

  # aws_iam_policy.secret_manager_policy will be created
  + resource "aws_iam_policy" "secret_manager_policy" {
      + arn         = (known after apply)
      + description = "Policy to read the ElastiCache AUTH Token stored in AWS Secrets Manager secret."
      + id          = (known after apply)
      + name        = "app-4-secret-read-policy"
      + name_prefix = (known after apply)
      + path        = "/"
      + policy      = (known after apply)
      + policy_id   = (known after apply)
      + tags_all    = {
          + "Source" = "https://github.com/kunduso/amazon-elasticache-redis-tf"
        }
    }

  # aws_iam_policy.ssm_parameter_policy will be created
  + resource "aws_iam_policy" "ssm_parameter_policy" {
      + arn         = (known after apply)
      + description = "Policy to read the ElastiCache endpoint and port number stored in the SSM Parameter Store."
      + id          = (known after apply)
      + name        = "app-4-ssm-parameter-read-policy"
      + name_prefix = (known after apply)
      + path        = "/"
      + policy      = (known after apply)
      + policy_id   = (known after apply)
      + tags_all    = {
          + "Source" = "https://github.com/kunduso/amazon-elasticache-redis-tf"
        }
    }

  # aws_kms_alias.encryption_secret will be created
  + resource "aws_kms_alias" "encryption_secret" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + name           = "alias/elasticache-app-4-in-transit"
      + name_prefix    = (known after apply)
      + target_key_arn = (known after apply)
      + target_key_id  = (known after apply)
    }

  # aws_kms_alias.encrytion_secret will be destroyed
  # (because aws_kms_alias.encrytion_secret is not in configuration)
  - resource "aws_kms_alias" "encrytion_secret" {
      - arn            = "arn:aws:kms:us-east-2:743794601996:alias/elasticache-app-4-in-transit" -> null
      - id             = "alias/elasticache-app-4-in-transit" -> null
      - name           = "alias/elasticache-app-4-in-transit" -> null
      - target_key_arn = "arn:aws:kms:us-east-2:743794601996:key/81399b62-95e3-45e4-af9f-159145fe5260" -> null
      - target_key_id  = "81399b62-95e3-45e4-af9f-159145fe5260" -> null
    }

  # aws_kms_key.encryption_secret will be created
  + resource "aws_kms_key" "encryption_secret" {
      + arn                                = (known after apply)
      + bypass_policy_lockout_safety_check = false
      + customer_master_key_spec           = "SYMMETRIC_DEFAULT"
      + deletion_window_in_days            = 7
      + description                        = "Key to encrypt secret"
      + enable_key_rotation                = true
      + id                                 = (known after apply)
      + is_enabled                         = true
      + key_id                             = (known after apply)
      + key_usage                          = "ENCRYPT_DECRYPT"
      + multi_region                       = (known after apply)
      + policy                             = (known after apply)
      + tags_all                           = {
          + "Source" = "https://github.com/kunduso/amazon-elasticache-redis-tf"
        }
    }

  # aws_kms_key.encrytion_secret will be destroyed
  # (because aws_kms_key.encrytion_secret is not in configuration)
  - resource "aws_kms_key" "encrytion_secret" {
      - arn                                = "arn:aws:kms:us-east-2:743794601996:key/81399b62-95e3-45e4-af9f-159145fe5260" -> null
      - bypass_policy_lockout_safety_check = false -> null
      - customer_master_key_spec           = "SYMMETRIC_DEFAULT" -> null
      - deletion_window_in_days            = 7 -> null
      - description                        = "Key to encrypt secret" -> null
      - enable_key_rotation                = true -> null
      - id                                 = "81399b62-95e3-45e4-af9f-159145fe5260" -> null
      - is_enabled                         = true -> null
      - key_id                             = "81399b62-95e3-45e4-af9f-159145fe5260" -> null
      - key_usage                          = "ENCRYPT_DECRYPT" -> null
      - multi_region                       = false -> null
      - policy                             = jsonencode(
            {
              - Id        = "key-default-1"
              - Statement = [
                  - {
                      - Action    = "kms:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::743794601996:root"
                        }
                      - Resource  = "*"
                      - Sid       = "Enable IAM User Permissions"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - tags                               = {} -> null
      - tags_all                           = {
          - "Source" = "https://github.com/kunduso/amazon-elasticache-redis-tf"
        } -> null
    }

  # aws_secretsmanager_secret.elasticache_auth will be updated in-place
  ~ resource "aws_secretsmanager_secret" "elasticache_auth" {
        id                             = "arn:aws:secretsmanager:us-east-2:743794601996:secret:app-4-elasticache-auth-wx4d1f"
      ~ kms_key_id                     = "624af10a-9d39-4f81-ad00-09dd8d439885" -> (known after apply)
        name                           = "app-4-elasticache-auth"
        tags                           = {}
        # (4 unchanged attributes hidden)
    }

  # aws_security_group.elasticache will be updated in-place
  ~ resource "aws_security_group" "elasticache" {
      ~ egress                 = [
          + {
              + cidr_blocks      = [
                  + "0.0.0.0/0",
                ]
              + description      = "Enable access to the ElastiCache cluster."
              + from_port        = 0
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "-1"
              + security_groups  = []
              + self             = false
              + to_port          = 0
            },
        ]
        id                     = "sg-0ebe81ff83e813eb8"
      ~ ingress                = [
          - {
              - cidr_blocks      = [
                  - "10.20.32.0/25",
                ]
              - description      = "Enable communication to the Amazon ElastiCache for Redis cluster. "
              - from_port        = 6379
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "tcp"
              - security_groups  = []
              - self             = false
              - to_port          = 6379
            },
          + {
              + cidr_blocks      = [
                  + "10.20.32.0/25",
                ]
              + description      = "Enable access from an Amazon EC2 instance in the VPC"
              + from_port        = 6379
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = []
              + self             = false
              + to_port          = 6379
            },
        ]
        name                   = "app-4-elasticache-sg"
        tags                   = {}
        # (6 unchanged attributes hidden)
    }

  # aws_ssm_parameter.elasticache_ep will be created
  + resource "aws_ssm_parameter" "elasticache_ep" {
      + arn            = (known after apply)
      + data_type      = (known after apply)
      + id             = (known after apply)
      + insecure_value = (known after apply)
      + key_id         = "624af10a-9d39-4f81-ad00-09dd8d439885"
      + name           = "/elasticache/app-4/app-4-redis-cluster/endpoint"
      + tags_all       = {
          + "Source" = "https://github.com/kunduso/amazon-elasticache-redis-tf"
        }
      + tier           = (known after apply)
      + type           = "SecureString"
      + value          = (sensitive value)
      + version        = (known after apply)
    }

  # aws_ssm_parameter.elasticache_port will be created
  + resource "aws_ssm_parameter" "elasticache_port" {
      + arn            = (known after apply)
      + data_type      = (known after apply)
      + id             = (known after apply)
      + insecure_value = (known after apply)
      + key_id         = "624af10a-9d39-4f81-ad00-09dd8d439885"
      + name           = "/elasticache/app-4/app-4-redis-cluster/port"
      + tags_all       = {
          + "Source" = "https://github.com/kunduso/amazon-elasticache-redis-tf"
        }
      + tier           = (known after apply)
      + type           = "SecureString"
      + value          = (sensitive value)
      + version        = (known after apply)
    }

Plan: 7 to add, 2 to change, 2 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: TFplan.JSON

To perform exactly these actions, run the following command to apply:
    terraform apply "TFplan.JSON"

Pushed by: @kunduso, Action: pull_request

github-actions · 2023-11-18T14:20:51Z

Terraform Format and Style 🖌`success`

Terraform Initialization ⚙️`success`

Terraform Plan 📖`success`

Terraform Validation 🤖`success`

Show Plan


terraform
random_password.auth: Refreshing state... [id=none]
data.aws_availability_zones.available: Reading...
aws_kms_alias.encrytion_secret: Refreshing state... [id=alias/elasticache-app-4-in-transit]
aws_kms_key.encryption_rest: Refreshing state... [id=624af10a-9d39-4f81-ad00-09dd8d439885]
data.aws_caller_identity.current: Reading...
aws_kms_key.encrytion_secret: Refreshing state... [id=81399b62-95e3-45e4-af9f-159145fe5260]
aws_vpc.this: Refreshing state... [id=vpc-01de06becdba1d3e3]
aws_secretsmanager_secret.elasticache_auth: Refreshing state... [id=arn:aws:secretsmanager:us-east-2:743794601996:secret:app-4-elasticache-auth-wx4d1f]
data.aws_caller_identity.current: Read complete after 0s [id=743794601996]
data.aws_availability_zones.available: Read complete after 0s [id=us-east-2]
aws_secretsmanager_secret_version.auth: Refreshing state... [id=arn:aws:secretsmanager:us-east-2:743794601996:secret:app-4-elasticache-auth-wx4d1f|84D33659-CAB0-42CE-8BDF-263E487A161A]
aws_kms_key_policy.encryption_rest_policy: Refreshing state... [id=624af10a-9d39-4f81-ad00-09dd8d439885]
aws_kms_alias.encryption_rest: Refreshing state... [id=alias/elasticache-app-4-at-rest]
aws_cloudwatch_log_group.slow_log: Refreshing state... [id=/elasticache/app-4-redis-cluster/slow-log]
aws_cloudwatch_log_group.engine_log: Refreshing state... [id=/elasticache/app-4-redis-cluster/engine-log]
aws_route_table.public: Refreshing state... [id=rtb-0a9a56bbaa9f1abf8]
aws_default_security_group.default: Refreshing state... [id=sg-00c03a331f28bdf4b]
aws_subnet.private[2]: Refreshing state... [id=subnet-0de88a416123a72f0]
aws_subnet.private[0]: Refreshing state... [id=subnet-084342d3ba201bfe9]
aws_subnet.private[1]: Refreshing state... [id=subnet-0759d81f1c345a0dd]
aws_route_table.private[2]: Refreshing state... [id=rtb-06b80b26b777a5f0a]
aws_route_table.private[1]: Refreshing state... [id=rtb-0c66cf1b03f5a174e]
aws_subnet.public[0]: Refreshing state... [id=subnet-0c3049a8821bcc98c]
aws_security_group.elasticache: Refreshing state... [id=sg-0ebe81ff83e813eb8]
aws_route_table.private[0]: Refreshing state... [id=rtb-05fb632dd9719cf47]
aws_route_table_association.public[0]: Refreshing state... [id=rtbassoc-0e68440089e90f44b]
aws_elasticache_subnet_group.elasticache_subnet: Refreshing state... [id=app-4-cache-subnet]
aws_route_table_association.private[2]: Refreshing state... [id=rtbassoc-0e8da7db97d33f32a]
aws_route_table_association.private[0]: Refreshing state... [id=rtbassoc-05a15917877c2e011]
aws_route_table_association.private[1]: Refreshing state... [id=rtbassoc-0e696b9622482b55e]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy

Terraform will perform the following actions:

  # aws_elasticache_replication_group.app4 will be created
  + resource "aws_elasticache_replication_group" "app4" {
      + apply_immediately              = true
      + arn                            = (known after apply)
      + at_rest_encryption_enabled     = true
      + auth_token                     = (sensitive value)
      + auto_minor_version_upgrade     = (known after apply)
      + automatic_failover_enabled     = true
      + cluster_enabled                = (known after apply)
      + configuration_endpoint_address = (known after apply)
      + data_tiering_enabled           = (known after apply)
      + description                    = "ElastiCache cluster for app4"
      + engine                         = "redis"
      + engine_version                 = (known after apply)
      + engine_version_actual          = (known after apply)
      + global_replication_group_id    = (known after apply)
      + id                             = (known after apply)
      + kms_key_id                     = "624af10a-9d39-4f81-ad00-09dd8d439885"
      + maintenance_window             = (known after apply)
      + member_clusters                = (known after apply)
      + multi_az_enabled               = true
      + node_type                      = "cache.t2.small"
      + num_cache_clusters             = (known after apply)
      + num_node_groups                = 3
      + parameter_group_name           = "default.redis7.cluster.on"
      + port                           = 6379
      + primary_endpoint_address       = (known after apply)
      + reader_endpoint_address        = (known after apply)
      + replicas_per_node_group        = 2
      + replication_group_id           = "app-4-redis-cluster"
      + security_group_ids             = [
          + "sg-0ebe81ff83e813eb8",
        ]
      + security_group_names           = (known after apply)
      + snapshot_window                = (known after apply)
      + subnet_group_name              = "app-4-cache-subnet"
      + tags_all                       = {
          + "Source" = "https://github.com/kunduso/amazon-elasticache-redis-tf"
        }
      + transit_encryption_enabled     = true

      + log_delivery_configuration {
          + destination      = "/elasticache/app-4-redis-cluster/engine-log"
          + destination_type = "cloudwatch-logs"
          + log_format       = "json"
          + log_type         = "engine-log"
        }
      + log_delivery_configuration {
          + destination      = "/elasticache/app-4-redis-cluster/slow-log"
          + destination_type = "cloudwatch-logs"
          + log_format       = "json"
          + log_type         = "slow-log"
        }
    }

  # aws_iam_policy.secret_manager_policy will be created
  + resource "aws_iam_policy" "secret_manager_policy" {
      + arn         = (known after apply)
      + description = "Policy to read the ElastiCache AUTH Token stored in AWS Secrets Manager secret."
      + id          = (known after apply)
      + name        = "app-4-secret-read-policy"
      + name_prefix = (known after apply)
      + path        = "/"
      + policy      = (known after apply)
      + policy_id   = (known after apply)
      + tags_all    = {
          + "Source" = "https://github.com/kunduso/amazon-elasticache-redis-tf"
        }
    }

  # aws_iam_policy.ssm_parameter_policy will be created
  + resource "aws_iam_policy" "ssm_parameter_policy" {
      + arn         = (known after apply)
      + description = "Policy to read the ElastiCache endpoint and port number stored in the SSM Parameter Store."
      + id          = (known after apply)
      + name        = "app-4-ssm-parameter-read-policy"
      + name_prefix = (known after apply)
      + path        = "/"
      + policy      = (known after apply)
      + policy_id   = (known after apply)
      + tags_all    = {
          + "Source" = "https://github.com/kunduso/amazon-elasticache-redis-tf"
        }
    }

  # aws_kms_alias.encryption_secret will be created
  + resource "aws_kms_alias" "encryption_secret" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + name           = "alias/elasticache-app-4-in-transit"
      + name_prefix    = (known after apply)
      + target_key_arn = (known after apply)
      + target_key_id  = (known after apply)
    }

  # aws_kms_alias.encrytion_secret will be destroyed
  # (because aws_kms_alias.encrytion_secret is not in configuration)
  - resource "aws_kms_alias" "encrytion_secret" {
      - arn            = "arn:aws:kms:us-east-2:743794601996:alias/elasticache-app-4-in-transit" -> null
      - id             = "alias/elasticache-app-4-in-transit" -> null
      - name           = "alias/elasticache-app-4-in-transit" -> null
      - target_key_arn = "arn:aws:kms:us-east-2:743794601996:key/81399b62-95e3-45e4-af9f-159145fe5260" -> null
      - target_key_id  = "81399b62-95e3-45e4-af9f-159145fe5260" -> null
    }

  # aws_kms_key.encryption_secret will be created
  + resource "aws_kms_key" "encryption_secret" {
      + arn                                = (known after apply)
      + bypass_policy_lockout_safety_check = false
      + customer_master_key_spec           = "SYMMETRIC_DEFAULT"
      + deletion_window_in_days            = 7
      + description                        = "Key to encrypt secret"
      + enable_key_rotation                = true
      + id                                 = (known after apply)
      + is_enabled                         = true
      + key_id                             = (known after apply)
      + key_usage                          = "ENCRYPT_DECRYPT"
      + multi_region                       = (known after apply)
      + policy                             = (known after apply)
      + tags_all                           = {
          + "Source" = "https://github.com/kunduso/amazon-elasticache-redis-tf"
        }
    }

  # aws_kms_key.encrytion_secret will be destroyed
  # (because aws_kms_key.encrytion_secret is not in configuration)
  - resource "aws_kms_key" "encrytion_secret" {
      - arn                                = "arn:aws:kms:us-east-2:743794601996:key/81399b62-95e3-45e4-af9f-159145fe5260" -> null
      - bypass_policy_lockout_safety_check = false -> null
      - customer_master_key_spec           = "SYMMETRIC_DEFAULT" -> null
      - deletion_window_in_days            = 7 -> null
      - description                        = "Key to encrypt secret" -> null
      - enable_key_rotation                = true -> null
      - id                                 = "81399b62-95e3-45e4-af9f-159145fe5260" -> null
      - is_enabled                         = true -> null
      - key_id                             = "81399b62-95e3-45e4-af9f-159145fe5260" -> null
      - key_usage                          = "ENCRYPT_DECRYPT" -> null
      - multi_region                       = false -> null
      - policy                             = jsonencode(
            {
              - Id        = "key-default-1"
              - Statement = [
                  - {
                      - Action    = "kms:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::743794601996:root"
                        }
                      - Resource  = "*"
                      - Sid       = "Enable IAM User Permissions"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - tags                               = {} -> null
      - tags_all                           = {
          - "Source" = "https://github.com/kunduso/amazon-elasticache-redis-tf"
        } -> null
    }

  # aws_secretsmanager_secret.elasticache_auth will be updated in-place
  ~ resource "aws_secretsmanager_secret" "elasticache_auth" {
        id                             = "arn:aws:secretsmanager:us-east-2:743794601996:secret:app-4-elasticache-auth-wx4d1f"
      ~ kms_key_id                     = "624af10a-9d39-4f81-ad00-09dd8d439885" -> (known after apply)
        name                           = "app-4-elasticache-auth"
        tags                           = {}
        # (4 unchanged attributes hidden)
    }

  # aws_security_group.elasticache will be updated in-place
  ~ resource "aws_security_group" "elasticache" {
      ~ egress                 = [
          + {
              + cidr_blocks      = [
                  + "0.0.0.0/0",
                ]
              + description      = "Enable access to the ElastiCache cluster."
              + from_port        = 0
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "-1"
              + security_groups  = []
              + self             = false
              + to_port          = 0
            },
        ]
        id                     = "sg-0ebe81ff83e813eb8"
      ~ ingress                = [
          - {
              - cidr_blocks      = [
                  - "10.20.32.0/25",
                ]
              - description      = "Enable communication to the Amazon ElastiCache for Redis cluster. "
              - from_port        = 6379
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "tcp"
              - security_groups  = []
              - self             = false
              - to_port          = 6379
            },
          + {
              + cidr_blocks      = [
                  + "10.20.32.0/25",
                ]
              + description      = "Enable access from an Amazon EC2 instance in the VPC"
              + from_port        = 6379
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = []
              + self             = false
              + to_port          = 6379
            },
        ]
        name                   = "app-4-elasticache-sg"
        tags                   = {}
        # (6 unchanged attributes hidden)
    }

  # aws_ssm_parameter.elasticache_ep will be created
  + resource "aws_ssm_parameter" "elasticache_ep" {
      + arn            = (known after apply)
      + data_type      = (known after apply)
      + id             = (known after apply)
      + insecure_value = (known after apply)
      + key_id         = "624af10a-9d39-4f81-ad00-09dd8d439885"
      + name           = "/elasticache/app-4/app-4-redis-cluster/endpoint"
      + tags_all       = {
          + "Source" = "https://github.com/kunduso/amazon-elasticache-redis-tf"
        }
      + tier           = (known after apply)
      + type           = "SecureString"
      + value          = (sensitive value)
      + version        = (known after apply)
    }

  # aws_ssm_parameter.elasticache_port will be created
  + resource "aws_ssm_parameter" "elasticache_port" {
      + arn            = (known after apply)
      + data_type      = (known after apply)
      + id             = (known after apply)
      + insecure_value = (known after apply)
      + key_id         = "624af10a-9d39-4f81-ad00-09dd8d439885"
      + name           = "/elasticache/app-4/app-4-redis-cluster/port"
      + tags_all       = {
          + "Source" = "https://github.com/kunduso/amazon-elasticache-redis-tf"
        }
      + tier           = (known after apply)
      + type           = "SecureString"
      + value          = (sensitive value)
      + version        = (known after apply)
    }

Plan: 7 to add, 2 to change, 2 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: TFplan.JSON

To perform exactly these actions, run the following command to apply:
    terraform apply "TFplan.JSON"

Pushed by: @kunduso, Action: pull_request

kunduso added 8 commits November 18, 2023 07:49

corrected kms key resource name and moved to separate file

37413c7

corrected kms key name

bd9a359

aded data block for resource naming

564180b

corrected kms key name

cf1146a

corrected ksm key id

ac43b0c

format

157f310

corrected key name

697cf06

updated key to encrypt secret

5cd2123

kunduso self-assigned this Nov 18, 2023

github-advanced-security bot found potential problems Nov 18, 2023

View reviewed changes

kunduso temporarily deployed to production November 18, 2023 14:11 — with GitHub Actions Inactive

enabled encryption

8117741

kunduso temporarily deployed to production November 18, 2023 14:17 — with GitHub Actions Inactive

kunduso had a problem deploying to production November 18, 2023 14:17 — with GitHub Actions Failure

fmt

94c792a

kunduso temporarily deployed to production November 18, 2023 14:18 — with GitHub Actions Inactive

update reason for checkov scan

254fc34

kunduso temporarily deployed to production November 18, 2023 14:20 — with GitHub Actions Inactive

kunduso merged commit 1e5b4fc into main Nov 18, 2023
5 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Corrected AWS KMS Key policy to attach the AWS CloudWatch log group #33

Corrected AWS KMS Key policy to attach the AWS CloudWatch log group #33

kunduso commented Nov 18, 2023

github-actions bot commented Nov 18, 2023 •

edited

Loading

github-actions bot commented Nov 18, 2023

github-actions bot commented Nov 18, 2023

github-actions bot commented Nov 18, 2023

Corrected AWS KMS Key policy to attach the AWS CloudWatch log group #33

Corrected AWS KMS Key policy to attach the AWS CloudWatch log group #33

Conversation

kunduso commented Nov 18, 2023

github-actions bot commented Nov 18, 2023 • edited Loading

Infracost report

💰 Monthly cost will increase by $223 📈

github-actions bot commented Nov 18, 2023

Terraform Format and Style 🖌success

Terraform Initialization ⚙️success

Terraform Plan 📖success

Terraform Validation 🤖success

github-actions bot commented Nov 18, 2023

Terraform Format and Style 🖌success

Terraform Initialization ⚙️success

Terraform Plan 📖success

Terraform Validation 🤖success

github-actions bot commented Nov 18, 2023

Terraform Format and Style 🖌success

Terraform Initialization ⚙️success

Terraform Plan 📖success

Terraform Validation 🤖success

github-actions bot commented Nov 18, 2023 •

edited

Loading

Terraform Format and Style 🖌`success`

Terraform Initialization ⚙️`success`

Terraform Plan 📖`success`

Terraform Validation 🤖`success`

Terraform Format and Style 🖌`success`

Terraform Initialization ⚙️`success`

Terraform Plan 📖`success`

Terraform Validation 🤖`success`

Terraform Format and Style 🖌`success`

Terraform Initialization ⚙️`success`

Terraform Plan 📖`success`

Terraform Validation 🤖`success`