fix: Fixes KMS permissions for ECS task container

* fix: Adds kms:Decrypt to ECS task execution role if KMS key is being used

* fix: Fixes dependencies

Author: GiamPy5

README.md

@@ -122,6 +122,7 @@ Before using this module, ensure you have the following:
 | [aws_iam_group_membership.directus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_membership) | resource |
 | [aws_iam_group_policy.s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy) | resource |
 | [aws_iam_policy.cloudwatch_logs_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.kms_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.ecs_ebs_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.ecs_service_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.ecs_task_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
@@ -148,6 +149,7 @@ Before using this module, ensure you have the following:
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.cloudwatch_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.kms_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.kms_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [aws_s3_bucket.directus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |
@@ -168,6 +170,7 @@ Before using this module, ensure you have the following:
 | <a name="input_ecs_service_enable_execute_command"></a> [ecs\_service\_enable\_execute\_command](#input\_ecs\_service\_enable\_execute\_command) | Whether to enable ECS service execute command | `bool` | `false` | no |
 | <a name="input_enable_alb_access_logs"></a> [enable\_alb\_access\_logs](#input\_enable\_alb\_access\_logs) | Whether to enable access logs of the Load Balancer | `bool` | `false` | no |
 | <a name="input_enable_ecs_volume"></a> [enable\_ecs\_volume](#input\_enable\_ecs\_volume) | Whether to enable ECS volume | `bool` | `false` | no |
+| <a name="input_enable_kms_encryption"></a> [enable\_kms\_encryption](#input\_enable\_kms\_encryption) | Whether to enable KMS encryption | `bool` | `false` | no |
 | <a name="input_enable_s3_bucket_versioning"></a> [enable\_s3\_bucket\_versioning](#input\_enable\_s3\_bucket\_versioning) | Whether to enable S3 bucket versioning | `bool` | `true` | no |
 | <a name="input_enable_ses_emails_sending"></a> [enable\_ses\_emails\_sending](#input\_enable\_ses\_emails\_sending) | Whether to enable sending emails using SES | `bool` | `false` | no |
 | <a name="input_force_new_ecs_deployment_on_apply"></a> [force\_new\_ecs\_deployment\_on\_apply](#input\_force\_new\_ecs\_deployment\_on\_apply) | Whether to force a new deployment of the ECS service on apply | `bool` | `false` | no |
@@ -200,6 +203,7 @@ Before using this module, ensure you have the following:
 | <a name="output_load_balancer_dns_name"></a> [load\_balancer\_dns\_name](#output\_load\_balancer\_dns\_name) | The DNS name of the load balancer |
 | <a name="output_load_balancer_listener_arn"></a> [load\_balancer\_listener\_arn](#output\_load\_balancer\_listener\_arn) | The ARN of the load balancer listener |
 | <a name="output_load_balancer_target_group_arn"></a> [load\_balancer\_target\_group\_arn](#output\_load\_balancer\_target\_group\_arn) | The ARN of the load balancer target group |
+| <a name="output_public_url"></a> [public\_url](#output\_public\_url) | The public URL of the Directus service |
 | <a name="output_s3_bucket_arn"></a> [s3\_bucket\_arn](#output\_s3\_bucket\_arn) | The ARN of the S3 bucket |
 | <a name="output_s3_bucket_name"></a> [s3\_bucket\_name](#output\_s3\_bucket\_name) | The name of the S3 bucket |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/main.tf

@@ -74,7 +74,8 @@ module "directus" {
   create_s3_bucket = true # If you do not create an S3 bucket, you will need to provide an existing S3 bucket name
   s3_bucket_name   = "terraform-aws-directus-${local.region}"
 
-  kms_key_id = aws_kms_key.directus.id
+  enable_kms_encryption = true
+  kms_key_id            = aws_kms_key.directus.id
 
   image_tag = "10.12"
 

iam.tf

@@ -28,6 +28,28 @@ resource "aws_iam_role_policy_attachment" "ecs_ebs_role_policy" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSInfrastructureRolePolicyForVolumes"
 }
 
+data "aws_iam_policy_document" "kms_policy" {
+  count = var.enable_kms_encryption ? 1 : 0
+
+  statement {
+    sid = "KmsAccess"
+
+    actions = [
+      "kms:Decrypt"
+    ]
+
+    resources = [local.kms_key_arn]
+  }
+}
+
+resource "aws_iam_policy" "kms_policy" {
+  count = var.enable_kms_encryption ? 1 : 0
+
+  name   = "${var.application_name}-kms-policy"
+  path   = "/${var.application_name}/"
+  policy = data.aws_iam_policy_document.kms_policy[0].json
+}
+
 resource "aws_iam_role" "ecs_service_role" {
   name = "${var.application_name}-ecs-service-role"
 
@@ -116,7 +138,8 @@ resource "aws_iam_group_policy" "s3_policy" {
 }
 
 resource "aws_iam_user_policy" "kms_access" {
-  count  = var.kms_key_id != "" ? 1 : 0
+  count = var.enable_kms_encryption ? 1 : 0
+
   name   = "${var.application_name}-kms-policy"
   user   = aws_iam_user.directus.name
   policy = data.aws_iam_policy_document.kms_access_policy[0].json
@@ -141,7 +164,7 @@ data "aws_iam_policy_document" "s3_policy" {
 }
 
 data "aws_iam_policy_document" "kms_access_policy" {
-  count = var.kms_key_id != "" ? 1 : 0
+  count = var.enable_kms_encryption ? 1 : 0
   statement {
     sid = "KmsUsage"
 

main.tf

@@ -124,7 +124,7 @@ resource "aws_s3_bucket" "directus" {
 }
 
 resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
-  count  = var.create_s3_bucket && var.kms_key_id != "" ? 1 : 0
+  count  = var.create_s3_bucket && var.enable_kms_encryption ? 1 : 0
   bucket = aws_s3_bucket.directus[0].id
 
   rule {
@@ -230,9 +230,11 @@ module "ecs" {
 
   task_exec_iam_role_name = "${local.cluster_name}-task-exec-role"
   task_exec_iam_role_path = "/ecs/${local.cluster_name}/"
-  task_exec_iam_role_policies = {
+  task_exec_iam_role_policies = merge({
     "awslogs" : aws_iam_policy.cloudwatch_logs_policy.arn
-  }
+    }, var.enable_kms_encryption ? {
+    "kms" : aws_iam_policy.kms_policy[0].arn
+  } : {})
 
   task_exec_secret_arns = [
     aws_secretsmanager_secret.directus_secret.arn,

outputs.tf

@@ -22,3 +22,8 @@ output "load_balancer_listener_arn" {
   value       = aws_lb_listener.directus_lb_listener.arn
   description = "The ARN of the load balancer listener"
 }
+
+output "public_url" {
+  value       = local.public_url
+  description = "The public URL of the Directus service"
+}

variables.tf

@@ -68,6 +68,12 @@ variable "s3_bucket_versioning_configuration" {
   }
 }
 
+variable "enable_kms_encryption" {
+  description = "Whether to enable KMS encryption"
+  type        = bool
+  default     = false
+}
+
 variable "kms_key_id" {
   description = "The ID of the KMS key"
   type        = string