Add/generate kms keys files

CHANGELOG.md

@@ -6,6 +6,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## Unreleased
+### Added
+- Generate kms key information into config files from aws
 
 ## 0.9.0 - 2020-02-24
 ### Added

Makefile

@@ -19,7 +19,7 @@ lint:
 	   templates/cloudformation/*.yaml
 	shellcheck scripts/*.sh
 	for playbook in provisioners/ansible/playbooks/*.yaml; do \
-		ANSIBLE_LIBRARY=conf/ansible/library ansible-playbook -vvv $$playbook --syntax-check; \
+		ANSIBLE_LIBRARY=provisioners/ansible/library ansible-playbook -vvv $$playbook --syntax-check; \
 	done
 
 package: stage
@@ -50,5 +50,11 @@ create-aws-resources:
 delete-aws-resources:
 	scripts/run-playbook-stack.sh delete-aws-resources "${env_type}" "${stack_prefix}"
 
+################################################################################
+# Generate AWS KMS key ids.
+################################################################################
+
+gen-kms-keys:
+	scripts/run-playbook-stack.sh gen-kms-keys "${env_type}" "${stack_prefix}"
 
 .PHONY: ci clean deps lint package create-aws-resources delete-aws-resources

conf/ansible/inventory/group_vars/defaults.yaml

@@ -15,3 +15,10 @@ aws:
       share_cmk_aws_account: 918473058104
       forward_proxy_cidr: 10.0.8.0/21
       jumphost_cidr: 10.0.8.0/21
+    kms:
+      alias:
+        EBSVolumeKMSKeyAlias: alias/aoc-EBSVolume-KMS
+        DynamoDBKMSKeyAlias: alias/aoc-DynamoDB-KMS
+        LambdaKMSKeyAlias: alias/aoc-Lambda-KMS
+        S3KMSKeyAlias: alias/aoc-S3-KMS
+        SNSKMSKeyAlias: alias/aoc-SNS-KMS

provisioners/ansible/library/create_kms_key_ids_config.py

@@ -0,0 +1,119 @@
+"""
+This module generates a YAML Packer AEM config file and a YAML AEM AWS Stack Builder config file which contains the KMS IDs for all components.
+The KMS IDs are based on AWS KMS Alias name searched from defaults vars.
+The YAML file is designed to be dropped directly in user configuration path.
+"""
+#!/usr/bin/python
+
+import sys, json, boto3, yaml, argparse
+from ansible.module_utils.basic import *
+
+def aws_get_kms_source_aliases(client):
+    StackResources = client.list_aliases(
+    )
+    aliases = StackResources['Aliases']
+    return aliases
+
+def get_kms_key_id(source_aliases, target_alias):
+    key_id = ''
+    for item in source_aliases:
+        if item['AliasName'] == target_alias:
+            key_id = item['TargetKeyId']
+    return key_id
+
+def aws_get_kms_key_arn(client, key_id):
+    response = client.describe_key(
+    KeyId = key_id
+    )
+    keyMetadata = response['KeyMetadata']
+    key_arn = keyMetadata['Arn']
+    return key_arn
+
+def get_kms_key_arn (client, target_alias):
+    if target_alias == "overwrite-me":
+        return "overwrite-me"
+    source_aliases = aws_get_kms_source_aliases(client)
+    key_id = get_kms_key_id(source_aliases, target_alias)
+    if key_id == '':
+        sys.stderr.write("No kms key id matched target alias: %s.\n" % target_alias)
+        raise SystemExit(1)
+    key_arn = str(aws_get_kms_key_arn(client, key_id))
+    return key_arn
+
+def build_packer_aem_file(ebs_key_arn, out_file_name):
+    out_file = open(out_file_name, 'w')
+    out_file.write('---\n')
+    out_file.write('# Generated by aem-helloworld-user-aws-resources\n')
+    out_file.write('# KMS keys for Packer AEM profile on aws platform\n')
+    yaml.dump({'aws': {
+                    'encryption': {
+                        'ebs_volume': {
+                            'kms_key_id': ebs_key_arn,
+                            }
+                        }
+                    }
+                }, out_file, default_flow_style=False)
+
+def build_stack_builder_aem_file(ebs_key_arn, dynamodb_key_arn, lambda_key_arn, s3_key_arn, sns_key_arn, out_file_name):
+    out_file = open(out_file_name, 'w')
+    out_file.write('---\n')
+    out_file.write('# Generated by aem-helloworld-user-aws-resources\n')
+    out_file.write('# KMS keys for Stack Builder AEM profile on aws platform\n')
+    yaml.dump({'aws': {
+                    'encryption': {
+                        'ebs_volume': {
+                            'kms_key_id': ebs_key_arn,
+                            },
+                        'dynamo_db': {
+                            'kms_key_id': dynamodb_key_arn,
+                            },
+                        'lambda': {
+                            'kms_key_id': lambda_key_arn,
+                            },
+                        's3': {
+                            'kms_key_id': s3_key_arn,
+                            },
+                        'sns': {
+                            'kms_key_id': sns_key_arn,
+                            },
+                        }
+                    }
+                }, out_file, default_flow_style=False)
+
+def main():
+    """
+    Run create_kms_key_ids_config module.
+    """
+
+    module = AnsibleModule(
+        argument_spec = dict(
+            region=dict(required=True, type='str'),
+            out_file_packer = dict(required = True, type = 'str'),
+            out_file_stack_builder = dict(required = True, type = 'str'),
+            ebs_key_alias = dict(required = True, type = 'str'),
+            dynamodb_key_alias = dict(required = True, type = 'str'),
+            lambda_key_alias = dict(required = True, type = 'str'),
+            s3_key_alias = dict(required = True, type = 'str'),
+            sns_key_alias = dict(required = True, type = 'str'),
+        )
+    )
+
+    client = boto3.client('kms', region_name=module.params['region'])
+    out_file_packer = module.params['out_file_packer']
+    out_file_stack_builder = module.params['out_file_stack_builder']
+    ebs_key_arn = get_kms_key_arn(client, module.params['ebs_key_alias'])
+    dynamodb_key_arn = get_kms_key_arn(client, module.params['dynamodb_key_alias'])
+    lambda_key_arn = get_kms_key_arn(client, module.params['lambda_key_alias'])
+    s3_key_arn =  get_kms_key_arn(client, module.params['s3_key_alias'])
+    sns_key_arn = get_kms_key_arn(client, module.params['sns_key_alias'])
+
+    # build packer kms yml file
+    build_packer_aem_file(ebs_key_arn, out_file_packer)
+
+    # build stack builder kms yml file
+    build_stack_builder_aem_file(ebs_key_arn, dynamodb_key_arn, lambda_key_arn, s3_key_arn, sns_key_arn, out_file_stack_builder)
+
+    module.exit_json(changed=True)
+
+if __name__ == '__main__':
+    main()

provisioners/ansible/playbooks/gen-kms-keys.yaml

@@ -0,0 +1,21 @@
+---
+- name: Create kms key ids configuration tasks
+  hosts: localhost
+  gather_facts: no
+  connection: local
+
+  tasks:
+
+    - name: Ensure stage directory exists
+      file: path=../../../stage/user-config/ state=directory
+
+    - name: Create Packer AEM and Stack Builder KMS Key IDs configuration file
+      create_kms_key_ids_config:
+        region: "{{ aws.region }}"
+        ebs_key_alias: "{{ aws.resources.kms.alias.EBSVolumeKMSKeyAlias }}"
+        dynamodb_key_alias: "{{ aws.resources.kms.alias.DynamoDBKMSKeyAlias }}"
+        lambda_key_alias: "{{ aws.resources.kms.alias.LambdaKMSKeyAlias }}"
+        s3_key_alias: "{{ aws.resources.kms.alias.S3KMSKeyAlias }}"
+        sns_key_alias: "{{ aws.resources.kms.alias.SNSKMSKeyAlias }}"
+        out_file_packer: "../../../stage/user-config/packer-kms-key-ids.yaml"
+        out_file_stack_builder: "../../../stage/user-config/stack-builder-kms-key-ids.yaml"