add support for cross-acct state mgmt (#3)

Author: cdaniluk

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 Rhythmic Technologies, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -3,7 +3,9 @@
 [![](https://github.com/rhythmictech/terraform-aws-backend/workflows/check/badge.svg)](https://github.com/rhythmictech/terraform-aws-backend/actions)
 
 Creates a backend S3 bucket and DynamoDB table for managing Terraform state. Useful for bootstrapping a new
-environment.
+environment. This module supports cross-account state management, using a centralized account that holds the S3 bucket and KMS key.
+
+_Note: A centralized DynamoDB locking table is not supported because terraform cannot assume more than one IAM role per execution._
 
 ## Usage
 ```
@@ -16,14 +18,60 @@ module "backend" {
 
 ```
 
+## Cross Account State Management
+Managing state across accounts requires additional configuration to ensure that the S3 bucket is appropriately accessible and the KMS key is usable.
+
+The following module declaration will create an S3 bucket and KMS key that are accessible to the root account (and users with the AdministratorAccess managed role) in the target account:
+
+```yaml
+module "backend" {
+  source    = "git::ssh://git@github.com/rhythmictech/terraform-aws-backend"
+  allowed_account_ids = ["123456789012"]
+  bucket              = "012345678901-us-east-1-tfstate"
+  region              = "us-east-1"
+}
+```
+
+In the target account, use this declaration to import the module:
+
+```yaml
+module "backend" {
+  source    = "git::ssh://git@github.com/rhythmictech/terraform-aws-backend"
+  kms_key_id               = "arn:aws:kms:us-east-1:012345678901:key/59381274-af42-8521-04af-ab0acfe3d521"
+  region                   = "us-east-1"
+  remote_bucket            = "012345678901-us-east-1-tfstate"
+}
+```
+
+The module will automatically write to the source account S3 bucket using the KMS key with cross-account access.
+
+Access to the source S3 bucket is done based on a prefix that matches the AWS Account ID. Therefore, target accounts must use a `workspace_key_prefix` that matches the account ID, such as in the following sample backend-config values:
+
+```
+bucket               = "012345678901-us-east-1-tf-state"
+key                  = "project.tfstate"
+workspace_key_prefix = "123456789012"
+region               = "us-east-1"
+```
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| bucket | Name of bucket to create | string | n/a | yes |
+| allowed\_account\_ids | Account IDs that are allowed to access the bucket/KMS key | list(string) | `[]` | no |
+| bucket | Name of bucket to create \(do not provide if using `remote\_bucket`\) | string | `""` | no |
+| kms\_key\_id | ARN for KMS key for all encryption operations. | string | `""` | no |
 | region | Region bucket will be created in | string | n/a | yes |
-| table | Name of Dynamo Table to create | string | n/a | yes |
+| remote\_bucket | If specified, the remote bucket will be used for the backend. A new bucket will not be created | string | `""` | no |
+| table | Name of Dynamo Table to create | string | `"tf-locktable"` | no |
 | tags | Mapping of any extra tags you want added to resources | map(string) | `{}` | no |
 
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| kms\_key\_arn | ARN of KMS Key for S3 bucket |
+| s3\_bucket\_backend | S3 bucket |
+
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

kms.tf

@@ -0,0 +1,55 @@
+data "aws_iam_policy_document" "key" {
+
+  statement {
+    effect    = "Allow"
+    actions   = ["kms:*"]
+    resources = ["*"]
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${local.account_id}:root"]
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.allowed_account_ids
+
+    content {
+
+      actions = [
+        "kms:Encrypt*",
+        "kms:Decrypt*",
+        "kms:ReEncrypt*",
+        "kms:GenerateDataKey*",
+        "kms:DescribeKey",
+      ]
+      effect    = "Allow"
+      resources = ["*"]
+      principals {
+        type        = "AWS"
+        identifiers = ["arn:aws:iam::${statement.value}:root"]
+      }
+    }
+  }
+
+}
+
+
+resource "aws_kms_key" "this" {
+  count                   = var.kms_key_id == "" ? 1 : 0
+  deletion_window_in_days = 7
+  description             = "Terraform State KMS key"
+  enable_key_rotation     = true
+  policy                  = data.aws_iam_policy_document.key.json
+  tags = merge(
+    {
+      "Name" = "tf-backend-key"
+    },
+    var.tags
+  )
+}
+
+resource "aws_kms_alias" "this" {
+  count         = var.kms_key_id == "" ? 1 : 0
+  name          = "alias/tf_backend_config"
+  target_key_id = aws_kms_key.this[0].id
+}

main.tf

@@ -1,10 +1,24 @@
 data "aws_caller_identity" "current" {
 }
 
-resource "aws_s3_bucket" "config_bucket" {
+locals {
+  account_id = data.aws_caller_identity.current.account_id
+
+  # Account IDs that will have access to stream CloudTrail logs
+  account_ids = concat([local.account_id], var.allowed_account_ids)
+
+  # Format account IDs into necessary resource lists.
+  iam_account_principals = formatlist("arn:aws:iam::%s:root", local.account_ids)
+
+  # Resolve resource names
+  bucket     = var.remote_bucket == "" ? aws_s3_bucket.this[0].id : var.remote_bucket
+  kms_key_id = var.kms_key_id == "" ? aws_kms_key.this[0].arn : var.kms_key_id
+}
+
+resource "aws_s3_bucket" "this" {
+  count  = var.remote_bucket == "" ? 1 : 0
   bucket = var.bucket
   acl    = "log-delivery-write"
-
   tags = merge(
     var.tags,
     {
@@ -28,7 +42,8 @@ resource "aws_s3_bucket" "config_bucket" {
   server_side_encryption_configuration {
     rule {
       apply_server_side_encryption_by_default {
-        sse_algorithm = "aws:kms"
+        sse_algorithm     = "aws:kms"
+        kms_master_key_id = local.kms_key_id
       }
     }
   }
@@ -39,15 +54,16 @@ resource "aws_s3_bucket" "config_bucket" {
   }
 }
 
-resource "aws_s3_bucket_public_access_block" "block_public_access" {
-  bucket                  = aws_s3_bucket.config_bucket.id
+resource "aws_s3_bucket_public_access_block" "this" {
+  count                   = var.remote_bucket == "" ? 1 : 0
+  bucket                  = aws_s3_bucket.this[0].id
   block_public_acls       = true
   block_public_policy     = true
   ignore_public_acls      = true
   restrict_public_buckets = true
 }
 
-resource "aws_dynamodb_table" "terraform_statelock" {
+resource "aws_dynamodb_table" "this" {
   name         = var.table
   billing_mode = "PAY_PER_REQUEST"
   hash_key     = "LockID"
@@ -64,3 +80,49 @@ resource "aws_dynamodb_table" "terraform_statelock" {
     },
   )
 }
+
+
+data "aws_iam_policy_document" "this" {
+
+
+  statement {
+    actions = [
+      "s3:ListBucket"
+    ]
+    effect = "Allow"
+    resources = [
+      "arn:aws:s3:::${local.bucket}"
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = local.iam_account_principals
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.allowed_account_ids
+
+    content {
+
+      actions = [
+        "s3:GetObject",
+        "s3:PutObject",
+        "s3:DeleteObject"
+      ]
+      effect    = "Allow"
+      resources = ["arn:aws:s3:::${local.bucket}/${statement.value}/*"]
+
+      principals {
+        type        = "AWS"
+        identifiers = ["arn:aws:iam::${statement.value}:root"]
+      }
+    }
+  }
+}
+
+resource "aws_s3_bucket_policy" "this" {
+  count  = var.remote_bucket == "" ? 1 : 0
+  bucket = aws_s3_bucket.this[0].id
+  policy = data.aws_iam_policy_document.this.json
+}

outputs.tf

@@ -0,0 +1,9 @@
+output "s3_bucket_backend" {
+  description = "S3 bucket"
+  value       = var.remote_bucket == "" ? aws_s3_bucket.this[0].bucket : var.remote_bucket
+}
+
+output "kms_key_arn" {
+  description = "ARN of KMS Key for S3 bucket"
+  value       = var.kms_key_id == "" ? aws_kms_key.this[0].arn : var.kms_key_id
+}

variables.tf

@@ -1,5 +1,18 @@
+variable "allowed_account_ids" {
+  default     = []
+  description = "Account IDs that are allowed to access the bucket/KMS key"
+  type        = list(string)
+}
+
 variable "bucket" {
-  description = "Name of bucket to create"
+  default     = ""
+  description = "Name of bucket to create (do not provide if using `remote_bucket`)"
+  type        = string
+}
+
+variable "kms_key_id" {
+  default     = ""
+  description = "ARN for KMS key for all encryption operations."
   type        = string
 }
 
@@ -8,7 +21,14 @@ variable "region" {
   type        = string
 }
 
+variable "remote_bucket" {
+  default     = ""
+  description = "If specified, the remote bucket will be used for the backend. A new bucket will not be created"
+  type        = string
+}
+
 variable "table" {
+  default     = "tf-locktable"
   description = "Name of Dynamo Table to create"
   type        = string
 }