
Merge pull request #46 from g-linville/kms-key
Create KMS Key service acorn
g-linville authored Sep 18, 2023
2 parents 1739505 + 1223172 commit 1dbd0a4
Showing 13 changed files with 731 additions and 1 deletion.
2 changes: 1 addition & 1 deletion iam/role/role.go
Expand Up @@ -102,7 +102,7 @@ func main() {
}
stackProps.setDefaults()
if err := stackProps.validateProps(); err != nil {
logrus.Fatalf("invalid stack properties: %w", err)
logrus.Fatalf("invalid stack properties: %v", err)
}

common.AppendScopedTags(app, stackProps.Tags)
21 changes: 21 additions & 0 deletions kms/key/.dockerignore
@@ -0,0 +1,21 @@
# Binaries for programs and plugins
*.exe
*.exe~
*.dll
*.so
*.dylib

# Test binary, built with `go test -c`
*.test

# Output of the go coverage tool, specifically when used with LiteIDE
*.out

# go.sum should be committed
!go.sum

# CDK asset staging directory
.cdk.staging
cdk.out

.git
19 changes: 19 additions & 0 deletions kms/key/.gitignore
@@ -0,0 +1,19 @@
# Binaries for programs and plugins
*.exe
*.exe~
*.dll
*.so
*.dylib

# Test binary, built with `go test -c`
*.test

# Output of the go coverage tool, specifically when used with LiteIDE
*.out

# go.sum should be committed
!go.sum

# CDK asset staging directory
.cdk.staging
cdk.out
144 changes: 144 additions & 0 deletions kms/key/Acornfile
@@ -0,0 +1,144 @@
name: "AWS KMS Key"
description: "AWS Key Management Service (KMS) Key"
info: localData.info
readme: "./README.md"

args: {
// Name of the Key to create. The default is auto-generated.
keyName: ""
// The ARN of the principal that will be allowed to manage the key as an admin. Optional. You can specify AWS accounts, IAM users, Federated SAML users, IAM roles, and specific assumed-role sessions.
adminArn: ""
// Extra tags to place on the created Key. Optional.
tags: {}
// Alias for the Key. Optional.
keyAlias: ""
// Description for the Key. Optional.
description: "Acorn created KMS Key"
// Whether to enable the Key to be used. Default true.
enabled: true
// Whether to enable automatic rotation of the Key. Default false.
enableKeyRotation: false
// Type of Key to create. Options are "SYMMETRIC_DEFAULT", "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "HMAC_224", "HMAC_256", "HMAC_384", and "HMAC_512". Default is "SYMMETRIC_DEFAULT".
keySpec: "SYMMETRIC_DEFAULT"
// The usage for the Key. Options are "ENCRYPT_DECRYPT", "SIGN_VERIFY", and "GENERATE_VERIFY_HMAC". Each keySpec is only compatible with certain keyUsages - see README for more info. Default is "ENCRYPT_DECRYPT".
keyUsage: "ENCRYPT_DECRYPT"
// The time (in days) that must pass after key deletion is requested before the key is deleted. Default is 7. Minimum is 7. Maximum is 30.
pendingWindowDays: 7
// AWS IAM policy to attach to the Key. Optional.
keyPolicy: {}
}

services: key: {
name: "AWS KMS Key"
generated: job: "apply"
consumer: permissions: rules: [{
apiGroups: ["aws.acorn.io"]
verbs: [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey",
"kms:GenerateDataKeyPair",
"kms:GenerateDataKeyPairWithoutPlaintext",
"kms:GenerateMac",
"kms:GenerateRandom",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:GetPublicKey",
"kms:ListAliases",
"kms:ListGrants",
"kms:ListKeyPolicies",
"kms:ListResourceTags",
"kms:ListRetirableGrants",
"kms:ReEncryptFrom",
"kms:ReEncryptTo",
"kms:Sign",
"kms:Verify",
"kms:VerifyMac",
]
resources: ["*"]
}]
}

jobs: apply: {
build: {
context: "."
additionalContexts: {
common: "../../libs"
}
}
files: "/app/config.json": std.toJSON(args)
env: {
CDK_DEFAULT_ACCOUNT: "@{secrets.aws-context.account-id}"
CDK_DEFAULT_REGION: "@{secrets.aws-context.aws-region}"
VPC_ID: "@{secrets.aws-context.vpc-id}"
ACORN_ACCOUNT: "@{acorn.account}"
ACORN_NAME: "@{acorn.name}"
ACORN_PROJECT: "@{acorn.project}"
ACORN_EXTERNAL_ID: "@{acorn.externalId}"
}
events: ["create", "update", "delete"]
permissions: rules: [{
apiGroup: "aws.acorn.io"
verbs: [
"cloudformation:DescribeStacks",
"cloudformation:CreateChangeSet",
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStackResources",
"cloudformation:ExecuteChangeSet",
"cloudformation:PreviewStackUpdate",
"cloudformation:UpdateStack",
"cloudformation:GetTemplateSummary",
"cloudformation:DeleteStack",
"kms:*",
]
resources: ["*"]
}, {
apiGroup: "aws.acorn.io"
verbs: [
"ec2:DescribeAvailabilityZones",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeRouteTables",
]
resources: ["*"]
}, {
apiGroup: "api.acorn.io"
verbs: [
"create",
]
resources: ["events"]
}]
}

secrets: "aws-context": {
name: "AWS Context"
external: "context://aws"
type: "opaque"
data: {
"account-id": ""
"vpc-id": ""
"aws-region": ""
}
}

localData: info: """
Key ARN: @{services.key.data.arn}
Key Alias: \(args.keyAlias)
Key Description: \(args.description)
Key Spec: \(args.keySpec)
Key Usage: \(args.keyUsage)

Example usage:

```typescript
services: kmskey: external: "@{acorn.name}"

containers: app: {
build: context: "./"
consumes: ["kmskey"]
env: KEY_ARN: "@{@{service.}kmskey.data.arn}"
}
```
"""
21 changes: 21 additions & 0 deletions kms/key/Dockerfile
@@ -0,0 +1,21 @@
FROM cgr.dev/chainguard/go as build

WORKDIR /src/kms/key
COPY --from=common . ../../libs
COPY . .

RUN --mount=type=cache,target=/root/go/pkg \
--mount=type=cache,target=/root/.cache/go-build \
go build -o key .

FROM ghcr.io/acorn-io/aws/utils/cdk-runner:v0.6.0 as cdk-runner
FROM cgr.dev/chainguard/wolfi-base
RUN apk add -U --no-cache nodejs bash busybox jq && \
apk del --no-cache wolfi-base apk-tools
RUN npm install -g aws-cdk
WORKDIR /app
COPY ./cdk.json ./
COPY ./scripts ./scripts
COPY --from=cdk-runner /cdk-runner .
COPY --from=build /src/kms/key/key .
CMD [ "/app/cdk-runner" ]
100 changes: 100 additions & 0 deletions kms/key/README.md
@@ -0,0 +1,100 @@
# KMS Key Service Acorn

This Service Acorn creates a CloudFormation stack containing the given KMS Key.

## Limitations

Currently, this Service Acorn only supports adding a single ARN as an admin for the key.

## Usage

### Running the Acorn

```
acorn run ghcr.io/acorn-io/aws/kms/key:v0.1.0 \
--key-name="my-key" \
--key-alias="my-key" \
--admin-arn="<arn>" \
--description="Example key for encryption and decryption" \
--key-spec="RSA_4098" \
--key-usage="ENCRYPT_DECRYPT" \
--pending-window-days=10 \
--key-policy @policy.json
```

### Using the service in an Acornfile

```cue
services: key: {
image: "ghcr.io/acorn-io/aws/kms/key:v0.1.0"
serviceArgs: {
keyName: "my-key"
keyAlias: "my-key"
adminArn: "<arn>"
description: "Example key for encryption and decryption"
keySpec: "RSA_4098"
keyUsage: "ENCRYPT_DECRYPT"
pendingWindowDays: 10
tags: "my-tag": "my-tag-value"
// This is an example policy:
keyPolicy: {
Version: "2012-10-07"
Statement: [
{
Effect: "Allow"
Principal: AWS: "arn:aws:iam::<account ID>:root"
Action: "kms:*"
Resource: "*"
},
]
}
}
}
containers: mycontainer: {
image: "<image>"
consumes: ["key"]
env: KEY_ARN: "@{services.key.data.arn}"
}
```

### Arguments

| Name | Description | Required | Default |
|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|-------------------------|
| `--key-name` | The name of the key in the CloudFormation stack. | No | (generated) |
| `--key-alias` | The alias (friendly name) to give to the key. | No | (none) |
| `--admin-arn` | The ARN of a user to set as the administrator of the key. You can specify AWS accounts, IAM users, Federated SAML users, IAM roles, and specific assumed-role sessions. | No | (none) |
| `--description` | Description to attach to the key. | No | "Acorn created KMS Key" |
| `--key-spec` | The type of key to create. | Yes | `SYMMETRIC_DEFAULT` |
| `--key-usage` | The usage of the key. Each key spec only supports certain usages. See table below for details. | Yes | `ENCRYPT_DECRYPT` |
| `--pending-window-days` | The time (in days) that must pass after key deletion is requested before the key is deleted. Must be between 7 and 30 (inclusive) | Yes | 7 |
| `--key-policy` | The key policy to attach to the key. This must be in JSON format. | No | (created by AWS) |
| `--tags` | Tags to attach to the key. | No | (none) |

#### Key Specs and Usages

| Key Spec | Supported Key Usages |
|---------------------|----------------------------------|
| `SYMMETRIC_DEFAULT` | `ENCRYPT_DECRYPT` |
| `RSA_2048` | `ENCRYPT_DECRYPT`, `SIGN_VERIFY` |
| `RSA_3072` | `ENCRYPT_DECRYPT`, `SIGN_VERIFY` |
| `RSA_4096` | `ENCRYPT_DECRYPT`, `SIGN_VERIFY` |
| `ECC_NIST_P256` | `SIGN_VERIFY` |
| `ECC_NIST_P384` | `SIGN_VERIFY` |
| `ECC_NIST_P521` | `SIGN_VERIFY` |
| `ECC_SECG_P256K1` | `SIGN_VERIFY` |
| `HMAC_224` | `GENERATE_VERIFY_MAC` |
| `HMAC_256` | `GENERATE_VERIFY_MAC` |
| `HMAC_384` | `GENERATE_VERIFY_MAC` |
| `HMAC_512` | `GENERATE_VERIFY_MAC` |

Source: https://pkg.go.dev/github.com/aws/aws-cdk-go/awscdk/v2/[email protected]#KeySpec

### Outputs

| Name | Description |
|-------|-----------------------------|
| `arn` | The ARN of the created key. |
4 changes: 4 additions & 0 deletions kms/key/cdk.json
@@ -0,0 +1,4 @@
{
"app": "./key",
"versionReporting": false
}
30 changes: 30 additions & 0 deletions kms/key/go.mod
@@ -0,0 +1,30 @@
module github.com/acorn-io/aws/kms/key

go 1.21.1

require (
github.com/acorn-io/services/aws/libs/common v0.0.0
github.com/aws/aws-cdk-go/awscdk/v2 v2.96.0
github.com/aws/aws-sdk-go-v2 v1.21.0
github.com/aws/constructs-go/constructs/v10 v10.2.70
github.com/aws/jsii-runtime-go v1.88.0
github.com/sirupsen/logrus v1.9.3
golang.org/x/exp v0.0.0-20230905200255-921286631fa9
)

replace github.com/acorn-io/services/aws/libs/common v0.0.0 => ../../libs/common

require (
github.com/Masterminds/semver/v3 v3.2.1 // indirect
github.com/cdklabs/awscdk-asset-awscli-go/awscliv1/v2 v2.2.200 // indirect
github.com/cdklabs/awscdk-asset-kubectl-go/kubectlv20/v2 v2.1.2 // indirect
github.com/cdklabs/awscdk-asset-node-proxy-agent-go/nodeproxyagentv6/v2 v2.0.1 // indirect
github.com/fatih/color v1.15.0 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mattn/go-isatty v0.0.19 // indirect
github.com/yuin/goldmark v1.4.13 // indirect
golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
golang.org/x/mod v0.12.0 // indirect
golang.org/x/sys v0.12.0 // indirect
golang.org/x/tools v0.13.0 // indirect
)
