From 4c10ac3099d52d318c79da656f884ab4be05a195 Mon Sep 17 00:00:00 2001
From: ddl-rliu <140021987+ddl-rliu@users.noreply.github.com>
Date: Fri, 8 Mar 2024 13:49:03 -0800
Subject: [PATCH] [DOM-55148] Use SSE-KMS as default in Flyte S3 buckets

[DOM-55148] Use SSE-KMS as default in Flyte S3 buckets
---
 modules/flyte/README.md    |  3 +++
 modules/flyte/iam.tf       | 16 ++++++++++++++++
 modules/flyte/main.tf      |  3 ++-
 modules/flyte/s3.tf        | 13 ++++++++++---
 modules/flyte/variables.tf | 25 ++++++++++++++++++++++++-
 modules/flyte/versions.tf  |  2 +-
 modules/irsa/outputs.tf    |  1 -
 7 files changed, 56 insertions(+), 7 deletions(-)

diff --git a/modules/flyte/README.md b/modules/flyte/README.md
index a1e7d013..4b18ff49 100644
--- a/modules/flyte/README.md
+++ b/modules/flyte/README.md
@@ -35,6 +35,7 @@ No modules.
 | [aws_s3_bucket_policy.flyte_metadata](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.flye_metadata_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.flyte_data_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_caller_identity.aws_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.flyte_controlplane](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.flyte_data](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.flyte_dataplane](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -48,7 +49,9 @@ No modules.
 | <a name="input_compute_namespace"></a> [compute\_namespace](#input\_compute\_namespace) | Name of Domino compute namespace for this deploy | `string` | n/a | yes |
 | <a name="input_eks_info"></a> [eks\_info](#input\_eks\_info) | cluster = {<br>      specs {<br>        name            = Cluster name.<br>        account\_id      = AWS account id where the cluster resides.<br>      }<br>      oidc = {<br>        arn = OIDC provider ARN.<br>        url = OIDC provider url.<br>        cert = {<br>          thumbprint\_list = OIDC cert thumbprints.<br>          url             = OIDC cert URL.<br>      }<br>    } | <pre>object({<br>    cluster = object({<br>      specs = object({<br>        name       = string<br>        account_id = string<br>      })<br>      oidc = object({<br>        arn = string<br>        url = string<br>        cert = object({<br>          thumbprint_list = list(string)<br>          url             = string<br>        })<br>      })<br>    })<br>  })</pre> | n/a | yes |
 | <a name="input_force_destroy_on_deletion"></a> [force\_destroy\_on\_deletion](#input\_force\_destroy\_on\_deletion) | Whether to force destroy flyte s3 buckets on deletion | `bool` | `true` | no |
+| <a name="input_kms_info"></a> [kms\_info](#input\_kms\_info) | key\_id  = KMS key id.<br>    key\_arn = KMS key arn.<br>    enabled = KMS key is enabled | <pre>object({<br>    key_id  = string<br>    key_arn = string<br>    enabled = bool<br>  })</pre> | n/a | yes |
 | <a name="input_platform_namespace"></a> [platform\_namespace](#input\_platform\_namespace) | Name of Domino platform namespace for this deploy | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | AWS region for the deployment | `string` | n/a | yes |
 | <a name="input_serviceaccount_names"></a> [serviceaccount\_names](#input\_serviceaccount\_names) | Service account names for Flyte | <pre>object({<br>    datacatalog    = optional(string, "datacatalog")<br>    flyteadmin     = optional(string, "flyteadmin")<br>    flytepropeller = optional(string, "flytepropeller")<br>  })</pre> | `{}` | no |
 
 ## Outputs
diff --git a/modules/flyte/iam.tf b/modules/flyte/iam.tf
index 695de67b..c4b89ad0 100644
--- a/modules/flyte/iam.tf
+++ b/modules/flyte/iam.tf
@@ -36,6 +36,14 @@ data "aws_iam_policy_document" "flyte_controlplane" {
       "s3:ListBucket",
     ]
   }
+  statement {
+    effect    = "Allow"
+    resources = ["arn:${data.aws_partition.current.partition}:kms:${var.region}:${data.aws_caller_identity.aws_account.account_id}:key/*"]
+    actions = [
+      "kms:GenerateDataKey",
+      "kms:Decrypt",
+    ]
+  }
 }
 
 resource "aws_iam_policy" "flyte_controlplane" {
@@ -89,6 +97,14 @@ data "aws_iam_policy_document" "flyte_dataplane" {
       "s3:ListBucket"
     ]
   }
+  statement {
+    effect    = "Allow"
+    resources = ["arn:${data.aws_partition.current.partition}:kms:${var.region}:${data.aws_caller_identity.aws_account.account_id}:key/*"]
+    actions = [
+      "kms:GenerateDataKey",
+      "kms:Decrypt",
+    ]
+  }
 }
 
 resource "aws_iam_policy" "flyte_dataplane" {
diff --git a/modules/flyte/main.tf b/modules/flyte/main.tf
index 8c00e730..50dca0e1 100644
--- a/modules/flyte/main.tf
+++ b/modules/flyte/main.tf
@@ -1,7 +1,8 @@
 data "aws_partition" "current" {}
+data "aws_caller_identity" "aws_account" {}
 
 locals {
   deploy_id         = var.eks_info.cluster.specs.name
   oidc_provider_arn = var.eks_info.cluster.oidc.arn
   oidc_provider_url = var.eks_info.cluster.oidc.cert.url
-}
\ No newline at end of file
+}
diff --git a/modules/flyte/s3.tf b/modules/flyte/s3.tf
index c7e2a50a..efa6dd3a 100644
--- a/modules/flyte/s3.tf
+++ b/modules/flyte/s3.tf
@@ -1,3 +1,8 @@
+locals {
+  s3_server_side_encryption = var.kms_info.enabled ? "aws:kms" : "AES256"
+  kms_key_arn               = var.kms_info.enabled ? var.kms_info.key_arn : null
+}
+
 resource "aws_s3_bucket" "flyte_metadata" {
   bucket              = "${local.deploy_id}-flyte-metadata"
   force_destroy       = var.force_destroy_on_deletion
@@ -37,7 +42,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "flye_metadata_enc
   bucket = aws_s3_bucket.flyte_metadata.bucket
   rule {
     apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
+      sse_algorithm     = local.s3_server_side_encryption
+      kms_master_key_id = local.kms_key_arn
     }
     bucket_key_enabled = false
   }
@@ -88,7 +94,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "flyte_data_encryp
   bucket = aws_s3_bucket.flyte_data.bucket
   rule {
     apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
+      sse_algorithm     = local.s3_server_side_encryption
+      kms_master_key_id = local.kms_key_arn
     }
     bucket_key_enabled = false
   }
@@ -98,4 +105,4 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "flyte_data_encryp
       rule,
     ]
   }
-}
\ No newline at end of file
+}
diff --git a/modules/flyte/variables.tf b/modules/flyte/variables.tf
index 60f6a65e..9536a831 100644
--- a/modules/flyte/variables.tf
+++ b/modules/flyte/variables.tf
@@ -57,4 +57,27 @@ variable "serviceaccount_names" {
   })
 
   default = {}
-}
\ No newline at end of file
+}
+
+variable "kms_info" {
+  description = <<EOF
+    key_id  = KMS key id.
+    key_arn = KMS key arn.
+    enabled = KMS key is enabled
+  EOF
+  type = object({
+    key_id  = string
+    key_arn = string
+    enabled = bool
+  })
+}
+
+variable "region" {
+  type        = string
+  description = "AWS region for the deployment"
+  nullable    = false
+  validation {
+    condition     = can(regex("(us(-gov)?|ap|ca|cn|eu|sa|me|af|il)-(central|(north|south)?(east|west)?)-[0-9]", var.region))
+    error_message = "The provided region must follow the format of AWS region names, e.g., us-west-2, us-gov-west-1."
+  }
+}
diff --git a/modules/flyte/versions.tf b/modules/flyte/versions.tf
index 3e225a8d..6fe2b841 100644
--- a/modules/flyte/versions.tf
+++ b/modules/flyte/versions.tf
@@ -10,4 +10,4 @@ terraform {
       version = "~> 5.0"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/modules/irsa/outputs.tf b/modules/irsa/outputs.tf
index 4bfc4f1e..db7d33d1 100644
--- a/modules/irsa/outputs.tf
+++ b/modules/irsa/outputs.tf
@@ -12,4 +12,3 @@ output "external_dns" {
     external_dns_use_eks_idp = var.use_cluster_odc_idp
   } : null
 }
-