From e3f06031becff79fda09ce86d433df9ac7a4039c Mon Sep 17 00:00:00 2001
From: Joaquin Lopez
Date: Fri, 31 Jan 2025 15:40:21 -0800
Subject: [PATCH 1/6] Add a couple permissions
---
 modules/iam-bootstrap/bootstrap-2.json | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/modules/iam-bootstrap/bootstrap-2.json b/modules/iam-bootstrap/bootstrap-2.json
index 7bcd9e9e..28bd874f 100644
--- a/modules/iam-bootstrap/bootstrap-2.json
+++ b/modules/iam-bootstrap/bootstrap-2.json
@@ -20,7 +20,6 @@
 "Effect": "Allow",
 "Action": [
 "lambda:CreateFunction",
- "lambda:TagResource",
 "lambda:GetFunction",
 "lambda:ListVersionsByFunction",
 "lambda:DeleteFunction",
@@ -42,7 +41,9 @@
 "lambda:UpdateCodeSigningConfig",
 "lambda:GetCodeSigningConfig",
 "lambda:GetFunctionCodeSigningConfig",
- "lambda:DeleteCodeSigningConfig"
+ "lambda:DeleteCodeSigningConfig",
+ "lambda:TagResource",
+ "lambda:ListTags"
 ],
 "Resource": "*"
 },
@@ -60,7 +61,9 @@
 "Action": [
 "cur:PutReportDefinition",
 "cur:DescribeReportDefinitions",
- "cur:DeleteReportDefinition"
+ "cur:DeleteReportDefinition",
+ "cur:TagResource",
+ "cur:ListTagsForResource"
 ],
 "Resource": [
 "*"
From 7cfcefcd33320801f42f0af69c565e39f15db1d3 Mon Sep 17 00:00:00 2001
From: Joaquin Lopez
Date: Fri, 31 Jan 2025 15:51:08 -0800
Subject: [PATCH 2/6] Port ashok's changes
---
 modules/infra/submodules/cost-usage-report/glue.tf | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/modules/infra/submodules/cost-usage-report/glue.tf b/modules/infra/submodules/cost-usage-report/glue.tf
index 06f3d973..e2d4397c 100644
--- a/modules/infra/submodules/cost-usage-report/glue.tf
+++ b/modules/infra/submodules/cost-usage-report/glue.tf
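Review bot: `lambda:TagResource` (re-added in the second hunk) and `cur:TagResource` (third hunk) are granted against `"Resource": "*"`, so the bootstrap principal can write tags on any Lambda function or CUR report definition in the account rather than only the ones this module manages; where other policies in the account use `aws:ResourceTag` conditions, unrestricted tag writes become an escalation path, which is why tag mutation normally gets tighter scoping than the read-only `lambda:ListTags`/`cur:ListTagsForResource` sitting beside it. Either constrain the resource to an ARN pattern covering this deployment's functions and report definitions, or add a `Condition` on `aws:RequestTag`/`aws:TagKeys` limiting which keys may be written. PATCH 6/6 adds `lambda:UntagResource` and `cur:UntagResource` to the same two statements and needs the same treatment. Minor: the Lambda statement writes `"Resource": "*"` while the CUR statement writes `"Resource": ["*"]`; both are valid IAM, but one shape across the file is easier to lint.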
@@ -15,17 +15,17 @@ resource "aws_glue_security_configuration" "lambda_config" {
 encryption_configuration {
 cloudwatch_encryption {
- cloudwatch_encryption_mode = "SSE-KMS"
+ cloudwatch_encryption_mode = var.kms_info.enabled ? "SSE-KMS" : "DISABLED"
 kms_key_arn = local.kms_key_arn
 }
 job_bookmarks_encryption {
- job_bookmarks_encryption_mode = "CSE-KMS"
+ job_bookmarks_encryption_mode = var.kms_info.enabled ? "CSE-KMS" : "DISABLED"
 kms_key_arn = local.kms_key_arn
 }
 s3_encryption {
- s3_encryption_mode = "SSE-KMS"
+ s3_encryption_mode = var.kms_info.enabled ? "SSE-KMS" : "SSE-S3"
 kms_key_arn = local.kms_key_arn
 }
 }
@@ -117,7 +117,7 @@ resource "aws_athena_workgroup" "athena_work_group" {
 output_location = "s3://${aws_s3_bucket.athena_result.bucket}/"
 encryption_configuration {
- encryption_option = "SSE_KMS"
+ encryption_option = var.kms_info.enabled ? "SSE_KMS" : "SSE_S3"
 kms_key_arn = local.kms_key_arn
 }
 }
@@ -137,4 +137,4 @@ resource "aws_vpc_endpoint" "aws_glue_vpc_endpoint" {
 tags = {
 "Name" = "${var.deploy_id}-glue"
 }
-}
\ No newline at end of file
+}
From 4460b9c5164990b33cca7a33ca8235c871316801 Mon Sep 17 00:00:00 2001
From: Joaquin Lopez
Date: Fri, 31 Jan 2025 16:48:49 -0800
Subject: [PATCH 3/6] Use KMS where there's no SSE fallback
---
 modules/infra/submodules/cost-usage-report/glue.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/infra/submodules/cost-usage-report/glue.tf b/modules/infra/submodules/cost-usage-report/glue.tf
index e2d4397c..01d17fe9 100644
--- a/modules/infra/submodules/cost-usage-report/glue.tf
+++ b/modules/infra/submodules/cost-usage-report/glue.tf
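Review bot: In the `aws_glue_security_configuration` hunk, `kms_key_arn = local.kms_key_arn` stays unconditional on the line after each new ternary, so when `var.kms_info.enabled` is false a key ARN is still passed alongside `"DISABLED"`/`"SSE-S3"` modes that do not use one; unless `local.kms_key_arn` (defined outside this hunk) already resolves to null in that case, this is either a provider error or a misleading plan. Making the coupling explicit on all three sub-blocks, `kms_key_arn = var.kms_info.enabled ? local.kms_key_arn : null`, removes the dependence on how the local is built; the `aws_athena_workgroup` hunk below has the same pattern next to `"SSE_S3"` and should change in step. Separately, the `"DISABLED"` fallbacks mean that with KMS off the Glue CloudWatch logs and job bookmarks are not encrypted at all (there is no SSE-S3 equivalent for those two, per PATCH 3/6's subject), and PATCH 4/6 reinstates exactly these lines; that accepted risk belongs in the `kms_info` variable description so operators see it when they disable KMS. Both resource blocks start outside their hunks.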
@@ -15,13 +15,13 @@ resource "aws_glue_security_configuration" "lambda_config" {
 encryption_configuration {
 cloudwatch_encryption {
- cloudwatch_encryption_mode = var.kms_info.enabled ? "SSE-KMS" : "DISABLED"
- kms_key_arn = local.kms_key_arn
+ cloudwatch_encryption_mode = "SSE-KMS"
+ kms_key_arn = var.kms_info.key_arn
 }
 job_bookmarks_encryption {
- job_bookmarks_encryption_mode = var.kms_info.enabled ? "CSE-KMS" : "DISABLED"
- kms_key_arn = local.kms_key_arn
+ job_bookmarks_encryption_mode = "CSE-KMS"
+ kms_key_arn = var.kms_info.key_arn
 }
 s3_encryption {
From f0d00a951187e6a3f91a33d9b47f89f7b544f8e3 Mon Sep 17 00:00:00 2001
From: Joaquin Lopez
Date: Thu, 6 Feb 2025 10:29:09 -0800
Subject: [PATCH 4/6] Revert "Use KMS where there's no SSE fallback"
This reverts commit 4460b9c5164990b33cca7a33ca8235c871316801. If you want this encrypted, you can just turn on kms. This keeps parity with Ashok's customer, and makes the options more literally honest.
---
 modules/infra/submodules/cost-usage-report/glue.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/infra/submodules/cost-usage-report/glue.tf b/modules/infra/submodules/cost-usage-report/glue.tf
index 01d17fe9..e2d4397c 100644
--- a/modules/infra/submodules/cost-usage-report/glue.tf
+++ b/modules/infra/submodules/cost-usage-report/glue.tf
@@ -15,13 +15,13 @@ resource "aws_glue_security_configuration" "lambda_config" {
 encryption_configuration {
 cloudwatch_encryption {
- cloudwatch_encryption_mode = "SSE-KMS"
- kms_key_arn = var.kms_info.key_arn
+ cloudwatch_encryption_mode = var.kms_info.enabled ? "SSE-KMS" : "DISABLED"
+ kms_key_arn = local.kms_key_arn
 }
 job_bookmarks_encryption {
- job_bookmarks_encryption_mode = "CSE-KMS"
- kms_key_arn = var.kms_info.key_arn
+ job_bookmarks_encryption_mode = var.kms_info.enabled ? "CSE-KMS" : "DISABLED"
+ kms_key_arn = local.kms_key_arn
 }
 s3_encryption {
From 14c4441f339ff6613f1b7813448ebb240af3de4b Mon Sep 17 00:00:00 2001
From: Joaquin Lopez
Date: Thu, 6 Feb 2025 10:36:59 -0800
Subject: [PATCH 5/6] Checkov exception in glue
---
 modules/infra/submodules/cost-usage-report/glue.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/infra/submodules/cost-usage-report/glue.tf b/modules/infra/submodules/cost-usage-report/glue.tf
index e2d4397c..8d31f27a 100644
--- a/modules/infra/submodules/cost-usage-report/glue.tf
+++ b/modules/infra/submodules/cost-usage-report/glue.tf
@@ -11,6 +11,7 @@ resource "aws_glue_catalog_database" "aws_cur_database" {
 resource "aws_glue_security_configuration" "lambda_config" {
+ # checkov:skip=CKV_AWS_99:Ensure Glue Security Configuration Encryption is enabled
 name = "${var.deploy_id}_lambda_security_config"
 encryption_configuration {
From 7372717cbd53c9f4a73224aea0b79d02090489b9 Mon Sep 17 00:00:00 2001
From: Joaquin Lopez
Date: Fri, 7 Feb 2025 12:15:52 -0800
Subject: [PATCH 6/6] Also add the untag options
---
 modules/iam-bootstrap/bootstrap-2.json | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/modules/iam-bootstrap/bootstrap-2.json b/modules/iam-bootstrap/bootstrap-2.json
index 28bd874f..2a5b480a 100644
--- a/modules/iam-bootstrap/bootstrap-2.json
+++ b/modules/iam-bootstrap/bootstrap-2.json
@@ -43,6 +43,7 @@
 "lambda:GetFunctionCodeSigningConfig",
 "lambda:DeleteCodeSigningConfig",
 "lambda:TagResource",
+ "lambda:UntagResource",
 "lambda:ListTags"
 ],
 "Resource": "*"
@@ -63,6 +64,7 @@
 "cur:DescribeReportDefinitions",
 "cur:DeleteReportDefinition",
 "cur:TagResource",
+ "cur:UntagResource",
 "cur:ListTagsForResource"
 ],
 "Resource": [
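Review bot: The `checkov:skip` reason added inside `aws_glue_security_configuration` repeats the check's own title ("Ensure Glue Security Configuration Encryption is enabled") instead of stating why the finding is accepted, so the suppression carries no record of the risk decision for whoever audits it later. Put the justification in the reason field, e.g. `# checkov:skip=CKV_AWS_99:Encryption follows var.kms_info.enabled; CloudWatch and job-bookmark encryption have no SSE-S3 fallback and are DISABLED when KMS is off`. The resource block continues past the end of the hunk.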