
Commit 28e0acc

committed
chore: merge conflict antics
1 parent 02353e1 commit 28e0acc


2 files changed

+39
-0
lines changed


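--- a/main.tf
+++ b/main.tf
@@ -42,6 +42,10 @@ locals {
 }
 s3_csi_arns = compact(concat([module.s3_csi.s3_bucket_arn], var.s3_csi_driver_bucket_arns))
 # See https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/
+kms_policy_arns = compact(concat(
+var.kms_key_arns,
+var.stack_enable_cluster_kms && var.stack_create ? [module.eks.kms_key_arn] : []
+))
 cloudinit_pre_nodeadm = [
 {
 content_type = "application/node.eks.aws"
@@ -213,6 +217,35 @@ module "eks" {
 "karpenter.sh/discovery" = var.stack_name
 })
 }
+resource "aws_iam_policy" "cluster_encryption" {
+count = length(var.kms_key_arns) > 0 ? 1 : 0
+name = "${var.stack_name}-encryption-policy"
+description = "IAM policy for EKS cluster KMS encryption"
+policy = data.aws_iam_policy_document.cluster_encryption[0].json
+}
+
+data "aws_iam_policy_document" "cluster_encryption" {
+count = length(var.kms_key_arns) > 0 ? 1 : 0
+statement {
+effect = "Allow"
+actions = [
+"kms:Encrypt",
+"kms:Decrypt",
+"kms:ListGrants",
+"kms:GenerateDataKey*",
+"kms:DescribeKey",
+"kms:GenerateDataKeyWithoutPlaintext"
+]
+resources = local.kms_policy_arns
+}
+}
+
+resource "aws_iam_role_policy_attachment" "cluster_encryption" {
+count = length(var.kms_key_arns) > 0 ? 1 : 0
+policy_arn = aws_iam_policy.cluster_encryption[0].arn
+role = module.eks.cluster_iam_role_name
+}
+
 data "aws_iam_policy_document" "source" { # allow usage with irsa
 statement {
 actions = ["sts:AssumeRoleWithWebIdentity"]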
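Review bot: The `count` guard on new lines 221, 228 and 244 is `length(var.kms_key_arns) > 0`, but `local.kms_policy_arns` (first hunk) also folds in `module.eks.kms_key_arn` when `var.stack_enable_cluster_kms && var.stack_create`, so with no extra ARNs the cluster key is never granted through this policy, while a list holding only empty strings passes the guard yet `compact` leaves `resources = []`. If the cluster key is meant to be covered here, the guard should mirror the local's inputs using plan-time-known variables, e.g. `count = length(var.kms_key_arns) > 0 || (var.stack_enable_cluster_kms && var.stack_create) ? 1 : 0` (a count on the module output may be unknown at plan); if the EKS module already attaches its own key policy, a comment on line 221 saying so would save the next reader the same question. The action list also spells out `kms:GenerateDataKeyWithoutPlaintext` although `kms:GenerateDataKey*` already matches it, so either drop the explicit entry or narrow the wildcard to the exact actions the role needs. In the first hunk the `# See https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/` comment now sits above `kms_policy_arns` instead of the `cloudinit_pre_nodeadm` block it describes; inserting the new local above that comment keeps it attached to the right block.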

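--- a/variables.tf
+++ b/variables.tf
@@ -198,3 +198,9 @@ variable "cluster_endpoint_public_access" {
 default = true
 description = "Whether the EKS cluster API server endpoint is publicly accessible. Set to false for private-only access (requires VPC connectivity)."
 }
+
+variable "kms_key_arns" {
+type = list(string)
+default = []
+description = "Additional KMS key ARNs to grant encrypt/decrypt access to the EKS cluster IAM role. When non-empty, creates an IAM policy with KMS permissions and attaches it to the cluster role."
+}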
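Review bot: `kms_key_arns` drives both the IAM `count` guards and the `resources` list of the encryption policy in main.tf, yet nothing checks that each entry is actually a KMS key ARN, so a typo surfaces only when IAM rejects the policy at apply and an empty string is silently dropped by `compact` while still counting toward the guard. If the Terraform version in use supports variable validation, a `validation` block on the new variable rejects malformed entries at plan time; the constructed pattern below is a starting point and the allowed partitions should match the deployment. Since every listed key receives `kms:Decrypt`, the description could also state that only keys the cluster role must use belong in this list.
```hcl
variable "kms_key_arns" {
  # … unchanged: type, default, description …
  validation {
    condition     = alltrue([for a in var.kms_key_arns : can(regex("^arn:aws[a-z-]*:kms:", a))])
    error_message = "Every entry of kms_key_arns must be a KMS key ARN (arn:aws...:kms:...)."
  }
}
```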
