feat: add KMS encryption policy for cluster IAM role

kav · claude · kav · commit 3006f41c869c · 2026-02-26T12:25:31.000-08:00
When kms_key_arns is non-empty, creates an IAM policy granting
KMS encrypt/decrypt and attaches it to the EKS cluster role.
Automatically includes the cluster's own KMS key when enabled.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/main.tf b/main.tf
@@ -42,6 +42,10 @@ locals {
   }
   s3_csi_arns = compact(concat([module.s3_csi.s3_bucket_arn], var.s3_csi_driver_bucket_arns))
   # See https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/
+  kms_policy_arns = compact(concat(
+    var.kms_key_arns,
+    var.stack_enable_cluster_kms && var.stack_create ? [module.eks.kms_key_arn] : []
+  ))
   cloudinit_pre_nodeadm = [
     {
       content_type = "application/node.eks.aws"
@@ -213,6 +217,35 @@ module "eks" {
     "karpenter.sh/discovery" = var.stack_name
   })
 }
+resource "aws_iam_policy" "cluster_encryption" {
+  count       = length(var.kms_key_arns) > 0 ? 1 : 0
+  name        = "${var.stack_name}-encryption-policy"
+  description = "IAM policy for EKS cluster KMS encryption"
+  policy      = data.aws_iam_policy_document.cluster_encryption[0].json
+}
+
+data "aws_iam_policy_document" "cluster_encryption" {
+  count = length(var.kms_key_arns) > 0 ? 1 : 0
+  statement {
+    effect = "Allow"
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ListGrants",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey",
+      "kms:GenerateDataKeyWithoutPlaintext"
+    ]
+    resources = local.kms_policy_arns
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "cluster_encryption" {
+  count      = length(var.kms_key_arns) > 0 ? 1 : 0
+  policy_arn = aws_iam_policy.cluster_encryption[0].arn
+  role       = module.eks.cluster_iam_role_name
+}
+
 data "aws_iam_policy_document" "source" { # allow usage with irsa
   statement {
     actions = ["sts:AssumeRoleWithWebIdentity"]
diff --git a/variables.tf b/variables.tf
@@ -193,3 +193,8 @@ variable "vpc_endpoints" {
   description = "vpc endpoints within the cluster vpc network, note: this only works when using the internal created VPC"
   default     = []
 }
+variable "kms_key_arns" {
+  type        = list(string)
+  default     = []
+  description = "Additional KMS key ARNs to grant encrypt/decrypt access to the EKS cluster IAM role. When non-empty, creates an IAM policy with KMS permissions and attaches it to the cluster role."
+}

Original file line number	Diff line number	Diff line change
`@@ -193,3 +193,8 @@ variable "vpc_endpoints" {`
`193`	`193`	`description = "vpc endpoints within the cluster vpc network, note: this only works when using the internal created VPC"`
`194`	`194`	`default = []`
`195`	`195`	`}`
	`196`	`+variable "kms_key_arns" {`
	`197`	`+ type = list(string)`
	`198`	`+ default = []`
	`199`	`+ description = "Additional KMS key ARNs to grant encrypt/decrypt access to the EKS cluster IAM role. When non-empty, creates an IAM policy with KMS permissions and attaches it to the cluster role."`
	`200`	`+}`