2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -411,7 +411,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
| <a name="input_enable_irsa"></a> [enable\_irsa](#input\_enable\_irsa) | Determines whether to create an OpenID Connect Provider for EKS to enable IRSA | `bool` | `true` | no |
| <a name="input_enable_kms_key_rotation"></a> [enable\_kms\_key\_rotation](#input\_enable\_kms\_key\_rotation) | Specifies whether key rotation is enabled | `bool` | `true` | no |
| <a name="input_enabled_log_types"></a> [enabled\_log\_types](#input\_enabled\_log\_types) | A list of the desired control plane logs to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` | <pre>[<br/> "audit",<br/> "api",<br/> "authenticator"<br/>]</pre> | no |
| <a name="input_encryption_config"></a> [encryption\_config](#input\_encryption\_config) | Configuration block with encryption configuration for the cluster | <pre>object({<br/> provider_key_arn = optional(string)<br/> resources = optional(list(string))<br/> })</pre> | <pre>{<br/> "resources": [<br/> "secrets"<br/> ]<br/>}</pre> | no |
| <a name="input_encryption_config"></a> [encryption\_config](#input\_encryption\_config) | Configuration block with encryption configuration for the cluster | <pre>object({<br/> provider_key_arn = optional(string)<br/> resources = optional(list(string), ["secrets"])<br/> })</pre> | `{}` | no |
| <a name="input_encryption_policy_description"></a> [encryption\_policy\_description](#input\_encryption\_policy\_description) | Description of the cluster encryption policy created | `string` | `"Cluster encryption policy to allow cluster role to utilize CMK provided"` | no |
| <a name="input_encryption_policy_name"></a> [encryption\_policy\_name](#input\_encryption\_policy\_name) | Name to use on cluster encryption policy created | `string` | `null` | no |
| <a name="input_encryption_policy_path"></a> [encryption\_policy\_path](#input\_encryption\_policy\_path) | Cluster encryption policy path | `string` | `null` | no |
8 changes: 4 additions & 4 deletions main.tf
Expand Up @@ -24,7 +24,7 @@ locals {
role_arn = try(aws_iam_role.this[0].arn, var.iam_role_arn)

create_outposts_local_cluster = var.outpost_config != null
enable_encryption_config = length(var.encryption_config) > 0 && !local.create_outposts_local_cluster
enable_encryption_config = var.encryption_config != null && !local.create_outposts_local_cluster

auto_mode_enabled = try(var.compute_config.enabled, false)
}
Expand Down Expand Up @@ -590,7 +590,7 @@ resource "aws_iam_policy" "cluster_encryption" {
}

data "aws_iam_policy_document" "custom" {
count = local.create_iam_role && var.enable_auto_mode_custom_tags ? 1 : 0
count = local.create_iam_role && local.auto_mode_enabled && var.enable_auto_mode_custom_tags ? 1 : 0

dynamic "statement" {
for_each = var.enable_auto_mode_custom_tags ? [1] : []
Expand Down Expand Up @@ -724,7 +724,7 @@ data "aws_iam_policy_document" "custom" {
}

resource "aws_iam_policy" "custom" {
count = local.create_iam_role && var.enable_auto_mode_custom_tags ? 1 : 0
count = local.create_iam_role && local.auto_mode_enabled && var.enable_auto_mode_custom_tags ? 1 : 0

name = var.iam_role_use_name_prefix ? null : local.iam_role_name
name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null
Expand All @@ -737,7 +737,7 @@ resource "aws_iam_policy" "custom" {
}

resource "aws_iam_role_policy_attachment" "custom" {
count = local.create_iam_role && var.enable_auto_mode_custom_tags ? 1 : 0
count = local.create_iam_role && local.auto_mode_enabled && var.enable_auto_mode_custom_tags ? 1 : 0

policy_arn = aws_iam_policy.custom[0].arn
role = aws_iam_role.this[0].name
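Review bot: The new guard on the `enable_encryption_config` line (`var.encryption_config != null`) turns the block on whenever the object exists but says nothing about its `resources` list, so a caller passing `encryption_config = { resources = [] }` now gets an enabled encryption block with nothing to encrypt, where the old `length(...) > 0` shape at least hinted that the content mattered. Consider tightening it to `enable_encryption_config = var.encryption_config != null && length(try(var.encryption_config.resources, [])) > 0 && !local.create_outposts_local_cluster`, so an empty list reads as an opt-out instead of being sent to the API (how the provider reacts to an empty list is my inference; confirm before relying on it). A why-comment above the line would also help operators, e.g. `# Envelope encryption of Kubernetes secrets is on by default (encryption_config = {}); set encryption_config = null to opt out. Dropped for Outposts local clusters.`, since the `!local.create_outposts_local_cluster` clause silently disables encryption there with no visible trace. The `locals` block starts outside the hunk.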
6 changes: 2 additions & 4 deletions variables.tf
Expand Up @@ -165,11 +165,9 @@ variable "encryption_config" {
description = "Configuration block with encryption configuration for the cluster"
type = object({
provider_key_arn = optional(string)
resources = optional(list(string))
resources = optional(list(string), ["secrets"])
})
default = {
resources = ["secrets"]
}
default = {}
}

variable "attach_encryption_policy" {
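Review bot: The description at the top of the hunk still reads "Configuration block with encryption configuration for the cluster", but the change moves the opt-out to `null` (the default `{}` now means "encrypt Kubernetes secrets") and nothing in the variable tells a reader that. Suggest `description = "Configuration block with encryption configuration for the cluster. Defaults to encrypting Kubernetes secrets; set to null to disable envelope encryption. Not applied to Outposts local clusters"` — the Outposts clause mirrors the `enable_encryption_config` local in main.tf, so keep the two in sync if either changes. Separately, `resources` carries no `validation` block; if EKS only accepts `secrets` as a resource (my recollection of the API, not something the hunk shows), rejecting other values and the empty list at plan time would be cheaper than a failed apply, so verify and add one if it holds.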