fix: Add kms:decrypt policy for External Secret (#349)

Co-authored-by: Bryant Biggs <[email protected]>

Author: zhuoyang

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.77.0
+    rev: v1.77.1
     hooks:
       - id: terraform_fmt
       - id: terraform_validate

examples/iam-role-for-service-accounts-eks/main.tf

@@ -137,6 +137,7 @@ module "external_secrets_irsa_role" {
   attach_external_secrets_policy        = true
   external_secrets_ssm_parameter_arns   = ["arn:aws:ssm:*:*:parameter/foo"]
   external_secrets_secrets_manager_arns = ["arn:aws:secretsmanager:*:*:secret:bar"]
+  external_secrets_kms_key_arns         = ["arn:aws:kms:*:*:key/1234abcd-12ab-34cd-56ef-1234567890ab"]
 
   oidc_providers = {
     ex = {

modules/iam-role-for-service-accounts-eks/README.md

@@ -204,6 +204,7 @@ No modules.
 | <a name="input_create_role"></a> [create\_role](#input\_create\_role) | Whether to create a role | `bool` | `true` | no |
 | <a name="input_ebs_csi_kms_cmk_ids"></a> [ebs\_csi\_kms\_cmk\_ids](#input\_ebs\_csi\_kms\_cmk\_ids) | KMS CMK IDs to allow EBS CSI to manage encrypted volumes | `list(string)` | `[]` | no |
 | <a name="input_external_dns_hosted_zone_arns"></a> [external\_dns\_hosted\_zone\_arns](#input\_external\_dns\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow External DNS to manage records | `list(string)` | <pre>[<br>  "arn:aws:route53:::hostedzone/*"<br>]</pre> | no |
+| <a name="input_external_secrets_kms_key_arns"></a> [external\_secrets\_kms\_key\_arns](#input\_external\_secrets\_kms\_key\_arns) | List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets | `list(string)` | <pre>[<br>  "arn:aws:kms:*:*:key/*"<br>]</pre> | no |
 | <a name="input_external_secrets_secrets_manager_arns"></a> [external\_secrets\_secrets\_manager\_arns](#input\_external\_secrets\_secrets\_manager\_arns) | List of Secrets Manager ARNs that contain secrets to mount using External Secrets | `list(string)` | <pre>[<br>  "arn:aws:secretsmanager:*:*:secret:*"<br>]</pre> | no |
 | <a name="input_external_secrets_ssm_parameter_arns"></a> [external\_secrets\_ssm\_parameter\_arns](#input\_external\_secrets\_ssm\_parameter\_arns) | List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets | `list(string)` | <pre>[<br>  "arn:aws:ssm:*:*:parameter/*"<br>]</pre> | no |
 | <a name="input_force_detach_policies"></a> [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `true` | no |

modules/iam-role-for-service-accounts-eks/policies.tf

@@ -458,6 +458,13 @@ data "aws_iam_policy_document" "external_secrets" {
     ]
     resources = var.external_secrets_secrets_manager_arns
   }
+
+  statement {
+    actions = [
+      "kms:Decrypt"
+    ]
+    resources = var.external_secrets_kms_key_arns
+  }
 }
 
 resource "aws_iam_policy" "external_secrets" {

modules/iam-role-for-service-accounts-eks/variables.tf

@@ -164,6 +164,12 @@ variable "external_secrets_secrets_manager_arns" {
   default     = ["arn:aws:secretsmanager:*:*:secret:*"]
 }
 
+variable "external_secrets_kms_key_arns" {
+  description = "List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets"
+  type        = list(string)
+  default     = ["arn:aws:kms:*:*:key/*"]
+}
+
 # FSx Lustre CSI
 variable "attach_fsx_lustre_csi_policy" {
   description = "Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role"