Skip to content

feat: Add KMS policy to Velero IAM policy for CMK KMS keys #578

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

feat: Add KMS policy to Velero IAM policy for CMK KMS keys #578

wants to merge 4 commits into from
+27 −3

Conversation

zepellin
Copy link

Description

Adds and option to specify ARNs of KMS keys, for which additional policy blocks will be created containing actions to operate with these keys.

Motivation and Context

Using this module, if the var.velero_s3_kms_key_arns is set to an S3 bucket with default encryption set to customer managed KMS key (CMK), the backup will fail since the policy doesn't include statement with policies allowing operating this KMS keys (such as kms:Encrypt, kms:Decrypt etc.).

This is similar to the cases of EBS (var.ebs_csi_kms_cmk_ids) and S3 mountpoint (var.mountpoint_s3_csi_kms_arns) controllers IAM policies created by this module that contain similar blocks for the same reason.

Breaking Changes

No breaking changes, the newly introduced var.velero_s3_kms_key_arns variable has default of [] which doesn't change the behaviour of the current configuration.

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request

@zepellin
Copy link
Author

Hi @bryantbiggs, any chance you could have a look at this one?

bryantbiggs
bryantbiggs reviewed Aug 8, 2025
View reviewed changes
modules/iam-role-for-service-accounts-eks/policies.tf Outdated
@@ -1565,6 +1565,22 @@ data "aws_iam_policy_document" "velero" {
]
resources = var.velero_s3_bucket_arns
}

dynamic "statement" {
for_each = length(var.velero_s3_kms_key_arns) > 0 ? [1] : []
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this will work if you pass in computed values since those are unknown

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, I've updated to code that this should be computed values safe.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no, toset() will not work either

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks again, removed the toset, the idea was there to "ignore" duplicates in the case there were any in the arns.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for this scenario, we can accept a list(string) of KMS key ARNs, but we should have a 2nd variable like velero_enable_kms that is a bool type to toggle on/off since we can't rely on length() or toset() due to computed values not being known

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bryantbiggs bryantbiggs bryantbiggs left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@zepellin @bryantbiggs