diff --git a/examples/iam-role-for-service-accounts-eks/main.tf b/examples/iam-role-for-service-accounts-eks/main.tf index 17562e82..cbd0885a 100644 --- a/examples/iam-role-for-service-accounts-eks/main.tf +++ b/examples/iam-role-for-service-accounts-eks/main.tf @@ -337,9 +337,10 @@ module "node_termination_handler_irsa_role" { module "velero_irsa_role" { source = "../../modules/iam-role-for-service-accounts-eks" - role_name = "velero" - attach_velero_policy = true - velero_s3_bucket_arns = ["arn:aws:s3:::velero-backups"] + role_name = "velero" + attach_velero_policy = true + velero_s3_bucket_arns = ["arn:aws:s3:::velero-backups"] + velero_s3_kms_key_arns = ["arn:aws:kms:eu-west-1:123456789012:key/abcd1234-12ab-34cd-56ef-1234567890ab"] oidc_providers = { ex = { diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md index 30f04340..6079819d 100644 --- a/modules/iam-role-for-service-accounts-eks/README.md +++ b/modules/iam-role-for-service-accounts-eks/README.md @@ -253,6 +253,7 @@ No modules. | [role\_policy\_arns](#input\_role\_policy\_arns) | ARNs of any policies to attach to the IAM role | `map(string)` | `{}` | no | | [tags](#input\_tags) | A map of tags to add the the IAM role | `map(any)` | `{}` | no | | [velero\_s3\_bucket\_arns](#input\_velero\_s3\_bucket\_arns) | List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources | `list(string)` |
[
"*"
]
| no | +| [velero\_s3\_kms\_key\_arns](#input\_velero\_s3\_kms\_key\_arns) | List of KMS Key ARNs that Velero needs access to in order to encrypt backups | `list(string)` | `[]` | no | | [vpc\_cni\_enable\_cloudwatch\_logs](#input\_vpc\_cni\_enable\_cloudwatch\_logs) | Determines whether to enable VPC CNI permission to create CloudWatch Log groups and publish network policy events | `bool` | `false` | no | | [vpc\_cni\_enable\_ipv4](#input\_vpc\_cni\_enable\_ipv4) | Determines whether to enable IPv4 permissions for VPC CNI policy | `bool` | `false` | no | | [vpc\_cni\_enable\_ipv6](#input\_vpc\_cni\_enable\_ipv6) | Determines whether to enable IPv6 permissions for VPC CNI policy | `bool` | `false` | no | diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf index 22fa140e..e4bfac2c 100644 --- a/modules/iam-role-for-service-accounts-eks/policies.tf +++ b/modules/iam-role-for-service-accounts-eks/policies.tf @@ -1565,6 +1565,21 @@ data "aws_iam_policy_document" "velero" { ] resources = var.velero_s3_bucket_arns } + + dynamic "statement" { + for_each = var.velero_s3_kms_key_arns + + content { + actions = [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey" + ] + resources = [statement.value] + } + } } resource "aws_iam_policy" "velero" { diff --git a/modules/iam-role-for-service-accounts-eks/variables.tf b/modules/iam-role-for-service-accounts-eks/variables.tf index 148ce89c..7dc19a38 100644 --- a/modules/iam-role-for-service-accounts-eks/variables.tf +++ b/modules/iam-role-for-service-accounts-eks/variables.tf 
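Review bot: The KMS statement added in the `dynamic "statement"` block grants the generic key-user action set (`kms:Encrypt`, `kms:ReEncrypt*`, `kms:GenerateDataKey*`), which is wider than the S3 SSE-KMS path the variable name implies: S3 calls `kms:GenerateDataKey` when writing an object and `kms:Decrypt` when reading it on the caller's behalf, so `kms:Encrypt` and `kms:ReEncrypt*` look unnecessary unless Velero also calls KMS directly, which nothing in the hunk shows. Either trim the list to `"kms:GenerateDataKey", "kms:Decrypt", "kms:DescribeKey"` or keep the broader set with a comment such as `# Full key-user set; S3 SSE-KMS itself only needs GenerateDataKey/Decrypt` so the extra grant is a documented choice rather than a default. Separately, `for_each = var.velero_s3_kms_key_arns` emits one statement per key, which pushes the managed policy toward the 6,144-character size limit for long key lists; a single statement using `for_each = length(var.velero_s3_kms_key_arns) > 0 ? [1] : []` and `resources = var.velero_s3_kms_key_arns` is equivalent and matches the one-statement shape of the S3 statement above it. The enclosing `data "aws_iam_policy_document" "velero"` begins before the hunk.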
@@ -357,6 +357,12 @@ variable "velero_s3_bucket_arns" { default = ["*"] } +variable "velero_s3_kms_key_arns" { + description = "List of KMS Key ARNs that Velero needs access to in order to encrypt backups" + type = list(string) + default = [] +} + # VPC CNI variable "attach_vpc_cni_policy" { description = "Determines whether to attach the VPC CNI IAM policy to the role" diff --git a/wrappers/iam-role-for-service-accounts-eks/main.tf b/wrappers/iam-role-for-service-accounts-eks/main.tf index 0ca1f8c9..759601e1 100644 --- a/wrappers/iam-role-for-service-accounts-eks/main.tf +++ b/wrappers/iam-role-for-service-accounts-eks/main.tf @@ -63,6 +63,7 @@ module "wrapper" { role_policy_arns = try(each.value.role_policy_arns, var.defaults.role_policy_arns, {}) tags = try(each.value.tags, var.defaults.tags, {}) velero_s3_bucket_arns = try(each.value.velero_s3_bucket_arns, var.defaults.velero_s3_bucket_arns, ["*"]) + velero_s3_kms_key_arns = try(each.value.velero_s3_kms_key_arns, var.defaults.velero_s3_kms_key_arns, []) vpc_cni_enable_cloudwatch_logs = try(each.value.vpc_cni_enable_cloudwatch_logs, var.defaults.vpc_cni_enable_cloudwatch_logs, false) vpc_cni_enable_ipv4 = try(each.value.vpc_cni_enable_ipv4, var.defaults.vpc_cni_enable_ipv4, false) vpc_cni_enable_ipv6 = try(each.value.vpc_cni_enable_ipv6, var.defaults.vpc_cni_enable_ipv6, false)
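Review bot: The description of the new `velero_s3_kms_key_arns` variable says the keys are needed "in order to encrypt backups", but the statement it drives in policies.tf also grants `kms:Decrypt`, which is what a restore from an SSE-KMS bucket requires; the description should say so, e.g. `description = "List of KMS Key ARNs that Velero needs access to in order to encrypt backups and decrypt them on restore"` (the README row carries the same text). The `[]` default correctly grants nothing when no keys are given, but nothing stops a caller passing `"*"` the way `velero_s3_bucket_arns` defaults to it above, which would let the role use every KMS key the account can reach; a `validation` block with `condition = alltrue([for a in var.velero_s3_kms_key_arns : can(regex("^arn:aws[a-z-]*:kms:", a))])` would reject that at plan time. This is offered as a suggestion, since the sibling bucket variable in this module keeps its wildcard default.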