From bfa1d43e7c4b99f0cbb87ee6bf0baba9401beaa0 Mon Sep 17 00:00:00 2001
From: Martin Danko
Date: Tue, 22 Jul 2025 12:55:19 +0200
Subject: [PATCH 1/4] feat: Add KMS policy to Velero IAM policy for CMK KMS keys
---
 .../iam-role-for-service-accounts-eks/README.md | 1 +
 .../policies.tf | 16 ++++++++++++++++
 .../variables.tf | 6 ++++++
 .../iam-role-for-service-accounts-eks/main.tf | 1 +
 4 files changed, 24 insertions(+)
diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md
index 30f04340..6079819d 100644
--- a/modules/iam-role-for-service-accounts-eks/README.md
+++ b/modules/iam-role-for-service-accounts-eks/README.md
@@ -253,6 +253,7 @@ No modules.
 | [role\_policy\_arns](#input\_role\_policy\_arns) | ARNs of any policies to attach to the IAM role | `map(string)` | `{}` | no |
 | [tags](#input\_tags) | A map of tags to add the the IAM role | `map(any)` | `{}` | no |
 | [velero\_s3\_bucket\_arns](#input\_velero\_s3\_bucket\_arns) | List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources | `list(string)` |
[
"*"
]
| no |
+| [velero\_s3\_kms\_key\_arns](#input\_velero\_s3\_kms\_key\_arns) | List of KMS Key ARNs that Velero needs access to in order to encrypt backups | `list(string)` | `[]` | no |
 | [vpc\_cni\_enable\_cloudwatch\_logs](#input\_vpc\_cni\_enable\_cloudwatch\_logs) | Determines whether to enable VPC CNI permission to create CloudWatch Log groups and publish network policy events | `bool` | `false` | no |
 | [vpc\_cni\_enable\_ipv4](#input\_vpc\_cni\_enable\_ipv4) | Determines whether to enable IPv4 permissions for VPC CNI policy | `bool` | `false` | no |
 | [vpc\_cni\_enable\_ipv6](#input\_vpc\_cni\_enable\_ipv6) | Determines whether to enable IPv6 permissions for VPC CNI policy | `bool` | `false` | no |
diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf
index 22fa140e..444a4cc3 100644
--- a/modules/iam-role-for-service-accounts-eks/policies.tf
+++ b/modules/iam-role-for-service-accounts-eks/policies.tf
@@ -1565,6 +1565,22 @@ data "aws_iam_policy_document" "velero" {
 ]
 resources = var.velero_s3_bucket_arns
 }
+
+ dynamic "statement" {
+ for_each = length(var.velero_s3_kms_key_arns) > 0 ? [1] : []
+
+ content {
+ sid = "KMSReadWrite"
+ actions = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey"
+ ]
+ resources = var.velero_kms_key_arns
+ }
+ }
 }
 resource "aws_iam_policy" "velero" {
diff --git a/modules/iam-role-for-service-accounts-eks/variables.tf b/modules/iam-role-for-service-accounts-eks/variables.tf
index 148ce89c..7dc19a38 100644
--- a/modules/iam-role-for-service-accounts-eks/variables.tf
+++ b/modules/iam-role-for-service-accounts-eks/variables.tf
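Review bot: The KMS statement added in this hunk grants `kms:Encrypt`, `kms:ReEncrypt*`, `kms:GenerateDataKey*` and `kms:DescribeKey` alongside `kms:Decrypt`, which is broader than S3 server-side encryption with a customer-managed key needs: as far as I recall, S3 calls KMS on the caller's behalf and only requires `kms:GenerateDataKey` for uploads and `kms:Decrypt` for downloads, so `kms:Encrypt` and `kms:ReEncrypt*` let the role use the key directly rather than only through S3. Consider trimming the action list to those two (keeping `kms:DescribeKey` only if the Velero plugin is known to call it) and adding a `condition` on `kms:ViaService` so the key is usable by this role only via the S3 endpoint; the rewritten `content` block is sketched below. The same action list survives unchanged through the later patches in this series, which only touch `for_each`, `sid` and `resources`, so the point applies to the final state as well. The enclosing `data "aws_iam_policy_document" "velero"` block starts before this hunk.
```hcl
    content {
      actions = [
        "kms:GenerateDataKey",
        "kms:Decrypt",
      ]
      # … unchanged: resources = … …
      # S3 performs SSE-KMS on the role's behalf; deny direct use of the key by the role itself
      condition {
        test     = "StringLike"
        variable = "kms:ViaService"
        values   = ["s3.*.amazonaws.com"]
      }
```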
@@ -357,6 +357,12 @@ variable "velero_s3_bucket_arns" {
 default = ["*"]
 }
+variable "velero_s3_kms_key_arns" {
+ description = "List of KMS Key ARNs that Velero needs access to in order to encrypt backups"
+ type = list(string)
+ default = []
+}
+
 # VPC CNI
 variable "attach_vpc_cni_policy" {
 description = "Determines whether to attach the VPC CNI IAM policy to the role"
diff --git a/wrappers/iam-role-for-service-accounts-eks/main.tf b/wrappers/iam-role-for-service-accounts-eks/main.tf
index 0ca1f8c9..759601e1 100644
--- a/wrappers/iam-role-for-service-accounts-eks/main.tf
+++ b/wrappers/iam-role-for-service-accounts-eks/main.tf
@@ -63,6 +63,7 @@ module "wrapper" {
 role_policy_arns = try(each.value.role_policy_arns, var.defaults.role_policy_arns, {})
 tags = try(each.value.tags, var.defaults.tags, {})
 velero_s3_bucket_arns = try(each.value.velero_s3_bucket_arns, var.defaults.velero_s3_bucket_arns, ["*"])
+ velero_s3_kms_key_arns = try(each.value.velero_s3_kms_key_arns, var.defaults.velero_s3_kms_key_arns, [])
 vpc_cni_enable_cloudwatch_logs = try(each.value.vpc_cni_enable_cloudwatch_logs, var.defaults.vpc_cni_enable_cloudwatch_logs, false)
 vpc_cni_enable_ipv4 = try(each.value.vpc_cni_enable_ipv4, var.defaults.vpc_cni_enable_ipv4, false)
 vpc_cni_enable_ipv6 = try(each.value.vpc_cni_enable_ipv6, var.defaults.vpc_cni_enable_ipv6, false)
From 7005dc8b80d66067f96a1a7d691c4eb09f8aa1c4 Mon Sep 17 00:00:00 2001
From: Martin Danko
Date: Tue, 22 Jul 2025 13:05:47 +0200
Subject: [PATCH 2/4] Add example
---
 examples/iam-role-for-service-accounts-eks/main.tf | 7 ++++---
 modules/iam-role-for-service-accounts-eks/policies.tf | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/examples/iam-role-for-service-accounts-eks/main.tf b/examples/iam-role-for-service-accounts-eks/main.tf
index 17562e82..cbd0885a 100644
--- a/examples/iam-role-for-service-accounts-eks/main.tf
+++ b/examples/iam-role-for-service-accounts-eks/main.tf
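Review bot: The description on the new `velero_s3_kms_key_arns` variable says the keys are needed "in order to encrypt backups", but the statement it feeds in policies.tf also grants `kms:Decrypt` and `kms:ReEncrypt*`, which restores rely on, so someone approving this from the description alone would under-estimate what the role can do with the key. Suggest `description = "List of KMS Key ARNs that Velero needs access to in order to encrypt and decrypt backups"` here and in the README row added by the same patch. The `[]` default is the right choice: unlike `velero_s3_bucket_arns`, which defaults to `["*"]`, the `for_each` guard in policies.tf emits no KMS statement unless keys are listed, and a short sentence saying so in the description would make that explicit to module users.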
@@ -337,9 +337,10 @@ module "node_termination_handler_irsa_role" {
 module "velero_irsa_role" {
 source = "../../modules/iam-role-for-service-accounts-eks"
- role_name = "velero"
- attach_velero_policy = true
- velero_s3_bucket_arns = ["arn:aws:s3:::velero-backups"]
+ role_name = "velero"
+ attach_velero_policy = true
+ velero_s3_bucket_arns = ["arn:aws:s3:::velero-backups"]
+ velero_s3_kms_key_arns = ["arn:aws:kms:eu-west-1:123456789012:key/abcd1234-12ab-34cd-56ef-1234567890ab"]
 oidc_providers = {
 ex = {
diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf
index 444a4cc3..f95d9e84 100644
--- a/modules/iam-role-for-service-accounts-eks/policies.tf
+++ b/modules/iam-role-for-service-accounts-eks/policies.tf
@@ -1578,7 +1578,7 @@ data "aws_iam_policy_document" "velero" {
 "kms:GenerateDataKey*",
 "kms:DescribeKey"
 ]
- resources = var.velero_kms_key_arns
+ resources = var.velero_s3_kms_key_arns
 }
 }
 }
From 9990ef744737be9404368fb18a213e1102bb8200 Mon Sep 17 00:00:00 2001
From: Martin Danko
Date: Tue, 12 Aug 2025 11:59:47 +0200
Subject: [PATCH 3/4] Create mutiple statements for each KMS key
---
 modules/iam-role-for-service-accounts-eks/policies.tf | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf
index f95d9e84..e243fb1f 100644
--- a/modules/iam-role-for-service-accounts-eks/policies.tf
+++ b/modules/iam-role-for-service-accounts-eks/policies.tf
@@ -1567,10 +1567,9 @@ data "aws_iam_policy_document" "velero" {
 }
 dynamic "statement" {
- for_each = length(var.velero_s3_kms_key_arns) > 0 ? [1] : []
+ for_each = toset(var.velero_s3_kms_key_arns)
 content {
- sid = "KMSReadWrite"
 actions = [
 "kms:Encrypt",
 "kms:Decrypt",
@@ -1578,7 +1577,7 @@ data "aws_iam_policy_document" "velero" {
 "kms:GenerateDataKey*",
 "kms:DescribeKey"
 ]
- resources = var.velero_s3_kms_key_arns
+ resources = [statement.value]
 }
 }
 }
From 263ac0b8e281d796db9821b12d4c8bbe2ad4cce5 Mon Sep 17 00:00:00 2001
From: Martin Danko <46035688+zepellin@users.noreply.github.com>
Date: Tue, 12 Aug 2025 14:28:33 +0200
Subject: [PATCH 4/4] remove toset
---
 modules/iam-role-for-service-accounts-eks/policies.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf
index e243fb1f..e4bfac2c 100644
--- a/modules/iam-role-for-service-accounts-eks/policies.tf
+++ b/modules/iam-role-for-service-accounts-eks/policies.tf
@@ -1567,7 +1567,7 @@ data "aws_iam_policy_document" "velero" {
 }
 dynamic "statement" {
- for_each = toset(var.velero_s3_kms_key_arns)
+ for_each = var.velero_s3_kms_key_arns
 content {
 actions = [
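Review bot: With `for_each = var.velero_s3_kms_key_arns` iterating a plain list, two identical ARNs in the variable now yield two identical statements, which the `toset()` removed here used to collapse; that is harmless for evaluation, but since patch 3 emits one statement with a full action list per key, duplicates and long key lists both inflate the rendered document toward the managed-policy character limit. If deduplication was not the reason for dropping `toset()`, `for_each = distinct(var.velero_s3_kms_key_arns)` keeps the list index while still removing duplicates. Now that `statement.key` is an integer index rather than the ARN itself, the `sid` dropped in patch 3 can also be restored as `sid = "KMSReadWrite${statement.key}"`, which keeps each generated statement identifiable in IAM. The enclosing `content` block and its `resources = [statement.value]` line continue past this hunk.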