Adds logic to encrypt cluster (#17)

- Adds kms_id, kms_key_id, kms_private_endpoint, and autorize_kms variables
- Updates cluster provisioning to include kms_config block if values provided
- Updates metadata to include kns dependency

Signed-off-by: Sean Sundberg <[email protected]>

Author: Sean Sundberg

main.tf

@@ -45,6 +45,16 @@ locals {
   vpc_subnets           = !var.exists ? var.vpc_subnets : []
   security_group_id     = !var.exists ? data.ibm_is_vpc.vpc[0].default_security_group : ""
   ipv4_cidr_blocks      = !var.exists ? data.ibm_is_subnet.vpc_subnet[*].ipv4_cidr_block : []
+  kms_enabled           = var.kms_id != "" && var.kms_key_id != ""
+  kms_config            = local.kms_enabled ? [{
+    instance_id      = var.kms_id
+    crk_id           = var.kms_key_id
+    private_endpoint = var.kms_private_endpoint
+  }] : []
+  policy_targets     = [
+    "kms",
+    "hs-crypto"
+  ]
 }
 
 resource null_resource create_dirs {
@@ -116,9 +126,17 @@ data ibm_is_subnet vpc_subnet {
   identifier = local.vpc_subnets[count.index].id
 }
 
+resource "ibm_iam_authorization_policy" "policy" {
+  count = local.kms_enabled && var.authorize_kms ? length(local.policy_targets) : 0
+
+  source_service_name         = "containers-kubernetes"
+  target_service_name         = local.policy_targets[count.index]
+  roles                       = ["Reader"]
+}
+
 resource ibm_container_vpc_cluster cluster {
   count = !var.exists ? 1 : 0
-  depends_on = [null_resource.print_resources]
+  depends_on = [null_resource.print_resources, ibm_iam_authorization_policy.policy]
 
   name              = local.cluster_name
   vpc_id            = local.vpc_id
@@ -135,6 +153,16 @@ resource ibm_container_vpc_cluster cluster {
     name      = local.vpc_subnets[0].zone
     subnet_id = local.vpc_subnets[0].id
   }
+
+  dynamic "kms_config" {
+    for_each = local.kms_config
+
+    content {
+      instance_id      = kms_config.value["instance_id"]
+      crk_id           = kms_config.value["crk_id"]
+      private_endpoint = kms_config.value["private_endpoint"]
+    }
+  }
 }
 
 resource ibm_container_vpc_worker_pool cluster_pool {

module.yaml

@@ -26,6 +26,13 @@ versions:
       refs:
         - source: github.com/cloud-native-toolkit/terraform-ibm-vpc-subnets
           version: ">= 1.0.0"
+    - id: kms
+      refs:
+        - source: github.com/cloud-native-toolkit/terraform-ibm-key-protect
+          version: ">= 1.0.0"
+        - source: github.com/cloud-native-toolkit/terraform-ibm-hpcs
+          version: ">= 1.0.0"
+      optional: true
   variables:
     - name: resource_group_name
       moduleRef:
@@ -47,6 +54,13 @@ versions:
       moduleRef:
         id: cos
         output: id
+    - name: kms_id
+      moduleRef:
+        id: kms
+        output: id
+      optional: true
+    - name: kms_key_id
+      optional: true
     - name: name_prefix
       scope: global
     - name: region

variables.tf

@@ -94,3 +94,27 @@ variable "cos_id" {
   type        = string
   description = "The crn of the COS instance that will be used with the OCP instance"
 }
+
+variable "kms_id" {
+  type        = string
+  description = "The crn of the KMS instance that will be used to encrypt the cluster."
+  default     = ""
+}
+
+variable "kms_key_id" {
+  type        = string
+  description = "The id of the root key in the KMS instance that will be used to encrypt the cluster."
+  default     = ""
+}
+
+variable "kms_private_endpoint" {
+  type        = bool
+  description = "Flag indicating that the private endpoint should be used to connect the KMS system to the cluster."
+  default     = true
+}
+
+variable "authorize_kms" {
+  type        = bool
+  description = "Flag indicating that the authorization between the kms and the service should be created."
+  default     = true
+}