Merge pull request #89 from zama-ai/fred/fix/add-backup-in-configmap

fegmorte · web-flow · commit 0d0e641e5a7d · 2026-02-23T12:36:02.000+01:00
fix: Add backup info in configmap
diff --git a/modules/mpc-backup-key/main.tf b/modules/mpc-backup-key/main.tf
@@ -48,6 +48,7 @@ resource "aws_kms_key" "this_backup" {
         },
         Action = [
           "kms:GetPublicKey",
+          "kms:DescribeKey",
         ],
         Resource = "*"
       },
diff --git a/modules/mpc-party/main.tf b/modules/mpc-party/main.tf
@@ -224,7 +224,7 @@ resource "aws_iam_policy" "mpc_aws" {
         {
           Sid      = "AllowCrossAccountKeyBackup"
           Effect   = "Allow"
-          Action   = "kms:GetPublicKey"
+          Action   = ["kms:GetPublicKey", "kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt"]
           Resource = var.kms_backup_vault_kms_key_arn
         }
       ] : []
@@ -535,6 +535,10 @@ resource "kubernetes_config_map" "mpc_party_config" {
     "KMS_CORE__PRIVATE_VAULT__KEYCHAIN__AWS_KMS__ROOT_KEY_ID"   = local.kms_key_id
     "KMS_CORE__PRIVATE_VAULT__KEYCHAIN__AWS_KMS__ROOT_KEY_SPEC" = var.kms_enabled_nitro_enclaves ? "symm" : null
     "KMS_CONNECTOR__TX_SENDER_AWS_KMS_KEY_ID"                   = var.kms_connector_enable_txsender_key ? local.connector_key_id : null
+    "KMS_CORE__BACKUP_VAULT__STORAGE__S3__BUCKET"               = var.kms_enable_backup_vault && var.kms_backup_vault_bucket_name != null ? var.kms_backup_vault_bucket_name : null
+    "KMS_CORE__BACKUP_VAULT__STORAGE__S3__PREFIX"               = "backup"
+    "KMS_CORE__BACKUP_VAULT__KEYCHAIN__AWS_KMS__ROOT_KEY_ID"    = var.kms_enable_backup_vault && var.kms_backup_vault_kms_key_arn != null ? var.kms_backup_vault_kms_key_arn : null
+    "KMS_CORE__BACKUP_VAULT__KEYCHAIN__AWS_KMS__ROOT_KEY_SPEC"  = var.kms_enable_backup_vault && var.kms_backup_vault_kms_key_arn != null ? "asymm" : null
   }
 
   depends_on = [kubernetes_namespace.mpc_party_namespace, aws_s3_bucket.vault_private_bucket, aws_s3_bucket.vault_public_bucket]

Original file line number	Diff line number	Diff line change
`@@ -224,7 +224,7 @@ resource "aws_iam_policy" "mpc_aws" {`
`224`	`224`	`{`
`225`	`225`	`Sid = "AllowCrossAccountKeyBackup"`
`226`	`226`	`Effect = "Allow"`
`227`		`- Action = "kms:GetPublicKey"`
	`227`	`+ Action = ["kms:GetPublicKey", "kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt"]`
`228`	`228`	`Resource = var.kms_backup_vault_kms_key_arn`
`229`	`229`	`}`
`230`	`230`	`] : []`
`@@ -535,6 +535,10 @@ resource "kubernetes_config_map" "mpc_party_config" {`
`535`	`535`	`"KMS_CORE__PRIVATE_VAULT__KEYCHAIN__AWS_KMS__ROOT_KEY_ID" = local.kms_key_id`
`536`	`536`	`"KMS_CORE__PRIVATE_VAULT__KEYCHAIN__AWS_KMS__ROOT_KEY_SPEC" = var.kms_enabled_nitro_enclaves ? "symm" : null`
`537`	`537`	`"KMS_CONNECTOR__TX_SENDER_AWS_KMS_KEY_ID" = var.kms_connector_enable_txsender_key ? local.connector_key_id : null`
	`538`	`+ "KMS_CORE__BACKUP_VAULT__STORAGE__S3__BUCKET" = var.kms_enable_backup_vault && var.kms_backup_vault_bucket_name != null ? var.kms_backup_vault_bucket_name : null`
	`539`	`+ "KMS_CORE__BACKUP_VAULT__STORAGE__S3__PREFIX" = "backup"`
	`540`	`+ "KMS_CORE__BACKUP_VAULT__KEYCHAIN__AWS_KMS__ROOT_KEY_ID" = var.kms_enable_backup_vault && var.kms_backup_vault_kms_key_arn != null ? var.kms_backup_vault_kms_key_arn : null`
	`541`	`+ "KMS_CORE__BACKUP_VAULT__KEYCHAIN__AWS_KMS__ROOT_KEY_SPEC" = var.kms_enable_backup_vault && var.kms_backup_vault_kms_key_arn != null ? "asymm" : null`
`538`	`542`	`}`
`539`	`543`
`540`	`544`	`depends_on = [kubernetes_namespace.mpc_party_namespace, aws_s3_bucket.vault_private_bucket, aws_s3_bucket.vault_public_bucket]`