feat: support cse feature (#120)

Signed-off-by: Sammy Huang <sammy.huang@zilliz.com>

Author: yellow-shine

.gitignore

@@ -35,3 +35,5 @@ terraform.rc
 **/rendered-agent.yaml
 **/test-module
 
+
+.notebook/**

examples/aws-project-byoc-I/README.md

@@ -240,7 +240,28 @@ The example automatically creates **4 IAM roles** with specific purposes:
 
 ---
 
-### 6. ECR Integration
+### 6. Encryption
+
+#### Client-Side Encryption (CSE)
+- **Enable AWS CSE with automatic KMS key creation**:
+  ```hcl
+  enable_aws_cse = true
+  ```
+  - **Purpose**: Enables client-side encryption for Milvus data
+  - **Behavior**: Automatically creates a new KMS key for CSE operations
+  - **Output**: `cse_key_arn` - The ARN of the created CSE KMS key
+
+- **Enable AWS CSE with existing KMS key**:
+  ```hcl
+  enable_aws_cse          = true
+  aws_cse_exiting_key_arn = "arn:aws:kms:us-west-2:123456789012:key/12345678-1234-1234-1234-123456789012"
+  ```
+  - **Purpose**: Uses your existing KMS key for client-side encryption
+  - **Note**: The existing key must allow the storage role to use it for encryption/decryption
+
+---
+
+### 7. ECR Integration
 
 #### Default
 - **Default ECR Configuration**:
@@ -275,7 +296,7 @@ The example automatically creates **4 IAM roles** with specific purposes:
 
 ---
 
-### 7. Resource Tagging
+### 8. Resource Tagging
 
 #### Default
 - **Default Tags**: Resources are automatically tagged with:
@@ -501,6 +522,7 @@ After successful deployment:
 |--------|-------------|
 | `data_plane_id` | BYOC project data plane ID |
 | `project_id` | BYOC project ID |
+| `cse_key_arn` | CSE KMS key ARN (if `enable_aws_cse = true`) |
 
 ## Important Notes
 

examples/aws-project-byoc-I/main.tf

@@ -79,6 +79,14 @@ module "eks" {
   depends_on = [module.private_link]
 }
 
+module "kms" {
+  count = var.enable_aws_cse ? 1 : 0
+  source = "../../modules/aws_byoc_i/kms"
+  prefix = local.prefix_name
+  trust_role_arn = local.storage_role.arn
+  aws_cse_exiting_key_arn = var.aws_cse_exiting_key_arn
+}
+
 resource "zillizcloud_byoc_i_project_agent" "this" {
   project_id    = local.project_id
   data_plane_id = local.data_plane_id
@@ -108,11 +116,16 @@ resource "zillizcloud_byoc_i_project" "this" {
     storage = {
       bucket_id = local.s3_bucket_id
     }
+    cse = var.enable_aws_cse ? {
+      default_aws_cse_key_arn     = module.kms[0].cse_key_arn
+      aws_cse_role_arn    = module.kms[0].cse_role_arn
+      external_id = module.kms[0].external_id
+    } : null
   }
 
   // depend on private link to establish agent tunnel connection
   depends_on = [zillizcloud_byoc_i_project_agent.this,
-    module.eks, module.private_link, module.vpc, module.s3]
+    module.eks, module.private_link, module.vpc, module.s3, module.kms]
   lifecycle {
      ignore_changes = [data_plane_id, project_id, aws, ext_config]
      prevent_destroy = true
@@ -121,6 +134,13 @@ resource "zillizcloud_byoc_i_project" "this" {
   ext_config = base64encode(jsonencode(local.ext_config))
 }
 
+
+
+
+output "cse_key_arn" {
+  value = var.enable_aws_cse ? module.kms[0].cse_key_arn : null
+}
+
 output "data_plane_id" {
   value = local.dataplane_id
 }

examples/aws-project-byoc-I/terraform.sample.tfvars

@@ -105,4 +105,9 @@ minimal_roles = {
     name = ""  # Custom name for node role (optional)
     # use_existing_arn = "arn:aws:iam::123456789012:role/your-existing-node-role"  # Use existing role by ARN (optional)
   }
-}
+}
+
+# Enable AWS Client-Side Encryption (CSE) for Milvus data
+# When enabled without aws_cse_exiting_key_arn, a new KMS key will be created automatically
+enable_aws_cse          = false
+aws_cse_exiting_key_arn = ""  # Optional: Use existing KMS key ARN for CSE

examples/aws-project-byoc-I/variables.tf

@@ -210,3 +210,15 @@ variable "s3_kms_key_arn" {
   type        = string
   default     = ""
 }
+
+variable "enable_aws_cse" {
+  description = "Enable AWS CSE"
+  type        = bool
+  default     = false
+}
+
+variable "aws_cse_exiting_key_arn" {
+  description = "The ARN of the existing KMS key to use for AWS CSE"
+  type        = string
+  default     = ""
+}

modules/aws_byoc_i/kms/main.tf

@@ -0,0 +1,97 @@
+data "aws_caller_identity" "current" {}
+
+locals {
+  create_key  = var.aws_cse_exiting_key_arn == ""
+  cse_key_arn = local.create_key ? aws_kms_key.zilliz_cse[0].arn : var.aws_cse_exiting_key_arn
+}
+
+# Multi-Region symmetric KMS key for Zilliz cluster encryption and decryption
+resource "aws_kms_key" "zilliz_cse" {
+  count = local.create_key ? 1 : 0
+
+  description              = "Multi-Region symmetric KMS key for Zilliz cluster encryption and decryption"
+  key_usage                = "ENCRYPT_DECRYPT"
+  customer_master_key_spec = "SYMMETRIC_DEFAULT"
+  multi_region             = true
+  enable_key_rotation      = true
+
+  tags = {
+    Vendor = "zilliz-byoc"
+  }
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Id      = "key-default-1"
+    Statement = [
+      {
+        Sid       = "Enable IAM User Permissions"
+        Effect    = "Allow"
+        Principal = {
+          # 
+          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+        }
+        Action   = "kms:*"
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_kms_alias" "zilliz_cse" {
+  count = local.create_key ? 1 : 0
+
+  name          = "alias/${var.prefix}-zilliz-cse"
+  target_key_id = aws_kms_key.zilliz_cse[0].key_id
+}
+
+# IAM role for Zilliz cse cross-account access
+resource "aws_iam_role" "zilliz_cse" {
+  name = "${var.prefix}-zilliz-cse-role"
+
+  tags = {
+    Vendor = "zilliz-byoc"
+  }
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect    = "Allow"
+        Principal = {
+          AWS = var.trust_role_arn
+        }
+        Action    = "sts:AssumeRole"
+        Condition = {
+          StringEquals = {
+            "sts:ExternalId" = var.prefix
+          }
+        }
+      }
+    ]
+  })
+}
+
+# Inline policy granting KMS encrypt/decrypt/describe on the cse key
+resource "aws_iam_role_policy" "zilliz_cse_policy" {
+  name = "${var.prefix}-zilliz-cse-policy"
+  role = aws_iam_role.zilliz_cse.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "kms:Decrypt",
+          "kms:Encrypt",
+          "kms:DescribeKey",
+          "kms:GenerateDataKey",
+          "kms:GenerateDataKeyWithoutPlaintext"
+        ]
+        Resource = [
+          local.cse_key_arn
+        ]
+      }
+    ]
+  })
+}

modules/aws_byoc_i/kms/output.tf

@@ -0,0 +1,14 @@
+output "cse_key_arn" {
+  description = "ARN of the KMS CMEK key (created or existing)"
+  value       = local.cse_key_arn
+}
+
+output "cse_role_arn" {
+  description = "ARN of the IAM role for cross-account CMEK access"
+  value       = aws_iam_role.zilliz_cse.arn
+}
+
+output "external_id" {
+  description = "External ID for the role"
+  value       = var.prefix
+}

modules/aws_byoc_i/kms/variable.tf

@@ -0,0 +1,30 @@
+variable "trust_role_arn" {
+  description = "The arn of the trust role"
+  type        = string
+  nullable    = false
+
+  validation {
+    condition     = can(regex("^arn:aws:iam::[0-9]{12}:role/.+$", var.trust_role_arn))
+    error_message = "trust_role_arn must be a valid IAM role ARN (e.g. arn:aws:iam::123456789012:role/MyRole)."
+  }
+}
+
+
+
+variable "prefix" {
+  description = "prefix of the resource name"
+  type        = string
+  nullable    = false
+
+  validation {
+    condition     = length(var.prefix) > 0
+    error_message = "prefix must not be empty."
+  }
+}
+
+
+variable "aws_cse_exiting_key_arn" {
+  description = "ARN of an existing KMS key to use. When set, no new key is created."
+  type        = string
+  nullable    = true
+}