Add EKS Secret envelope encryption support (#772)

This adds support for configuring EKS clusters that utilise envelope encryption for Secrets: - https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/ - https://aws.amazon.com/blogs/containers/using-eks-encryption-provider-support-for-defense-in-depth/
2026-03-26 03:11:06 +01:00 · 2020-03-11 11:26:06 +00:00
parent 2715b01e4e
commit 23c005e5ef
8 changed files with 218 additions and 2 deletions
--- a/examples/secrets_encryption/variables.tf
+++ b/examples/secrets_encryption/variables.tf
@@ -0,0 +1,52 @@
+variable "region" {
+  default = "us-west-2"
+}
+
+variable "map_accounts" {
+  description = "Additional AWS account numbers to add to the aws-auth configmap."
+  type        = list(string)
+
+  default = [
+    "777777777777",
+    "888888888888",
+  ]
+}
+
+variable "map_roles" {
+  description = "Additional IAM roles to add to the aws-auth configmap."
+  type = list(object({
+    rolearn  = string
+    username = string
+    groups   = list(string)
+  }))
+
+  default = [
+    {
+      rolearn  = "arn:aws:iam::66666666666:role/role1"
+      username = "role1"
+      groups   = ["system:masters"]
+    },
+  ]
+}
+
+variable "map_users" {
+  description = "Additional IAM users to add to the aws-auth configmap."
+  type = list(object({
+    userarn  = string
+    username = string
+    groups   = list(string)
+  }))
+
+  default = [
+    {
+      userarn  = "arn:aws:iam::66666666666:user/user1"
+      username = "user1"
+      groups   = ["system:masters"]
+    },
+    {
+      userarn  = "arn:aws:iam::66666666666:user/user2"
+      username = "user2"
+      groups   = ["system:masters"]
+    },
+  ]
+}