feat: Add variables to allow users to control attributes on cluster_encryption IAM policy (#1928)

README.md

@@ -855,6 +855,11 @@ Full contributing [guidelines are covered here](https://github.com/terraform-aws
 | <a name="input_cluster_addons"></a> [cluster\_addons](#input\_cluster\_addons) | Map of cluster addon configurations to enable for the cluster. Addon name can be the map keys or set with `name` | `any` | `{}` | no |
 | <a name="input_cluster_enabled_log_types"></a> [cluster\_enabled\_log\_types](#input\_cluster\_enabled\_log\_types) | A list of the desired control plane logs to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` | <pre>[<br>  "audit",<br>  "api",<br>  "authenticator"<br>]</pre> | no |
 | <a name="input_cluster_encryption_config"></a> [cluster\_encryption\_config](#input\_cluster\_encryption\_config) | Configuration block with encryption configuration for the cluster | <pre>list(object({<br>    provider_key_arn = string<br>    resources        = list(string)<br>  }))</pre> | `[]` | no |
+| <a name="input_cluster_encryption_policy_description"></a> [cluster\_encryption\_policy\_description](#input\_cluster\_encryption\_policy\_description) | Description of the cluster encryption policy created | `string` | `"Cluster encryption policy to allow cluster role to utilize CMK provided"` | no |
+| <a name="input_cluster_encryption_policy_name"></a> [cluster\_encryption\_policy\_name](#input\_cluster\_encryption\_policy\_name) | Name to use on cluster encryption policy created | `string` | `null` | no |
+| <a name="input_cluster_encryption_policy_path"></a> [cluster\_encryption\_policy\_path](#input\_cluster\_encryption\_policy\_path) | Cluster encryption policy path | `string` | `null` | no |
+| <a name="input_cluster_encryption_policy_tags"></a> [cluster\_encryption\_policy\_tags](#input\_cluster\_encryption\_policy\_tags) | A map of additional tags to add to the cluster encryption policy created | `map(string)` | `{}` | no |
+| <a name="input_cluster_encryption_policy_use_name_prefix"></a> [cluster\_encryption\_policy\_use\_name\_prefix](#input\_cluster\_encryption\_policy\_use\_name\_prefix) | Determines whether cluster encryption policy name (`cluster_encryption_policy_name`) is used as a prefix | `string` | `true` | no |
 | <a name="input_cluster_endpoint_private_access"></a> [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Indicates whether or not the Amazon EKS private API server endpoint is enabled | `bool` | `false` | no |
 | <a name="input_cluster_endpoint_public_access"></a> [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Indicates whether or not the Amazon EKS public API server endpoint is enabled | `bool` | `true` | no |
 | <a name="input_cluster_endpoint_public_access_cidrs"></a> [cluster\_endpoint\_public\_access\_cidrs](#input\_cluster\_endpoint\_public\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS public API server endpoint | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |

main.tf

@@ -174,6 +174,8 @@ locals {
   iam_role_name     = coalesce(var.iam_role_name, "${var.cluster_name}-cluster")
   policy_arn_prefix = "arn:${data.aws_partition.current.partition}:iam::aws:policy"
 
+  cluster_encryption_policy_name = coalesce(var.cluster_encryption_policy_name, "${local.iam_role_name}-ClusterEncryption")
+
   # TODO - hopefully this can be removed once the AWS endpoint is named properly in China
   # https://github.com/terraform-aws-modules/terraform-aws-eks/issues/1904
   dns_suffix = coalesce(var.cluster_iam_role_dns_suffix, data.aws_partition.current.dns_suffix)
@@ -230,8 +232,10 @@ resource "aws_iam_role_policy_attachment" "cluster_encryption" {
 resource "aws_iam_policy" "cluster_encryption" {
   count = local.create_iam_role && var.attach_cluster_encryption_policy && length(var.cluster_encryption_config) > 0 ? 1 : 0
 
-  name_prefix = "${local.iam_role_name}-ClusterEncryption-"
-  description = "Cluster encryption policy to allow cluster role to utilize CMK provided"
+  name        = var.cluster_encryption_policy_use_name_prefix ? null : local.cluster_encryption_policy_name
+  name_prefix = var.cluster_encryption_policy_use_name_prefix ? local.cluster_encryption_policy_name : null
+  description = var.cluster_encryption_policy_description
+  path        = var.cluster_encryption_policy_path
 
   policy = jsonencode({
     Version = "2012-10-17"
@@ -243,14 +247,13 @@ resource "aws_iam_policy" "cluster_encryption" {
           "kms:ListGrants",
           "kms:DescribeKey",
         ]
-        Effect = "Allow"
-        # TODO - does cluster_encryption_config need to be a list?!
+        Effect   = "Allow"
         Resource = [for config in var.cluster_encryption_config : config.provider_key_arn]
       },
     ]
   })
 
-  tags = var.tags
+  tags = merge(var.tags, var.cluster_encryption_policy_tags)
 }
 
 ################################################################################

variables.tf

@@ -325,6 +325,36 @@ variable "iam_role_tags" {
   default     = {}
 }
 
+variable "cluster_encryption_policy_use_name_prefix" {
+  description = "Determines whether cluster encryption policy name (`cluster_encryption_policy_name`) is used as a prefix"
+  type        = string
+  default     = true
+}
+
+variable "cluster_encryption_policy_name" {
+  description = "Name to use on cluster encryption policy created"
+  type        = string
+  default     = null
+}
+
+variable "cluster_encryption_policy_description" {
+  description = "Description of the cluster encryption policy created"
+  type        = string
+  default     = "Cluster encryption policy to allow cluster role to utilize CMK provided"
+}
+
+variable "cluster_encryption_policy_path" {
+  description = "Cluster encryption policy path"
+  type        = string
+  default     = null
+}
+
+variable "cluster_encryption_policy_tags" {
+  description = "A map of additional tags to add to the cluster encryption policy created"
+  type        = map(string)
+  default     = {}
+}
+
 ################################################################################
 # EKS Addons
 ################################################################################