github-mirrors/terraform-aws-eks
1
0
Fork 0
mirror of https://github.com/ysoftdevs/terraform-aws-eks.git synced 2026-01-17 09:07:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: Add variables to allow users to control attributes on cluster_encryption IAM policy (#1928)

Browse Source
This commit is contained in:
Bryant Biggs
2022-03-09 09:13:18 -05:00
committed by GitHub
parent 27f99f03a7
commit 2df1572b8a
3 changed files with 43 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
README.md
View File

@@ -855,6 +855,11 @@ Full contributing [guidelines are covered here](https://github.com/terraform-aws
| <a name="input_cluster_addons"></a> [cluster\_addons](#input\_cluster\_addons) | Map of cluster addon configurations to enable for the cluster. Addon name can be the map keys or set with `name` | `any` | `{}` | no | | <a name="input_cluster_addons"></a> [cluster\_addons](#input\_cluster\_addons) | Map of cluster addon configurations to enable for the cluster. Addon name can be the map keys or set with `name` | `any` | `{}` | no |
| <a name="input_cluster_enabled_log_types"></a> [cluster\_enabled\_log\_types](#input\_cluster\_enabled\_log\_types) | A list of the desired control plane logs to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` | <pre>[<br> "audit",<br> "api",<br> "authenticator"<br>]</pre> | no | | <a name="input_cluster_enabled_log_types"></a> [cluster\_enabled\_log\_types](#input\_cluster\_enabled\_log\_types) | A list of the desired control plane logs to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` | <pre>[<br> "audit",<br> "api",<br> "authenticator"<br>]</pre> | no |
| <a name="input_cluster_encryption_config"></a> [cluster\_encryption\_config](#input\_cluster\_encryption\_config) | Configuration block with encryption configuration for the cluster | <pre>list(object({<br> provider_key_arn = string<br> resources = list(string)<br> }))</pre> | `[]` | no | | <a name="input_cluster_encryption_config"></a> [cluster\_encryption\_config](#input\_cluster\_encryption\_config) | Configuration block with encryption configuration for the cluster | <pre>list(object({<br> provider_key_arn = string<br> resources = list(string)<br> }))</pre> | `[]` | no |
| <a name="input_cluster_encryption_policy_description"></a> [cluster\_encryption\_policy\_description](#input\_cluster\_encryption\_policy\_description) | Description of the cluster encryption policy created | `string` | `"Cluster encryption policy to allow cluster role to utilize CMK provided"` | no |
| <a name="input_cluster_encryption_policy_name"></a> [cluster\_encryption\_policy\_name](#input\_cluster\_encryption\_policy\_name) | Name to use on cluster encryption policy created | `string` | `null` | no |
| <a name="input_cluster_encryption_policy_path"></a> [cluster\_encryption\_policy\_path](#input\_cluster\_encryption\_policy\_path) | Cluster encryption policy path | `string` | `null` | no |
| <a name="input_cluster_encryption_policy_tags"></a> [cluster\_encryption\_policy\_tags](#input\_cluster\_encryption\_policy\_tags) | A map of additional tags to add to the cluster encryption policy created | `map(string)` | `{}` | no |
| <a name="input_cluster_encryption_policy_use_name_prefix"></a> [cluster\_encryption\_policy\_use\_name\_prefix](#input\_cluster\_encryption\_policy\_use\_name\_prefix) | Determines whether cluster encryption policy name (`cluster_encryption_policy_name`) is used as a prefix | `string` | `true` | no |
| <a name="input_cluster_endpoint_private_access"></a> [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Indicates whether or not the Amazon EKS private API server endpoint is enabled | `bool` | `false` | no | | <a name="input_cluster_endpoint_private_access"></a> [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Indicates whether or not the Amazon EKS private API server endpoint is enabled | `bool` | `false` | no |
| <a name="input_cluster_endpoint_public_access"></a> [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Indicates whether or not the Amazon EKS public API server endpoint is enabled | `bool` | `true` | no | | <a name="input_cluster_endpoint_public_access"></a> [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Indicates whether or not the Amazon EKS public API server endpoint is enabled | `bool` | `true` | no |
| <a name="input_cluster_endpoint_public_access_cidrs"></a> [cluster\_endpoint\_public\_access\_cidrs](#input\_cluster\_endpoint\_public\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS public API server endpoint | `list(string)` | <pre>[<br> "0.0.0.0/0"<br>]</pre> | no | | <a name="input_cluster_endpoint_public_access_cidrs"></a> [cluster\_endpoint\_public\_access\_cidrs](#input\_cluster\_endpoint\_public\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS public API server endpoint | `list(string)` | <pre>[<br> "0.0.0.0/0"<br>]</pre> | no |

13
main.tf
View File

@@ -174,6 +174,8 @@ locals {
iam_role_name = coalesce(var.iam_role_name, "${var.cluster_name}-cluster") iam_role_name = coalesce(var.iam_role_name, "${var.cluster_name}-cluster")
policy_arn_prefix = "arn:${data.aws_partition.current.partition}:iam::aws:policy" policy_arn_prefix = "arn:${data.aws_partition.current.partition}:iam::aws:policy"
cluster_encryption_policy_name = coalesce(var.cluster_encryption_policy_name, "${local.iam_role_name}-ClusterEncryption")
# TODO - hopefully this can be removed once the AWS endpoint is named properly in China # TODO - hopefully this can be removed once the AWS endpoint is named properly in China
# https://github.com/terraform-aws-modules/terraform-aws-eks/issues/1904 # https://github.com/terraform-aws-modules/terraform-aws-eks/issues/1904
dns_suffix = coalesce(var.cluster_iam_role_dns_suffix, data.aws_partition.current.dns_suffix) dns_suffix = coalesce(var.cluster_iam_role_dns_suffix, data.aws_partition.current.dns_suffix)
@@ -230,8 +232,10 @@ resource "aws_iam_role_policy_attachment" "cluster_encryption" {
resource "aws_iam_policy" "cluster_encryption" { resource "aws_iam_policy" "cluster_encryption" {
count = local.create_iam_role && var.attach_cluster_encryption_policy && length(var.cluster_encryption_config) > 0 ? 1 : 0 count = local.create_iam_role && var.attach_cluster_encryption_policy && length(var.cluster_encryption_config) > 0 ? 1 : 0
name_prefix = "${local.iam_role_name}-ClusterEncryption-" name = var.cluster_encryption_policy_use_name_prefix ? null : local.cluster_encryption_policy_name
description = "Cluster encryption policy to allow cluster role to utilize CMK provided" name_prefix = var.cluster_encryption_policy_use_name_prefix ? local.cluster_encryption_policy_name : null
description = var.cluster_encryption_policy_description
path = var.cluster_encryption_policy_path
policy = jsonencode({ policy = jsonencode({
Version = "2012-10-17" Version = "2012-10-17"
@@ -243,14 +247,13 @@ resource "aws_iam_policy" "cluster_encryption" {
"kms:ListGrants", "kms:ListGrants",
"kms:DescribeKey", "kms:DescribeKey",
] ]
Effect = "Allow" Effect = "Allow"
# TODO - does cluster_encryption_config need to be a list?!
Resource = [for config in var.cluster_encryption_config : config.provider_key_arn] Resource = [for config in var.cluster_encryption_config : config.provider_key_arn]
}, },
] ]
}) })
tags = var.tags tags = merge(var.tags, var.cluster_encryption_policy_tags)
} }
################################################################################ ################################################################################

30
variables.tf
View File

@@ -325,6 +325,36 @@ variable "iam_role_tags" {
default = {} default = {}
} }
variable "cluster_encryption_policy_use_name_prefix" {
description = "Determines whether cluster encryption policy name (`cluster_encryption_policy_name`) is used as a prefix"
type = string
default = true
}
variable "cluster_encryption_policy_name" {
description = "Name to use on cluster encryption policy created"
type = string
default = null
}
variable "cluster_encryption_policy_description" {
description = "Description of the cluster encryption policy created"
type = string
default = "Cluster encryption policy to allow cluster role to utilize CMK provided"
}
variable "cluster_encryption_policy_path" {
description = "Cluster encryption policy path"
type = string
default = null
}
variable "cluster_encryption_policy_tags" {
description = "A map of additional tags to add to the cluster encryption policy created"
type = map(string)
default = {}
}
################################################################################ ################################################################################
# EKS Addons # EKS Addons
################################################################################ ################################################################################