From 2df1572b8a031fbd31a845cc5c61f015ec387f56 Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Wed, 9 Mar 2022 09:13:18 -0500 Subject: [PATCH] feat: Add variables to allow users to control attributes on `cluster_encryption` IAM policy (#1928) --- README.md | 5 +++++ main.tf | 13 ++++++++----- variables.tf | 30 ++++++++++++++++++++++++++++++ 3 files changed, 43 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 1a78ba0..e46dcef 100644 --- a/README.md +++ b/README.md @@ -855,6 +855,11 @@ Full contributing [guidelines are covered here](https://github.com/terraform-aws | [cluster\_addons](#input\_cluster\_addons) | Map of cluster addon configurations to enable for the cluster. Addon name can be the map keys or set with `name` | `any` | `{}` | no | | [cluster\_enabled\_log\_types](#input\_cluster\_enabled\_log\_types) | A list of the desired control plane logs to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` |
[
"audit",
"api",
"authenticator"
]
| no | | [cluster\_encryption\_config](#input\_cluster\_encryption\_config) | Configuration block with encryption configuration for the cluster |
list(object({
provider_key_arn = string
resources = list(string)
}))
| `[]` | no | +| [cluster\_encryption\_policy\_description](#input\_cluster\_encryption\_policy\_description) | Description of the cluster encryption policy created | `string` | `"Cluster encryption policy to allow cluster role to utilize CMK provided"` | no | +| [cluster\_encryption\_policy\_name](#input\_cluster\_encryption\_policy\_name) | Name to use on cluster encryption policy created | `string` | `null` | no | +| [cluster\_encryption\_policy\_path](#input\_cluster\_encryption\_policy\_path) | Cluster encryption policy path | `string` | `null` | no | +| [cluster\_encryption\_policy\_tags](#input\_cluster\_encryption\_policy\_tags) | A map of additional tags to add to the cluster encryption policy created | `map(string)` | `{}` | no | +| [cluster\_encryption\_policy\_use\_name\_prefix](#input\_cluster\_encryption\_policy\_use\_name\_prefix) | Determines whether cluster encryption policy name (`cluster_encryption_policy_name`) is used as a prefix | `string` | `true` | no | | [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Indicates whether or not the Amazon EKS private API server endpoint is enabled | `bool` | `false` | no | | [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Indicates whether or not the Amazon EKS public API server endpoint is enabled | `bool` | `true` | no | | [cluster\_endpoint\_public\_access\_cidrs](#input\_cluster\_endpoint\_public\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS public API server endpoint | `list(string)` |
[
"0.0.0.0/0"
]
| no |
diff --git a/main.tf b/main.tf
index 7aa426f..e47582b 100644
--- a/main.tf
+++ b/main.tf
@@ -174,6 +174,8 @@ locals {
 iam_role_name = coalesce(var.iam_role_name, "${var.cluster_name}-cluster")
 policy_arn_prefix = "arn:${data.aws_partition.current.partition}:iam::aws:policy"
 
+ cluster_encryption_policy_name = coalesce(var.cluster_encryption_policy_name, "${local.iam_role_name}-ClusterEncryption")
+
 # TODO - hopefully this can be removed once the AWS endpoint is named properly in China
 # https://github.com/terraform-aws-modules/terraform-aws-eks/issues/1904
 dns_suffix = coalesce(var.cluster_iam_role_dns_suffix, data.aws_partition.current.dns_suffix)
@@ -230,8 +232,10 @@ resource "aws_iam_role_policy_attachment" "cluster_encryption" {
 resource "aws_iam_policy" "cluster_encryption" {
 count = local.create_iam_role && var.attach_cluster_encryption_policy && length(var.cluster_encryption_config) > 0 ? 1 : 0
 
- name_prefix = "${local.iam_role_name}-ClusterEncryption-"
- description = "Cluster encryption policy to allow cluster role to utilize CMK provided"
+ name = var.cluster_encryption_policy_use_name_prefix ? null : local.cluster_encryption_policy_name
+ name_prefix = var.cluster_encryption_policy_use_name_prefix ? local.cluster_encryption_policy_name : null
+ description = var.cluster_encryption_policy_description
+ path = var.cluster_encryption_policy_path
 
 policy = jsonencode({
 Version = "2012-10-17"
@@ -243,14 +247,13 @@ resource "aws_iam_policy" "cluster_encryption" {
 "kms:ListGrants",
 "kms:DescribeKey",
 ]
- Effect = "Allow"
- # TODO - does cluster_encryption_config need to be a list?!
+ Effect = "Allow"
 Resource = [for config in var.cluster_encryption_config : config.provider_key_arn]
 },
 ]
 })
 
- tags = var.tags
+ tags = merge(var.tags, var.cluster_encryption_policy_tags)
 }
 
 ################################################################################
diff --git a/variables.tf b/variables.tf
index 2e479ac..7d2af1c 100644
--- a/variables.tf
+++ b/variables.tf
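Review bot: The default prefix loses the trailing `-` that the removed `name_prefix = "${local.iam_role_name}-ClusterEncryption-"` carried, so with `cluster_encryption_policy_use_name_prefix = true` the generated policy name now runs `...-ClusterEncryption` straight into the provider's random suffix, and since `name_prefix` is, as far as I can tell, a replace-on-change attribute of `aws_iam_policy`, every existing cluster will have its encryption policy destroyed and recreated on upgrade. Presumably the `aws_iam_role_policy_attachment` is replaced with it, which would leave the cluster role without the `kms:*` grants on the CMK for the duration of the apply; this deserves an explicit upgrade note. Keeping the separator only in the prefix branch, `name_prefix = var.cluster_encryption_policy_use_name_prefix ? "${local.cluster_encryption_policy_name}-" : null`, preserves the previous naming for prefix users while still allowing an exact `name` when the prefix is disabled. The `aws_iam_policy` resource and its `Statement` list both start and end outside the hunk.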
@@ -325,6 +325,36 @@ variable "iam_role_tags" {
 default = {}
 }
 
+variable "cluster_encryption_policy_use_name_prefix" {
+ description = "Determines whether cluster encryption policy name (`cluster_encryption_policy_name`) is used as a prefix"
+ type = string
+ default = true
+}
+
+variable "cluster_encryption_policy_name" {
+ description = "Name to use on cluster encryption policy created"
+ type = string
+ default = null
+}
+
+variable "cluster_encryption_policy_description" {
+ description = "Description of the cluster encryption policy created"
+ type = string
+ default = "Cluster encryption policy to allow cluster role to utilize CMK provided"
+}
+
+variable "cluster_encryption_policy_path" {
+ description = "Cluster encryption policy path"
+ type = string
+ default = null
+}
+
+variable "cluster_encryption_policy_tags" {
+ description = "A map of additional tags to add to the cluster encryption policy created"
+ type = map(string)
+ default = {}
+}
+
 ################################################################################
 # EKS Addons
 ################################################################################
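Review bot: `cluster_encryption_policy_use_name_prefix` is declared `type = string` with `default = true` even though `main.tf` evaluates it as a boolean inside a conditional; declaring it `type = bool` rejects values such as `"yes"` at variable validation instead of surfacing as a conversion error at plan time, and it keeps the README's type column honest (it currently says `string`). The description of `cluster_encryption_policy_path` does not say what `null` means; something like `"Path of the cluster encryption policy; when null the IAM default path is used"` would help, with the default presumably being `/` — worth confirming against the provider docs. The remaining variables look consistent with the `iam_role_*` ones above, and the `description` default reproduces the string the policy resource used before this change.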