diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 27d478d..9eaabc7 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.72.1
+ rev: v1.73.0
hooks:
- id: terraform_fmt
- id: terraform_validate
diff --git a/README.md b/README.md
index 4677dc0..5931ada 100644
--- a/README.md
+++ b/README.md
@@ -226,6 +226,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
|------|--------|---------|
| [eks\_managed\_node\_group](#module\_eks\_managed\_node\_group) | ./modules/eks-managed-node-group | n/a |
| [fargate\_profile](#module\_fargate\_profile) | ./modules/fargate-profile | n/a |
+| [kms](#module\_kms) | terraform-aws-modules/kms/aws | 1.0.0 |
| [self\_managed\_node\_group](#module\_self\_managed\_node\_group) | ./modules/self-managed-node-group | n/a |
## Resources
@@ -249,6 +250,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
| [aws_security_group_rule.node](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [kubernetes_config_map.aws_auth](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |
| [kubernetes_config_map_v1_data.aws_auth](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1_data) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.cni_ipv6_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
@@ -270,7 +272,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
| [cluster\_additional\_security\_group\_ids](#input\_cluster\_additional\_security\_group\_ids) | List of additional, externally created security group IDs to attach to the cluster control plane | `list(string)` | `[]` | no |
| [cluster\_addons](#input\_cluster\_addons) | Map of cluster addon configurations to enable for the cluster. Addon name can be the map keys or set with `name` | `any` | `{}` | no |
| [cluster\_enabled\_log\_types](#input\_cluster\_enabled\_log\_types) | A list of the desired control plane logs to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` | [
"audit",
"api",
"authenticator"
]
| no |
-| [cluster\_encryption\_config](#input\_cluster\_encryption\_config) | Configuration block with encryption configuration for the cluster | list(object({
provider_key_arn = string
resources = list(string)
})) | `[]` | no |
+| [cluster\_encryption\_config](#input\_cluster\_encryption\_config) | Configuration block with encryption configuration for the cluster | `list(any)` | `[]` | no |
| [cluster\_encryption\_policy\_description](#input\_cluster\_encryption\_policy\_description) | Description of the cluster encryption policy created | `string` | `"Cluster encryption policy to allow cluster role to utilize CMK provided"` | no |
| [cluster\_encryption\_policy\_name](#input\_cluster\_encryption\_policy\_name) | Name to use on cluster encryption policy created | `string` | `null` | no |
| [cluster\_encryption\_policy\_path](#input\_cluster\_encryption\_policy\_path) | Cluster encryption policy path | `string` | `null` | no |
@@ -301,11 +303,13 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
| [create\_cluster\_security\_group](#input\_create\_cluster\_security\_group) | Determines if a security group is created for the cluster or use the existing `cluster_security_group_id` | `bool` | `true` | no |
| [create\_cni\_ipv6\_iam\_policy](#input\_create\_cni\_ipv6\_iam\_policy) | Determines whether to create an [`AmazonEKS_CNI_IPv6_Policy`](https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html#cni-iam-role-create-ipv6-policy) | `bool` | `false` | no |
| [create\_iam\_role](#input\_create\_iam\_role) | Determines whether a an IAM role is created or to use an existing IAM role | `bool` | `true` | no |
+| [create\_kms\_key](#input\_create\_kms\_key) | Controls if a KMS key for cluster encryption should be created | `bool` | `false` | no |
| [create\_node\_security\_group](#input\_create\_node\_security\_group) | Determines whether to create a security group for the node groups or use the existing `node_security_group_id` | `bool` | `true` | no |
| [custom\_oidc\_thumbprints](#input\_custom\_oidc\_thumbprints) | Additional list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s) | `list(string)` | `[]` | no |
| [eks\_managed\_node\_group\_defaults](#input\_eks\_managed\_node\_group\_defaults) | Map of EKS managed node group default configurations | `any` | `{}` | no |
| [eks\_managed\_node\_groups](#input\_eks\_managed\_node\_groups) | Map of EKS managed node group definitions to create | `any` | `{}` | no |
| [enable\_irsa](#input\_enable\_irsa) | Determines whether to create an OpenID Connect Provider for EKS to enable IRSA | `bool` | `true` | no |
+| [enable\_kms\_key\_rotation](#input\_enable\_kms\_key\_rotation) | Specifies whether key rotation is enabled. Defaults to `true` | `bool` | `true` | no |
| [fargate\_profile\_defaults](#input\_fargate\_profile\_defaults) | Map of Fargate Profile default configurations | `any` | `{}` | no |
| [fargate\_profiles](#input\_fargate\_profiles) | Map of Fargate Profile definitions to create | `any` | `{}` | no |
| [iam\_role\_additional\_policies](#input\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `list(string)` | `[]` | no |
@@ -316,6 +320,16 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
| [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
| [iam\_role\_tags](#input\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
| [iam\_role\_use\_name\_prefix](#input\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`iam_role_name`) is used as a prefix | `bool` | `true` | no |
+| [kms\_key\_administrators](#input\_kms\_key\_administrators) | A list of IAM ARNs for [key administrators](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-administrators). If no value is provided, the current caller identity is used to ensure at least one key admin is available | `list(string)` | `[]` | no |
+| [kms\_key\_aliases](#input\_kms\_key\_aliases) | A list of aliases to create. Note - due to the use of `toset()`, values must be static strings and not computed values | `list(string)` | `[]` | no |
+| [kms\_key\_deletion\_window\_in\_days](#input\_kms\_key\_deletion\_window\_in\_days) | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between `7` and `30`, inclusive. If you do not specify a value, it defaults to `30` | `number` | `null` | no |
+| [kms\_key\_description](#input\_kms\_key\_description) | The description of the key as viewed in AWS console | `string` | `null` | no |
+| [kms\_key\_enable\_default\_policy](#input\_kms\_key\_enable\_default\_policy) | Specifies whether to enable the default key policy. Defaults to `true` | `bool` | `false` | no |
+| [kms\_key\_override\_policy\_documents](#input\_kms\_key\_override\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid` | `list(string)` | `[]` | no |
+| [kms\_key\_owners](#input\_kms\_key\_owners) | A list of IAM ARNs for those who will have full key permissions (`kms:*`) | `list(string)` | `[]` | no |
+| [kms\_key\_service\_users](#input\_kms\_key\_service\_users) | A list of IAM ARNs for [key service users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-service-integration) | `list(string)` | `[]` | no |
+| [kms\_key\_source\_policy\_documents](#input\_kms\_key\_source\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s | `list(string)` | `[]` | no |
+| [kms\_key\_users](#input\_kms\_key\_users) | A list of IAM ARNs for [key users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-users) | `list(string)` | `[]` | no |
| [manage\_aws\_auth\_configmap](#input\_manage\_aws\_auth\_configmap) | Determines whether to manage the aws-auth configmap | `bool` | `false` | no |
| [node\_security\_group\_additional\_rules](#input\_node\_security\_group\_additional\_rules) | List of additional security group rules to add to the node security group created. Set `source_cluster_security_group = true` inside rules to set the `cluster_security_group` as source | `any` | `{}` | no |
| [node\_security\_group\_description](#input\_node\_security\_group\_description) | Description of the node security group created | `string` | `"EKS node shared security group"` | no |
@@ -358,6 +372,9 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
| [eks\_managed\_node\_groups](#output\_eks\_managed\_node\_groups) | Map of attribute maps for all EKS managed node groups created |
| [eks\_managed\_node\_groups\_autoscaling\_group\_names](#output\_eks\_managed\_node\_groups\_autoscaling\_group\_names) | List of the autoscaling group names created by EKS managed node groups |
| [fargate\_profiles](#output\_fargate\_profiles) | Map of attribute maps for all EKS Fargate Profiles created |
+| [kms\_key\_arn](#output\_kms\_key\_arn) | The Amazon Resource Name (ARN) of the key |
+| [kms\_key\_id](#output\_kms\_key\_id) | The globally unique identifier for the key |
+| [kms\_key\_policy](#output\_kms\_key\_policy) | The IAM resource policy set on the key |
| [node\_security\_group\_arn](#output\_node\_security\_group\_arn) | Amazon Resource Name (ARN) of the node shared security group |
| [node\_security\_group\_id](#output\_node\_security\_group\_id) | ID of the node shared security group |
| [oidc\_provider](#output\_oidc\_provider) | The OpenID Connect identity provider (issuer URL without leading `https://`) |
diff --git a/examples/complete/README.md b/examples/complete/README.md
index d329fad..7aa52f0 100644
--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -61,7 +61,6 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Type |
|------|------|
-| [aws_kms_key.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
| [aws_security_group.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
## Inputs
@@ -92,6 +91,9 @@ No inputs.
| [eks\_managed\_node\_groups](#output\_eks\_managed\_node\_groups) | Map of attribute maps for all EKS managed node groups created |
| [eks\_managed\_node\_groups\_autoscaling\_group\_names](#output\_eks\_managed\_node\_groups\_autoscaling\_group\_names) | List of the autoscaling group names created by EKS managed node groups |
| [fargate\_profiles](#output\_fargate\_profiles) | Map of attribute maps for all EKS Fargate Profiles created |
+| [kms\_key\_arn](#output\_kms\_key\_arn) | The Amazon Resource Name (ARN) of the key |
+| [kms\_key\_id](#output\_kms\_key\_id) | The globally unique identifier for the key |
+| [kms\_key\_policy](#output\_kms\_key\_policy) | The IAM resource policy set on the key |
| [oidc\_provider](#output\_oidc\_provider) | The OpenID Connect identity provider (issuer URL without leading `https://`) |
| [oidc\_provider\_arn](#output\_oidc\_provider\_arn) | The ARN of the OIDC Provider if `enable_irsa = true` |
| [self\_managed\_node\_groups](#output\_self\_managed\_node\_groups) | Map of attribute maps for all self managed node groups created |
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 69014ac..9145893 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -52,10 +52,13 @@ module "eks" {
}
}
+ # Encryption key
+ create_kms_key = true
cluster_encryption_config = [{
- provider_key_arn = aws_kms_key.eks.arn
- resources = ["secrets"]
+ resources = ["secrets"]
}]
+ kms_key_deletion_window_in_days = 7
+ enable_kms_key_rotation = true
vpc_id = module.vpc.vpc_id
subnet_ids = module.vpc.private_subnets
@@ -372,11 +375,3 @@ resource "aws_security_group" "additional" {
tags = local.tags
}
-
-resource "aws_kms_key" "eks" {
- description = "EKS Secret Encryption Key"
- deletion_window_in_days = 7
- enable_key_rotation = true
-
- tags = local.tags
-}
diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
index cbfae9a..c612b0f 100644
--- a/examples/complete/outputs.tf
+++ b/examples/complete/outputs.tf
@@ -42,6 +42,25 @@ output "cluster_security_group_id" {
value = module.eks.cluster_security_group_id
}
+################################################################################
+# KMS Key
+################################################################################
+
+output "kms_key_arn" {
+ description = "The Amazon Resource Name (ARN) of the key"
+ value = module.eks.kms_key_arn
+}
+
+output "kms_key_id" {
+ description = "The globally unique identifier for the key"
+ value = module.eks.kms_key_id
+}
+
+output "kms_key_policy" {
+ description = "The IAM resource policy set on the key"
+ value = module.eks.kms_key_policy
+}
+
################################################################################
# Security Group
################################################################################
diff --git a/examples/eks_managed_node_group/README.md b/examples/eks_managed_node_group/README.md
index 8afef35..71eb4fa 100644
--- a/examples/eks_managed_node_group/README.md
+++ b/examples/eks_managed_node_group/README.md
@@ -125,6 +125,9 @@ No inputs.
| [eks\_managed\_node\_groups](#output\_eks\_managed\_node\_groups) | Map of attribute maps for all EKS managed node groups created |
| [eks\_managed\_node\_groups\_autoscaling\_group\_names](#output\_eks\_managed\_node\_groups\_autoscaling\_group\_names) | List of the autoscaling group names created by EKS managed node groups |
| [fargate\_profiles](#output\_fargate\_profiles) | Map of attribute maps for all EKS Fargate Profiles created |
+| [kms\_key\_arn](#output\_kms\_key\_arn) | The Amazon Resource Name (ARN) of the key |
+| [kms\_key\_id](#output\_kms\_key\_id) | The globally unique identifier for the key |
+| [kms\_key\_policy](#output\_kms\_key\_policy) | The IAM resource policy set on the key |
| [node\_security\_group\_arn](#output\_node\_security\_group\_arn) | Amazon Resource Name (ARN) of the node shared security group |
| [node\_security\_group\_id](#output\_node\_security\_group\_id) | ID of the node shared security group |
| [oidc\_provider](#output\_oidc\_provider) | The OpenID Connect identity provider (issuer URL without leading `https://`) |
diff --git a/examples/eks_managed_node_group/outputs.tf b/examples/eks_managed_node_group/outputs.tf
index bfe5398..3e9e8dd 100644
--- a/examples/eks_managed_node_group/outputs.tf
+++ b/examples/eks_managed_node_group/outputs.tf
@@ -42,6 +42,25 @@ output "cluster_primary_security_group_id" {
value = module.eks.cluster_primary_security_group_id
}
+################################################################################
+# KMS Key
+################################################################################
+
+output "kms_key_arn" {
+ description = "The Amazon Resource Name (ARN) of the key"
+ value = module.eks.kms_key_arn
+}
+
+output "kms_key_id" {
+ description = "The globally unique identifier for the key"
+ value = module.eks.kms_key_id
+}
+
+output "kms_key_policy" {
+ description = "The IAM resource policy set on the key"
+ value = module.eks.kms_key_policy
+}
+
################################################################################
# Security Group
################################################################################
diff --git a/examples/fargate_profile/README.md b/examples/fargate_profile/README.md
index 1dcb863..81f0366 100644
--- a/examples/fargate_profile/README.md
+++ b/examples/fargate_profile/README.md
@@ -71,6 +71,9 @@ No inputs.
| [eks\_managed\_node\_groups](#output\_eks\_managed\_node\_groups) | Map of attribute maps for all EKS managed node groups created |
| [eks\_managed\_node\_groups\_autoscaling\_group\_names](#output\_eks\_managed\_node\_groups\_autoscaling\_group\_names) | List of the autoscaling group names created by EKS managed node groups |
| [fargate\_profiles](#output\_fargate\_profiles) | Map of attribute maps for all EKS Fargate Profiles created |
+| [kms\_key\_arn](#output\_kms\_key\_arn) | The Amazon Resource Name (ARN) of the key |
+| [kms\_key\_id](#output\_kms\_key\_id) | The globally unique identifier for the key |
+| [kms\_key\_policy](#output\_kms\_key\_policy) | The IAM resource policy set on the key |
| [node\_security\_group\_arn](#output\_node\_security\_group\_arn) | Amazon Resource Name (ARN) of the node shared security group |
| [node\_security\_group\_id](#output\_node\_security\_group\_id) | ID of the node shared security group |
| [oidc\_provider](#output\_oidc\_provider) | The OpenID Connect identity provider (issuer URL without leading `https://`) |
diff --git a/examples/fargate_profile/outputs.tf b/examples/fargate_profile/outputs.tf
index bfe5398..3e9e8dd 100644
--- a/examples/fargate_profile/outputs.tf
+++ b/examples/fargate_profile/outputs.tf
@@ -42,6 +42,25 @@ output "cluster_primary_security_group_id" {
value = module.eks.cluster_primary_security_group_id
}
+################################################################################
+# KMS Key
+################################################################################
+
+output "kms_key_arn" {
+ description = "The Amazon Resource Name (ARN) of the key"
+ value = module.eks.kms_key_arn
+}
+
+output "kms_key_id" {
+ description = "The globally unique identifier for the key"
+ value = module.eks.kms_key_id
+}
+
+output "kms_key_policy" {
+ description = "The IAM resource policy set on the key"
+ value = module.eks.kms_key_policy
+}
+
################################################################################
# Security Group
################################################################################
diff --git a/examples/self_managed_node_group/README.md b/examples/self_managed_node_group/README.md
index d668611..a0caf4a 100644
--- a/examples/self_managed_node_group/README.md
+++ b/examples/self_managed_node_group/README.md
@@ -88,6 +88,9 @@ No inputs.
| [eks\_managed\_node\_groups](#output\_eks\_managed\_node\_groups) | Map of attribute maps for all EKS managed node groups created |
| [eks\_managed\_node\_groups\_autoscaling\_group\_names](#output\_eks\_managed\_node\_groups\_autoscaling\_group\_names) | List of the autoscaling group names created by EKS managed node groups |
| [fargate\_profiles](#output\_fargate\_profiles) | Map of attribute maps for all EKS Fargate Profiles created |
+| [kms\_key\_arn](#output\_kms\_key\_arn) | The Amazon Resource Name (ARN) of the key |
+| [kms\_key\_id](#output\_kms\_key\_id) | The globally unique identifier for the key |
+| [kms\_key\_policy](#output\_kms\_key\_policy) | The IAM resource policy set on the key |
| [node\_security\_group\_arn](#output\_node\_security\_group\_arn) | Amazon Resource Name (ARN) of the node shared security group |
| [node\_security\_group\_id](#output\_node\_security\_group\_id) | ID of the node shared security group |
| [oidc\_provider](#output\_oidc\_provider) | The OpenID Connect identity provider (issuer URL without leading `https://`) |
diff --git a/examples/self_managed_node_group/outputs.tf b/examples/self_managed_node_group/outputs.tf
index bfe5398..3e9e8dd 100644
--- a/examples/self_managed_node_group/outputs.tf
+++ b/examples/self_managed_node_group/outputs.tf
@@ -42,6 +42,25 @@ output "cluster_primary_security_group_id" {
value = module.eks.cluster_primary_security_group_id
}
+################################################################################
+# KMS Key
+################################################################################
+
+output "kms_key_arn" {
+ description = "The Amazon Resource Name (ARN) of the key"
+ value = module.eks.kms_key_arn
+}
+
+output "kms_key_id" {
+ description = "The globally unique identifier for the key"
+ value = module.eks.kms_key_id
+}
+
+output "kms_key_policy" {
+ description = "The IAM resource policy set on the key"
+ value = module.eks.kms_key_policy
+}
+
################################################################################
# Security Group
################################################################################
diff --git a/main.tf b/main.tf
index 4f3a36e..916a62e 100644
--- a/main.tf
+++ b/main.tf
@@ -1,7 +1,10 @@
data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
locals {
create = var.create && var.putin_khuylo
+
+ cluster_role = try(aws_iam_role.this[0].arn, var.iam_role_arn)
}
################################################################################
@@ -12,7 +15,7 @@ resource "aws_eks_cluster" "this" {
count = local.create ? 1 : 0
name = var.cluster_name
- role_arn = try(aws_iam_role.this[0].arn, var.iam_role_arn)
+ role_arn = local.cluster_role
version = var.cluster_version
enabled_cluster_log_types = var.cluster_enabled_log_types
@@ -34,7 +37,7 @@ resource "aws_eks_cluster" "this" {
content {
provider {
- key_arn = encryption_config.value.provider_key_arn
+ key_arn = var.create_kms_key ? module.kms.key_arn : encryption_config.value.provider_key_arn
}
resources = encryption_config.value.resources
}
@@ -80,6 +83,36 @@ resource "aws_cloudwatch_log_group" "this" {
tags = var.tags
}
+################################################################################
+# KMS Key
+################################################################################
+
+module "kms" {
+ source = "terraform-aws-modules/kms/aws"
+ version = "1.0.0"
+
+ create = var.create_kms_key
+
+ description = coalesce(var.kms_key_description, "${var.cluster_name} cluster encryption key")
+ key_usage = "ENCRYPT_DECRYPT"
+ deletion_window_in_days = var.kms_key_deletion_window_in_days
+ enable_key_rotation = var.enable_kms_key_rotation
+
+ # Policy
+ enable_default_policy = var.kms_key_enable_default_policy
+ key_owners = var.kms_key_owners
+ key_administrators = coalescelist(var.kms_key_administrators, [data.aws_caller_identity.current.arn])
+ key_users = concat([local.cluster_role], var.kms_key_users)
+ key_service_users = var.kms_key_service_users
+ source_policy_documents = var.kms_key_source_policy_documents
+ override_policy_documents = var.kms_key_override_policy_documents
+
+ # Aliases
+ aliases = concat(["eks/${var.cluster_name}"], var.kms_key_aliases)
+
+ tags = var.tags
+}
+
################################################################################
# Cluster Security Group
# Defaults follow https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html
@@ -290,7 +323,7 @@ resource "aws_iam_policy" "cluster_encryption" {
"kms:DescribeKey",
]
Effect = "Allow"
- Resource = [for config in var.cluster_encryption_config : config.provider_key_arn]
+ Resource = var.create_kms_key ? [module.kms.key_arn] : [for config in var.cluster_encryption_config : config.provider_key_arn]
},
]
})
diff --git a/outputs.tf b/outputs.tf
index 1245e43..8ff30fc 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -47,6 +47,25 @@ output "cluster_primary_security_group_id" {
value = try(aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id, "")
}
+################################################################################
+# KMS Key
+################################################################################
+
+output "kms_key_arn" {
+ description = "The Amazon Resource Name (ARN) of the key"
+ value = module.kms.key_arn
+}
+
+output "kms_key_id" {
+ description = "The globally unique identifier for the key"
+ value = module.kms.key_id
+}
+
+output "kms_key_policy" {
+ description = "The IAM resource policy set on the key"
+ value = module.kms.key_policy
+}
+
################################################################################
# Cluster Security Group
################################################################################
diff --git a/variables.tf b/variables.tf
index 094711f..0f2c2df 100644
--- a/variables.tf
+++ b/variables.tf
@@ -88,11 +88,8 @@ variable "cluster_service_ipv4_cidr" {
variable "cluster_encryption_config" {
description = "Configuration block with encryption configuration for the cluster"
- type = list(object({
- provider_key_arn = string
- resources = list(string)
- }))
- default = []
+ type = list(any)
+ default = []
}
variable "attach_cluster_encryption_policy" {
@@ -119,6 +116,82 @@ variable "cluster_timeouts" {
default = {}
}
+################################################################################
+# KMS Key
+################################################################################
+
+variable "create_kms_key" {
+ description = "Controls if a KMS key for cluster encryption should be created"
+ type = bool
+ default = false
+}
+
+variable "kms_key_description" {
+ description = "The description of the key as viewed in AWS console"
+ type = string
+ default = null
+}
+
+variable "kms_key_deletion_window_in_days" {
+ description = "The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between `7` and `30`, inclusive. If you do not specify a value, it defaults to `30`"
+ type = number
+ default = null
+}
+
+variable "enable_kms_key_rotation" {
+ description = "Specifies whether key rotation is enabled. Defaults to `true`"
+ type = bool
+ default = true
+}
+
+variable "kms_key_enable_default_policy" {
+ description = "Specifies whether to enable the default key policy. Defaults to `true`"
+ type = bool
+ default = false
+}
+
+variable "kms_key_owners" {
+ description = "A list of IAM ARNs for those who will have full key permissions (`kms:*`)"
+ type = list(string)
+ default = []
+}
+
+variable "kms_key_administrators" {
+ description = "A list of IAM ARNs for [key administrators](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-administrators). If no value is provided, the current caller identity is used to ensure at least one key admin is available"
+ type = list(string)
+ default = []
+}
+
+variable "kms_key_users" {
+ description = "A list of IAM ARNs for [key users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-users)"
+ type = list(string)
+ default = []
+}
+
+variable "kms_key_service_users" {
+ description = "A list of IAM ARNs for [key service users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-service-integration)"
+ type = list(string)
+ default = []
+}
+
+variable "kms_key_source_policy_documents" {
+ description = "List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s"
+ type = list(string)
+ default = []
+}
+
+variable "kms_key_override_policy_documents" {
+ description = "List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid`"
+ type = list(string)
+ default = []
+}
+
+variable "kms_key_aliases" {
+ description = "A list of aliases to create. Note - due to the use of `toset()`, values must be static strings and not computed values"
+ type = list(string)
+ default = []
+}
+
################################################################################
# CloudWatch Log Group
################################################################################