github-mirrors/terraform-aws-eks
1
0
Fork 0
mirror of https://github.com/ysoftdevs/terraform-aws-eks.git synced 2026-03-12 05:21:33 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: Ensure that custom KMS key is not created if encryption is not enabled, support computed values in cluster name (#2328)

Browse Source 
Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
Resolves undefined
Resolved undefined
Closes undefined
This commit is contained in:
Carlos Santana
2022-12-07 11:05:49 -05:00
committed by GitHub
parent c0423efb94
commit b83f6d98bf
4 changed files with 26 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
examples/complete/README.md
View File

@@ -54,6 +54,7 @@ Note that this example may create resources which cost money. Run `terraform des
| <a name="module_eks"></a> [eks](#module\_eks) | ../.. | n/a | | <a name="module_eks"></a> [eks](#module\_eks) | ../.. | n/a |
| <a name="module_eks_managed_node_group"></a> [eks\_managed\_node\_group](#module\_eks\_managed\_node\_group) | ../../modules/eks-managed-node-group | n/a | | <a name="module_eks_managed_node_group"></a> [eks\_managed\_node\_group](#module\_eks\_managed\_node\_group) | ../../modules/eks-managed-node-group | n/a |
| <a name="module_fargate_profile"></a> [fargate\_profile](#module\_fargate\_profile) | ../../modules/fargate-profile | n/a | | <a name="module_fargate_profile"></a> [fargate\_profile](#module\_fargate\_profile) | ../../modules/fargate-profile | n/a |
| <a name="module_kms"></a> [kms](#module\_kms) | terraform-aws-modules/kms/aws | 1.1.0 |
| <a name="module_self_managed_node_group"></a> [self\_managed\_node\_group](#module\_self\_managed\_node\_group) | ../../modules/self-managed-node-group | n/a | | <a name="module_self_managed_node_group"></a> [self\_managed\_node\_group](#module\_self\_managed\_node\_group) | ../../modules/self-managed-node-group | n/a |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 | | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
@@ -64,6 +65,7 @@ Note that this example may create resources which cost money. Run `terraform des
| [aws_iam_policy.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_security_group.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
## Inputs ## Inputs

22
examples/complete/main.tf
View File

@@ -15,6 +15,7 @@ provider "kubernetes" {
} }
data "aws_availability_zones" "available" {} data "aws_availability_zones" "available" {}
data "aws_caller_identity" "current" {}
locals { locals {
name = "ex-${replace(basename(path.cwd), "_", "-")}" name = "ex-${replace(basename(path.cwd), "_", "-")}"
@@ -58,13 +59,12 @@ module "eks" {
} }
} }
# Encryption key # External encryption key
create_kms_key = true create_kms_key = false
cluster_encryption_config = { cluster_encryption_config = {
resources = ["secrets"] resources = ["secrets"]
provider_key_arn = module.kms.key_arn
} }
kms_key_deletion_window_in_days = 7
enable_kms_key_rotation = true
iam_role_additional_policies = { iam_role_additional_policies = {
additional = aws_iam_policy.additional.arn additional = aws_iam_policy.additional.arn
@@ -460,3 +460,15 @@ resource "aws_iam_policy" "additional" {
] ]
}) })
} }
module "kms" {
source = "terraform-aws-modules/kms/aws"
version = "1.1.0"
aliases = ["eks/${local.name}"]
description = "${local.name} cluster encryption key"
enable_default_policy = true
key_owners = [data.aws_caller_identity.current.arn]
tags = local.tags
}

8
main.tf
View File

@@ -112,7 +112,7 @@ module "kms" {
source = "terraform-aws-modules/kms/aws" source = "terraform-aws-modules/kms/aws"
version = "1.1.0" # Note - be mindful of Terraform/provider version compatibility between modules version = "1.1.0" # Note - be mindful of Terraform/provider version compatibility between modules
create = local.create && var.create_kms_key && !local.create_outposts_local_cluster # not valid on Outposts create = local.create && var.create_kms_key && local.enable_cluster_encryption_config # not valid on Outposts
description = coalesce(var.kms_key_description, "${var.cluster_name} cluster encryption key") description = coalesce(var.kms_key_description, "${var.cluster_name} cluster encryption key")
key_usage = "ENCRYPT_DECRYPT" key_usage = "ENCRYPT_DECRYPT"
@@ -129,7 +129,11 @@ module "kms" {
override_policy_documents = var.kms_key_override_policy_documents override_policy_documents = var.kms_key_override_policy_documents
# Aliases # Aliases
aliases = concat(["eks/${var.cluster_name}"], var.kms_key_aliases) aliases = var.kms_key_aliases
computed_aliases = {
# Computed since users can pass in computed values for cluster name such as random provider resources
cluster = { name = "eks/${var.cluster_name}" }
}
tags = var.tags tags = var.tags
} }

2
modules/eks-managed-node-group/main.tf
View File

@@ -300,7 +300,7 @@ resource "aws_launch_template" "this" {
################################################################################ ################################################################################
locals { locals {
launch_template_id = var.create && var.create_launch_template ? aws_launch_template.this[0].id : var.launch_template_id launch_template_id = var.create && var.create_launch_template ? try(aws_launch_template.this[0].id, null) : var.launch_template_id
# Change order to allow users to set version priority before using defaults # Change order to allow users to set version priority before using defaults
launch_template_version = coalesce(var.launch_template_version, try(aws_launch_template.this[0].default_version, "$Default")) launch_template_version = coalesce(var.launch_template_version, try(aws_launch_template.this[0].default_version, "$Default"))
} }