feat: inject additional AWS Identities (#124)

Co-authored-by: Dibya Dhar <dibay.dhar@ensono.com>
Ensono · Jun 6, 2024 · 051d482 · 051d482
1 parent e3f203f
commit 051d482
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 15 deletions.
diff --git a/aws/modules/infrastructure_modules/eks/data.tf b/aws/modules/infrastructure_modules/eks/data.tf
@@ -3,18 +3,20 @@ data "aws_caller_identity" "this" {}
 
 data "aws_availability_zones" "available" {}
 
+locals {
+
+  trusted_key_identities = var.trusted_role_arn == "" ? ["arn:aws:iam::${data.aws_caller_identity.this.account_id}:root"] : ["arn:aws:iam::${data.aws_caller_identity.this.account_id}:root", "${var.trusted_role_arn}"]
+}
+
 ## EKS
 data "aws_iam_policy_document" "eks_secret_encryption_kms_key_policy" {
   statement {
     sid    = "Allow access for Key Administrators"
     effect = "Allow"
 
     principals {
-      type = "AWS"
-
-      identifiers = [
-        "arn:aws:iam::${data.aws_caller_identity.this.account_id}:root",
-      ]
+      type        = "AWS"
+      identifiers = local.trusted_key_identities
     }
 
     actions = [
@@ -42,11 +44,8 @@ data "aws_iam_policy_document" "eks_secret_encryption_kms_key_policy" {
     effect = "Allow"
 
     principals {
-      type = "AWS"
-
-      identifiers = [
-        "arn:aws:iam::${data.aws_caller_identity.this.account_id}:root",
-      ]
+      type        = "AWS"
+      identifiers = local.trusted_key_identities
     }
 
     actions = [
@@ -65,11 +64,8 @@ data "aws_iam_policy_document" "eks_secret_encryption_kms_key_policy" {
     effect = "Allow"
 
     principals {
-      type = "AWS"
-
-      identifiers = [
-        "arn:aws:iam::${data.aws_caller_identity.this.account_id}:root",
-      ]
+      type        = "AWS"
+      identifiers = local.trusted_key_identities
     }
 
     actions = [

diff --git a/aws/modules/infrastructure_modules/eks/variables.tf b/aws/modules/infrastructure_modules/eks/variables.tf
@@ -121,3 +121,8 @@ variable "cluster_security_group_additional_rules" {
     }
   }
 }
+variable "trusted_role_arn" {
+  description = "IAM role passed to KMS Policy"
+  type        = string
+  default     = ""
+}