feat: Add Key Management Service support

README.md

@@ -15,6 +15,7 @@ module "eks_ack_addons" {
   enable_s3            = true
   enable_rds           = true
   enable_amp           = true
+  enable_kms           = true
 
   tags = {
     Environment = "dev"
@@ -51,22 +52,26 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws
 | <a name="module_amp"></a> [amp](#module\_amp) | github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons/helm-addon | v4.12.2 |
 | <a name="module_api_gatewayv2"></a> [api\_gatewayv2](#module\_api\_gatewayv2) | github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons/helm-addon | v4.12.2 |
 | <a name="module_dynamodb"></a> [dynamodb](#module\_dynamodb) | github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons/helm-addon | v4.12.2 |
+| <a name="module_kms"></a> [kms](#module\_kms) | github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons/helm-addon | v4.12.2 |
 | <a name="module_rds"></a> [rds](#module\_rds) | github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons/helm-addon | v4.12.2 |
 | <a name="module_s3"></a> [s3](#module\_s3) | github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons/helm-addon | v4.12.2 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
+| [aws_iam_policy.ack_kms_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [time_sleep.dataplane](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_eks_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
 | [aws_iam_policy.amp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy.api_gatewayv2_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy.api_gatewayv2_invoke](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy.dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy.rds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy_document.ack_kms_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
@@ -82,10 +87,12 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws
 | <a name="input_enable_amp"></a> [enable\_amp](#input\_enable\_amp) | Enable ACK amp add-on | `bool` | `false` | no |
 | <a name="input_enable_api_gatewayv2"></a> [enable\_api\_gatewayv2](#input\_enable\_api\_gatewayv2) | Enable ACK API gateway v2 add-on | `bool` | `false` | no |
 | <a name="input_enable_dynamodb"></a> [enable\_dynamodb](#input\_enable\_dynamodb) | Enable ACK dynamodb add-on | `bool` | `false` | no |
+| <a name="input_enable_kms"></a> [enable\_kms](#input\_enable\_kms) | Enable ACK kms add-on | `bool` | `false` | no |
 | <a name="input_enable_rds"></a> [enable\_rds](#input\_enable\_rds) | Enable ACK rds add-on | `bool` | `false` | no |
 | <a name="input_enable_s3"></a> [enable\_s3](#input\_enable\_s3) | Enable ACK s3 add-on | `bool` | `false` | no |
 | <a name="input_irsa_iam_permissions_boundary"></a> [irsa\_iam\_permissions\_boundary](#input\_irsa\_iam\_permissions\_boundary) | IAM permissions boundary for IRSA roles | `string` | `""` | no |
 | <a name="input_irsa_iam_role_path"></a> [irsa\_iam\_role\_path](#input\_irsa\_iam\_role\_path) | IAM role path for IRSA roles | `string` | `"/"` | no |
+| <a name="input_kms_helm_config"></a> [kms\_helm\_config](#input\_kms\_helm\_config) | ACK kms Helm Chart config | `any` | `{}` | no |
 | <a name="input_rds_helm_config"></a> [rds\_helm\_config](#input\_rds\_helm\_config) | ACK rds Helm Chart config | `any` | `{}` | no |
 | <a name="input_s3_helm_config"></a> [s3\_helm\_config](#input\_s3\_helm\_config) | ACK s3 Helm Chart config | `any` | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit`,`XYZ`) | `map(string)` | `{}` | no |

examples/complete/main.tf

@@ -101,6 +101,7 @@ module "eks_ack_addons" {
   enable_s3            = true
   enable_rds           = true
   enable_amp           = true
+  enable_kms           = true
 
   tags = local.tags
 }

main.tf

@@ -13,6 +13,7 @@ locals {
 
   eks_oidc_issuer_url = replace(data.aws_eks_cluster.this.identity[0].oidc[0].issuer, "https://", "")
 
+  tags = var.tags
   addon_context = {
     aws_caller_identity_account_id = data.aws_caller_identity.current.account_id
     aws_caller_identity_arn        = data.aws_caller_identity.current.arn
@@ -22,7 +23,7 @@ locals {
     eks_cluster_id                 = var.cluster_id
     eks_oidc_issuer_url            = local.eks_oidc_issuer_url
     eks_oidc_provider_arn          = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.eks_oidc_issuer_url}"
-    tags                           = var.tags
+    tags                           = local.tags
     irsa_iam_role_path             = var.irsa_iam_role_path
     irsa_iam_permissions_boundary  = var.irsa_iam_permissions_boundary
   }
@@ -372,3 +373,96 @@ data "aws_iam_policy" "amp" {
 
   name = "AmazonPrometheusFullAccess"
 }
+
+################################################################################
+# Key Management Service
+################################################################################
+
+locals {
+  kms_name = "ack-kms"
+}
+
+module "kms" {
+  source = "github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons/helm-addon?ref=v4.12.2"
+
+  count = var.enable_kms ? 1 : 0
+
+  helm_config = merge(
+    {
+      name             = local.kms_name
+      chart            = "kms-chart"
+      repository       = "oci://public.ecr.aws/aws-controllers-k8s"
+      version          = "v0.1.3"
+      namespace        = local.kms_name
+      create_namespace = true
+      description      = "ACK kms Controller v2 Helm chart deployment configuration"
+      values = [
+        # shortens pod name from `ack-kms-kms-chart-xxxxxxxxxxxxx` to `ack-kms-xxxxxxxxxxxxx`
+        <<-EOT
+          nameOverride: ack-kms
+        EOT
+      ]
+    },
+    var.kms_helm_config
+  )
+
+  set_values = [
+    {
+      name  = "serviceAccount.name"
+      value = local.kms_name
+    },
+    {
+      name  = "serviceAccount.create"
+      value = false
+    },
+    {
+      name  = "aws.region"
+      value = local.region
+    }
+  ]
+
+  irsa_config = {
+    create_kubernetes_namespace = true
+    kubernetes_namespace        = try(var.kms_helm_config.namespace, local.kms_name)
+
+    create_kubernetes_service_account = true
+    kubernetes_service_account        = local.kms_name
+
+    irsa_iam_policies = [aws_iam_policy.ack_kms_policy[0].arn, data.aws_iam_policy.kms[0].arn]
+  }
+
+  addon_context = local.addon_context
+}
+
+resource "aws_iam_policy" "ack_kms_policy" {
+  count = var.enable_kms ? 1 : 0
+
+  name        = "${local.cluster_id}-ack-kms-sa-policy"
+  description = "IAM policy for ${local.kms_name} Service Account"
+  path        = "/"
+  policy      = data.aws_iam_policy_document.ack_kms_policy_document[0].json
+
+  tags = local.tags
+}
+
+data "aws_iam_policy_document" "ack_kms_policy_document" {
+  count = var.enable_kms ? 1 : 0
+
+  statement {
+    sid    = "ACKKMSPolicy"
+    effect = "Allow"
+    actions = [
+      "kms:ScheduleKeyDeletion",
+      "kms:EnableKeyRotation",
+      "kms:CreateGrant",
+      "kms:RevokeGrant"
+    ]
+    resources = ["*"]
+  }
+}
+
+data "aws_iam_policy" "kms" {
+  count = var.enable_kms ? 1 : 0
+
+  name = "AWSKeyManagementServicePowerUser"
+}

variables.tf

@@ -106,3 +106,19 @@ variable "amp_helm_config" {
   type        = any
   default     = {}
 }
+
+################################################################################
+# KMS
+################################################################################
+
+variable "enable_kms" {
+  description = "Enable ACK kms add-on"
+  type        = bool
+  default     = false
+}
+
+variable "kms_helm_config" {
+  description = "ACK kms Helm Chart config"
+  type        = any
+  default     = {}
+}