Merge pull request #71 from cookpad/disable-envelope-encryption

Adds an option to disable evelope encryption
cookpad · Mar 18, 2020 · 1258657 · 1258657
2 parents f585f83 + a1a4ba6
commit 1258657
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 7 deletions.
diff --git a/modules/cluster/main.tf b/modules/cluster/main.tf
@@ -106,11 +106,14 @@ resource "aws_eks_cluster" "control_plane" {
     subnet_ids              = concat(values(var.vpc_config.public_subnet_ids), values(var.vpc_config.private_subnet_ids))
   }
 
-  encryption_config {
-    resources = ["secrets"]
-
-    provider {
-      key_arn = local.kms_cmk_arn
+  dynamic "encryption_config" {
+    for_each = local.encryption_configs
+    content {
+      resources = ["secrets"]
+
+      provider {
+        key_arn = encryption_config.value
+      }
     }
   }
 
@@ -184,10 +187,12 @@ module "storage_classes" {
 }
 
 locals {
-  kms_cmk_arn = length(var.kms_cmk_arn) > 0 ? var.kms_cmk_arn : aws_kms_key.cmk[0].arn
+  create_key         = length(var.kms_cmk_arn) == 0 && var.envelope_encryption_enabled
+  kms_cmk_arn        = local.create_key ? aws_kms_key.cmk[0].arn : var.kms_cmk_arn
+  encryption_configs = var.envelope_encryption_enabled ? [local.kms_cmk_arn] : []
 }
 
 resource "aws_kms_key" "cmk" {
-  count       = length(var.kms_cmk_arn) > 0 ? 0 : 1
+  count       = local.create_key ? 1 : 0
   description = "eks secrets cmk: ${var.name}"
 }
diff --git a/modules/cluster/variables.tf b/modules/cluster/variables.tf
@@ -100,6 +100,12 @@ variable "aws_auth_user_map" {
   description = "A list of mappings from aws user arns to kubernetes users, and their groups"
 }
 
+variable "envelope_encryption_enabled" {
+  type        = bool
+  default     = true
+  description = "Should Cluster Envelope Encryption be enabled, if changed after provisioning - forces the cluster to be recreated"
+}
+
 variable "kms_cmk_arn" {
   type        = string
   default     = ""