

Adds an option to disable evelope encryption
This is needed as legacy clusters were created before it existed, and
this setting cannot be changed on an existing cluster without
recreation.
errm committed Mar 18, 2020
1 parent f585f83 commit a1a4ba6
Showing 2 changed files with 18 additions and 7 deletions.
19 changes: 12 additions & 7 deletions modules/cluster/main.tf
Expand Up @@ -106,11 +106,14 @@ resource "aws_eks_cluster" "control_plane" {
subnet_ids = concat(values(var.vpc_config.public_subnet_ids), values(var.vpc_config.private_subnet_ids))
}

encryption_config {
resources = ["secrets"]

provider {
key_arn = local.kms_cmk_arn
dynamic "encryption_config" {
for_each = local.encryption_configs
content {
resources = ["secrets"]

provider {
key_arn = encryption_config.value
}
}
}

Expand Down Expand Up @@ -184,10 +187,12 @@ module "storage_classes" {
}

locals {
kms_cmk_arn = length(var.kms_cmk_arn) > 0 ? var.kms_cmk_arn : aws_kms_key.cmk[0].arn
create_key = length(var.kms_cmk_arn) == 0 && var.envelope_encryption_enabled
kms_cmk_arn = local.create_key ? aws_kms_key.cmk[0].arn : var.kms_cmk_arn
encryption_configs = var.envelope_encryption_enabled ? [local.kms_cmk_arn] : []
}

resource "aws_kms_key" "cmk" {
count = length(var.kms_cmk_arn) > 0 ? 0 : 1
count = local.create_key ? 1 : 0
description = "eks secrets cmk: ${var.name}"
}
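Review bot: In the `locals` block, when `envelope_encryption_enabled` is false but a caller still passes `kms_cmk_arn`, the supplied key is silently ignored: `local.encryption_configs` becomes `[]`, so no `encryption_config` block is emitted and `local.kms_cmk_arn` is computed but never used. That combination is most likely a misconfiguration (an operator believing secrets are envelope-encrypted with their own CMK), so it deserves at least a comment above `encryption_configs`, e.g. `# Disabling envelope encryption also ignores var.kms_cmk_arn; no encryption_config block is emitted.`, and a variable `validation` rejecting the combination if the module's Terraform version supports it. Note also that `aws_kms_key.cmk` now has `count = local.create_key ? 1 : 0`, so flipping the flag to false on a cluster that used the module-managed key makes Terraform destroy that CMK as part of the same apply that replaces the cluster; worth calling out in the commit or module docs. The `aws_eks_cluster` resource in the first hunk starts outside the hunk.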
6 changes: 6 additions & 0 deletions modules/cluster/variables.tf
Expand Up @@ -100,6 +100,12 @@ variable "aws_auth_user_map" {
description = "A list of mappings from aws user arns to kubernetes users, and their groups"
}

variable "envelope_encryption_enabled" {
type = bool
default = true
description = "Should Cluster Envelope Encryption be enabled, if changed after provisioning - forces the cluster to be recreated"
}

variable "kms_cmk_arn" {
type = string
default = ""
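Review bot: The `envelope_encryption_enabled` description should state the security consequence and the migration path, not only that a change forces recreation: with `false`, Kubernetes secrets in etcd are not envelope-encrypted with a KMS CMK, and since the default stays `true`, clusters that predate envelope encryption still need the flag set to `false` explicitly or, per the commit description, the plan will propose replacing them. Suggested wording: `Whether to envelope-encrypt Kubernetes secrets with a KMS CMK. Changing this on an existing cluster forces recreation; set to false only for legacy clusters created before envelope encryption was available.` The `kms_cmk_arn` variable that begins at the end of this hunk continues outside it; its description would be the place to note that it is ignored when envelope encryption is disabled.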

