adding encryption

opszero · Sep 20, 2023 · be55127 · be55127
1 parent cebe10c
commit be55127
Show file tree

Hide file tree

Showing 4 changed files with 97 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -20,3 +20,4 @@ eks/kubeconfig.yaml
 *~
 
 .idea/
+.terraform.lock.hcl
diff --git a/cluster.tf b/cluster.tf
@@ -1,3 +1,19 @@
+locals {
+  # Encryption
+  cluster_encryption_config = {
+    resources        = var.cluster_encryption_config
+    provider_key_arn =  aws_kms_key.cluster.arn
+  }
+}
+
+resource "aws_cloudwatch_log_group" "default" {
+  name              = "/aws/eks/${var.environment_name}/cluster"
+  retention_in_days = 30
+  tags              =  local.tags
+  kms_key_id        = aws_kms_key.cloudwatch_log.arn
+}
+
+
 resource "aws_eks_cluster" "cluster" {
   name     = var.environment_name
   role_arn = aws_iam_role.cluster.arn
@@ -17,6 +33,15 @@ resource "aws_eks_cluster" "cluster" {
     ])
   }
 
+  dynamic "encryption_config" {
+    for_each = [local.cluster_encryption_config]
+    content {
+      resources = lookup(encryption_config.value, "resources")
+      provider {
+        key_arn = lookup(encryption_config.value, "provider_key_arn")
+      }
+    }
+  }
   enabled_cluster_log_types = var.cluster_logging
 
   depends_on = [

diff --git a/kms.tf b/kms.tf
@@ -0,0 +1,59 @@
+resource "aws_kms_key" "cluster" {
+  description             = "EKS Cluster ${var.environment_name} Encryption Config KMS Key"
+  enable_key_rotation     = true
+  deletion_window_in_days = 30
+  policy                  = var.cluster_kms_policy
+  tags                    =  local.tags
+}
+
+
+resource "aws_kms_key" "cloudwatch_log" {
+  description             = "CloudWatch log group ${var.environment_name} Encryption Config KMS Key"
+  enable_key_rotation     = true
+  deletion_window_in_days = 10
+  policy                  = data.aws_iam_policy_document.cloudwatch.json
+  tags                    =  local.tags
+}
+
+data "aws_iam_policy_document" "cloudwatch" {
+  policy_id = "key-policy-cloudwatch"
+  statement {
+    sid = "Enable IAM User Permissions"
+    actions = [
+      "kms:*",
+    ]
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+        format(
+          "arn:%s:iam::%s:root",
+          join("", data.aws_partition.current.*.partition),
+          data.aws_caller_identity.current.account_id
+        )
+      ]
+    }
+    resources = ["*"]
+  }
+  statement {
+    sid = "AllowCloudWatchLogs"
+    actions = [
+      "kms:Encrypt*",
+      "kms:Decrypt*",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+    effect = "Allow"
+    principals {
+      type = "Service"
+      identifiers = [
+        format(
+          "logs.%s.amazonaws.com",
+          data.aws_region.current.name
+        )
+      ]
+    }
+    resources = ["*"]
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -23,6 +23,18 @@ variable "aws_load_balancer_controller_enabled" {
   description = "Enable ALB controller by default"
 }
 
+variable "cluster_encryption_config" {
+  type        = list(any)
+  default     = ["secrets"]
+  description = "Cluster Encryption Config Resources to encrypt, e.g. ['secrets']"
+}
+
+variable "cluster_kms_policy" {
+  type        = string
+  default     = null
+  description = "Cluster Encryption Config KMS Key Resource argument - key policy"
+}
+
 variable "cluster_logging" {
   default = [
     "api",
Original file line number	Diff line number	Diff line change
Expand Up		@@ -20,3 +20,4 @@ eks/kubeconfig.yaml
		*~

		.idea/
		.terraform.lock.hcl