From be551272f617b2aeb0afd5d1f1fa161ca8a41b90 Mon Sep 17 00:00:00 2001
From: Sohan Yadav
Date: Wed, 20 Sep 2023 17:08:38 +0530
Subject: [PATCH] adding encryption

---
 .gitignore | 1 +
 cluster.tf | 25 ++++++++++++++++++++++
 kms.tf | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 variables.tf | 12 +++++++++++
 4 files changed, 97 insertions(+)
 create mode 100644 kms.tf

diff --git a/.gitignore b/.gitignore
index ba53e438..4a6a43a3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -20,3 +20,4 @@ eks/kubeconfig.yaml
 *~
 .idea/
+.terraform.lock.hcl
diff --git a/cluster.tf b/cluster.tf
index af96c349..6d460f17 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -1,3 +1,19 @@
+locals {
+ # Encryption
+ cluster_encryption_config = {
+ resources = var.cluster_encryption_config
+ provider_key_arn = aws_kms_key.cluster.arn
+ }
+}
+
+resource "aws_cloudwatch_log_group" "default" {
+ name = "/aws/eks/${var.environment_name}/cluster"
+ retention_in_days = 30
+ tags = local.tags
+ kms_key_id = aws_kms_key.cloudwatch_log.arn
+}
+
+
 resource "aws_eks_cluster" "cluster" {
 name = var.environment_name
 role_arn = aws_iam_role.cluster.arn
@@ -17,6 +33,15 @@ resource "aws_eks_cluster" "cluster" {
 ])
 }
 
+ dynamic "encryption_config" {
+ for_each = [local.cluster_encryption_config]
+ content {
+ resources = lookup(encryption_config.value, "resources")
+ provider {
+ key_arn = lookup(encryption_config.value, "provider_key_arn")
+ }
+ }
+ }
 enabled_cluster_log_types = var.cluster_logging
 
 depends_on = [
diff --git a/kms.tf b/kms.tf
new file mode 100644
index 00000000..6a5e5c42
--- /dev/null
+++ b/kms.tf
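Review bot: Ignoring `.terraform.lock.hcl` drops the provider checksums Terraform uses to refuse a provider package that differs from the one originally selected, so every `terraform init` on a fresh checkout re-resolves providers from the registry; HashiCorp's guidance is to commit the lock file for root configurations. The files alongside it (cluster.tf, variables.tf, the already-ignored `eks/kubeconfig.yaml`) suggest this repository is applied directly as a root configuration, so I would not add this line and would instead commit the lock file, populating it for every platform the team runs with `terraform providers lock -platform=linux_amd64 -platform=darwin_arm64`. If the repository is consumed only as a child module, ignoring the lock file is acceptable, but that should be stated in the README.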
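Review bot: EKS creates the `/aws/eks/<cluster>/cluster` log group itself as soon as control-plane logging is enabled, so unless `aws_eks_cluster.cluster` waits for `aws_cloudwatch_log_group.default`, the service can create the group unencrypted first and Terraform's own create then fails with a ResourceAlreadyExists error; add `aws_cloudwatch_log_group.default` to the cluster's `depends_on` list (its opening bracket is the last line of the next hunk, the entries are outside this diff). `retention_in_days = 30` is the only hard-coded policy knob in this commit while the encryption settings received variables; a `var.cluster_log_retention_in_days` would keep them consistent. A header comment on the resource, e.g. `# Pre-create the control-plane log group so it exists CMK-encrypted before EKS starts writing to it`, would explain why this group is managed here instead of being left to EKS.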
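Review bot: `for_each = [local.cluster_encryption_config]` always emits exactly one `encryption_config` block, so `var.cluster_encryption_config` can narrow what is encrypted but can never omit the block; passing `[]` yields `resources = []`, which the EKS API will most likely reject rather than treat as "no encryption". If opting out is meant to be supported, gate the block on the variable, `for_each = length(var.cluster_encryption_config) > 0 ? [local.cluster_encryption_config] : []`; if not, document that the block is mandatory. Worth a comment either way: EKS does not let envelope encryption be removed from a cluster once enabled, and adding `encryption_config` to an already running cluster is applied in place only by sufficiently recent AWS provider versions (older ones plan a replacement), so run a plan against an existing environment before merging. `lookup(encryption_config.value, "resources")` can simply be `encryption_config.value.resources`, since the keys are fixed in the local. The `depends_on` list and the rest of the resource continue outside the hunk.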
@@ -0,0 +1,59 @@
+resource "aws_kms_key" "cluster" {
+ description = "EKS Cluster ${var.environment_name} Encryption Config KMS Key"
+ enable_key_rotation = true
+ deletion_window_in_days = 30
+ policy = var.cluster_kms_policy
+ tags = local.tags
+}
+
+
+resource "aws_kms_key" "cloudwatch_log" {
+ description = "CloudWatch log group ${var.environment_name} Encryption Config KMS Key"
+ enable_key_rotation = true
+ deletion_window_in_days = 10
+ policy = data.aws_iam_policy_document.cloudwatch.json
+ tags = local.tags
+}
+
+data "aws_iam_policy_document" "cloudwatch" {
+ policy_id = "key-policy-cloudwatch"
+ statement {
+ sid = "Enable IAM User Permissions"
+ actions = [
+ "kms:*",
+ ]
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = [
+ format(
+ "arn:%s:iam::%s:root",
+ join("", data.aws_partition.current.*.partition),
+ data.aws_caller_identity.current.account_id
+ )
+ ]
+ }
+ resources = ["*"]
+ }
+ statement {
+ sid = "AllowCloudWatchLogs"
+ actions = [
+ "kms:Encrypt*",
+ "kms:Decrypt*",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:Describe*"
+ ]
+ effect = "Allow"
+ principals {
+ type = "Service"
+ identifiers = [
+ format(
+ "logs.%s.amazonaws.com",
+ data.aws_region.current.name
+ )
+ ]
+ }
+ resources = ["*"]
+ }
+}
diff --git a/variables.tf b/variables.tf
index eea81e04..087ce87d 100644
--- a/variables.tf
+++ b/variables.tf
@@ -23,6 +23,18 @@ variable "aws_load_balancer_controller_enabled" {
 description = "Enable ALB controller by default"
 }
 
+variable "cluster_encryption_config" {
+ type = list(any)
+ default = ["secrets"]
+ description = "Cluster Encryption Config Resources to encrypt, e.g. ['secrets']"
+}
+
+variable "cluster_kms_policy" {
+ type = string
+ default = null
+ description = "Cluster Encryption Config KMS Key Resource argument - key policy"
+}
+
 variable "cluster_logging" {
 default = [
 "api",
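Review bot: The `AllowCloudWatchLogs` statement lets the Logs service principal use this key for any log group in any account, because it carries no condition on the `aws:logs:arn` encryption context; AWS's CloudWatch Logs KMS guidance adds an `ArnLike`/`ArnEquals` condition on `kms:EncryptionContext:aws:logs:arn` so that a log group in another account cannot act as a confused deputy through the regional service principal. The data sources needed to build that ARN are already referenced in this file (`aws_partition`, `aws_region`, `aws_caller_identity`; none is declared in this patch, so they presumably exist elsewhere in the module), and the group name is fixed in cluster.tf, so the condition can be scoped to the account or even to that single group. Separately, `join("", data.aws_partition.current.*.partition)` looks like a legacy-splat spelling of `data.aws_partition.current.partition`, and the two keys use different `deletion_window_in_days` (30 vs 10) with nothing explaining why; pick one value or add a comment documenting the difference.
```hcl
 statement {
 sid = "AllowCloudWatchLogs"
 # … unchanged: actions, effect, principals …
 resources = ["*"]
 # Only log groups in this account/region may use the key: blocks a
 # foreign account's log group from reaching it via the Logs service principal.
 condition {
 test = "ArnLike"
 variable = "kms:EncryptionContext:aws:logs:arn"
 values = ["arn:${data.aws_partition.current.partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"]
 }
 }
```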
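Review bot: `type = list(any)` on `cluster_encryption_config` accepts values that will only fail at apply time inside the EKS API call; `type = list(string)` is what the `resources` attribute takes, and the description should say that `"secrets"` is the only value the EKS API documents. The `cluster_kms_policy` description should spell out what `null` means and the KMS footgun a custom policy brings: `description = "Key policy JSON for the cluster encryption KMS key. null uses the AWS default key policy (account root has full access, IAM policies govern the rest). A custom policy must keep at least one administrative principal or the key becomes unmanageable."`. A custom policy also has to let the cluster IAM role use the key for EKS envelope encryption (presumably `kms:DescribeKey`/`kms:CreateGrant` — confirm against the EKS envelope-encryption docs), which the default policy delegates to IAM, so that caveat belongs in the description as well.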