Skip to content

Commit

Permalink
Enable encryption config (cloudposse#62)
Browse files Browse the repository at this point in the history
* Enable aws_eks_cluster encryption_config

* make README

* Added Cluster Encryption Config KMS Key Alias

* Updated README.md

* Update variables.tf

* Update main.tf

* Update outputs.tf

* Update main.tf

* Update main.tf

* Update main.tf

* Update outputs.tf

* Updated README.md

* Executed 'terraform fmt'

Co-authored-by: Erik Osterman <[email protected]>
Co-authored-by: actions-bot <[email protected]>
  • Loading branch information
3 people authored Aug 3, 2020
1 parent e315d67 commit a84a3bd
Show file tree
Hide file tree
Showing 6 changed files with 152 additions and 58 deletions.
108 changes: 51 additions & 57 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,24 +1,20 @@
<!--
# terraform-aws-eks-cluster [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-eks-cluster.svg)](https://github.com/cloudposse/terraform-aws-eks-cluster/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com)

[![README Header][readme_header_img]][readme_header_link]

[![Cloud Posse][logo]](https://cpco.io/homepage)

<!--
** DO NOT EDIT THIS FILE
**
** This file was automatically generated by the `build-harness`.
** 1) Make all changes to `README.yaml`
**
** This file was automatically generated by the `build-harness`.
** 1) Make all changes to `README.yaml`
** 2) Run `make init` (you only need to do this once)
** 3) Run`make readme` to rebuild this file.
** 3) Run`make readme` to rebuild this file.
**
** (We maintain HUNDREDS of open source projects. This is how we maintain our sanity.)
**
Expand All @@ -27,30 +23,14 @@
-->
[![README Header][readme_header_img]][readme_header_link]

[![Cloud Posse][logo]](https://cpco.io/homepage)

# terraform-aws-eks-cluster [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-eks-cluster.svg)](https://github.com/cloudposse/terraform-aws-eks-cluster/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com)

-->

Terraform module to provision an [EKS](https://aws.amazon.com/eks/) cluster on AWS.


---

This project is part of our comprehensive ["SweetOps"](https://cpco.io/sweetops) approach towards DevOps.
This project is part of our comprehensive ["SweetOps"](https://cpco.io/sweetops) approach towards DevOps.
[<img align="right" title="Share via Email" src="https://docs.cloudposse.com/images/ionicons/ios-email-outline-2.0.1-16x16-999999.svg"/>][share_email]
[<img align="right" title="Share on Google+" src="https://docs.cloudposse.com/images/ionicons/social-googleplus-outline-2.0.1-16x16-999999.svg" />][share_googleplus]
[<img align="right" title="Share on Facebook" src="https://docs.cloudposse.com/images/ionicons/social-facebook-outline-2.0.1-16x16-999999.svg" />][share_facebook]
Expand All @@ -71,7 +51,7 @@ It's 100% Open Source and licensed under the [APACHE2](LICENSE).



We literally have [*hundreds of terraform modules*][terraform_modules] that are Open Source and well-maintained. Check them out!
We literally have [*hundreds of terraform modules*][terraform_modules] that are Open Source and well-maintained. Check them out!



Expand Down Expand Up @@ -293,8 +273,9 @@ Module usage with two worker groups:



<!-- markdownlint-disable -->
## Makefile Targets
```
```text
Available targets:
help Help screen
Expand All @@ -303,6 +284,7 @@ Available targets:
lint Lint terraform code
```
<!-- markdownlint-restore -->
## Requirements

| Name | Version |
Expand Down Expand Up @@ -330,6 +312,12 @@ Available targets:
| allowed\_security\_groups | List of Security Group IDs to be allowed to connect to the EKS cluster | `list(string)` | `[]` | no |
| apply\_config\_map\_aws\_auth | Whether to apply the ConfigMap to allow worker nodes to join the EKS cluster and allow additional users, accounts and roles to acces the cluster | `bool` | `true` | no |
| attributes | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no |
| cluster\_encryption\_config\_enabled | Set to `true` to enable Cluster Encryption Configuration | `bool` | `false` | no |
| cluster\_encryption\_config\_kms\_key\_deletion\_window\_in\_days | Cluster Encryption Config KMS Key Resource argument - key deletion windows in days post destruction | `number` | `10` | no |
| cluster\_encryption\_config\_kms\_key\_enable\_key\_rotation | Cluster Encryption Config KMS Key Resource argument - enable kms key rotation | `bool` | `true` | no |
| cluster\_encryption\_config\_kms\_key\_id | Specify KMS Key Id ARN to use for cluster encryption config | `string` | `""` | no |
| cluster\_encryption\_config\_kms\_key\_policy | Cluster Encryption Config KMS Key Resource argument - key policy | `string` | `null` | no |
| cluster\_encryption\_config\_resources | Cluster Encryption Config Resources to encrypt, e.g. ['secrets'] | `list` | <pre>[<br> "secrets"<br>]</pre> | no |
| cluster\_log\_retention\_period | Number of days to retain cluster logs. Requires `enabled_cluster_log_types` to be set. See https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. | `number` | `0` | no |
| delimiter | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes` | `string` | `"-"` | no |
| enabled | Set to false to prevent the module from creating any resources | `bool` | `true` | no |
Expand Down Expand Up @@ -360,6 +348,10 @@ Available targets:

| Name | Description |
|------|-------------|
| cluster\_encryption\_config\_enabled | If true, Cluster Encryption Configuration is enabled |
| cluster\_encryption\_config\_provider\_key\_alias | Cluster Encryption Config KMS Key Alias ARN |
| cluster\_encryption\_config\_provider\_key\_arn | Cluster Encryption Config KMS Key ARN |
| cluster\_encryption\_config\_resources | Cluster Encryption Config Resources |
| eks\_cluster\_arn | The Amazon Resource Name (ARN) of the cluster |
| eks\_cluster\_certificate\_authority\_data | The Kubernetes cluster certificate authority data |
| eks\_cluster\_endpoint | The endpoint for the Kubernetes API server |
Expand All @@ -377,9 +369,9 @@ Available targets:



## Share the Love
## Share the Love

Like this project? Please give it a ★ on [our GitHub](https://github.com/cloudposse/terraform-aws-eks-cluster)! (it helps us **a lot**)
Like this project? Please give it a ★ on [our GitHub](https://github.com/cloudposse/terraform-aws-eks-cluster)! (it helps us **a lot**)

Are you using this project or any of our other projects? Consider [leaving a testimonial][testimonial]. =)

Expand All @@ -403,7 +395,7 @@ Check out these related projects.

## Help

**Got a question?** We got answers.
**Got a question?** We got answers.

File a GitHub [issue](https://github.com/cloudposse/terraform-aws-eks-cluster/issues), send us an [email][email] or join our [Slack Community][slack].

Expand All @@ -412,7 +404,7 @@ File a GitHub [issue](https://github.com/cloudposse/terraform-aws-eks-cluster/is
## DevOps Accelerator for Startups


We are a [**DevOps Accelerator**][commercial_support]. We'll help you build your cloud infrastructure from the ground up so you can own it. Then we'll show you how to operate it and stick around for as long as you need us.
We are a [**DevOps Accelerator**][commercial_support]. We'll help you build your cloud infrastructure from the ground up so you can own it. Then we'll show you how to operate it and stick around for as long as you need us.

[![Learn More](https://img.shields.io/badge/learn%20more-success.svg?style=for-the-badge)][commercial_support]

Expand Down Expand Up @@ -441,11 +433,11 @@ Participate in our [Discourse Forums][discourse]. Here you'll find answers to co

## Newsletter

Sign up for [our newsletter][newsletter] that covers everything on our technology radar. Receive updates on what we're up to on GitHub as well as awesome new projects we discover.
Sign up for [our newsletter][newsletter] that covers everything on our technology radar. Receive updates on what we're up to on GitHub as well as awesome new projects we discover.

## Office Hours

[Join us every Wednesday via Zoom][office_hours] for our weekly "Lunch & Learn" sessions. It's **FREE** for everyone!
[Join us every Wednesday via Zoom][office_hours] for our weekly "Lunch & Learn" sessions. It's **FREE** for everyone!

[![zoom](https://img.cloudposse.com/fit-in/200x200/https://cloudposse.com/wp-content/uploads/2019/08/Powered-by-Zoom.png")][office_hours]

Expand Down Expand Up @@ -476,28 +468,30 @@ Copyright © 2017-2020 [Cloud Posse, LLC](https://cpco.io/copyright)



## License
## License

[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)

See [LICENSE](LICENSE) for full details.

Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at

https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
```text
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
```



Expand All @@ -519,7 +513,7 @@ This project is maintained and funded by [Cloud Posse, LLC][website]. Like it? P

We're a [DevOps Professional Services][hire] company based in Los Angeles, CA. We ❤️ [Open Source Software][we_love_open_source].

We offer [paid support][commercial_support] on all of our projects.
We offer [paid support][commercial_support] on all of our projects.

Check out [our other projects][github], [follow us on twitter][twitter], [apply for a job][jobs], or [hire us][hire] to help with your cloud strategy and implementation.

Expand Down
4 changes: 3 additions & 1 deletion docs/targets.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
<!-- markdownlint-disable -->
## Makefile Targets
```
```text
Available targets:
help Help screen
Expand All @@ -8,3 +9,4 @@ Available targets:
lint Lint terraform code
```
<!-- markdownlint-restore -->
10 changes: 10 additions & 0 deletions docs/terraform.md
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,12 @@
| allowed\_security\_groups | List of Security Group IDs to be allowed to connect to the EKS cluster | `list(string)` | `[]` | no |
| apply\_config\_map\_aws\_auth | Whether to apply the ConfigMap to allow worker nodes to join the EKS cluster and allow additional users, accounts and roles to acces the cluster | `bool` | `true` | no |
| attributes | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no |
| cluster\_encryption\_config\_enabled | Set to `true` to enable Cluster Encryption Configuration | `bool` | `false` | no |
| cluster\_encryption\_config\_kms\_key\_deletion\_window\_in\_days | Cluster Encryption Config KMS Key Resource argument - key deletion windows in days post destruction | `number` | `10` | no |
| cluster\_encryption\_config\_kms\_key\_enable\_key\_rotation | Cluster Encryption Config KMS Key Resource argument - enable kms key rotation | `bool` | `true` | no |
| cluster\_encryption\_config\_kms\_key\_id | Specify KMS Key Id ARN to use for cluster encryption config | `string` | `""` | no |
| cluster\_encryption\_config\_kms\_key\_policy | Cluster Encryption Config KMS Key Resource argument - key policy | `string` | `null` | no |
| cluster\_encryption\_config\_resources | Cluster Encryption Config Resources to encrypt, e.g. ['secrets'] | `list` | <pre>[<br> "secrets"<br>]</pre> | no |
| cluster\_log\_retention\_period | Number of days to retain cluster logs. Requires `enabled_cluster_log_types` to be set. See https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. | `number` | `0` | no |
| delimiter | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes` | `string` | `"-"` | no |
| enabled | Set to false to prevent the module from creating any resources | `bool` | `true` | no |
Expand Down Expand Up @@ -55,6 +61,10 @@

| Name | Description |
|------|-------------|
| cluster\_encryption\_config\_enabled | If true, Cluster Encryption Configuration is enabled |
| cluster\_encryption\_config\_provider\_key\_alias | Cluster Encryption Config KMS Key Alias ARN |
| cluster\_encryption\_config\_provider\_key\_arn | Cluster Encryption Config KMS Key ARN |
| cluster\_encryption\_config\_resources | Cluster Encryption Config Resources |
| eks\_cluster\_arn | The Amazon Resource Name (ARN) of the cluster |
| eks\_cluster\_certificate\_authority\_data | The Kubernetes cluster certificate authority data |
| eks\_cluster\_endpoint | The endpoint for the Kubernetes API server |
Expand Down
32 changes: 32 additions & 0 deletions main.tf
Original file line number Diff line number Diff line change
@@ -1,3 +1,10 @@
locals {
cluster_encryption_config = {
resources = var.cluster_encryption_config_resources
provider_key_arn = var.enabled && var.cluster_encryption_config_enabled && var.cluster_encryption_config_kms_key_id == "" ? join("", aws_kms_key.cluster.*.arn) : var.cluster_encryption_config_kms_key_id
}
}

module "label" {
source = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.16.0"
namespace = var.namespace
Expand Down Expand Up @@ -106,6 +113,21 @@ resource "aws_cloudwatch_log_group" "default" {
tags = module.label.tags
}

resource "aws_kms_key" "cluster" {
count = var.enabled && var.cluster_encryption_config_enabled && var.cluster_encryption_config_kms_key_id == "" ? 1 : 0
description = "EKS Cluster ${module.label.id} Encryption Config KMS Key"
enable_key_rotation = var.cluster_encryption_config_kms_key_enable_key_rotation
deletion_window_in_days = var.cluster_encryption_config_kms_key_deletion_window_in_days
policy = var.cluster_encryption_config_kms_key_policy
tags = module.label.tags
}

resource "aws_kms_alias" "cluster" {
count = var.enabled && var.cluster_encryption_config_enabled && var.cluster_encryption_config_kms_key_id == "" ? 1 : 0
name = format("alias/%v", module.label.id)
target_key_id = join("", aws_kms_key.cluster.*.key_id)
}

resource "aws_eks_cluster" "default" {
count = var.enabled ? 1 : 0
name = module.label.id
Expand All @@ -114,6 +136,16 @@ resource "aws_eks_cluster" "default" {
version = var.kubernetes_version
enabled_cluster_log_types = var.enabled_cluster_log_types

dynamic "encryption_config" {
for_each = var.cluster_encryption_config_enabled ? [local.cluster_encryption_config] : []
content {
resources = lookup(encryption_config.value, "resources")
provider {
key_arn = lookup(encryption_config.value, "provider_key_arn")
}
}
}

vpc_config {
security_group_ids = [join("", aws_security_group.default.*.id)]
subnet_ids = var.subnet_ids
Expand Down
20 changes: 20 additions & 0 deletions outputs.tf
Original file line number Diff line number Diff line change
Expand Up @@ -62,3 +62,23 @@ output "kubernetes_config_map_id" {
description = "ID of `aws-auth` Kubernetes ConfigMap"
value = var.kubernetes_config_map_ignore_role_changes ? join("", kubernetes_config_map.aws_auth_ignore_changes.*.id) : join("", kubernetes_config_map.aws_auth.*.id)
}

output "cluster_encryption_config_enabled" {
description = "If true, Cluster Encryption Configuration is enabled"
value = var.cluster_encryption_config_enabled
}

output "cluster_encryption_config_resources" {
description = "Cluster Encryption Config Resources"
value = var.cluster_encryption_config_resources
}

output "cluster_encryption_config_provider_key_arn" {
description = "Cluster Encryption Config KMS Key ARN"
value = local.cluster_encryption_config.provider_key_arn
}

output "cluster_encryption_config_provider_key_alias" {
description = "Cluster Encryption Config KMS Key Alias ARN"
value = join("", aws_kms_alias.cluster.*.arn)
}
36 changes: 36 additions & 0 deletions variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -180,3 +180,39 @@ variable "kubernetes_config_map_ignore_role_changes" {
default = true
description = "Set to `true` to ignore IAM role changes in the Kubernetes Auth ConfigMap"
}

variable "cluster_encryption_config_enabled" {
type = bool
default = false
description = "Set to `true` to enable Cluster Encryption Configuration"
}

variable "cluster_encryption_config_kms_key_id" {
type = string
default = ""
description = "Specify KMS Key Id ARN to use for cluster encryption config"
}

variable "cluster_encryption_config_kms_key_enable_key_rotation" {
type = bool
default = true
description = "Cluster Encryption Config KMS Key Resource argument - enable kms key rotation"
}

variable "cluster_encryption_config_kms_key_deletion_window_in_days" {
type = number
default = 10
description = "Cluster Encryption Config KMS Key Resource argument - key deletion windows in days post destruction"
}

variable "cluster_encryption_config_kms_key_policy" {
type = string
default = null
description = "Cluster Encryption Config KMS Key Resource argument - key policy"
}

variable "cluster_encryption_config_resources" {
type = list
default = ["secrets"]
description = "Cluster Encryption Config Resources to encrypt, e.g. ['secrets']"
}

0 comments on commit a84a3bd

Please sign in to comment.