
Adding EKS secrets encryption via KMS (#151)
eternalyperplxed authored Aug 14, 2023
1 parent 45e0390 commit 25773be
Showing 1 changed file with 18 additions and 0 deletions.
18 changes: 18 additions & 0 deletions aws/cluster/modules/eks-cluster/main.tf
Expand Up @@ -14,6 +14,13 @@ resource "aws_eks_cluster" "this" {
subnet_ids = concat(var.private_subnet_ids, var.public_subnet_ids)
}

encryption_config {
provider {
key_arn = aws_kms_key.eks_key.arn
}
resources = "secrets"
}

depends_on = [
# Ensure that IAM Role permissions are created before and deleted after EKS
# Cluster handling. Otherwise, EKS will not be able to properly delete EKS
Expand Down Expand Up @@ -81,5 +88,16 @@ resource "aws_security_group_rule" "egress" {
type = "egress"
}

resource "aws_kms_key" "eks_key" {
description = "KMS Key for EKS cluster ${var.name} secrets encryption"
key_usage = "ENCRYPT_DECRYPT"
enable_key_rotation = true
}

resource "aws_kms_alias" "eks_key_alias" {
target_key_id = aws_kms_key.eks_key
name_prefix = "alias/${var.name}"
}

data "aws_partition" "current" {
}
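Review bot: `target_key_id = aws_kms_key.eks_key` in the new aws_kms_alias resource passes the whole resource object where a key identifier string is expected, which HCL2 rejects as a type error; the intended line is `target_key_id = aws_kms_key.eks_key.key_id`. The new aws_kms_key sets no `policy`, so it receives the account's default key policy, and nothing in this diff grants the EKS cluster IAM role the KMS permissions envelope encryption of secrets needs (encrypt, decrypt, describe key and the grant permission AWS documents for this feature) — if those are not already in the role's IAM policy outside this file, the cluster create/update will fail against this key, so that should be confirmed. Enabling `encryption_config` on an already-running cluster is also one-way (the config cannot be removed afterwards, and older provider versions forced cluster replacement for this attribute), which deserves a comment above the block, e.g. `# Secrets encryption is one-way: encryption_config cannot be removed once applied.` The aws_eks_cluster block in the first hunk begins before the hunk's visible lines.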
