diff --git a/terraform/kms.tf b/terraform/kms.tf new file mode 100644 index 0000000..78927b8 --- /dev/null +++ b/terraform/kms.tf @@ -0,0 +1,85 @@ +resource "aws_kms_key" "eks" { + description = "EKS Secret Encryption Key" + deletion_window_in_days = 7 + enable_key_rotation = true + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Sid = "Enable Root Account Permissions" + Effect = "Allow" + Principal = { + AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" + } + Action = "kms:*" + Resource = "*" + }, + { + Sid = "Allow EKS Service" + Effect = "Allow" + Principal = { + Service = "eks.amazonaws.com" + } + Action = [ + "kms:Encrypt", + "kms:Decrypt", + "kms:CreateGrant", + "kms:DescribeKey" + ] + Resource = "*" + }, + { + Sid = "Allow EKS Node Group Role" + Effect = "Allow" + Principal = { + AWS = aws_iam_role.eks_node_group_role.arn + } + Action = [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:GenerateDataKey*" + ] + Resource = "*" + }, + { + Sid = "Allow EKS Admin Role" + Effect = "Allow" + Principal = { + AWS = aws_iam_role.eks_admin.arn + } + Action = [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:GenerateDataKey*" + ] + Resource = "*" + }, + { + Sid = "Allow EKS Cluster Role" // Add this block + Effect = "Allow" + Principal = { + AWS = aws_iam_role.eks_cluster_role.arn + } + Action = [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:CreateGrant", + "kms:ListGrants", + "kms:RevokeGrant" + ] + Resource = "*" + }, + ] + }) +} + +# Add an alias for easier key management +resource "aws_kms_alias" "eks" { + name = "alias/eks-secure-auth-cluster-v2" + target_key_id = aws_kms_key.eks.key_id +} \ No newline at end of file