

fix: Always let the node role have access to the default_kms_key (#249)

* fix: Use the bucket KMS key ARN if provided for the W&B-managed bucket; always use that key, even if empty, for customer-provided buckets

* fix: Always let the node role have access to the `default_kms_key`
zacharyblasczyk authored Jul 24, 2024
1 parent 00f6ff5 commit d8fa06f
Showing 3 changed files with 8 additions and 5 deletions.
7 changes: 5 additions & 2 deletions main.tf
Expand Up @@ -12,7 +12,6 @@ module "kms" {
}

locals {

default_kms_key = module.kms.key.arn
clickhouse_kms_key = var.enable_clickhouse ? module.kms.clickhouse_key.arn : null
database_kms_key_arn = length(var.database_kms_key_arn) > 0 ? var.database_kms_key_arn : local.default_kms_key
Expand Down Expand Up @@ -141,7 +140,11 @@ module "app_eks" {
map_roles = var.kubernetes_map_roles
map_users = var.kubernetes_map_users

bucket_kms_key_arn = local.s3_kms_key_arn
bucket_kms_key_arns = compact([
local.default_kms_key,
var.bucket_kms_key_arn != "" && var.bucket_kms_key_arn != null ? var.bucket_kms_key_arn : null
])

bucket_arn = data.aws_s3_bucket.file_storage.arn
bucket_sqs_queue_arn = local.use_internal_queue ? null : data.aws_sqs_queue.file_storage.0.arn

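Review bot: The `!= ""` half of the ternary inside compact() is redundant, because compact() already drops empty-string elements; only the null guard does any work, so `var.bucket_kms_key_arn != null ? var.bucket_kms_key_arn : null` (or plain `var.bucket_kms_key_arn` on a Terraform version whose compact() also drops nulls) reads more plainly. The reason the default key is always granted alongside a customer-supplied key is stated only in the commit description, not in the code; a one-line comment above the list, `# Node role always needs the default key; the customer bucket key is appended only when one is supplied`, would stop a later reader from trimming it as an over-grant. The removed line used local.s3_kms_key_arn; if that local still feeds the bucket's own encryption setting elsewhere, the key the policy grants and the key the bucket actually uses could presumably diverge, which is worth confirming. The module "app_eks" block starts and ends outside the hunk.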
2 changes: 1 addition & 1 deletion modules/app_eks/iam-policy-docs.tf
Expand Up @@ -35,7 +35,7 @@ data "aws_iam_policy_document" "node_kms" {
"kms:DescribeKey"
]
effect = "Allow"
resources = var.bucket_kms_key_arn == "" || var.bucket_kms_key_arn == null ? ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${aws_iam_role.node.name}"] : [var.bucket_kms_key_arn]
resources = var.bucket_kms_key_arns
}
}

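Review bot: `resources = var.bucket_kms_key_arns` presumably renders a statement with no Resource element when the list is empty, and AWS rejects an identity-based policy statement without one, so the module should enforce a non-empty list at its input instead of failing at apply time. The parent currently always seeds the list with local.default_kms_key, so this guards future callers rather than fixing a live bug. The `data "aws_iam_policy_document" "node_kms"` statement's action list starts outside the hunk.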
4 changes: 2 additions & 2 deletions modules/app_eks/variables.tf
Expand Up @@ -3,9 +3,9 @@ variable "bucket_arn" {
nullable = false
}

variable "bucket_kms_key_arn" {
variable "bucket_kms_key_arns" {
description = "The Amazon Resource Name of the KMS key with which S3 storage bucket objects will be encrypted."
type = string
type = list(string)
}

variable "fqdn" {
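Review bot: The description still reads "The Amazon Resource Name of the KMS key" although the type is now list(string), and the renamed variable lacks the `nullable = false` that bucket_arn carries a few lines above, so a null or empty list is accepted here and only fails downstream in the node_kms policy document. Add `nullable = false`, a validation block requiring at least one ARN, and a plural description. The variable block is fully inside the hunk.
```hcl
variable "bucket_kms_key_arns" {
  description = "The Amazon Resource Names of the KMS keys with which S3 storage bucket objects may be encrypted; the node role is granted access to each."
  type        = list(string)
  nullable    = false

  validation {
    condition     = length(var.bucket_kms_key_arns) > 0
    error_message = "bucket_kms_key_arns must contain at least one KMS key ARN."
  }
}
```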

