From d8fa06f89da48443cb9fe0a45f491e5c13bb41cc Mon Sep 17 00:00:00 2001
From: Zachary Blasczyk <77289967+zacharyblasczyk@users.noreply.github.com>
Date: Wed, 24 Jul 2024 12:17:36 -0500
Subject: [PATCH] fix: Always let the node role have access to the `default_kms_key` (#249)

* fix: Use bucket KMS key arn if provided for W&B managed bucket, always use that key even if empty for customer provided buckets

* fix: Always let the node role have access to the `default_kms_key`
---
 main.tf                            | 7 +++++--
 modules/app_eks/iam-policy-docs.tf | 2 +-
 modules/app_eks/variables.tf       | 4 ++--
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/main.tf b/main.tf
index 45f04812..64d74304 100644
--- a/main.tf
+++ b/main.tf
@@ -12,7 +12,6 @@ module "kms" {
 }
 
 locals {
-  default_kms_key      = module.kms.key.arn
   clickhouse_kms_key   = var.enable_clickhouse ? module.kms.clickhouse_key.arn : null
   database_kms_key_arn = length(var.database_kms_key_arn) > 0 ? var.database_kms_key_arn : local.default_kms_key
@@ -141,7 +140,11 @@ module "app_eks" {
   map_roles = var.kubernetes_map_roles
   map_users = var.kubernetes_map_users
 
-  bucket_kms_key_arn   = local.s3_kms_key_arn
+  bucket_kms_key_arns = compact([
+    local.default_kms_key,
+    var.bucket_kms_key_arn != "" && var.bucket_kms_key_arn != null ? var.bucket_kms_key_arn : null
+  ])
+
   bucket_arn           = data.aws_s3_bucket.file_storage.arn
   bucket_sqs_queue_arn = local.use_internal_queue ? null : data.aws_sqs_queue.file_storage.0.arn
diff --git a/modules/app_eks/iam-policy-docs.tf b/modules/app_eks/iam-policy-docs.tf
index 4e7f27b4..83b6aa1e 100644
--- a/modules/app_eks/iam-policy-docs.tf
+++ b/modules/app_eks/iam-policy-docs.tf
@@ -35,7 +35,7 @@ data "aws_iam_policy_document" "node_kms" {
       "kms:DescribeKey"
     ]
     effect    = "Allow"
-    resources = var.bucket_kms_key_arn == "" || var.bucket_kms_key_arn == null ? ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${aws_iam_role.node.name}"] : [var.bucket_kms_key_arn]
+    resources = var.bucket_kms_key_arns
   }
 }
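Review bot: The first main.tf hunk deletes `default_kms_key = module.kms.key.arn` from `locals`, yet the kept context line `database_kms_key_arn = … : local.default_kms_key` and the new `bucket_kms_key_arns = compact([local.default_kms_key, …])` in the second hunk still read `local.default_kms_key`. Unless that local is declared in another `locals` block outside this diff, `terraform validate` would fail on an undeclared local; if the definition was moved, the move belongs in this patch so the reader can see which key the node role is now always granted. The trailing lone `+` in the second hunk is an added empty line before `bucket_arn` and can be dropped as stray whitespace. Both `locals` and `module "app_eks"` continue outside these hunks.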
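Review bot: `resources = var.bucket_kms_key_arns` in the iam-policy-docs.tf hunk passes the module input straight into the `Allow` statement, and nothing in this module guarantees the list is non-empty — the deleted line had an explicit empty/null branch, and an identity policy statement with no `Resource` is rejected by IAM at policy creation. The root module now always seeds the list with the default key through `compact([...])`, so that contract should be written down where it is relied on: above the `resources` line I would add `# Non-empty by contract: the root module always includes the default KMS key, so the node role keeps the KMS actions above on it (#249); extra ARNs are customer bucket keys.` Dropping the old fallback is also a clarity gain, since the previous branch named the node role's own ARN as the resource, which no KMS action can match. The `node_kms` policy document starts before this hunk.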
diff --git a/modules/app_eks/variables.tf b/modules/app_eks/variables.tf
index 64e6df6e..ff2d4ce6 100644
--- a/modules/app_eks/variables.tf
+++ b/modules/app_eks/variables.tf
@@ -3,9 +3,9 @@ variable "bucket_arn" {
   nullable    = false
 }
 
-variable "bucket_kms_key_arn" {
+variable "bucket_kms_key_arns" {
   description = "The Amazon Resource Name of the KMS key with which S3 storage bucket objects will be encrypted."
-  type        = string
+  type        = list(string)
 }
 
 variable "fqdn" {
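Review bot: The description of `bucket_kms_key_arns` was not updated with the rename: it still reads "The Amazon Resource Name of the KMS key", singular, and describes the keys only as encrypting bucket objects, whereas the variable is now the list of key ARNs on which the node role's `node_kms` statement is granted. The variable also has no lower bound, while `bucket_arn` just above is `nullable = false`; a `validation` block makes the non-empty requirement explicit at plan time rather than surfacing as an IAM error when the policy is created.
```hcl
variable "bucket_kms_key_arns" {
  description = "ARNs of the KMS keys the EKS node role is granted KMS permissions on for S3 storage bucket object encryption. Must contain at least one ARN; the generated IAM statement needs a non-empty resource list."
  type        = list(string)
  validation {
    condition     = length(var.bucket_kms_key_arns) > 0
    error_message = "bucket_kms_key_arns must contain at least one KMS key ARN."
  }
}
```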