From a5e0fc2ec576c64c8d38dee34f3a59178a217b2d Mon Sep 17 00:00:00 2001
From: Zachary Blasczyk
Date: Wed, 24 Jul 2024 11:13:59 -0500
Subject: [PATCH 1/2] fix: Use bucket KMS key arn if provided for W&B managed bucket, always use that key even if empty for customer provided buckets

---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index 74aa681b..45f04812 100644
--- a/main.tf
+++ b/main.tf
@@ -15,10 +15,10 @@ locals {
   default_kms_key = module.kms.key.arn
   clickhouse_kms_key = var.enable_clickhouse ? module.kms.clickhouse_key.arn : null
-  s3_kms_key_arn = length(var.bucket_kms_key_arn) > 0 ? var.bucket_kms_key_arn : local.default_kms_key
   database_kms_key_arn = length(var.database_kms_key_arn) > 0 ? var.database_kms_key_arn : local.default_kms_key
   database_performance_insights_kms_key_arn = length(var.database_performance_insights_kms_key_arn) > 0 ? var.database_performance_insights_kms_key_arn : local.default_kms_key
   use_external_bucket = var.bucket_name != ""
+  s3_kms_key_arn = local.use_external_bucket || var.bucket_kms_key_arn != "" ? var.bucket_kms_key_arn : local.default_kms_key
   use_internal_queue = local.use_external_bucket || var.use_internal_queue
 }

From 9074c4b118a04d5fe6d36b67dff87dbd3dc408bf Mon Sep 17 00:00:00 2001
From: Zachary Blasczyk
Date: Wed, 24 Jul 2024 12:05:44 -0500
Subject: [PATCH 2/2] fix: Always let the node role have access to the `default_kms_key`

---
 main.tf | 7 +++++--
 modules/app_eks/iam-policy-docs.tf | 2 +-
 modules/app_eks/variables.tf | 4 ++--
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/main.tf b/main.tf
index 45f04812..64d74304 100644
--- a/main.tf
+++ b/main.tf
@@ -12,7 +12,6 @@ module "kms" {
 }

 locals {
-  default_kms_key = module.kms.key.arn
   clickhouse_kms_key = var.enable_clickhouse ? module.kms.clickhouse_key.arn : null
   database_kms_key_arn = length(var.database_kms_key_arn) > 0 ? var.database_kms_key_arn : local.default_kms_key
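Review bot: The rewritten `s3_kms_key_arn` ternary no longer tells null apart from a supplied key: in Terraform `null != ""` evaluates to true, so if `var.bucket_kms_key_arn` is nullable and left unset (its declaration is not in this diff), a W&B-managed bucket ends up with `s3_kms_key_arn = null` instead of falling back to `local.default_kms_key`, whereas the old `length()` form would have errored on a null argument. Suggest `s3_kms_key_arn = local.use_external_bucket || (var.bucket_kms_key_arn != null && var.bucket_kms_key_arn != "") ? var.bucket_kms_key_arn : local.default_kms_key`, which also makes the precedence explicit. The deliberate pass-through of an empty key for customer buckets is surprising enough to deserve a line comment, e.g. `# External buckets: pass the customer key through as given (possibly empty); W&B-managed buckets fall back to the module KMS key.`. The `locals` block starts before the hunk.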
@@ -141,7 +140,11 @@ module "app_eks" {
   map_roles = var.kubernetes_map_roles
   map_users = var.kubernetes_map_users
-  bucket_kms_key_arn = local.s3_kms_key_arn
+  bucket_kms_key_arns = compact([
+    local.default_kms_key,
+    var.bucket_kms_key_arn != "" && var.bucket_kms_key_arn != null ? var.bucket_kms_key_arn : null
+  ])
+
   bucket_arn = data.aws_s3_bucket.file_storage.arn
   bucket_sqs_queue_arn = local.use_internal_queue ? null : data.aws_sqs_queue.file_storage.0.arn
diff --git a/modules/app_eks/iam-policy-docs.tf b/modules/app_eks/iam-policy-docs.tf
index 4e7f27b4..83b6aa1e 100644
--- a/modules/app_eks/iam-policy-docs.tf
+++ b/modules/app_eks/iam-policy-docs.tf
@@ -35,7 +35,7 @@ data "aws_iam_policy_document" "node_kms" {
       "kms:DescribeKey"
     ]
     effect = "Allow"
-    resources = var.bucket_kms_key_arn == "" || var.bucket_kms_key_arn == null ? ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${aws_iam_role.node.name}"] : [var.bucket_kms_key_arn]
+    resources = var.bucket_kms_key_arns
   }
 }
diff --git a/modules/app_eks/variables.tf b/modules/app_eks/variables.tf
index 64e6df6e..ff2d4ce6 100644
--- a/modules/app_eks/variables.tf
+++ b/modules/app_eks/variables.tf
@@ -3,9 +3,9 @@ variable "bucket_arn" {
   nullable = false
 }

-variable "bucket_kms_key_arn" {
+variable "bucket_kms_key_arns" {
   description = "The Amazon Resource Name of the KMS key with which S3 storage bucket objects will be encrypted."
-  type = string
+  type = list(string)
 }

 variable "fqdn" {
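Review bot: The new `bucket_kms_key_arns` list reads `local.default_kms_key`, but the `@@ -12,7 +12,6 @@` hunk of this same patch deletes that local's definition from the `locals` block, and the diffstat for main.tf (5 insertions, 2 deletions) is fully accounted for by these two hunks, so nothing in this file re-adds it; unless another root-module file now defines `default_kms_key`, the plan fails on an undefined local, and the untouched `database_kms_key_arn`, `database_performance_insights_kms_key_arn` and `s3_kms_key_arn` locals break with it. If the deletion was not intended, restore `default_kms_key = module.kms.key.arn` in the `locals` block. The list also changes the scope of the node_kms grant and should say so: the node role now always receives the node_kms actions on the managed key that the database locals fall back to, so a customer who supplied a separate bucket key no longer confines the node role to that key alone — e.g. `# Node role always gets node_kms actions on the W&B-managed key; the customer bucket key is appended when supplied.`. The `module "app_eks"` block starts before the hunk and continues after it.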
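Review bot: The renamed `bucket_kms_key_arns` variable keeps the singular description ("The Amazon Resource Name of the KMS key ...") even though its type is now `list(string)`, and it gains neither `nullable = false` (which the neighbouring `bucket_arn` declares) nor a validation, so a null or empty list is accepted and flows straight into `resources = var.bucket_kms_key_arns` in node_kms, which would render a statement with no resources. The caller's `compact([...])` happens to avoid that today, but the module should protect itself. Suggest updating the description and adding a validation block, as below.

```hcl
variable "bucket_kms_key_arns" {
  description = "ARNs of the KMS keys the node role may use for S3 storage bucket object encryption: the W&B-managed key plus any customer-provided bucket key."
  type        = list(string)
  nullable    = false

  validation {
    condition     = length(var.bucket_kms_key_arns) > 0
    error_message = "bucket_kms_key_arns must contain at least one KMS key ARN; node_kms cannot render a statement with no resources."
  }
}
```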