diff --git a/examples/named_cluster/disk_encryption_set.tf b/examples/named_cluster/disk_encryption_set.tf
index 4df49ea5..94f8252b 100644
--- a/examples/named_cluster/disk_encryption_set.tf
+++ b/examples/named_cluster/disk_encryption_set.tf
@@ -1,41 +1,3 @@
-data "azurerm_client_config" "current" {}
-
-resource "random_string" "key_vault_prefix" {
- length = 6
- special = false
- upper = false
- numeric = false
-}
-
-data "curl" "public_ip" {
- count = var.key_vault_firewall_bypass_ip_cidr == null ? 1 : 0
-
- http_method = "GET"
- uri = "https://api.ipify.org?format=json"
-}
-
-locals {
- # We cannot use coalesce here because it's not short-circuit and public_ip's index will cause error
- public_ip = var.key_vault_firewall_bypass_ip_cidr == null ? jsondecode(data.curl.public_ip[0].response).ip : var.key_vault_firewall_bypass_ip_cidr
-}
-
-resource "azurerm_key_vault" "des_vault" {
- location = local.resource_group.location
- name = "${random_string.key_vault_prefix.result}-des-keyvault"
- resource_group_name = local.resource_group.name
- sku_name = "premium"
- tenant_id = data.azurerm_client_config.current.tenant_id
- enabled_for_disk_encryption = true
- purge_protection_enabled = true
- soft_delete_retention_days = 7
-
- network_acls {
- bypass = "AzureServices"
- default_action = "Deny"
- ip_rules = [local.public_ip]
- }
-}
-
 resource "azurerm_key_vault_key" "des_key" {
 key_opts = [
 "decrypt",
@@ -81,14 +43,3 @@ resource "azurerm_key_vault_access_policy" "des" {
 "UnwrapKey"
 ]
 }
-
-resource "azurerm_key_vault_access_policy" "current_user" {
- key_vault_id = azurerm_key_vault.des_vault.id
- object_id = coalesce(var.managed_identity_principal_id, data.azurerm_client_config.current.object_id)
- tenant_id = data.azurerm_client_config.current.tenant_id
- key_permissions = [
- "Get",
- "Create",
- "Delete",
- ]
-}
\ No newline at end of file
diff --git a/examples/named_cluster/key_vault.tf b/examples/named_cluster/key_vault.tf
new file mode 100644
index 00000000..cab31aaa
--- /dev/null
+++ b/examples/named_cluster/key_vault.tf
@@ -0,0 +1,48 @@
+data "azurerm_client_config" "current" {}
+
+resource "random_string" "key_vault_prefix" {
+ length = 6
+ special = false
+ upper = false
+ numeric = false
+}
+
+data "curl" "public_ip" {
+ count = var.key_vault_firewall_bypass_ip_cidr == null ? 1 : 0
+
+ http_method = "GET"
+ uri = "https://api.ipify.org?format=json"
+}
+
+locals {
+ # We cannot use coalesce here because it's not short-circuit and public_ip's index will cause error
+ public_ip = var.key_vault_firewall_bypass_ip_cidr == null ? jsondecode(data.curl.public_ip[0].response).ip : var.key_vault_firewall_bypass_ip_cidr
+}
+
+resource "azurerm_key_vault" "des_vault" {
+ location = local.resource_group.location
+ name = "${random_string.key_vault_prefix.result}-des-keyvault"
+ resource_group_name = local.resource_group.name
+ sku_name = "premium"
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ enabled_for_disk_encryption = true
+ purge_protection_enabled = true
+ soft_delete_retention_days = 7
+
+ network_acls {
+ bypass = "AzureServices"
+ default_action = "Deny"
+ ip_rules = [local.public_ip]
+ }
+}
+
+resource "azurerm_key_vault_access_policy" "current_user" {
+ key_vault_id = azurerm_key_vault.des_vault.id
+ object_id = coalesce(var.managed_identity_principal_id, data.azurerm_client_config.current.object_id)
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ key_permissions = [
+ "Get",
+ "Create",
+ "Delete",
+ ]
+}
diff --git a/examples/named_cluster/kms.tf b/examples/named_cluster/kms.tf
new file mode 100644
index 00000000..787b6439
--- /dev/null
+++ b/examples/named_cluster/kms.tf
@@ -0,0 +1,29 @@
+resource "azurerm_key_vault_key" "kms" {
+ name = "etcd-encryption"
+ key_vault_id = azurerm_key_vault.des_vault.id
+ key_type = "RSA"
+ key_size = 2048
+
+ key_opts = [
+ "decrypt",
+ "encrypt",
+ "sign",
+ "unwrapKey",
+ "verify",
+ "wrapKey",
+ ]
+
+ depends_on = [
+ azurerm_key_vault_access_policy.current_user
+ ]
+}
+
+resource "azurerm_key_vault_access_policy" "kms" {
+ key_vault_id = azurerm_key_vault.des_vault.id
+ object_id = azurerm_user_assigned_identity.test.id
+ tenant_id = azurerm_user_assigned_identity.test.tenant_id
+ key_permissions = [
+ "Decrypt",
+ "Encrypt",
+ ]
+}
diff --git a/examples/named_cluster/main.tf b/examples/named_cluster/main.tf
index 282c1ee7..8c0c6579 100644
--- a/examples/named_cluster/main.tf
+++ b/examples/named_cluster/main.tf
@@ -46,6 +46,12 @@ resource "azurerm_log_analytics_workspace" "main" {
 sku = "PerGB2018"
 }
 
+resource "azurerm_user_assigned_identity" "test" {
+ location = local.resource_group.location
+ name = "${random_id.prefix.hex}-control-plane"
+ resource_group_name = local.resource_group.name
+}
+
 module "aks_cluster_name" {
 source = "../.."
 
@@ -77,4 +83,11 @@ module "aks_cluster_name" {
 rbac_aad = true
 rbac_aad_managed = true
 role_based_access_control_enabled = true
+
+ # KMS encrption
+ identity_type = "UserAssigned"
+ identity_ids = [azurerm_user_assigned_identity.test.id]
+ key_vault_kms_enabled = true
+ key_vault_kms_key_id = azurerm_key_vault_key.kms.id
+
 }
diff --git a/examples/startup/disk_encryption_set.tf b/examples/startup/disk_encryption_set.tf
index 4df49ea5..94f8252b 100644
--- a/examples/startup/disk_encryption_set.tf
+++ b/examples/startup/disk_encryption_set.tf
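Review bot: `object_id = azurerm_user_assigned_identity.test.id` in the `kms` access policy passes the identity's ARM resource ID, but a Key Vault access policy's object_id must be the Azure AD principal object ID (a GUID), so the policy is rejected or binds to nothing and the control-plane identity never gets Encrypt/Decrypt; use `object_id = azurerm_user_assigned_identity.test.principal_id`. The same line is repeated in examples/startup/kms.tf and examples/without_monitor/kms.tf. Separately, the key is created with sign/verify/wrapKey/unwrapKey in key_opts while the identity is only granted Decrypt/Encrypt; if the KMS plugin needs only encrypt and decrypt, trimming key_opts to those two keeps the key least-privilege and consistent with the grant.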
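Review bot: The module block now consumes `azurerm_key_vault_key.kms.id`, but nothing in the graph references `azurerm_key_vault_access_policy.kms`, so the cluster can be created before its control-plane identity has Encrypt/Decrypt on the vault and KMS bootstrap may fail on a first apply. Add `depends_on = [azurerm_key_vault_access_policy.kms]` to the module block (module-level depends_on needs Terraform 0.13+, which the `numeric` argument on random_string already implies). The same ordering gap is in the matching hunks of examples/startup/main.tf and examples/without_monitor/main.tf, and the comment `# KMS encrption` should read `# KMS encryption` in all three.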
@@ -1,41 +1,3 @@
-data "azurerm_client_config" "current" {}
-
-resource "random_string" "key_vault_prefix" {
- length = 6
- special = false
- upper = false
- numeric = false
-}
-
-data "curl" "public_ip" {
- count = var.key_vault_firewall_bypass_ip_cidr == null ? 1 : 0
-
- http_method = "GET"
- uri = "https://api.ipify.org?format=json"
-}
-
-locals {
- # We cannot use coalesce here because it's not short-circuit and public_ip's index will cause error
- public_ip = var.key_vault_firewall_bypass_ip_cidr == null ? jsondecode(data.curl.public_ip[0].response).ip : var.key_vault_firewall_bypass_ip_cidr
-}
-
-resource "azurerm_key_vault" "des_vault" {
- location = local.resource_group.location
- name = "${random_string.key_vault_prefix.result}-des-keyvault"
- resource_group_name = local.resource_group.name
- sku_name = "premium"
- tenant_id = data.azurerm_client_config.current.tenant_id
- enabled_for_disk_encryption = true
- purge_protection_enabled = true
- soft_delete_retention_days = 7
-
- network_acls {
- bypass = "AzureServices"
- default_action = "Deny"
- ip_rules = [local.public_ip]
- }
-}
-
 resource "azurerm_key_vault_key" "des_key" {
 key_opts = [
 "decrypt",
@@ -81,14 +43,3 @@ resource "azurerm_key_vault_access_policy" "des" {
 "UnwrapKey"
 ]
 }
-
-resource "azurerm_key_vault_access_policy" "current_user" {
- key_vault_id = azurerm_key_vault.des_vault.id
- object_id = coalesce(var.managed_identity_principal_id, data.azurerm_client_config.current.object_id)
- tenant_id = data.azurerm_client_config.current.tenant_id
- key_permissions = [
- "Get",
- "Create",
- "Delete",
- ]
-}
\ No newline at end of file
diff --git a/examples/startup/key_vault.tf b/examples/startup/key_vault.tf
new file mode 100644
index 00000000..2b213aaf
--- /dev/null
+++ b/examples/startup/key_vault.tf
@@ -0,0 +1,49 @@
+data "azurerm_client_config" "current" {}
+
+resource "random_string" "key_vault_prefix" {
+ length = 6
+ special = false
+ upper = false
+ numeric = false
+}
+
+data "curl" "public_ip" {
+ count = var.key_vault_firewall_bypass_ip_cidr == null ? 1 : 0
+
+ http_method = "GET"
+ uri = "https://api.ipify.org?format=json"
+}
+
+locals {
+ # We cannot use coalesce here because it's not short-circuit and public_ip's index will cause error
+ public_ip = var.key_vault_firewall_bypass_ip_cidr == null ? jsondecode(data.curl.public_ip[0].response).ip : var.key_vault_firewall_bypass_ip_cidr
+}
+
+resource "azurerm_key_vault" "des_vault" {
+ location = local.resource_group.location
+ name = "${random_string.key_vault_prefix.result}-des-keyvault"
+ resource_group_name = local.resource_group.name
+ sku_name = "premium"
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ enabled_for_disk_encryption = true
+ purge_protection_enabled = true
+ soft_delete_retention_days = 7
+ enable_rbac_authorization = true
+
+ network_acls {
+ bypass = "AzureServices"
+ default_action = "Deny"
+ ip_rules = [local.public_ip]
+ }
+}
+
+resource "azurerm_key_vault_access_policy" "current_user" {
+ key_vault_id = azurerm_key_vault.des_vault.id
+ object_id = coalesce(var.managed_identity_principal_id, data.azurerm_client_config.current.object_id)
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ key_permissions = [
+ "Get",
+ "Create",
+ "Delete",
+ ]
+}
diff --git a/examples/startup/kms.tf b/examples/startup/kms.tf
new file mode 100644
index 00000000..85b7cbcc
--- /dev/null
+++ b/examples/startup/kms.tf
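Review bot: `enable_rbac_authorization = true` on `des_vault` switches the vault to the Azure RBAC permission model, under which vault access policies are not evaluated, so the `current_user` access policy a few lines below (and the `kms` access policy in examples/startup/kms.tf that also targets des_vault) grants nothing. Either drop the line so this file matches the named_cluster and without_monitor copies, or replace the access policies with `azurerm_role_assignment` resources scoped to the vault (for example Key Vault Crypto Officer for the deployer and Key Vault Crypto User for the identity). As written, whether key creation succeeds depends only on role assignments the deployer already holds, not on anything declared in this example.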
@@ -0,0 +1,27 @@
+resource "azurerm_key_vault_key" "kms" {
+ name = "${var.cluster_name}-etcd-encryption"
+ key_vault_id = azurerm_key_vault.kv_storage_byok.id
+ key_type = "RSA"
+ key_size = 2048
+
+ key_opts = [
+ "decrypt",
+ "encrypt",
+ "sign",
+ "unwrapKey",
+ "verify",
+ "wrapKey",
+ ]
+
+ depends_on = [azurerm_role_assignment.kv_admin]
+}
+
+resource "azurerm_key_vault_access_policy" "kms" {
+ key_vault_id = azurerm_key_vault.des_vault.id
+ object_id = azurerm_user_assigned_identity.test.id
+ tenant_id = azurerm_user_assigned_identity.test.tenant_id
+ key_permissions = [
+ "Decrypt",
+ "Encrypt",
+ ]
+}
diff --git a/examples/startup/main.tf b/examples/startup/main.tf
index 3cbe5f14..e3be9d28 100644
--- a/examples/startup/main.tf
+++ b/examples/startup/main.tf
@@ -31,6 +31,12 @@ resource "azurerm_subnet" "test" {
 enforce_private_link_endpoint_network_policies = true
 }
 
+resource "azurerm_user_assigned_identity" "test" {
+ location = local.resource_group.location
+ name = "${random_id.prefix.hex}-control-plane"
+ resource_group_name = local.resource_group.name
+}
+
 module "aks" {
 source = "../.."
 
@@ -84,6 +90,12 @@ module "aks" {
 sku_tier = "Paid"
 vnet_subnet_id = azurerm_subnet.test.id
 
+ # KMS encrption
+ identity_type = "UserAssigned"
+ identity_ids = [azurerm_user_assigned_identity.test.id]
+ key_vault_kms_enabled = true
+ key_vault_kms_key_id = azurerm_key_vault_key.kms.id
+
 agents_labels = {
 "node1" : "label1"
 }
diff --git a/examples/without_monitor/disk_encryption_set.tf b/examples/without_monitor/disk_encryption_set.tf
index 4df49ea5..94f8252b 100644
--- a/examples/without_monitor/disk_encryption_set.tf
+++ b/examples/without_monitor/disk_encryption_set.tf
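Review bot: The `kms` key is created in `azurerm_key_vault.kv_storage_byok` and ordered after `azurerm_role_assignment.kv_admin`, neither of which is declared anywhere in this diff, while the `kms` access policy for the identity is granted on `azurerm_key_vault.des_vault` — so even if those two resources exist elsewhere in the example, the identity's Encrypt/Decrypt grant is on a different vault than the one holding the key AKS will use. The named_cluster copy of this file is self-consistent (`key_vault_id = azurerm_key_vault.des_vault.id` and `depends_on = [azurerm_key_vault_access_policy.current_user]`); this file should point the key at the same vault the policy targets, or move the policy to the vault that holds the key. examples/without_monitor/kms.tf is byte-identical (same blob index) and has the same mismatch, and that example declares no RBAC setup at all.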
@@ -1,41 +1,3 @@
-data "azurerm_client_config" "current" {}
-
-resource "random_string" "key_vault_prefix" {
- length = 6
- special = false
- upper = false
- numeric = false
-}
-
-data "curl" "public_ip" {
- count = var.key_vault_firewall_bypass_ip_cidr == null ? 1 : 0
-
- http_method = "GET"
- uri = "https://api.ipify.org?format=json"
-}
-
-locals {
- # We cannot use coalesce here because it's not short-circuit and public_ip's index will cause error
- public_ip = var.key_vault_firewall_bypass_ip_cidr == null ? jsondecode(data.curl.public_ip[0].response).ip : var.key_vault_firewall_bypass_ip_cidr
-}
-
-resource "azurerm_key_vault" "des_vault" {
- location = local.resource_group.location
- name = "${random_string.key_vault_prefix.result}-des-keyvault"
- resource_group_name = local.resource_group.name
- sku_name = "premium"
- tenant_id = data.azurerm_client_config.current.tenant_id
- enabled_for_disk_encryption = true
- purge_protection_enabled = true
- soft_delete_retention_days = 7
-
- network_acls {
- bypass = "AzureServices"
- default_action = "Deny"
- ip_rules = [local.public_ip]
- }
-}
-
 resource "azurerm_key_vault_key" "des_key" {
 key_opts = [
 "decrypt",
@@ -81,14 +43,3 @@ resource "azurerm_key_vault_access_policy" "des" {
 "UnwrapKey"
 ]
 }
-
-resource "azurerm_key_vault_access_policy" "current_user" {
- key_vault_id = azurerm_key_vault.des_vault.id
- object_id = coalesce(var.managed_identity_principal_id, data.azurerm_client_config.current.object_id)
- tenant_id = data.azurerm_client_config.current.tenant_id
- key_permissions = [
- "Get",
- "Create",
- "Delete",
- ]
-}
\ No newline at end of file
diff --git a/examples/without_monitor/key_vault.tf b/examples/without_monitor/key_vault.tf
new file mode 100644
index 00000000..cab31aaa
--- /dev/null
+++ b/examples/without_monitor/key_vault.tf
@@ -0,0 +1,48 @@
+data "azurerm_client_config" "current" {}
+
+resource "random_string" "key_vault_prefix" {
+ length = 6
+ special = false
+ upper = false
+ numeric = false
+}
+
+data "curl" "public_ip" {
+ count = var.key_vault_firewall_bypass_ip_cidr == null ? 1 : 0
+
+ http_method = "GET"
+ uri = "https://api.ipify.org?format=json"
+}
+
+locals {
+ # We cannot use coalesce here because it's not short-circuit and public_ip's index will cause error
+ public_ip = var.key_vault_firewall_bypass_ip_cidr == null ? jsondecode(data.curl.public_ip[0].response).ip : var.key_vault_firewall_bypass_ip_cidr
+}
+
+resource "azurerm_key_vault" "des_vault" {
+ location = local.resource_group.location
+ name = "${random_string.key_vault_prefix.result}-des-keyvault"
+ resource_group_name = local.resource_group.name
+ sku_name = "premium"
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ enabled_for_disk_encryption = true
+ purge_protection_enabled = true
+ soft_delete_retention_days = 7
+
+ network_acls {
+ bypass = "AzureServices"
+ default_action = "Deny"
+ ip_rules = [local.public_ip]
+ }
+}
+
+resource "azurerm_key_vault_access_policy" "current_user" {
+ key_vault_id = azurerm_key_vault.des_vault.id
+ object_id = coalesce(var.managed_identity_principal_id, data.azurerm_client_config.current.object_id)
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ key_permissions = [
+ "Get",
+ "Create",
+ "Delete",
+ ]
+}
diff --git a/examples/without_monitor/kms.tf b/examples/without_monitor/kms.tf
new file mode 100644
index 00000000..85b7cbcc
--- /dev/null
+++ b/examples/without_monitor/kms.tf
@@ -0,0 +1,27 @@
+resource "azurerm_key_vault_key" "kms" {
+ name = "${var.cluster_name}-etcd-encryption"
+ key_vault_id = azurerm_key_vault.kv_storage_byok.id
+ key_type = "RSA"
+ key_size = 2048
+
+ key_opts = [
+ "decrypt",
+ "encrypt",
+ "sign",
+ "unwrapKey",
+ "verify",
+ "wrapKey",
+ ]
+
+ depends_on = [azurerm_role_assignment.kv_admin]
+}
+
+resource "azurerm_key_vault_access_policy" "kms" {
+ key_vault_id = azurerm_key_vault.des_vault.id
+ object_id = azurerm_user_assigned_identity.test.id
+ tenant_id = azurerm_user_assigned_identity.test.tenant_id
+ key_permissions = [
+ "Decrypt",
+ "Encrypt",
+ ]
+}
diff --git a/examples/without_monitor/main.tf b/examples/without_monitor/main.tf
index f4c54155..4ff616e1 100644
--- a/examples/without_monitor/main.tf
+++ b/examples/without_monitor/main.tf
@@ -31,6 +31,12 @@ resource "azurerm_subnet" "test" {
 enforce_private_link_endpoint_network_policies = true
 }
 
+resource "azurerm_user_assigned_identity" "test" {
+ location = local.resource_group.location
+ name = "${random_id.prefix.hex}-control-plane"
+ resource_group_name = local.resource_group.name
+}
+
 module "aks_without_monitor" {
 source = "../.."
 
@@ -46,4 +52,11 @@ module "aks_without_monitor" {
 rbac_aad = true
 rbac_aad_managed = true
 role_based_access_control_enabled = true
+
+ # KMS encrption
+ identity_type = "UserAssigned"
+ identity_ids = [azurerm_user_assigned_identity.test.id]
+ key_vault_kms_enabled = true
+ key_vault_kms_key_id = azurerm_key_vault_key.kms.id
+
 }