From eda10865584f03f9fc43151bc9f828dcc1b9d605 Mon Sep 17 00:00:00 2001
From: Marco Kilchhofer
Date: Mon, 23 Jan 2023 13:45:50 +0100
Subject: [PATCH] chore: Update examples with KMS
---
 examples/named_cluster/disk_encryption_set.tf | 49 -------------------
 examples/named_cluster/key_vault.tf | 48 ++++++++++++++++++
 examples/named_cluster/kms.tf | 29 +++++++++++
 examples/named_cluster/main.tf | 4 ++
 4 files changed, 81 insertions(+), 49 deletions(-)
 create mode 100644 examples/named_cluster/key_vault.tf
 create mode 100644 examples/named_cluster/kms.tf
diff --git a/examples/named_cluster/disk_encryption_set.tf b/examples/named_cluster/disk_encryption_set.tf
index 4df49ea5..94f8252b 100644
--- a/examples/named_cluster/disk_encryption_set.tf
+++ b/examples/named_cluster/disk_encryption_set.tf
@@ -1,41 +1,3 @@
-data "azurerm_client_config" "current" {}
-
-resource "random_string" "key_vault_prefix" {
- length = 6
- special = false
- upper = false
- numeric = false
-}
-
-data "curl" "public_ip" {
- count = var.key_vault_firewall_bypass_ip_cidr == null ? 1 : 0
-
- http_method = "GET"
- uri = "https://api.ipify.org?format=json"
-}
-
-locals {
- # We cannot use coalesce here because it's not short-circuit and public_ip's index will cause error
- public_ip = var.key_vault_firewall_bypass_ip_cidr == null ? jsondecode(data.curl.public_ip[0].response).ip : var.key_vault_firewall_bypass_ip_cidr
-}
-
-resource "azurerm_key_vault" "des_vault" {
- location = local.resource_group.location
- name = "${random_string.key_vault_prefix.result}-des-keyvault"
- resource_group_name = local.resource_group.name
- sku_name = "premium"
- tenant_id = data.azurerm_client_config.current.tenant_id
- enabled_for_disk_encryption = true
- purge_protection_enabled = true
- soft_delete_retention_days = 7
-
- network_acls {
- bypass = "AzureServices"
- default_action = "Deny"
- ip_rules = [local.public_ip]
- }
-}
-
 resource "azurerm_key_vault_key" "des_key" {
 key_opts = [
 "decrypt",
@@ -81,14 +43,3 @@ resource "azurerm_key_vault_access_policy" "des" {
 "UnwrapKey"
 ]
 }
-
-resource "azurerm_key_vault_access_policy" "current_user" {
- key_vault_id = azurerm_key_vault.des_vault.id
- object_id = coalesce(var.managed_identity_principal_id, data.azurerm_client_config.current.object_id)
- tenant_id = data.azurerm_client_config.current.tenant_id
- key_permissions = [
- "Get",
- "Create",
- "Delete",
- ]
-}
\ No newline at end of file
diff --git a/examples/named_cluster/key_vault.tf b/examples/named_cluster/key_vault.tf
new file mode 100644
index 00000000..cab31aaa
--- /dev/null
+++ b/examples/named_cluster/key_vault.tf
@@ -0,0 +1,48 @@
+data "azurerm_client_config" "current" {}
+
+resource "random_string" "key_vault_prefix" {
+ length = 6
+ special = false
+ upper = false
+ numeric = false
+}
+
+data "curl" "public_ip" {
+ count = var.key_vault_firewall_bypass_ip_cidr == null ? 1 : 0
+
+ http_method = "GET"
+ uri = "https://api.ipify.org?format=json"
+}
+
+locals {
+ # We cannot use coalesce here because it's not short-circuit and public_ip's index will cause error
+ public_ip = var.key_vault_firewall_bypass_ip_cidr == null ? jsondecode(data.curl.public_ip[0].response).ip : var.key_vault_firewall_bypass_ip_cidr
+}
+
+resource "azurerm_key_vault" "des_vault" {
+ location = local.resource_group.location
+ name = "${random_string.key_vault_prefix.result}-des-keyvault"
+ resource_group_name = local.resource_group.name
+ sku_name = "premium"
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ enabled_for_disk_encryption = true
+ purge_protection_enabled = true
+ soft_delete_retention_days = 7
+
+ network_acls {
+ bypass = "AzureServices"
+ default_action = "Deny"
+ ip_rules = [local.public_ip]
+ }
+}
+
+resource "azurerm_key_vault_access_policy" "current_user" {
+ key_vault_id = azurerm_key_vault.des_vault.id
+ object_id = coalesce(var.managed_identity_principal_id, data.azurerm_client_config.current.object_id)
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ key_permissions = [
+ "Get",
+ "Create",
+ "Delete",
+ ]
+}
diff --git a/examples/named_cluster/kms.tf b/examples/named_cluster/kms.tf
new file mode 100644
index 00000000..787b6439
--- /dev/null
+++ b/examples/named_cluster/kms.tf
@@ -0,0 +1,29 @@
+resource "azurerm_key_vault_key" "kms" {
+ name = "etcd-encryption"
+ key_vault_id = azurerm_key_vault.des_vault.id
+ key_type = "RSA"
+ key_size = 2048
+
+ key_opts = [
+ "decrypt",
+ "encrypt",
+ "sign",
+ "unwrapKey",
+ "verify",
+ "wrapKey",
+ ]
+
+ depends_on = [
+ azurerm_key_vault_access_policy.current_user
+ ]
+}
+
+resource "azurerm_key_vault_access_policy" "kms" {
+ key_vault_id = azurerm_key_vault.des_vault.id
+ object_id = azurerm_user_assigned_identity.test.id
+ tenant_id = azurerm_user_assigned_identity.test.tenant_id
+ key_permissions = [
+ "Decrypt",
+ "Encrypt",
+ ]
+}
diff --git a/examples/named_cluster/main.tf b/examples/named_cluster/main.tf
index 282c1ee7..d997780b 100644
--- a/examples/named_cluster/main.tf
+++ b/examples/named_cluster/main.tf
@@ -77,4 +77,8 @@ module "aks_cluster_name" {
 rbac_aad = true
 rbac_aad_managed = true
 role_based_access_control_enabled = true
+
+ # KMS etcd encryption
+ kms_enabled = true
+ kms_key_vault_key_id = azurerm_key_vault_key.kms.id
 }
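Review bot: The `kms` access policy sets `object_id = azurerm_user_assigned_identity.test.id`, which is the identity's ARM resource ID, but a Key Vault access policy needs the AAD object ID of the principal, which the identity resource exposes as `principal_id`; as written the cluster identity does not actually get Decrypt/Encrypt on the key. The line should read `object_id = azurerm_user_assigned_identity.test.principal_id`, matching how `tenant_id` on the next line already reads an identity attribute rather than the resource ID. `azurerm_user_assigned_identity.test` is defined outside this patch, so I cannot confirm it is the identity the cluster module is given; that, and whether the control plane can reach a vault whose `network_acls` default to Deny with only the operator's IP allowed, should be verified before this is used as a reference example.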
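Review bot: The module now consumes `azurerm_key_vault_key.kms.id`, but nothing in the graph orders it after `azurerm_key_vault_access_policy.kms`, so Terraform may begin creating the cluster with KMS enabled before the cluster identity has Decrypt/Encrypt on the key, and the create can fail or need a retry. Adding `depends_on = [azurerm_key_vault_access_policy.kms]` to the module block removes that race; the `module "aks_cluster_name"` block starts outside the hunk, so the exact placement is up to the author. The `# KMS etcd encryption` comment would be more useful if it also recorded that the key's Decrypt/Encrypt grant lives in `kms.tf`, e.g. `# KMS etcd encryption; the cluster identity's key permissions are granted in kms.tf`.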