nebari-dev · joneszc · Sep 16, 2024 · Sep 17, 2024 · Sep 17, 2024 · Sep 17, 2024
diff --git a/src/_nebari/stages/infrastructure/__init__.py b/src/_nebari/stages/infrastructure/__init__.py
@@ -182,6 +182,7 @@ class AWSInputVars(schema.Base):
     eks_endpoint_access: Optional[
         Literal["private", "public", "public_and_private"]
     ] = "public"
+    eks_kms_arn: Optional[str] = None
     node_groups: List[AWSNodeGroupInputVars]
     availability_zones: List[str]
     vpc_cidr_block: str
@@ -504,6 +505,7 @@ class AmazonWebServicesProvider(schema.Base):
     eks_endpoint_access: Optional[
         Literal["private", "public", "public_and_private"]
     ] = "public"
+    eks_kms_arn: Optional[str] = None
     existing_subnet_ids: Optional[List[str]] = None
     existing_security_group_id: Optional[str] = None
     vpc_cidr_block: str = "10.10.0.0/16"
@@ -849,6 +851,7 @@ def input_vars(self, stage_outputs: Dict[str, Dict[str, Any]]):
                 name=self.config.escaped_project_name,
                 environment=self.config.namespace,
                 eks_endpoint_access=self.config.amazon_web_services.eks_endpoint_access,
+                eks_kms_arn=self.config.amazon_web_services.eks_kms_arn,
                 existing_subnet_ids=self.config.amazon_web_services.existing_subnet_ids,
                 existing_security_group_id=self.config.amazon_web_services.existing_security_group_id,
                 region=self.config.amazon_web_services.region,

diff --git a/src/_nebari/stages/infrastructure/template/aws/main.tf b/src/_nebari/stages/infrastructure/template/aws/main.tf
@@ -99,6 +99,7 @@ module "kubernetes" {
 
   endpoint_public_access  = var.eks_endpoint_access == "private" ? false : true
   endpoint_private_access = var.eks_endpoint_access == "public" ? false : true
+  eks_kms_arn             = var.eks_kms_arn
   public_access_cidrs     = var.eks_public_access_cidrs
   permissions_boundary    = var.permissions_boundary
 }
diff --git a/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/main.tf b/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/main.tf
@@ -14,8 +14,20 @@ resource "aws_eks_cluster" "main" {
     public_access_cidrs     = var.public_access_cidrs
   }
 
+  # Only set encryption_config if eks_kms_arn is not null
+  dynamic "encryption_config" {
+    for_each = var.eks_kms_arn != null ? [1] : []
+    content {
+      provider {
+        key_arn = var.eks_kms_arn
+      }
+      resources = ["secrets"]
+    }
+  }
+
   depends_on = [
     aws_iam_role_policy_attachment.cluster-policy,
+    aws_iam_role_policy_attachment.cluster_encryption,
   ]
 
   tags = merge({ Name = var.name }, var.tags)

diff --git a/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/policy.tf b/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/policy.tf
@@ -32,6 +32,34 @@ resource "aws_iam_role_policy_attachment" "cluster-policy" {
   role       = aws_iam_role.cluster.name
 }
 
+data "aws_iam_policy_document" "cluster_encryption" {
+  count = var.eks_kms_arn != null ? 1 : 0
+  statement {
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ListGrants",
+      "kms:DescribeKey"
+    ]
+    resources = [var.eks_kms_arn]
+  }
+}
+
+resource "aws_iam_policy" "cluster_encryption" {
+  count       = var.eks_kms_arn != null ? 1 : 0
+  name        = "${var.name}-eks-encryption-policy"
+  description = "IAM policy for EKS cluster encryption"
+  policy      = data.aws_iam_policy_document.cluster_encryption[count.index].json
+}
+
+# Grant the EKS Cluster role KMS permissions if a key-arn is specified
+resource "aws_iam_role_policy_attachment" "cluster_encryption" {
+  count = var.eks_kms_arn != null ? 1 : 0
+
+  policy_arn = aws_iam_policy.cluster_encryption[count.index].arn
+  role       = aws_iam_role.cluster.name
+}
+
 # =======================================================
 # Kubernetes Node Group Policies
 # =======================================================

diff --git a/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/variables.tf b/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/variables.tf
@@ -72,6 +72,12 @@ variable "endpoint_private_access" {
   default = false
 }
 
+variable "eks_kms_arn" {
+  description = "kms key arn for EKS cluster encryption_config"
+  type        = string
+  default     = null
+}
+
 variable "public_access_cidrs" {
   type    = list(string)
   default = ["0.0.0.0/0"]

diff --git a/src/_nebari/stages/infrastructure/template/aws/variables.tf b/src/_nebari/stages/infrastructure/template/aws/variables.tf
@@ -69,6 +69,12 @@ variable "eks_endpoint_private_access" {
   default = false
 }
 
+variable "eks_kms_arn" {
+  description = "kms key arn for EKS cluster encryption_config"
+  type        = string
+  default     = null
+}
+
 variable "eks_public_access_cidrs" {
   type    = list(string)
   default = ["0.0.0.0/0"]