Issue creating KMS key #134

Closed
applike-ss opened this issue Sep 27, 2022 · 6 comments
Assignees: ArchiFleKs
Labels: help wanted (Extra attention is needed), question (Further information is requested)

Comments

applike-ss (Contributor) commented Sep 27, 2022

For testing out tEKS I don't want to use KMS for EBS volume encryption, however the module insists on creating resources and fails.

This is the failing resource:

 # aws_kms_key.this will be created
  + resource "aws_kms_key" "this" {
      + arn                                = (known after apply)
      + bypass_policy_lockout_safety_check = false
      + customer_master_key_spec           = "SYMMETRIC_DEFAULT"
      + description                        = "EKS Secret Encryption Key for my-foo-cluster"
      + enable_key_rotation                = true
      + id                                 = (known after apply)
      + is_enabled                         = true
      + key_id                             = (known after apply)
      + key_usage                          = "ENCRYPT_DECRYPT"
      + multi_region                       = false
      + policy                             = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "kms:*"
                      + Effect    = "Allow"
                      + Principal = {
                          + AWS = "arn:aws:iam::123456789012:root"
                        }
                      + Resource  = "*"
                      + Sid       = "Enable IAM User Permissions"
                    },
                  + {
                      + Action    = [
                          + "kms:ReEncrypt*",
                          + "kms:GenerateDataKey*",
                          + "kms:Encrypt",
                          + "kms:DescribeKey",
                          + "kms:Decrypt",
                        ]
                      + Effect    = "Allow"
                      + Principal = {
                          + AWS = "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
                        }
                      + Resource  = "*"
                      + Sid       = "Allow service-linked role use of the CMK"
                    },
                  + {
                      + Action    = "kms:CreateGrant"
                      + Condition = {
                          + Bool = {
                              + "kms:GrantIsForAWSResource" = [
                                  + "true",
                                ]
                            }
                        }
                      + Effect    = "Allow"
                      + Principal = {
                          + AWS = "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
                        }
                      + Resource  = "*"
                      + Sid       = "Allow attachment of persistent resources"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + tags                               = {
          + "Environment" = "foo"
          + "Owner"       = "me"
          + "Project"     = "teks"
        }
      + tags_all                           = {
          + "Environment" = "foo"
          + "Owner"       = "me"
          + "Project"     = "teks"
        }
    }

And this is the error message I get:

╷
│ Error: error creating KMS Key: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
│ 
│   with aws_kms_key.this,
│   on main.tf line 1, in resource "aws_kms_key" "this":
│    1: resource "aws_kms_key" "this" {
│ 
╵

The role AWSServiceRoleForAutoScaling does not exist yet.

ArchiFleKs (Member) commented Sep 30, 2022

Hi @applike-ss, if you are managing a new account only via Terraform I think you should create the serviceRole in another module, with the help of https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_service_linked_role

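The following is an added example, not code from tEKS or terraform-kubernetes-addons, of what the suggestion above looks like in Terraform. KMS validates every principal ARN in a key policy when the key is created and rejects a role that does not exist yet, which is exactly the MalformedPolicyDocumentException in the plan. The fix is to declare the Auto Scaling service-linked role with aws_iam_service_linked_role and reference its arn attribute in the key policy, so Terraform orders the role creation before the key. The resource and data-source names (autoscaling, kms, ebs), the key description and the fact that no such role exists in the account yet are assumptions for the example; the three policy statements reproduce the ones shown in the plan output of this issue.

```hcl
# Added example (not the tEKS module code). Assumes the account does not yet
# contain AWSServiceRoleForAutoScaling; see the usage note for the import case.

data "aws_caller_identity" "current" {}

# AWS picks the role name (AWSServiceRoleForAutoScaling) and the
# /aws-service-role/autoscaling.amazonaws.com/ path itself.
resource "aws_iam_service_linked_role" "autoscaling" {
  aws_service_name = "autoscaling.amazonaws.com"
}

data "aws_iam_policy_document" "kms" {
  # Same three statements as the plan in this issue, with the role ARN taken
  # from the resource above instead of being hard-coded.
  statement {
    sid       = "Enable IAM User Permissions"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  statement {
    sid = "Allow service-linked role use of the CMK"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
    ]
    resources = ["*"]
    principals {
      type = "AWS"
      # Implicit dependency: the role is created before the key policy is sent to KMS.
      identifiers = [aws_iam_service_linked_role.autoscaling.arn]
    }
  }

  statement {
    sid       = "Allow attachment of persistent resources"
    actions   = ["kms:CreateGrant"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_service_linked_role.autoscaling.arn]
    }
    # Only grants created on behalf of an AWS service (here: EBS/Auto Scaling)
    # are allowed, not arbitrary grants by whoever can assume the role.
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}

resource "aws_kms_key" "ebs" {
  description         = "EBS encryption key" # example description
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.kms.json
}
```

Two caveats a practitioner should know. First, AWS creates this service-linked role automatically the first time an Auto Scaling group is created in an account, so in an account that already has one the resource above fails with an "already exists" error and has to be brought under management with terraform import instead of being created. Second, KMS stores IAM principals by their unique ID: if the role is later deleted and recreated, the policy statement no longer matches the new role even though the ARN reads the same, so the key policy has to be re-applied after such a recreation.
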
ArchiFleKs (Member) commented

@applike-ss You should also be able to disable the use of KMS and encryption altogether for EBS CSI https://github.com/particuleio/terraform-kubernetes-addons/blob/main/modules/aws/aws-ebs-csi-driver.tf#L26, if not could you raise a bug in the addons module please?

applike-ss (Contributor, Author) commented

> Hi @applike-ss, if you are managing a new account only via Terraform I think you should create the serviceRole in another module, with the help of https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_service_linked_role

With serviceRole, do you mean the role I let terragrunt assume? I don't see how that gives any more permissions than my current role. Or what is the point in doing that?

> @applike-ss You should also be able to disable the use of KMS and encryption altogether for EBS CSI https://github.com/particuleio/terraform-kubernetes-addons/blob/main/modules/aws/aws-ebs-csi-driver.tf#L26, if not could you raise a bug in the addons module please?

I did disable encryption completely for my testing. However, I assume that due to

    path = "../../../../../../dependency-blocks/encryption-config.hcl"

it always tries to create a KMS key.

ArchiFleKs (Member) commented

Ok, so it seems I misunderstood the issue. If you don't want to use KMS with ebs-csi-driver you can set use_kms to false in addons-critical, but then you need to remove the KMS configuration in eks/terragrunt.hcl so it does not reference the encryption config, and remove the encryption-config folder.

ArchiFleKs self-assigned this Oct 10, 2022
ArchiFleKs added the labels help wanted (Extra attention is needed) and question (Further information is requested) Oct 10, 2022
applike-ss (Contributor, Author) commented

Thanks, I will try that.

applike-ss (Contributor, Author) commented

I removed the encryption config for now and it seems to work nicely this way, thanks.
