
fix: Correct encryption configuration enable logic; avoid creating Auto Mode policy when Auto Mode is not enabled (#3439)

This commit is contained in:
Bryant Biggs
2025-07-25 07:19:45 -05:00
committed by GitHub
parent 41d31db4e2
commit 6b8a3d9477
3 changed files with 7 additions and 9 deletions
+1 -1
@@ -411,7 +411,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
| <a name="input_enable_irsa"></a> [enable\_irsa](#input\_enable\_irsa) | Determines whether to create an OpenID Connect Provider for EKS to enable IRSA | `bool` | `true` | no | | <a name="input_enable_irsa"></a> [enable\_irsa](#input\_enable\_irsa) | Determines whether to create an OpenID Connect Provider for EKS to enable IRSA | `bool` | `true` | no |
| <a name="input_enable_kms_key_rotation"></a> [enable\_kms\_key\_rotation](#input\_enable\_kms\_key\_rotation) | Specifies whether key rotation is enabled | `bool` | `true` | no | | <a name="input_enable_kms_key_rotation"></a> [enable\_kms\_key\_rotation](#input\_enable\_kms\_key\_rotation) | Specifies whether key rotation is enabled | `bool` | `true` | no |
| <a name="input_enabled_log_types"></a> [enabled\_log\_types](#input\_enabled\_log\_types) | A list of the desired control plane logs to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` | <pre>[<br/> "audit",<br/> "api",<br/> "authenticator"<br/>]</pre> | no | | <a name="input_enabled_log_types"></a> [enabled\_log\_types](#input\_enabled\_log\_types) | A list of the desired control plane logs to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` | <pre>[<br/> "audit",<br/> "api",<br/> "authenticator"<br/>]</pre> | no |
| <a name="input_encryption_config"></a> [encryption\_config](#input\_encryption\_config) | Configuration block with encryption configuration for the cluster | <pre>object({<br/> provider_key_arn = optional(string)<br/> resources = optional(list(string))<br/> })</pre> | <pre>{<br/> "resources": [<br/> "secrets"<br/> ]<br/>}</pre> | no | | <a name="input_encryption_config"></a> [encryption\_config](#input\_encryption\_config) | Configuration block with encryption configuration for the cluster | <pre>object({<br/> provider_key_arn = optional(string)<br/> resources = optional(list(string), ["secrets"])<br/> })</pre> | `{}` | no |
| <a name="input_encryption_policy_description"></a> [encryption\_policy\_description](#input\_encryption\_policy\_description) | Description of the cluster encryption policy created | `string` | `"Cluster encryption policy to allow cluster role to utilize CMK provided"` | no | | <a name="input_encryption_policy_description"></a> [encryption\_policy\_description](#input\_encryption\_policy\_description) | Description of the cluster encryption policy created | `string` | `"Cluster encryption policy to allow cluster role to utilize CMK provided"` | no |
| <a name="input_encryption_policy_name"></a> [encryption\_policy\_name](#input\_encryption\_policy\_name) | Name to use on cluster encryption policy created | `string` | `null` | no | | <a name="input_encryption_policy_name"></a> [encryption\_policy\_name](#input\_encryption\_policy\_name) | Name to use on cluster encryption policy created | `string` | `null` | no |
| <a name="input_encryption_policy_path"></a> [encryption\_policy\_path](#input\_encryption\_policy\_path) | Cluster encryption policy path | `string` | `null` | no | | <a name="input_encryption_policy_path"></a> [encryption\_policy\_path](#input\_encryption\_policy\_path) | Cluster encryption policy path | `string` | `null` | no |
+4 -4
@@ -24,7 +24,7 @@ locals {
role_arn = try(aws_iam_role.this[0].arn, var.iam_role_arn) role_arn = try(aws_iam_role.this[0].arn, var.iam_role_arn)
create_outposts_local_cluster = var.outpost_config != null create_outposts_local_cluster = var.outpost_config != null
enable_encryption_config = length(var.encryption_config) > 0 && !local.create_outposts_local_cluster enable_encryption_config = var.encryption_config != null && !local.create_outposts_local_cluster
auto_mode_enabled = try(var.compute_config.enabled, false) auto_mode_enabled = try(var.compute_config.enabled, false)
} }
@@ -590,7 +590,7 @@ resource "aws_iam_policy" "cluster_encryption" {
} }
data "aws_iam_policy_document" "custom" { data "aws_iam_policy_document" "custom" {
count = local.create_iam_role && var.enable_auto_mode_custom_tags ? 1 : 0 count = local.create_iam_role && local.auto_mode_enabled && var.enable_auto_mode_custom_tags ? 1 : 0
dynamic "statement" { dynamic "statement" {
for_each = var.enable_auto_mode_custom_tags ? [1] : [] for_each = var.enable_auto_mode_custom_tags ? [1] : []
@@ -724,7 +724,7 @@ data "aws_iam_policy_document" "custom" {
} }
resource "aws_iam_policy" "custom" { resource "aws_iam_policy" "custom" {
count = local.create_iam_role && var.enable_auto_mode_custom_tags ? 1 : 0 count = local.create_iam_role && local.auto_mode_enabled && var.enable_auto_mode_custom_tags ? 1 : 0
name = var.iam_role_use_name_prefix ? null : local.iam_role_name name = var.iam_role_use_name_prefix ? null : local.iam_role_name
name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null
@@ -737,7 +737,7 @@ resource "aws_iam_policy" "custom" {
} }
resource "aws_iam_role_policy_attachment" "custom" { resource "aws_iam_role_policy_attachment" "custom" {
count = local.create_iam_role && var.enable_auto_mode_custom_tags ? 1 : 0 count = local.create_iam_role && local.auto_mode_enabled && var.enable_auto_mode_custom_tags ? 1 : 0
policy_arn = aws_iam_policy.custom[0].arn policy_arn = aws_iam_policy.custom[0].arn
role = aws_iam_role.this[0].name role = aws_iam_role.this[0].name
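Review bot: In the first hunk, `enable_encryption_config = var.encryption_config != null && !local.create_outposts_local_cluster` turns secrets envelope encryption on for every non-Outposts cluster by default, because the variable's new default is the non-null object `{}`; the only way to opt out is now to pass `encryption_config = null` explicitly, and nothing on the line says so. A comment on the local would make that contract visible to the next reader, e.g. `# Enabled by default (var.encryption_config defaults to {}); set encryption_config = null to opt out. Not supported on Outposts local clusters.`. In the remaining three hunks the same `local.create_iam_role && local.auto_mode_enabled && var.enable_auto_mode_custom_tags` expression is repeated on the data source, the policy and the attachment; folding it into one local (for example `create_auto_mode_custom_policy`) in the `locals` block would keep the three counts from drifting apart again, which is exactly the class of mistake this commit fixes. The `dynamic "statement"` block's `for_each = var.enable_auto_mode_custom_tags ? [1] : []` is now redundant with the count gate and can be noted as such. Each of these resources continues outside the hunks shown.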
+2 -4
@@ -165,11 +165,9 @@ variable "encryption_config" {
description = "Configuration block with encryption configuration for the cluster" description = "Configuration block with encryption configuration for the cluster"
type = object({ type = object({
provider_key_arn = optional(string) provider_key_arn = optional(string)
resources = optional(list(string)) resources = optional(list(string), ["secrets"])
}) })
default = { default = {}
resources = ["secrets"]
}
} }
variable "attach_encryption_policy" { variable "attach_encryption_policy" {
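Review bot: The `description` of `encryption_config` is unchanged even though its semantics changed: with `default = {}` and `resources = optional(list(string), ["secrets"])`, the default is now an enabled configuration, and `null` becomes the opt-out value, which the variable docs do not state. I would extend the description to `"Configuration block with encryption configuration for the cluster. Defaults to encrypting secrets; set to null to disable envelope encryption (not supported on Outposts local clusters)"`. It would also help to say what happens when `provider_key_arn` is left null — presumably a module-managed KMS key is used, but that is decided outside this hunk and should be confirmed before documenting it.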