feat: updated cmk module and created localstack example

2026-02-25 14:14:06 +08:00
parent 89069b105b
commit 52025a27d6
7 changed files with 110 additions and 6 deletions
@@ -44,7 +44,7 @@ resource "aws_kms_key" "storage" {
 # Key use for EBS volumes on EKS nodes
 resource "aws_kms_key" "eks_ebs" {
  count                              = var.create-eksebs-key ? 1 : 0
-  description                        = "CMK for use with ENS volumes on EKS nodes"
+  description                        = "CMK for use with EBS volumes on EKS nodes"
  enable_key_rotation                = var.enable_key_rotation
  rotation_period_in_days            = var.rotation_period_in_days
  is_enabled                         = var.is_enabled
@@ -307,9 +307,24 @@ data "aws_iam_policy_document" "rds" {
  }
 }

-data "aws_iam_role" "asg-service-linked-role" {
-  count = var.create-eksebs-key ? 1 : 0
-  name  = "AWSServiceRoleForAutoScaling"
+# create an ASG service linked role if not already exist
+data "aws_iam_roles" "autoscaling" {
+  count      = var.create_asg_role ? 0 : 1
+  name_regex = "^AWSServiceRoleForAutoScaling$"
+}
+
+resource "aws_iam_service_linked_role" "autoscaling" {
+  count            = var.create_asg_role ? 1 : 0
+  aws_service_name = "autoscaling.amazonaws.com"
+  description      = "Service-linked role for AutoScaling"
+}
+
+locals {
+  AsgServiceRoleArn = try(aws_iam_service_linked_role.autoscaling[0].arn, one(data.aws_iam_roles.autoscaling[0].arns))
+}
+
+output "debug" {
+  value = local.AsgServiceRoleArn
 }

 data "aws_iam_policy_document" "eksebs" {
@@ -320,7 +335,7 @@ data "aws_iam_policy_document" "eksebs" {
    effect = "Allow"
    principals {
      identifiers = [
-        data.aws_iam_role.asg-service-linked-role[0].arn
+        local.AsgServiceRoleArn
      ]
      type = "AWS"
    }
@@ -339,7 +354,7 @@ data "aws_iam_policy_document" "eksebs" {
    effect = "Allow"
    principals {
      identifiers = [
-        data.aws_iam_role.asg-service-linked-role[0].arn
+        local.AsgServiceRoleArn
      ]
      type = "AWS"
    }
@@ -110,6 +110,12 @@ variable "key_administrator_arn" {
  default     = null
 }

+variable "create_asg_role" {
+  description = "Create service linked role for autoscaling, required in key policy"
+  type        = bool
+  default     = true
+}
+
 ################################################################################
 # Grant
 ################################################################################