feat: patch CMK module and updated EksIp6 module

2026-02-25 18:06:40 +08:00
parent df22fcf46b
commit acd42ff526
7 changed files with 115 additions and 68 deletions
@@ -68,39 +68,6 @@ module "vpc" {
 }

 # EKS resources
-module "CsiPodIdentity" {
-  source      = "../../modules/security_identity_compliance/iam-role-v2"
-  description = "EKSCSIDriverRole"
-  role-name   = "AmazonEBSCSIDriverRole"
-  trusted-entity = jsonencode(
-    {
-      "Version" : "2012-10-17",
-      "Statement" : [
-        {
-          "Effect" : "Allow",
-          "Principal" : {
-            "Service" : "pods.eks.amazonaws.com"
-          },
-          "Action" : [
-            "sts:AssumeRole",
-            "sts:TagSession"
-          ]
-        }
-      ]
-    }
-  )
-}
-
-# 2 policies are required for the ebs csi to work
-resource "aws_iam_role_policy_attachment" "CsiPodIdentity" {
-  for_each = toset([
-    "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
-    "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
-  ])
-  role       = module.CsiPodIdentity.name
-  policy_arn = each.value
-}
-
 locals {
  userdata = <<EOT
 MIME-Version: 1.0
@@ -147,6 +114,8 @@ resource "aws_launch_template" "node_lt" {
    ebs {
      volume_size = 20
      volume_type = "gp3"
+      encrypted   = true
+      kms_key_id  = module.KmsKeys.cmks.eksebs.arn
    }
  }
  # must not specify this # image_id  = data.aws_ami.eks_worker.id
@@ -190,21 +159,28 @@ module "eks" {
      source_security_group_id = module.bastion-sg.id
    }
  }
-  vpc_id                      = module.vpc.vpc_id
-  subnet_ids                  = module.vpc.private_subnets
-  ip_family                   = "ipv6"
-  create_cni_ipv6_iam_policy  = true
-  create_kms_key              = true
-  endpoint_private_access     = true
-  endpoint_public_access      = false
-  enable_irsa                 = false
-  create_cloudwatch_log_group = false
-  create_node_security_group  = true
+  vpc_id                                 = module.vpc.vpc_id
+  subnet_ids                             = module.vpc.private_subnets
+  ip_family                              = "ipv6"
+  create_cni_ipv6_iam_policy             = true
+  create_kms_key                         = false
+  create_cloudwatch_log_group            = true
+  cloudwatch_log_group_kms_key_id        = module.KmsKeys.cmks.log.arn
+  cloudwatch_log_group_retention_in_days = 14
+  endpoint_private_access                = true
+  endpoint_public_access                 = false
+  enable_irsa                            = false
+  create_node_security_group             = true
  # authentication_mode         = "API_AND_CONFIG_MAP" # use access entries and leave this to default
  upgrade_policy = {
    support_type = "STANDARD"
  }

+  encryption_config = {
+    resources        = ["secrets"]
+    provider_key_arn = module.KmsKeys.cmks.secret.arn
+  }
+
  addons = {
    coredns = {}
    eks-pod-identity-agent = {
@@ -294,4 +270,25 @@ resource "aws_security_group_rule" "eks_node_alb_ingress" {
  security_group_id = module.eks.node_security_group_id
  ipv6_cidr_blocks  = [module.vpc.vpc_ipv6_cidr_block]
  description       = "ALB to nginx pods port 80"
+}
+
+
+# CMK for encryption
+
+module "KmsKeys" {
+  source = "../modules/security_identity_compliance/CustomerManagedKmsKeys"
+
+  rotation_period_in_days = 180
+  enable_key_rotation     = true
+  deletion_window_in_days = 7
+  name-prefix             = "${var.environment}-${var.project}"
+  create_asg_role         = false
+  create-allpurpose-key   = false
+  create-backup-key       = false
+  create-database-key     = false
+  create-eksebs-key       = true
+  create-log-key          = true
+  create-notify-key       = false
+  create-secret-key       = true
+  create-storage-key      = false
 }