policies.tf
98 lines (88 loc) · 2.47 KB
# Trust (assume-role) policy for the EKS control-plane role.
# Only the EKS service principal may call sts:AssumeRole on it.
data "aws_iam_policy_document" "eks_assume_role_policy" {
  statement {
    sid     = "EKSClusterAssumeRole"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    # The service principal is built from the current partition's DNS suffix
    # so the document remains correct outside the commercial partition.
    principals {
      type        = "Service"
      identifiers = ["eks.${data.aws_partition.current.dns_suffix}"]
    }
  }
}
# Trust (assume-role) policy for the EKS worker-node role.
# Only the EC2 service principal (instance profile) may call sts:AssumeRole on it.
data "aws_iam_policy_document" "ec2_assume_role_policy" {
  statement {
    sid     = "EKSNodeAssumeRole"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    # Partition-aware service principal, same pattern as the cluster trust policy.
    principals {
      type        = "Service"
      identifiers = ["ec2.${data.aws_partition.current.dns_suffix}"]
    }
  }
}
# Key policy for the CMK that encrypts EKS root volumes. It lets the ASG
# service-linked role and the cluster role encrypt/decrypt with the key and
# create grants for AWS-managed attachments of encrypted EBS volumes.
data "aws_iam_policy_document" "kms_ebs" {
  # Required for EKS
  # "*" is the only valid Resource in a KMS key policy: it means "this key",
  # not "every key", which is why the checkov findings below are suppressed.
  #checkov:skip=CKV_AWS_109:This is a resource policy
  #checkov:skip=CKV_AWS_111:This is a resource policy
  #checkov:skip=CKV_AWS_356:Ensure IAM policies limit resource access

  # Cryptographic operations on the key.
  statement {
    sid    = "Allow service-linked role use of the CMK"
    effect = "Allow"

    resources = ["*"]

    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey"
    ]

    principals {
      type = "AWS"
      identifiers = [
        local.asg_role,           # required for the ASG to manage encrypted volumes for nodes
        aws_iam_role.cluster.arn, # required for the cluster / persistentvolume-controller to create encrypted PVCs
      ]
    }
  }

  # Grant creation, restricted to grants made on behalf of an AWS service
  # (EC2/EBS attaching volumes) via the kms:GrantIsForAWSResource condition.
  statement {
    sid    = "Allow attachment of persistent resources"
    effect = "Allow"

    resources = ["*"]
    actions   = ["kms:CreateGrant"]

    principals {
      type = "AWS"
      identifiers = [
        local.asg_role,           # required for the ASG to manage encrypted volumes for nodes
        aws_iam_role.cluster.arn, # required for the cluster / persistentvolume-controller to create encrypted PVCs
      ]
    }

    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}
# Identity policy for the EBS CSI driver: grant management and cryptographic
# use of the EBS CMK, scoped to that single key ARN.
data "aws_iam_policy_document" "kms_csi_ebs" {
  # Grant lifecycle, limited to grants created for an AWS resource.
  statement {
    effect    = "Allow"
    resources = [module.kms_ebs.key_arn]

    actions = [
      "kms:CreateGrant",
      "kms:ListGrants",
      "kms:RevokeGrant",
    ]

    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }

  # Data-key and encrypt/decrypt operations on the same key.
  statement {
    effect    = "Allow"
    resources = [module.kms_ebs.key_arn]

    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
    ]
  }
}