chore: Update examples with KMS

examples/named_cluster/disk_encryption_set.tf

@@ -1,41 +1,3 @@
-data "azurerm_client_config" "current" {}
-
-resource "random_string" "key_vault_prefix" {
-  length  = 6
-  special = false
-  upper   = false
-  numeric = false
-}
-
-data "curl" "public_ip" {
-  count = var.key_vault_firewall_bypass_ip_cidr == null ? 1 : 0
-
-  http_method = "GET"
-  uri         = "https://api.ipify.org?format=json"
-}
-
-locals {
-  # We cannot use coalesce here because it's not short-circuit and public_ip's index will cause error
-  public_ip = var.key_vault_firewall_bypass_ip_cidr == null ? jsondecode(data.curl.public_ip[0].response).ip : var.key_vault_firewall_bypass_ip_cidr
-}
-
-resource "azurerm_key_vault" "des_vault" {
-  location                    = local.resource_group.location
-  name                        = "${random_string.key_vault_prefix.result}-des-keyvault"
-  resource_group_name         = local.resource_group.name
-  sku_name                    = "premium"
-  tenant_id                   = data.azurerm_client_config.current.tenant_id
-  enabled_for_disk_encryption = true
-  purge_protection_enabled    = true
-  soft_delete_retention_days  = 7
-
-  network_acls {
-    bypass         = "AzureServices"
-    default_action = "Deny"
-    ip_rules       = [local.public_ip]
-  }
-}
-
 resource "azurerm_key_vault_key" "des_key" {
   key_opts = [
     "decrypt",
@@ -81,14 +43,3 @@ resource "azurerm_key_vault_access_policy" "des" {
     "UnwrapKey"
   ]
 }
-
-resource "azurerm_key_vault_access_policy" "current_user" {
-  key_vault_id = azurerm_key_vault.des_vault.id
-  object_id    = coalesce(var.managed_identity_principal_id, data.azurerm_client_config.current.object_id)
-  tenant_id    = data.azurerm_client_config.current.tenant_id
-  key_permissions = [
-    "Get",
-    "Create",
-    "Delete",
-  ]
-}

examples/named_cluster/key_vault.tf

@@ -0,0 +1,48 @@
+data "azurerm_client_config" "current" {}
+
+resource "random_string" "key_vault_prefix" {
+  length  = 6
+  special = false
+  upper   = false
+  numeric = false
+}
+
+data "curl" "public_ip" {
+  count = var.key_vault_firewall_bypass_ip_cidr == null ? 1 : 0
+
+  http_method = "GET"
+  uri         = "https://api.ipify.org?format=json"
+}
+
+locals {
+  # We cannot use coalesce here because it's not short-circuit and public_ip's index will cause error
+  public_ip = var.key_vault_firewall_bypass_ip_cidr == null ? jsondecode(data.curl.public_ip[0].response).ip : var.key_vault_firewall_bypass_ip_cidr
+}
+
+resource "azurerm_key_vault" "des_vault" {
+  location                    = local.resource_group.location
+  name                        = "${random_string.key_vault_prefix.result}-des-keyvault"
+  resource_group_name         = local.resource_group.name
+  sku_name                    = "premium"
+  tenant_id                   = data.azurerm_client_config.current.tenant_id
+  enabled_for_disk_encryption = true
+  purge_protection_enabled    = true
+  soft_delete_retention_days  = 7
+
+  network_acls {
+    bypass         = "AzureServices"
+    default_action = "Deny"
+    ip_rules       = [local.public_ip]
+  }
+}
+
+resource "azurerm_key_vault_access_policy" "current_user" {
+  key_vault_id = azurerm_key_vault.des_vault.id
+  object_id    = coalesce(var.managed_identity_principal_id, data.azurerm_client_config.current.object_id)
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  key_permissions = [
+    "Get",
+    "Create",
+    "Delete",
+  ]
+}

examples/named_cluster/kms.tf

@@ -0,0 +1,29 @@
+resource "azurerm_key_vault_key" "kms" {
+  name         = "etcd-encryption"
+  key_vault_id = azurerm_key_vault.des_vault.id
+  key_type     = "RSA"
+  key_size     = 2048
+
+  key_opts = [
+    "decrypt",
+    "encrypt",
+    "sign",
+    "unwrapKey",
+    "verify",
+    "wrapKey",
+  ]
+
+  depends_on = [
+    azurerm_key_vault_access_policy.current_user
+  ]
+}
+
+resource "azurerm_key_vault_access_policy" "kms" {
+  key_vault_id = azurerm_key_vault.des_vault.id
+  object_id    = azurerm_user_assigned_identity.test.id
+  tenant_id    = azurerm_user_assigned_identity.test.tenant_id
+  key_permissions = [
+    "Decrypt",
+    "Encrypt",
+  ]
+}

examples/named_cluster/main.tf

@@ -46,6 +46,12 @@ resource "azurerm_log_analytics_workspace" "main" {
   sku                 = "PerGB2018"
 }
 
+resource "azurerm_user_assigned_identity" "test" {
+  location            = local.resource_group.location
+  name                = "${random_id.prefix.hex}-control-plane" # The resource name must begin with a letter or a number and with a length between 3 to 128. Can contain '-' and '_'.
+  resource_group_name = local.resource_group.name
+}
+
 module "aks_cluster_name" {
   source = "../.."
 

examples/startup/disk_encryption_set.tf

@@ -1,41 +1,3 @@
-data "azurerm_client_config" "current" {}
-
-resource "random_string" "key_vault_prefix" {
-  length  = 6
-  special = false
-  upper   = false
-  numeric = false
-}
-
-data "curl" "public_ip" {
-  count = var.key_vault_firewall_bypass_ip_cidr == null ? 1 : 0
-
-  http_method = "GET"
-  uri         = "https://api.ipify.org?format=json"
-}
-
-locals {
-  # We cannot use coalesce here because it's not short-circuit and public_ip's index will cause error
-  public_ip = var.key_vault_firewall_bypass_ip_cidr == null ? jsondecode(data.curl.public_ip[0].response).ip : var.key_vault_firewall_bypass_ip_cidr
-}
-
-resource "azurerm_key_vault" "des_vault" {
-  location                    = local.resource_group.location
-  name                        = "${random_string.key_vault_prefix.result}-des-keyvault"
-  resource_group_name         = local.resource_group.name
-  sku_name                    = "premium"
-  tenant_id                   = data.azurerm_client_config.current.tenant_id
-  enabled_for_disk_encryption = true
-  purge_protection_enabled    = true
-  soft_delete_retention_days  = 7
-
-  network_acls {
-    bypass         = "AzureServices"
-    default_action = "Deny"
-    ip_rules       = [local.public_ip]
-  }
-}
-
 resource "azurerm_key_vault_key" "des_key" {
   key_opts = [
     "decrypt",
@@ -81,14 +43,3 @@ resource "azurerm_key_vault_access_policy" "des" {
     "UnwrapKey"
   ]
 }
-
-resource "azurerm_key_vault_access_policy" "current_user" {
-  key_vault_id = azurerm_key_vault.des_vault.id
-  object_id    = coalesce(var.managed_identity_principal_id, data.azurerm_client_config.current.object_id)
-  tenant_id    = data.azurerm_client_config.current.tenant_id
-  key_permissions = [
-    "Get",
-    "Create",
-    "Delete",
-  ]
-}

examples/startup/key_vault.tf

@@ -0,0 +1,49 @@
+data "azurerm_client_config" "current" {}
+
+resource "random_string" "key_vault_prefix" {
+  length  = 6
+  special = false
+  upper   = false
+  numeric = false
+}
+
+data "curl" "public_ip" {
+  count = var.key_vault_firewall_bypass_ip_cidr == null ? 1 : 0
+
+  http_method = "GET"
+  uri         = "https://api.ipify.org?format=json"
+}
+
+locals {
+  # We cannot use coalesce here because it's not short-circuit and public_ip's index will cause error
+  public_ip = var.key_vault_firewall_bypass_ip_cidr == null ? jsondecode(data.curl.public_ip[0].response).ip : var.key_vault_firewall_bypass_ip_cidr
+}
+
+resource "azurerm_key_vault" "des_vault" {
+  location                    = local.resource_group.location
+  name                        = "${random_string.key_vault_prefix.result}-des-keyvault"
+  resource_group_name         = local.resource_group.name
+  sku_name                    = "premium"
+  tenant_id                   = data.azurerm_client_config.current.tenant_id
+  enabled_for_disk_encryption = true
+  purge_protection_enabled    = true
+  soft_delete_retention_days  = 7
+  enable_rbac_authorization   = true
+
+  network_acls {
+    bypass         = "AzureServices"
+    default_action = "Deny"
+    ip_rules       = [local.public_ip]
+  }
+}
+
+resource "azurerm_key_vault_access_policy" "current_user" {
+  key_vault_id = azurerm_key_vault.des_vault.id
+  object_id    = coalesce(var.managed_identity_principal_id, data.azurerm_client_config.current.object_id)
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  key_permissions = [
+    "Get",
+    "Create",
+    "Delete",
+  ]
+}

examples/startup/kms.tf

@@ -0,0 +1,27 @@
+resource "azurerm_key_vault_key" "kms" {
+  name         = "${var.cluster_name}-etcd-encryption"
+  key_vault_id = azurerm_key_vault.kv_storage_byok.id
+  key_type     = "RSA"
+  key_size     = 2048
+
+  key_opts = [
+    "decrypt",
+    "encrypt",
+    "sign",
+    "unwrapKey",
+    "verify",
+    "wrapKey",
+  ]
+
+  depends_on = [azurerm_role_assignment.kv_admin]
+}
+
+resource "azurerm_key_vault_access_policy" "kms" {
+  key_vault_id = azurerm_key_vault.des_vault.id
+  object_id    = azurerm_user_assigned_identity.test.id
+  tenant_id    = azurerm_user_assigned_identity.test.tenant_id
+  key_permissions = [
+    "Decrypt",
+    "Encrypt",
+  ]
+}

examples/startup/main.tf

@@ -31,6 +31,12 @@ resource "azurerm_subnet" "test" {
   enforce_private_link_endpoint_network_policies = true
 }
 
+resource "azurerm_user_assigned_identity" "test" {
+  location            = local.resource_group.location
+  name                = "${random_id.prefix.hex}-control-plane" # The resource name must begin with a letter or a number and with a length between 3 to 128. Can contain '-' and '_'.
+  resource_group_name = local.resource_group.name
+}
+
 module "aks" {
   source = "../.."
 
@@ -84,6 +90,12 @@ module "aks" {
   sku_tier                          = "Paid"
   vnet_subnet_id                    = azurerm_subnet.test.id
 
+  # KMS encrption
+  identity_type         = "UserAssigned"
+  identity_ids          = [azurerm_user_assigned_identity.test.id]
+  key_vault_kms_enabled = true
+  key_vault_kms_key_id  = azurerm_key_vault_key.kms.id
+
   agents_labels = {
     "node1" : "label1"
   }

examples/without_monitor/disk_encryption_set.tf

@@ -1,41 +1,3 @@
-data "azurerm_client_config" "current" {}
-
-resource "random_string" "key_vault_prefix" {
-  length  = 6
-  special = false
-  upper   = false
-  numeric = false
-}
-
-data "curl" "public_ip" {
-  count = var.key_vault_firewall_bypass_ip_cidr == null ? 1 : 0
-
-  http_method = "GET"
-  uri         = "https://api.ipify.org?format=json"
-}
-
-locals {
-  # We cannot use coalesce here because it's not short-circuit and public_ip's index will cause error
-  public_ip = var.key_vault_firewall_bypass_ip_cidr == null ? jsondecode(data.curl.public_ip[0].response).ip : var.key_vault_firewall_bypass_ip_cidr
-}
-
-resource "azurerm_key_vault" "des_vault" {
-  location                    = local.resource_group.location
-  name                        = "${random_string.key_vault_prefix.result}-des-keyvault"
-  resource_group_name         = local.resource_group.name
-  sku_name                    = "premium"
-  tenant_id                   = data.azurerm_client_config.current.tenant_id
-  enabled_for_disk_encryption = true
-  purge_protection_enabled    = true
-  soft_delete_retention_days  = 7
-
-  network_acls {
-    bypass         = "AzureServices"
-    default_action = "Deny"
-    ip_rules       = [local.public_ip]
-  }
-}
-
 resource "azurerm_key_vault_key" "des_key" {
   key_opts = [
     "decrypt",
@@ -81,14 +43,3 @@ resource "azurerm_key_vault_access_policy" "des" {
     "UnwrapKey"
   ]
 }
-
-resource "azurerm_key_vault_access_policy" "current_user" {
-  key_vault_id = azurerm_key_vault.des_vault.id
-  object_id    = coalesce(var.managed_identity_principal_id, data.azurerm_client_config.current.object_id)
-  tenant_id    = data.azurerm_client_config.current.tenant_id
-  key_permissions = [
-    "Get",
-    "Create",
-    "Delete",
-  ]
-}