
Customize name of aws_iam_policy.cluster_encryption #1927

Closed
romogo17 opened this issue Mar 8, 2022 · 6 comments · Fixed by #1928

Comments

@romogo17

romogo17 commented Mar 8, 2022

Hi team, in #1915 a new IAM Policy was added that grants the Cluster Role permissions on the KMS used for the cluster encryption.

terraform-aws-eks/main.tf

Lines 230 to 254 in 27f99f0

```hcl
resource "aws_iam_policy" "cluster_encryption" {
  count = local.create_iam_role && var.attach_cluster_encryption_policy && length(var.cluster_encryption_config) > 0 ? 1 : 0

  name_prefix = "${local.iam_role_name}-ClusterEncryption-"
  description = "Cluster encryption policy to allow cluster role to utilize CMK provided"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ListGrants",
          "kms:DescribeKey",
        ]
        Effect = "Allow"
        # TODO - does cluster_encryption_config need to be a list?!
        Resource = [for config in var.cluster_encryption_config : config.provider_key_arn]
      },
    ]
  })

  tags = var.tags
}
```

However, the name of this IAM Policy is always based on the role name.
In my organization, there's an enforcement of different prefixes for both role and policy names.

Would it be possible to add cluster_encryption_policy_use_name_prefix and cluster_encryption_policy_name variables (in a similar fashion to how it works for the cluster role name) for this resource as well?

```hcl
  name        = var.cluster_encryption_policy_use_name_prefix ? null : local.cluster_encryption_policy_name
  name_prefix = var.cluster_encryption_policy_use_name_prefix ? "${local.iam_role_name}-ClusterEncryption-" : null
```
@bryantbiggs
Member

It's a role policy (i.e. - inline policy) and it's pretty common/standard to name it the same as the role. However, you should be able to get around this by setting attach_cluster_encryption_policy = false and then attaching a policy that meets your organization's naming requirements (odd requirement but hey - to each their own).
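As an added example (not the module's code and not either commenter's), here is the workaround from the reply above written out in the caller's root module, combined with the name/name_prefix toggle the issue proposes: the module is told to skip its own policy with `attach_cluster_encryption_policy = false`, and a policy carrying the organization's policy prefix is created and attached to the cluster role the module creates. The module version pin, the `org-pol-`/`org-role-` prefixes, the local names, the KMS key, and the `vpc_id`/`subnet_ids` inputs are assumptions for illustration; `cluster_encryption_config` is given in the list form the v18 module used at the time of this issue.

```hcl
# Added example, not the module's own code. Assumed: org naming prefixes,
# module version pin, key settings, and the vpc_id/subnet_ids inputs.

variable "vpc_id" { type = string }
variable "subnet_ids" { type = list(string) }

locals {
  cluster_name = "demo"

  # Assumed organization rule: roles and policies carry different prefixes.
  role_name          = "org-role-${local.cluster_name}-eks-cluster"
  policy_name_prefix = "org-pol-"

  # The toggle the issue asks for: exact name, or prefix with a random suffix.
  encryption_policy_use_name_prefix = false
  encryption_policy_name            = "${local.policy_name_prefix}${local.cluster_name}-eks-cluster-encryption"
}

resource "aws_kms_key" "eks" {
  description             = "EKS secrets envelope encryption for ${local.cluster_name}"
  enable_key_rotation     = true
  deletion_window_in_days = 7
}

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 18.9"

  cluster_name    = local.cluster_name
  cluster_version = "1.21"
  vpc_id          = var.vpc_id
  subnet_ids      = var.subnet_ids

  # Cluster role name follows the role prefix rule.
  iam_role_name            = local.role_name
  iam_role_use_name_prefix = false

  cluster_encryption_config = [{
    provider_key_arn = aws_kms_key.eks.arn
    resources        = ["secrets"]
  }]

  # Workaround from the reply above: the module does not create/attach
  # its own "<role>-ClusterEncryption-" policy.
  attach_cluster_encryption_policy = false
}

# Same permissions the module's policy grants, scoped to the single CMK
# (never "*"), so the cluster role can only use this key.
data "aws_iam_policy_document" "cluster_encryption" {
  statement {
    sid = "ClusterEncryption"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ListGrants",
      "kms:DescribeKey",
    ]
    resources = [aws_kms_key.eks.arn]
  }
}

resource "aws_iam_policy" "cluster_encryption" {
  # name and name_prefix are mutually exclusive on aws_iam_policy:
  # exactly one is set, the other is null.
  name        = local.encryption_policy_use_name_prefix ? null : local.encryption_policy_name
  name_prefix = local.encryption_policy_use_name_prefix ? "${local.encryption_policy_name}-" : null
  description = "Allow the EKS cluster role to use the CMK for secrets encryption"
  policy      = data.aws_iam_policy_document.cluster_encryption.json
}

# Attach the managed policy to the role the module created.
resource "aws_iam_role_policy_attachment" "cluster_encryption" {
  role       = module.eks.cluster_iam_role_name
  policy_arn = aws_iam_policy.cluster_encryption.arn
}
```

Two checks before applying: the key's key policy must allow IAM policies in the account to grant access (the provider's default key policy does; a custom key policy that drops the account-root statement will make the attachment ineffective), and when `name_prefix` is used AWS appends a random suffix, so keep the prefix well under the 128-character IAM policy name limit.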

@romogo17
Author

romogo17 commented Mar 8, 2022

isn't the resource for inline policies aws_iam_role_policy instead of aws_iam_policy?

@bryantbiggs
Member

Ah yes, you are correct - mobile for the win failure. Let me see what we can do.

@antonbabenko
Member

This issue has been resolved in version 18.9.0 🎉

@romogo17
Author

romogo17 commented Mar 9, 2022

Awesome guys. Thanks!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 13, 2022