removed kms
malibora committed Oct 31, 2023
1 parent ada0d49 commit 5ee70ac
Showing 4 changed files with 0 additions and 37 deletions.
10 changes: 0 additions & 10 deletions README.md
Expand Up @@ -154,8 +154,6 @@ No modules.
| [random_string.unique_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
| [nebius_iam_service_account.master](https://registry.terraform.io/providers/nebius-cloud/nebius/latest/docs/resources/iam_service_account) | resource |
| [nebius_iam_service_account.node_account](https://registry.terraform.io/providers/nebius-cloud/nebius/latest/docs/resources/iam_service_account) | resource |
| [nebius_kms_symmetric_key.kms_key](https://registry.terraform.io/providers/nebius-cloud/nebius/latest/docs/resources/kms_symmetric_key) | resource |
| [nebius_kms_symmetric_key_iam_binding.encrypter_decrypter](https://registry.terraform.io/providers/nebius-cloud/nebius/latest/docs/resources/kms_symmetric_key_iam_binding) | resource |
| [nebius_kubernetes_cluster.kube_cluster](https://registry.terraform.io/providers/nebius-cloud/nebius/latest/docs/resources/kubernetes_cluster) | resource |
| [nebius_kubernetes_node_group.kube_node_groups](https://registry.terraform.io/providers/nebius-cloud/nebius/latest/docs/resources/kubernetes_node_group) | resource |
| [nebius_resourcemanager_folder_iam_member.node_account](https://registry.terraform.io/providers/nebius-cloud/nebius/latest/docs/resources/resourcemanager_folder_iam_member) | resource |
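Review bot: Documentation-only hunk; the two removed rows (`nebius_kms_symmetric_key.kms_key` and `nebius_kms_symmetric_key_iam_binding.encrypter_decrypter`) match the resources dropped from main.tf, so the table stays consistent. The `<a name="input_…">` anchors and resource table layout look terraform-docs generated; regenerate the README from source rather than hand-editing it so later rows do not drift out of sync.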
Expand Down Expand Up @@ -184,15 +182,12 @@ No modules.
| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of a specific Kubernetes cluster. | `string` | `"k8s-cluster"` | no |
| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | Kubernetes cluster version | `string` | `"1.23"` | no |
| <a name="input_container_runtime_type"></a> [container\_runtime\_type](#input\_container\_runtime\_type) | Kubernetes Node Group container runtime type | `string` | `"containerd"` | no |
| <a name="input_create_kms"></a> [create\_kms](#input\_create\_kms) | Flag for enabling or disabling KMS key creation. | `bool` | `true` | no |
| <a name="input_custom_egress_rules"></a> [custom\_egress\_rules](#input\_custom\_egress\_rules) | Map definition of custom security egress rules.<br><br>Example:<pre>custom_egress_rules = {<br> "rule1" = {<br> protocol = "ANY"<br> description = "rule-1"<br> v4_cidr_blocks = ["10.0.1.0/24", "10.0.2.0/24"]<br> from_port = 8090<br> to_port = 8099<br> },<br> "rule2" = {<br> protocol = "UDP"<br> description = "rule-2"<br> v4_cidr_blocks = ["10.0.1.0/24"]<br> from_port = 8090<br> to_port = 8099<br> }<br>}</pre> | `any` | `{}` | no |
| <a name="input_custom_ingress_rules"></a> [custom\_ingress\_rules](#input\_custom\_ingress\_rules) | Map definition of custom security ingress rules.<br><br>Example:<pre>custom_ingress_rules = {<br> "rule1" = {<br> protocol = "TCP"<br> description = "rule-1"<br> v4_cidr_blocks = ["0.0.0.0/0"]<br> from_port = 3000<br> to_port = 32767<br> },<br> "rule2" = {<br> protocol = "TCP"<br> description = "rule-2"<br> v4_cidr_blocks = ["0.0.0.0/0"]<br> port = 443<br> },<br> "rule3" = {<br> protocol = "TCP"<br> description = "rule-3"<br> predefined_target = "self_security_group"<br> from_port = 0<br> to_port = 65535<br> }<br>}</pre> | `any` | `{}` | no |
| <a name="input_description"></a> [description](#input\_description) | Description of the Kubernetes cluster. | `string` | `"Nebius Managed K8S cluster"` | no |
| <a name="input_enable_cilium_policy"></a> [enable\_cilium\_policy](#input\_enable\_cilium\_policy) | Flag for enabling or disabling Cilium CNI. | `bool` | `false` | no |
| <a name="input_enable_default_rules"></a> [enable\_default\_rules](#input\_enable\_default\_rules) | Manages creation of default security rules.<br><br>Default security rules:<br> - Allow all incoming traffic from any protocol.<br> - Allows master-to-node and node-to-node communication inside a security group.<br> - Allows pod-to-pod and service-to-service communication.<br> - Allows debugging ICMP packets from internal subnets.<br> - Allows incomming traffic from the Internet to the NodePort port range.<br> - Allows all outgoing traffic. Nodes can connect to Nebius Container Registry, Nebius Object Storage, Docker Hub, etc.<br> - Allow access to Kubernetes API via port 6443 from the subnet.<br> - Allow access to Kubernetes API via port 443 from the subnet.<br> - Allow access to worker nodes via SSH from the allowed IP range. | `bool` | `true` | no |
| <a name="input_folder_id"></a> [folder\_id](#input\_folder\_id) | The ID of the folder that the Kubernetes cluster belongs to. | `string` | `null` | no |
| <a name="input_kms_key"></a> [kms\_key](#input\_kms\_key) | KMS symmetric key parameters. | `any` | `{}` | no |
| <a name="input_master_auto_upgrade"></a> [master\_auto\_upgrade](#input\_master\_auto\_upgrade) | Boolean flag that specifies if master can be upgraded automatically. | `bool` | `true` | no |
| <a name="input_master_labels"></a> [master\_labels](#input\_master\_labels) | Set of key/value label pairs to assign Kubernetes master nodes. | `map(string)` | `{}` | no |
| <a name="input_master_locations"></a> [master\_locations](#input\_master\_locations) | List of locations where the cluster will be created. If the list contains only one<br>location, a zonal cluster will be created; if there are three locations, this will create a regional cluster.<br><br>Note: The master locations list may only have ONE or THREE locations. | <pre>list(object({<br> zone = string<br> subnet_id = string<br> }))</pre> | n/a | yes |
| <a name="input_master_logging"></a> [master\_logging](#input\_master\_logging) | (Optional) Master logging options. | `map(any)` | <pre>{<br> "enabled": true,<br> "enabled_autoscaler": true,<br> "enabled_events": true,<br> "enabled_kube_apiserver": true,<br> "folder_id": null<br>}</pre> | no |
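Review bot: The removed `create_kms` row documented a default of `true`, while variables.tf carried `default = false` (with a leftover `# changed from y` comment) before this commit, so the README was already stale for this input. Removing both `create_kms` and `kms_key` here is correct; after the change, regenerate the inputs table so the remaining defaults are verified against variables.tf rather than carried over.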
Expand Down Expand Up @@ -250,9 +245,6 @@ No modules.
| [random_string.unique_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
| [nebius_iam_service_account.master](https://registry.terraform.io/providers/nebius-cloud/nebius/latest/docs/resources/iam_service_account) | resource |
| [nebius_iam_service_account.node_account](https://registry.terraform.io/providers/nebius-cloud/nebius/latest/docs/resources/iam_service_account) | resource |
| [nebius_kms_symmetric_key.kms_key](https://registry.terraform.io/providers/nebius-cloud/nebius/latest/docs/resources/kms_symmetric_key) | resource |
| [nebius_kms_symmetric_key_iam_binding.encrypter_decrypter](https://registry.terraform.io/providers/nebius-cloud/nebius/latest/docs/resources/kms_symmetric_key_iam_binding) | resource |
| [nebius_kubernetes_cluster.kube_cluster](https://registry.terraform.io/providers/nebius-cloud/nebius/latest/docs/resources/kubernetes_cluster) | resource |
| [nebius_kubernetes_node_group.kube_node_groups](https://registry.terraform.io/providers/nebius-cloud/nebius/latest/docs/resources/kubernetes_node_group) | resource |
| [nebius_resourcemanager_folder_iam_member.node_account](https://registry.terraform.io/providers/nebius-cloud/nebius/latest/docs/resources/resourcemanager_folder_iam_member) | resource |
| [nebius_resourcemanager_folder_iam_member.sa_calico_network_policy_role](https://registry.terraform.io/providers/nebius-cloud/nebius/latest/docs/resources/resourcemanager_folder_iam_member) | resource |
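Review bot: This is a second copy of the resources table at line 250, edited identically to the one at line 154. Two hand-maintained copies of the same generated table are a maintenance risk; either confirm both sections are intentional (for example one per documented example) and say so in the README, or consolidate them into one.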
Expand Down Expand Up @@ -280,14 +272,12 @@ No modules.
| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of a specific Kubernetes cluster. | `string` | `"k8s-cluster"` | no |
| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | Kubernetes cluster version | `string` | `"1.23"` | no |
| <a name="input_container_runtime_type"></a> [container\_runtime\_type](#input\_container\_runtime\_type) | Kubernetes Node Group container runtime type | `string` | `"containerd"` | no |
| <a name="input_create_kms"></a> [create\_kms](#input\_create\_kms) | Flag for enabling / disabling KMS key creation. | `bool` | `true` | no |
| <a name="input_custom_egress_rules"></a> [custom\_egress\_rules](#input\_custom\_egress\_rules) | A map definition of custom security egress rules.<br><br>Example:<pre>custom_egress_rules = {<br> "rule1" = {<br> protocol = "ANY"<br> description = "rule-1"<br> v4_cidr_blocks = ["10.0.1.0/24", "10.0.2.0/24"]<br> from_port = 8090<br> to_port = 8099<br> },<br> "rule2" = {<br> protocol = "UDP"<br> description = "rule-2"<br> v4_cidr_blocks = ["10.0.1.0/24"]<br> from_port = 8090<br> to_port = 8099<br> }<br>}</pre> | `any` | `{}` | no |
| <a name="input_custom_ingress_rules"></a> [custom\_ingress\_rules](#input\_custom\_ingress\_rules) | A map definition of custom security ingress rules.<br><br>Example:<pre>custom_ingress_rules = {<br> "rule1" = {<br> protocol = "TCP"<br> description = "rule-1"<br> v4_cidr_blocks = ["0.0.0.0/0"]<br> from_port = 3000<br> to_port = 32767<br> },<br> "rule2" = {<br> protocol = "TCP"<br> description = "rule-2"<br> v4_cidr_blocks = ["0.0.0.0/0"]<br> port = 443<br> },<br> "rule3" = {<br> protocol = "TCP"<br> description = "rule-3"<br> predefined_target = "self_security_group"<br> from_port = 0<br> to_port = 65535<br> }<br>}</pre> | `any` | `{}` | no |
| <a name="input_description"></a> [description](#input\_description) | A description of the Kubernetes cluster. | `string` | `"nebius Managed K8S cluster"` | no |
| <a name="input_enable_cilium_policy"></a> [enable\_cilium\_policy](#input\_enable\_cilium\_policy) | Flag for enabling / disabling Cilium CNI. | `bool` | `false` | no |
| <a name="input_enable_default_rules"></a> [enable\_default\_rules](#input\_enable\_default\_rules) | Controls creation of default security rules.<br><br>Default security rules:<br> - allow all incoming traffic from ANY protocol<br> - allows master-node and node-node communication inside a security group<br> - allows pod-pod and service-service communication<br> - allows debugging ICMP packets from internal subnets<br> - allows incomming traffic from the Internet to the NodePort port range<br> - allows all outgoing traffic. Nodes can connect to nebius Container Registry, nebius Object Storage, Docker Hub, and so on<br> - allow access to Kubernetes API via port 6443 from subnet<br> - allow access to Kubernetes API via port 443 from subnet<br> - allow access to worker nodes via SSH from allowed IPs range | `bool` | `true` | no |
| <a name="input_folder_id"></a> [folder\_id](#input\_folder\_id) | The ID of the folder that the Kubernetes cluster belongs to. | `string` | `null` | no |
| <a name="input_kms_key"></a> [kms\_key](#input\_kms\_key) | KMS symmetric key parameters. | `any` | `{}` | no |
| <a name="input_master_auto_upgrade"></a> [master\_auto\_upgrade](#input\_master\_auto\_upgrade) | Boolean flag that specifies if master can be upgraded automatically. | `bool` | `true` | no |
| <a name="input_master_labels"></a> [master\_labels](#input\_master\_labels) | A set of key/value label pairs to assign Kubernetes master nodes. | `map(string)` | `{}` | no |
| <a name="input_master_locations"></a> [master\_locations](#input\_master\_locations) | List of locations where cluster will be created. If list contains only ONE<br>location, will be created Zonal cluster, if THREE - Regional cluster.<br><br>NOTE: Master locations list must have only ONE or THREE locations! | <pre>list(object({<br> zone = string<br> subnet_id = string<br> }))</pre> | n/a | yes |
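Review bot: The unchanged context lines show the two inputs tables disagree with each other outside this change: the `description` default is `"Nebius Managed K8S cluster"` at line 184 and `"nebius Managed K8S cluster"` here, and `create_kms` is documented as default `true` in both tables while variables.tf had `false`. At least one table is stale; consider dropping the duplicate and regenerating the remaining one in the same commit.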
4 changes: 0 additions & 4 deletions examples/example-1-zonal-with-2-ng/main.tf
Expand Up @@ -20,10 +20,6 @@ module "kube" {
]


kms_key = {
name = "kube-regional-kms-key"
}

master_labels = {
environment = "dev"
owner = "example"
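Review bot: Removing `kms_key = { name = "kube-regional-kms-key" }` from the module call is required, since a call passing an argument that no longer exists as a variable fails validation. This commit touches only `examples/example-1-zonal-with-2-ng/main.tf`; check whether any other example directories pass `kms_key` or `create_kms` to the module, because they would break in the same way.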
10 changes: 0 additions & 10 deletions main.tf
Expand Up @@ -9,10 +9,6 @@ locals {

master_locations = length(var.master_locations) > 1 ? [] : var.master_locations

# Resources names with Unique ID
kms_key_name = lookup(var.kms_key, "name", "k8s-kms-key")
kms_key_name_with_id = "${local.kms_key_name}-${random_string.unique_id.result}"

security_groups_list = concat(var.security_groups_ids_list, var.enable_default_rules == true ? [
nebius_vpc_security_group.k8s_main_sg[0].id,
nebius_vpc_security_group.k8s_master_whitelist_sg[0].id,
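Review bot: The removed locals `kms_key_name` and `kms_key_name_with_id` were the visible consumers of `random_string.unique_id.result`, yet the README still lists `random_string.unique_id` as a module resource. Confirm that `random_string.unique_id` is still referenced elsewhere in the module; if the KMS key name was its only use, it is now a dead resource and should be removed with this change. The `# Resources names with Unique ID` comment goes with it, which is fine.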
Expand Down Expand Up @@ -46,12 +42,6 @@ resource "nebius_kubernetes_cluster" "kube_cluster" {
node_service_account_id = nebius_iam_service_account.node_account.id
network_policy_provider = var.enable_cilium_policy ? null : var.network_policy_provider

dynamic "kms_provider" {
for_each = var.create_kms ? compact([try(nebius_kms_symmetric_key.kms_key[local.kms_key_name_with_id].id, null)]) : []
content {
key_id = kms_provider.value
}
}

dynamic "network_implementation" {
for_each = var.enable_cilium_policy ? ["cilium"] : []
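Review bot: Dropping the `kms_provider` block detaches the customer-managed `nebius_kms_symmetric_key` from `nebius_kubernetes_cluster.kube_cluster`, which is a security-relevant change that the commit message ("removed kms") does not explain. State whether the key was unused or whether key management is now expected outside the module, and run `terraform plan` against an existing cluster created with `create_kms = true` to see whether removing `key_id` is applied in place or forces replacement of the cluster before merging.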
13 changes: 0 additions & 13 deletions variables.tf
Expand Up @@ -333,19 +333,6 @@ variable "container_runtime_type" {
}
}

# KMS key
variable "create_kms" {
description = "Flag for enabling or disabling KMS key creation."
type = bool
default = false # changed from y
}

variable "kms_key" {
description = "KMS symmetric key parameters."
type = any
default = {}
}

# Security group
variable "enable_default_rules" {
description = <<-EOF
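Review bot: Deleting `create_kms` and `kms_key` removes two public module inputs, so this is a breaking interface change for every caller that set them, not just a cleanup; it should be called out in the changelog and warrant a major version bump. The removed `default = false # changed from y` also shows the default had been flipped earlier with an unfinished comment left behind, which the deletion resolves.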

0 comments on commit 5ee70ac