Skip to content

Commit bfaa70d

Browse files
Bryce Lowebryantbiggs
Bryce Lowe
and
bryantbiggs
authored
feat: Allow removing KMS and SSM permissions from EKS IRSA external secrets policy (#550)
Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
1 parent f0f2aed commit bfaa70d

File tree

2 files changed

+31
-10
lines changed

2 files changed

+31
-10
lines changed

.pre-commit-config.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
repos:
22
- repo: https://github.com/antonbabenko/pre-commit-terraform
3-
rev: v1.96.3
3+
rev: v1.99.0
44
hooks:
55
- id: terraform_fmt
66
- id: terraform_wrapper_module_for_each

modules/iam-role-for-service-accounts-eks/policies.tf

Lines changed: 30 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -110,6 +110,7 @@ data "aws_iam_policy_document" "cluster_autoscaler" {
110110
dynamic "statement" {
111111
# TODO - remove *_ids at next breaking change
112112
for_each = toset(coalescelist(var.cluster_autoscaler_cluster_ids, var.cluster_autoscaler_cluster_names))
113+
113114
content {
114115
actions = [
115116
"autoscaling:SetDesiredCapacity",
@@ -306,6 +307,7 @@ data "aws_iam_policy_document" "ebs_csi" {
306307

307308
dynamic "statement" {
308309
for_each = length(var.ebs_csi_kms_cmk_ids) > 0 ? [1] : []
310+
309311
content {
310312
actions = [
311313
"kms:CreateGrant",
@@ -325,6 +327,7 @@ data "aws_iam_policy_document" "ebs_csi" {
325327

326328
dynamic "statement" {
327329
for_each = length(var.ebs_csi_kms_cmk_ids) > 0 ? [1] : []
330+
328331
content {
329332
actions = [
330333
"kms:Encrypt",
@@ -455,6 +458,7 @@ data "aws_iam_policy_document" "mountpoint_s3_csi" {
455458

456459
dynamic "statement" {
457460
for_each = length(var.mountpoint_s3_csi_kms_arns) > 0 ? [1] : []
461+
458462
content {
459463
actions = [
460464
"kms:GenerateDataKey",
@@ -539,12 +543,17 @@ data "aws_iam_policy_document" "external_secrets" {
539543
resources = ["*"]
540544
}
541545

542-
statement {
543-
actions = [
544-
"ssm:GetParameter",
545-
"ssm:GetParameters",
546-
]
547-
resources = var.external_secrets_ssm_parameter_arns
546+
dynamic "statement" {
547+
for_each = length(var.external_secrets_ssm_parameter_arns) > 0 ? [1] : []
548+
549+
content {
550+
actions = [
551+
"ssm:GetParameter",
552+
"ssm:GetParameters",
553+
]
554+
555+
resources = var.external_secrets_ssm_parameter_arns
556+
}
548557
}
549558

550559
statement {
@@ -562,13 +571,18 @@ data "aws_iam_policy_document" "external_secrets" {
562571
resources = var.external_secrets_secrets_manager_arns
563572
}
564573

565-
statement {
566-
actions = ["kms:Decrypt"]
567-
resources = var.external_secrets_kms_key_arns
574+
dynamic "statement" {
575+
for_each = length(var.external_secrets_kms_key_arns) > 0 ? [1] : []
576+
577+
content {
578+
actions = ["kms:Decrypt"]
579+
resources = var.external_secrets_kms_key_arns
580+
}
568581
}
569582

570583
dynamic "statement" {
571584
for_each = var.external_secrets_secrets_manager_create_permission ? [1] : []
585+
572586
content {
573587
actions = [
574588
"secretsmanager:CreateSecret",
@@ -581,9 +595,11 @@ data "aws_iam_policy_document" "external_secrets" {
581595

582596
dynamic "statement" {
583597
for_each = var.external_secrets_secrets_manager_create_permission ? [1] : []
598+
584599
content {
585600
actions = ["secretsmanager:DeleteSecret"]
586601
resources = var.external_secrets_secrets_manager_arns
602+
587603
condition {
588604
test = "StringEquals"
589605
variable = "secretsmanager:ResourceTag/managed-by"
@@ -631,6 +647,7 @@ data "aws_iam_policy_document" "fsx_lustre_csi" {
631647
statement {
632648
actions = ["iam:CreateServiceLinkedRole"]
633649
resources = ["*"]
650+
634651
condition {
635652
test = "StringLike"
636653
variable = "iam:AWSServiceName"
@@ -1201,6 +1218,7 @@ data "aws_iam_policy_document" "appmesh_controller" {
12011218
"iam:CreateServiceLinkedRole"
12021219
]
12031220
resources = ["arn:${local.partition}:iam::*:role/aws-service-role/appmesh.${local.dns_suffix}/AWSServiceRoleForAppMesh"]
1221+
12041222
condition {
12051223
test = "StringLike"
12061224
variable = "iam:AWSServiceName"
@@ -1459,6 +1477,7 @@ data "aws_iam_policy_document" "vpc_cni" {
14591477
# arn:${local.partition}:iam::aws:policy/AmazonEKS_CNI_Policy
14601478
dynamic "statement" {
14611479
for_each = var.vpc_cni_enable_ipv4 ? [1] : []
1480+
14621481
content {
14631482
sid = "IPV4"
14641483
actions = [
@@ -1482,6 +1501,7 @@ data "aws_iam_policy_document" "vpc_cni" {
14821501
# https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html#cni-iam-role-create-ipv6-policy
14831502
dynamic "statement" {
14841503
for_each = var.vpc_cni_enable_ipv6 ? [1] : []
1504+
14851505
content {
14861506
sid = "IPV6"
14871507
actions = [
@@ -1498,6 +1518,7 @@ data "aws_iam_policy_document" "vpc_cni" {
14981518
# https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html#cni-network-policy-setup
14991519
dynamic "statement" {
15001520
for_each = var.vpc_cni_enable_cloudwatch_logs ? [1] : []
1521+
15011522
content {
15021523
sid = "CloudWatchLogs"
15031524
actions = [

0 commit comments

Comments
 (0)