feat: Add KMS policy to Velero IAM policy for CMK KMS keys #578
Conversation
|
Hi @bryantbiggs, any chance you could have a look at this one? |
| } | ||
|
|
||
| dynamic "statement" { | ||
| for_each = length(var.velero_s3_kms_key_arns) > 0 ? [1] : [] |
There was a problem hiding this comment.
I don't think this will work if you pass in computed values since those are unknown
There was a problem hiding this comment.
Thanks, I've updated to code that this should be computed values safe.
There was a problem hiding this comment.
no, toset() will not work either
There was a problem hiding this comment.
Thanks again, removed the toset, the idea was there to "ignore" duplicates in the case there were any in the arns.
There was a problem hiding this comment.
for this scenario, we can accept a list(string) of KMS key ARNs, but we should have a 2nd variable like velero_enable_kms that is a bool type to toggle on/off since we can't rely on length() or toset() due to computed values not being known
|
Closing this since those and any other policies can be added via |
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
2 participants
Description
Adds and option to specify ARNs of KMS keys, for which additional policy blocks will be created containing actions to operate with these keys.
Motivation and Context
Using this module, if the
var.velero_s3_kms_key_arnsis set to an S3 bucket with default encryption set to customer managed KMS key (CMK), the backup will fail since the policy doesn't include statement with policies allowing operating this KMS keys (such askms:Encrypt,kms:Decryptetc.).This is similar to the cases of EBS (
var.ebs_csi_kms_cmk_ids) and S3 mountpoint (var.mountpoint_s3_csi_kms_arns) controllers IAM policies created by this module that contain similar blocks for the same reason.Breaking Changes
No breaking changes, the newly introduced
var.velero_s3_kms_key_arnsvariable has default of[]which doesn't change the behaviour of the current configuration.How Has This Been Tested?
examples/*to demonstrate and validate my change(s)examples/*projectspre-commit run -aon my pull request