feat: Add Velero kms keys policy (#44)

tropnikovvl · web-flow · commit f60f7b3c188a · 2025-10-14T08:12:43.000-05:00
diff --git a/README.md b/README.md
@@ -566,6 +566,7 @@ No modules.
 | <a name="input_trust_policy_conditions"></a> [trust\_policy\_conditions](#input\_trust\_policy\_conditions) | A list of conditions to add to the role trust policy | <pre>list(object({<br/>    test     = string<br/>    values   = list(string)<br/>    variable = string<br/>  }))</pre> | `[]` | no |
 | <a name="input_trust_policy_statements"></a> [trust\_policy\_statements](#input\_trust\_policy\_statements) | A list of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for the role trust policy | <pre>list(object({<br/>    sid           = optional(string)<br/>    actions       = optional(list(string))<br/>    not_actions   = optional(list(string))<br/>    effect        = optional(string)<br/>    resources     = optional(list(string))<br/>    not_resources = optional(list(string))<br/>    principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    not_principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    condition = optional(list(object({<br/>      test     = string<br/>      values   = list(string)<br/>      variable = string<br/>    })))<br/>  }))</pre> | `null` | no |
 | <a name="input_use_name_prefix"></a> [use\_name\_prefix](#input\_use\_name\_prefix) | Determines whether the role name and policy name(s) are used as a prefix | `string` | `true` | no |
+| <a name="input_velero_kms_arns"></a> [velero\_kms\_arns](#input\_velero\_kms\_arns) | KMS key ARNs to allow Velero to manage encrypted s3 buckets | `list(string)` | `[]` | no |
 | <a name="input_velero_policy_name"></a> [velero\_policy\_name](#input\_velero\_policy\_name) | Custom name of the Velero IAM policy | `string` | `null` | no |
 | <a name="input_velero_s3_bucket_arns"></a> [velero\_s3\_bucket\_arns](#input\_velero\_s3\_bucket\_arns) | List of S3 Bucket ARNs that Velero needs access to list | `list(string)` | `[]` | no |
 | <a name="input_velero_s3_bucket_path_arns"></a> [velero\_s3\_bucket\_path\_arns](#input\_velero\_s3\_bucket\_path\_arns) | S3 path ARNs to allow Velero to manage items at the provided path(s). This is required if `attach_mountpoint_s3_csi_policy = true` | `list(string)` | `[]` | no |
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -509,6 +509,7 @@ module "velero_pod_identity" {
   attach_velero_policy       = true
   velero_s3_bucket_arns      = ["arn:aws:s3:::velero-backups"]
   velero_s3_bucket_path_arns = ["arn:aws:s3:::velero-backups/example/*"]
+  velero_kms_arns            = ["arn:aws:kms:*:*:key/1234abcd-12ab-34cd-56ef-1234567890ab"]
 
   # Pod Identity Associations
   association_defaults = {
diff --git a/variables.tf b/variables.tf
@@ -555,3 +555,9 @@ variable "velero_s3_bucket_path_arns" {
   type        = list(string)
   default     = []
 }
+
+variable "velero_kms_arns" {
+  description = "KMS key ARNs to allow Velero to manage encrypted s3 buckets"
+  type        = list(string)
+  default     = []
+}
diff --git a/velero.tf b/velero.tf
@@ -44,6 +44,22 @@ data "aws_iam_policy_document" "velero" {
     ]
     resources = coalescelist(var.velero_s3_bucket_arns, ["arn:${local.partition}:s3:::*"])
   }
+
+  dynamic "statement" {
+    for_each = length(var.velero_kms_arns) > 0 ? [1] : []
+
+    content {
+      actions = [
+        "kms:Encrypt",
+        "kms:Decrypt",
+        "kms:ReEncrypt*",
+        "kms:GenerateDataKey*",
+        "kms:DescribeKey",
+      ]
+
+      resources = var.velero_kms_arns
+    }
+  }
 }
 
 locals {
diff --git a/wrappers/main.tf b/wrappers/main.tf
@@ -77,6 +77,7 @@ module "wrapper" {
   trust_policy_conditions                                  = try(each.value.trust_policy_conditions, var.defaults.trust_policy_conditions, [])
   trust_policy_statements                                  = try(each.value.trust_policy_statements, var.defaults.trust_policy_statements, null)
   use_name_prefix                                          = try(each.value.use_name_prefix, var.defaults.use_name_prefix, true)
+  velero_kms_arns                                          = try(each.value.velero_kms_arns, var.defaults.velero_kms_arns, [])
   velero_policy_name                                       = try(each.value.velero_policy_name, var.defaults.velero_policy_name, null)
   velero_s3_bucket_arns                                    = try(each.value.velero_s3_bucket_arns, var.defaults.velero_s3_bucket_arns, [])
   velero_s3_bucket_path_arns                               = try(each.value.velero_s3_bucket_path_arns, var.defaults.velero_s3_bucket_path_arns, [])
