From 798cfbb74ab32a0af74c02f63c1297f865f87624 Mon Sep 17 00:00:00 2001
From: RFN <37929910+nicosuter@users.noreply.github.com>
Date: Sat, 4 Apr 2026 18:20:56 +0200
Subject: [PATCH] s3 perms
---
 main.tf | 13 +++--
 modules/aws/eks-addons/trainings-irsa.tf | 51 +++++++++++++++---------
 modules/aws/eks-addons/variables.tf | 6 +++
 3 files changed, 45 insertions(+), 25 deletions(-)
diff --git a/main.tf b/main.tf
index 5013601..f5bc7f8 100644
--- a/main.tf
+++ b/main.tf
@@ -27,8 +27,8 @@ terraform {
 locals {
 # Append --profile only when a named profile is explicitly set.
- _profile_args = var.aws_profile != null ? ["--profile", var.aws_profile] : []
- eks_token_args = concat(["eks", "get-token", "--cluster-name", module.eks.cluster_name, "--region", var.region], local._profile_args)
+ _profile_args = var.aws_profile != null ? ["--profile", var.aws_profile] : []
+ eks_token_args = concat(["eks", "get-token", "--cluster-name", module.eks.cluster_name, "--region", var.region], local._profile_args)
 }
 # Configure the AWS Provider
@@ -121,7 +121,7 @@ module "eks" {
 # Node Group Configuration
 node_disk_size = var.node_disk_size
- cluster_access = var.cluster_access
+ cluster_access = var.cluster_access
 api_server_allowed_cidrs = var.api_server_allowed_cidrs
@@ -153,7 +153,7 @@ module "ecr" {
 name_prefix = var.cluster_name
 repository_names = var.ecr_repository_names
 github_repositories = var.ecr_github_repositories
- ecr_push_iam_users = ["github-cicd"]
+ ecr_push_iam_users = ["github-cicd"]
 tags = var.tags
 }
@@ -176,11 +176,12 @@ module "eks_addons" {
 node_iam_role_name = module.eks.node_iam_role_name
 # S3 ARNs have no account/region component (arn:aws:s3:::), so they
 # can be constructed from known variables — keeping for_each keys plan-time-known.
- s3_bucket_arns = concat(
+ s3_bucket_arns = concat(
 ["arn:aws:s3:::${var.ml_data_bucket_name}"],
 var.s3_bucket_arns,
 )
- gpu_node_max_lifetime = var.gpu_node_max_lifetime
+ s3_bucket_kms_key_arns = module.s3_ml_data.kms_key_arn != null ? [module.s3_ml_data.kms_key_arn] : []
+ gpu_node_max_lifetime = var.gpu_node_max_lifetime
 # ArgoCD
 argocd_enabled = var.argocd_enabled
diff --git a/modules/aws/eks-addons/trainings-irsa.tf b/modules/aws/eks-addons/trainings-irsa.tf
index 1d93836..8c2f08b 100644
--- a/modules/aws/eks-addons/trainings-irsa.tf
+++ b/modules/aws/eks-addons/trainings-irsa.tf
@@ -36,28 +36,41 @@ resource "aws_iam_role_policy" "training_s3" {
 policy = jsonencode({
 Version = "2012-10-17"
- Statement = [
- {
- Sid = "ObjectAccess"
- Effect = "Allow"
- Action = [
- "s3:GetObject",
- "s3:PutObject",
- "s3:AbortMultipartUpload",
- "s3:DeleteObject",
- ]
- Resource = [for arn in var.s3_bucket_arns : "${arn}/*"]
- },
- {
- Sid = "BucketAccess"
+ Statement = concat(
+ [
+ {
+ Sid = "ObjectAccess"
+ Effect = "Allow"
+ Action = [
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:AbortMultipartUpload",
+ "s3:DeleteObject",
+ ]
+ Resource = [for arn in var.s3_bucket_arns : "${arn}/*"]
+ },
+ {
+ Sid = "BucketAccess"
+ Effect = "Allow"
+ Action = [
+ "s3:ListBucket",
+ "s3:GetBucketLocation",
+ ]
+ Resource = var.s3_bucket_arns
+ },
+ ],
+ length(var.s3_bucket_kms_key_arns) > 0 ? [{
+ Sid = "KmsAccess"
 Effect = "Allow"
 Action = [
- "s3:ListBucket",
- "s3:GetBucketLocation",
+ "kms:Decrypt",
+ "kms:GenerateDataKey",
+ "kms:GenerateDataKeyWithoutPlaintext",
+ "kms:DescribeKey",
 ]
- Resource = var.s3_bucket_arns
- },
- ]
+ Resource = var.s3_bucket_kms_key_arns
+ }] : []
+ )
 })
 }
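Review bot: Only the ML data bucket's key is forwarded on the new `s3_bucket_kms_key_arns` line, while the `s3_bucket_arns` list directly above also grants object access to every bucket in `var.s3_bucket_arns`; if any of those additional buckets is encrypted with a customer-managed KMS key, the training role will still be refused by KMS on reads and writes even though the S3 statements allow them. A matching root-level input (a constructed name such as `var.s3_bucket_kms_key_arns`) concatenated into this list, mirroring how `var.s3_bucket_arns` is concatenated into the bucket list, would close that gap. A one-line comment above the new line would also help, e.g. `# kms_key_arn is presumably null when the bucket is not CMK-encrypted; the null check is what keeps the KMS statement out of the training policy.` The `module "eks_addons"` block continues outside the hunk.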
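Review bot: The new `KmsAccess` statement grants more KMS permissions than the S3 SSE-KMS object path exercises: S3 calls `kms:GenerateDataKey` on the caller's behalf for uploads (multipart included) and `kms:Decrypt` for downloads, whereas `kms:GenerateDataKeyWithoutPlaintext` and `kms:DescribeKey` are not needed for the object statements above and let the pod use the key directly, outside S3. Trimming to `Action = ["kms:Decrypt", "kms:GenerateDataKey"]` keeps the role to what `ObjectAccess` requires. If the module can learn the bucket region, a `Condition` with `kms:ViaService` set to that region's S3 service endpoint would further confine key use to S3 calls; the region is not visible in this module, so that may need another input. The `aws_iam_role_policy "training_s3"` resource starts outside the hunk.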
diff --git a/modules/aws/eks-addons/variables.tf b/modules/aws/eks-addons/variables.tf
index 677bb27..ea4c367 100644
--- a/modules/aws/eks-addons/variables.tf
+++ b/modules/aws/eks-addons/variables.tf
@@ -31,6 +31,12 @@ variable "s3_bucket_arns" {
 default = []
 }
+variable "s3_bucket_kms_key_arns" {
+ description = "KMS key ARNs for encrypted S3 buckets accessible to training pods via IRSA. Leave empty when bucket encryption does not use a customer-managed KMS key."
+ type = list(string)
+ default = []
+}
+
 variable "node_tier" {
 description = "Compute tier inherited from the EKS module."
 type = string
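Review bot: The new `s3_bucket_kms_key_arns` variable has no `validation` block, so a bare key ID or a non-KMS ARN only surfaces as an IAM error at apply time once it lands in the policy `Resource`; a key ARN is cheap to check up front. A validation with `condition = alltrue([for a in var.s3_bucket_kms_key_arns : can(regex("^arn:aws[a-z-]*:kms:", a))])` and an error message stating that entries must be full KMS key ARNs would catch this at plan time. The description could also say that the key of every CMK-encrypted bucket listed in `s3_bucket_arns` belongs here, not only the ML data bucket's, since the policy attaches the whole list in a single statement.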