diff --git a/README.md b/README.md
index 610fa42..d83658b 100644
--- a/README.md
+++ b/README.md
@@ -72,15 +72,19 @@ No requirements.
|------|------|
| [aws_eks_addon.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) | resource |
| [aws_eks_addon.vpc-cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) | resource |
+| [aws_iam_policy.kms_use](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role_policy_attachment.role-kms-use-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_eks_addon_version.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_addon_version) | data source |
| [aws_eks_addon_version.vpc-cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_addon_version) | data source |
| [aws_eks_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
| [aws_iam_openid_connect_provider.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source |
+| [aws_iam_policy_document.kms_use](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
### Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
+| [aws\_kms\_key\_arn](#input\_aws\_kms\_key\_arn) | n/a | `string` | `""` | no |
| [aws\_profile](#input\_aws\_profile) | n/a | `string` | `""` | no |
| [aws\_region](#input\_aws\_region) | n/a | `string` | n/a | yes |
| [eks\_cluster\_name](#input\_eks\_cluster\_name) | n/a | `string` | n/a | yes |
diff --git a/VERSION b/VERSION
index d917d3e..b1e80bb 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.1.2
+0.1.3
diff --git a/main.tf b/main.tf
index 074b6eb..7fef253 100644
--- a/main.tf
+++ b/main.tf
@@ -47,11 +47,43 @@ resource "aws_eks_addon" "ebs_csi" {
service_account_role_arn = module.ebs_csi_irsa_role.iam_role_arn
}
resource "aws_eks_addon" "vpc-cni" {
- count = var.install_vpc_cni_addon ? 1 : 0
+ count = var.install_vpc_cni_addon ? 1 : 0
cluster_name = data.aws_eks_cluster.this.id
addon_name = "vpc-cni"
addon_version = data.aws_eks_addon_version.vpc-cni.version
resolve_conflicts = "OVERWRITE"
service_account_role_arn = module.vpc_cni_ipv4_irsa_role[0].iam_role_arn
+}
+
+### KMS key policy, when EBS encryption is enabled
+data "aws_iam_policy_document" "kms_use" {
+ count = var.aws_kms_key_arn != "" ? 1 : 0
+ statement {
+ sid = "allow-kms-key-use"
+ effect = "Allow"
+ actions = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey",
+ ]
+ resources = [
+ "${var.aws_kms_key_arn}"
+ ]
+ }
+}
+
+resource "aws_iam_policy" "kms_use" {
+ count = var.aws_kms_key_arn != "" ? 1 : 0
+ name = "kms-key-use"
+ description = "Policy to allow use of KMS Key"
+ policy = data.aws_iam_policy_document.kms_use[0].json
+}
+
+resource "aws_iam_role_policy_attachment" "role-kms-use-policy" {
+ count = var.aws_kms_key_arn != "" ? 1 : 0
+ role = module.ebs_csi_irsa_role.name
+ policy_arn = aws_iam_policy.kms_use[0].arn
}
\ No newline at end of file
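Review bot: `role = module.ebs_csi_irsa_role.name` in the new attachment resource looks like it references an output the IRSA module does not expose; the context line above uses `module.ebs_csi_irsa_role.iam_role_arn`, and the terraform-aws-modules IRSA module that naming matches exposes the role name as `iam_role_name`, so this would likely fail at plan time — verify against the module's outputs and change it to `role = module.ebs_csi_irsa_role.iam_role_name` if so. `name = "kms-key-use"` is unique per account, so a second instance of this module in the same account would collide on the policy; deriving the name from `var.eks_cluster_name` (or using `name_prefix`) avoids that. The EBS CSI driver's documented KMS policy additionally grants `kms:CreateGrant` under a `kms:GrantIsForAWSResource` = true condition; confirm whether volume creation with a customer-managed key succeeds with only the actions listed here before shipping this statement. The interpolation `"${var.aws_kms_key_arn}"` can simply be `var.aws_kms_key_arn`.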
diff --git a/variables.tf b/variables.tf
index e6302c9..97e3ee9 100644
--- a/variables.tf
+++ b/variables.tf
@@ -2,7 +2,7 @@ variable "aws_region" {
type = string
}
variable "aws_profile" {
- type = string
+ type = string
default = ""
}
@@ -11,6 +11,11 @@ variable "eks_cluster_name" {
}
variable "install_vpc_cni_addon" {
- type = bool
+ type = bool
default = false
+}
+
+variable "aws_kms_key_arn" {
+ type = string
+ default = ""
}
\ No newline at end of file
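Review bot: The new `aws_kms_key_arn` variable has no `description`, although it gates three resources in main.tf and shows up as `n/a` in the README inputs table; add `description = "ARN of the customer-managed KMS key the EBS CSI driver role may use; leave empty to skip creating the KMS policy"`. Using the empty string as the sentinel also means a malformed ARN is only rejected when the IAM policy is applied, so a `validation` block with `condition = var.aws_kms_key_arn == "" || can(regex("^arn:", var.aws_kms_key_arn))` and a matching `error_message` would surface that at plan time instead.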