1. How to enable EKS Secrets encryption?


    Enabling secrets encryption in EKS requires you to integrate AWS Key Management Service (KMS) with the EKS cluster. Here's how you can do this with Pulumi:

    You need to create a KMS key which will be used to encrypt secrets. This key is an aws.kms.Key resource. An aws.iam.Role (the cluster's service role) and an aws.iam.RolePolicy granting that role access to the key are required so the EKS control plane can use the KMS key. Finally, the EKS cluster is created with the aws.eks.Cluster resource, with its encryptionConfig pointing at the key.

    Here's an example:

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const config = new pulumi.Config();
// Subnet IDs (and optionally security group IDs) must come from your own VPC;
// supply them with `pulumi config set --path subnetIds[0] subnet-...`.
const subnetIds = config.requireObject<string[]>("subnetIds");
const securityGroupIds = config.getObject<string[]>("securityGroupIds");
// Optional allow-list for the public Kubernetes API endpoint, e.g. ["203.0.113.0/24"].
// When unset, the provider default applies.
const publicAccessCidrs = config.getObject<string[]>("publicAccessCidrs");

// Create an AWS KMS key that EKS will use to envelope-encrypt Kubernetes Secrets in etcd
const key = new aws.kms.Key("my-key", {
    description: "EKS secrets encryption key",
    enableKeyRotation: true,
});

// Create an IAM service role for the EKS cluster so that it can manage AWS services on your behalf
const eksRole = new aws.iam.Role("my-eksRole", {
    assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({ Service: "eks.amazonaws.com" }),
});

// The cluster role needs the AWS-managed EKS cluster policy before the control plane can be created
const clusterPolicyAttachment = new aws.iam.RolePolicyAttachment("my-eksClusterPolicy", {
    role: eksRole.name,
    policyArn: "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
});

// Grant the cluster role the KMS operations EKS performs for envelope encryption, scoped to this key only
const kmsPolicy = new aws.iam.RolePolicy("my-rolePolicy", {
    role: eksRole.id,
    policy: {
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Action: ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey", "kms:CreateGrant"],
            Resource: key.arn,
        }],
    },
});

// Create the EKS cluster; it depends on the policies so the role can use the key at creation time
const cluster = new aws.eks.Cluster("my-cluster", {
    roleArn: eksRole.arn,
    // Enable secrets encryption and point it at the KMS key (a single config object, not a list)
    encryptionConfig: {
        provider: { keyArn: key.arn },
        resources: ["secrets"],
    },
    vpcConfig: {
        subnetIds: subnetIds,
        securityGroupIds: securityGroupIds,
        publicAccessCidrs: publicAccessCidrs,
    },
}, { dependsOn: [clusterPolicyAttachment, kmsPolicy] });

// aws.eks.Cluster exposes no kubeconfig output; export what `aws eks update-kubeconfig` needs instead
export const clusterName = cluster.name;
export const clusterEndpoint = cluster.endpoint;
export const clusterCaData = cluster.certificateAuthority.apply(ca => ca.data);
```

    In this program, you create a Key Management Service (KMS) key and grant the EKS service role permission to use that key. The key is then configured as the provider for secrets encryption in the EKS cluster. The cluster itself is defined with the service role and a VPC configuration that specifies its subnets, security groups and API endpoint access.

    Remember, the actual security group IDs and subnet IDs must match your real VPC setup. You also need to manage the KMS key itself (its key policy, rotation and who may administer it) so that only the cluster role can use it. You can read more about the resources used here:

    • aws.kms.Key: Represents a KMS Key resource, a cryptographic key that you create in AWS Key Management Service (KMS).
    • aws.iam.Role: Defines an IAM Role.
    • aws.eks.Cluster: Represents an EKS cluster in AWS. This manages the EKS control plane resources.
    • aws.iam.RolePolicy: Manages an IAM role policy.
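Once the stack is up, the setting is worth confirming from the outside rather than trusting the program. The following check is an added example, not part of the original answer or of Pulumi's own libraries: it validates the `cluster` object returned by `aws eks describe-cluster --name <cluster> --output json` (the `encryptionConfig`, `resources` and `provider.keyArn` fields are the real response shape; the sample cluster descriptions and key ARN are constructed) and reports whether Kubernetes Secrets are covered by a KMS key ARN, flagging the common mistakes of a missing entry or an alias supplied in place of a key ARN.

```typescript
// Post-deployment check: is KMS envelope encryption of Kubernetes Secrets actually enabled?
// Input mirrors the `cluster` object from `aws eks describe-cluster` (only the fields used here).
interface EncryptionConfig {
    resources: string[];
    provider: { keyArn: string };
}

interface ClusterDescription {
    name: string;
    encryptionConfig?: EncryptionConfig[];
}

interface SecretsEncryptionReport {
    enabled: boolean;
    keyArn?: string;
    findings: string[];
}

// A KMS key ARN is arn:<partition>:kms:<region>:<account>:key/<key-id>.
// EKS requires the key ARN itself; an alias ARN (…:alias/name) is rejected here.
const KMS_KEY_ARN = /^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key\/[0-9a-f-]{36}$/;

function checkSecretsEncryption(cluster: ClusterDescription): SecretsEncryptionReport {
    const findings: string[] = [];
    const configs = cluster.encryptionConfig || [];
    const secretsConfig = configs.filter(c => c.resources.indexOf("secrets") !== -1)[0];

    if (!secretsConfig) {
        findings.push(`${cluster.name}: no encryptionConfig entry covers "secrets"; ` +
            `Secrets rely only on the default at-rest encryption of the etcd volumes`);
        return { enabled: false, findings };
    }

    const keyArn = secretsConfig.provider ? secretsConfig.provider.keyArn : undefined;
    if (!keyArn || !KMS_KEY_ARN.test(keyArn)) {
        findings.push(`${cluster.name}: secrets encryption provider "${keyArn}" is not a KMS key ARN`);
        return { enabled: false, keyArn, findings };
    }

    return { enabled: true, keyArn, findings };
}

// Constructed sample descriptions (not real clusters or keys).
const sampleKeyArn = "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab";

const sampleEncrypted: ClusterDescription = {
    name: "my-cluster",
    encryptionConfig: [{ resources: ["secrets"], provider: { keyArn: sampleKeyArn } }],
};

const sampleUnencrypted: ClusterDescription = { name: "legacy-cluster" };

const sampleAliasArn: ClusterDescription = {
    name: "misconfigured-cluster",
    encryptionConfig: [{
        resources: ["secrets"],
        provider: { keyArn: "arn:aws:kms:us-west-2:123456789012:alias/eks-secrets" },
    }],
};

for (const c of [sampleEncrypted, sampleUnencrypted, sampleAliasArn]) {
    console.log(JSON.stringify(checkSecretsEncryption(c)));
}
```

In practice you would pipe the CLI output into this function (or wire the same logic into a Pulumi CrossGuard policy) and fail the deployment pipeline when `enabled` is false, so a cluster that silently lost its encryption configuration is caught before workloads land on it.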