

[DOM-55148] Use SSE-KMS as default in Flyte S3 buckets
[DOM-55148] Use SSE-KMS as default in Flyte S3 buckets
ddl-rliu authored Mar 8, 2024
1 parent 5ef2917 commit 4c10ac3
Showing 7 changed files with 56 additions and 7 deletions.
3 changes: 3 additions & 0 deletions modules/flyte/README.md
Expand Up @@ -35,6 +35,7 @@ No modules.
| [aws_s3_bucket_policy.flyte_metadata](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
| [aws_s3_bucket_server_side_encryption_configuration.flye_metadata_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
| [aws_s3_bucket_server_side_encryption_configuration.flyte_data_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
| [aws_caller_identity.aws_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.flyte_controlplane](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.flyte_data](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.flyte_dataplane](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
Expand All @@ -48,7 +49,9 @@ No modules.
| <a name="input_compute_namespace"></a> [compute\_namespace](#input\_compute\_namespace) | Name of Domino compute namespace for this deploy | `string` | n/a | yes |
| <a name="input_eks_info"></a> [eks\_info](#input\_eks\_info) | cluster = {<br> specs {<br> name = Cluster name.<br> account\_id = AWS account id where the cluster resides.<br> }<br> oidc = {<br> arn = OIDC provider ARN.<br> url = OIDC provider url.<br> cert = {<br> thumbprint\_list = OIDC cert thumbprints.<br> url = OIDC cert URL.<br> }<br> } | <pre>object({<br> cluster = object({<br> specs = object({<br> name = string<br> account_id = string<br> })<br> oidc = object({<br> arn = string<br> url = string<br> cert = object({<br> thumbprint_list = list(string)<br> url = string<br> })<br> })<br> })<br> })</pre> | n/a | yes |
| <a name="input_force_destroy_on_deletion"></a> [force\_destroy\_on\_deletion](#input\_force\_destroy\_on\_deletion) | Whether to force destroy flyte s3 buckets on deletion | `bool` | `true` | no |
| <a name="input_kms_info"></a> [kms\_info](#input\_kms\_info) | key\_id = KMS key id.<br> key\_arn = KMS key arn.<br> enabled = KMS key is enabled | <pre>object({<br> key_id = string<br> key_arn = string<br> enabled = bool<br> })</pre> | n/a | yes |
| <a name="input_platform_namespace"></a> [platform\_namespace](#input\_platform\_namespace) | Name of Domino platform namespace for this deploy | `string` | n/a | yes |
| <a name="input_region"></a> [region](#input\_region) | AWS region for the deployment | `string` | n/a | yes |
| <a name="input_serviceaccount_names"></a> [serviceaccount\_names](#input\_serviceaccount\_names) | Service account names for Flyte | <pre>object({<br> datacatalog = optional(string, "datacatalog")<br> flyteadmin = optional(string, "flyteadmin")<br> flytepropeller = optional(string, "flytepropeller")<br> })</pre> | `{}` | no |

## Outputs
16 changes: 16 additions & 0 deletions modules/flyte/iam.tf
Expand Up @@ -36,6 +36,14 @@ data "aws_iam_policy_document" "flyte_controlplane" {
"s3:ListBucket",
]
}
statement {
effect = "Allow"
resources = ["arn:${data.aws_partition.current.partition}:kms:${var.region}:${data.aws_caller_identity.aws_account.account_id}:key/*"]
actions = [
"kms:GenerateDataKey",
"kms:Decrypt",
]
}
}

resource "aws_iam_policy" "flyte_controlplane" {
Expand Down Expand Up @@ -89,6 +97,14 @@ data "aws_iam_policy_document" "flyte_dataplane" {
"s3:ListBucket"
]
}
statement {
effect = "Allow"
resources = ["arn:${data.aws_partition.current.partition}:kms:${var.region}:${data.aws_caller_identity.aws_account.account_id}:key/*"]
actions = [
"kms:GenerateDataKey",
"kms:Decrypt",
]
}
}

resource "aws_iam_policy" "flyte_dataplane" {
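Review bot: The new KMS statements in both `flyte_controlplane` and `flyte_dataplane` grant `kms:GenerateDataKey` and `kms:Decrypt` on `key/*`, i.e. every KMS key in the account and region, even though the module receives the exact key as `var.kms_info.key_arn` and s3.tf only ever configures that one key; `resources = [var.kms_info.key_arn]` keeps the Flyte roles at least privilege, and if a wildcard were truly unavoidable a `kms:ViaService` condition on the S3 endpoint would at least confine the grant to S3 use. The statements are also added unconditionally, so the grant exists when `kms_info.enabled` is false and the buckets fall back to AES256; a `dynamic "statement"` keyed on `var.kms_info.enabled` avoids that. Both policy documents begin outside the hunk, and the key policy on the customer key must itself allow these roles, which this module cannot verify. The same rewrite applies to the dataplane document.
```hcl
data "aws_iam_policy_document" "flyte_controlplane" {
  # … unchanged: S3 statements …
  # KMS access is only needed when the buckets use SSE-KMS, and only for the configured key.
  dynamic "statement" {
    for_each = var.kms_info.enabled ? [1] : []
    content {
      effect    = "Allow"
      resources = [var.kms_info.key_arn]
      actions = [
        "kms:GenerateDataKey",
        "kms:Decrypt",
      ]
    }
  }
}
```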
3 changes: 2 additions & 1 deletion modules/flyte/main.tf
@@ -1,7 +1,8 @@
data "aws_partition" "current" {}
data "aws_caller_identity" "aws_account" {}

locals {
deploy_id = var.eks_info.cluster.specs.name
oidc_provider_arn = var.eks_info.cluster.oidc.arn
oidc_provider_url = var.eks_info.cluster.oidc.cert.url
}
}
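Review bot: `aws_caller_identity.aws_account` resolves the account of the provider credentials, while the module already receives `var.eks_info.cluster.specs.account_id`, documented in the README as the account where the cluster resides; the two agree only when the module is applied with credentials from the cluster account, which nothing here checks. If the data source is kept for the KMS ARNs built in iam.tf, a comment should state that assumption, e.g. `# Account of the applying credentials; assumed to equal eks_info.cluster.specs.account_id when building KMS ARNs.`, otherwise the existing input is the safer source.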
13 changes: 10 additions & 3 deletions modules/flyte/s3.tf
@@ -1,3 +1,8 @@
locals {
s3_server_side_encryption = var.kms_info.enabled ? "aws:kms" : "AES256"
kms_key_arn = var.kms_info.enabled ? var.kms_info.key_arn : null
}

resource "aws_s3_bucket" "flyte_metadata" {
bucket = "${local.deploy_id}-flyte-metadata"
force_destroy = var.force_destroy_on_deletion
Expand Down Expand Up @@ -37,7 +42,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "flye_metadata_enc
bucket = aws_s3_bucket.flyte_metadata.bucket
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
sse_algorithm = local.s3_server_side_encryption
kms_master_key_id = local.kms_key_arn
}
bucket_key_enabled = false
}
Expand Down Expand Up @@ -88,7 +94,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "flyte_data_encryp
bucket = aws_s3_bucket.flyte_data.bucket
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
sse_algorithm = local.s3_server_side_encryption
kms_master_key_id = local.kms_key_arn
}
bucket_key_enabled = false
}
Expand All @@ -98,4 +105,4 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "flyte_data_encryp
rule,
]
}
}
}
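Review bot: The `rule,` at the end of the section looks like an entry in a `lifecycle { ignore_changes }` list on the encryption-configuration resources (the enclosing block starts outside the hunk); if so, the switch from `"AES256"` to `local.s3_server_side_encryption` and `local.kms_key_arn` only takes effect on buckets created after this commit, and existing `flyte_metadata` and `flyte_data` buckets silently stay on SSE-S3 with no plan diff to reveal it. If that is intended, say so on the new locals, e.g. `# Applied only at bucket creation: the encryption rule is under ignore_changes, so existing buckets must be migrated separately.`; otherwise drop `rule` from `ignore_changes`. Separately, `bucket_key_enabled = false` combined with `aws:kms` sends every object operation to KMS, so `bucket_key_enabled = true` is the usual choice to reduce KMS request volume and throttling exposure, provided the key policy has no encryption-context condition on object ARNs. Note also that a bucket default does not stop a writer from uploading with a different algorithm or key; the bucket policies listed in the README, not in this diff, are where such uploads would be denied.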
25 changes: 24 additions & 1 deletion modules/flyte/variables.tf
Expand Up @@ -57,4 +57,27 @@ variable "serviceaccount_names" {
})

default = {}
}
}

variable "kms_info" {
description = <<EOF
key_id = KMS key id.
key_arn = KMS key arn.
enabled = KMS key is enabled
EOF
type = object({
key_id = string
key_arn = string
enabled = bool
})
}

variable "region" {
type = string
description = "AWS region for the deployment"
nullable = false
validation {
condition = can(regex("(us(-gov)?|ap|ca|cn|eu|sa|me|af|il)-(central|(north|south)?(east|west)?)-[0-9]", var.region))
error_message = "The provided region must follow the format of AWS region names, e.g., us-west-2, us-gov-west-1."
}
}
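Review bot: `kms_info` has no validation, although s3.tf feeds `key_arn` straight into `kms_master_key_id` whenever `enabled` is true, so an empty or malformed value only surfaces as an S3 API error at apply time; a validation block requiring a KMS key or alias ARN when `enabled` is true catches it at plan, in the same spirit as the `region` check added below it. Unlike `region`, the variable is also not marked `nullable = false`, so a null `kms_info` fails with an attribute-of-null error rather than a clear message. `key_id` is declared and documented but nothing in this diff reads it; if it is kept for callers, the description should say it is unused by this module.
```hcl
variable "kms_info" {
  # … unchanged: description and type …
  nullable = false
  validation {
    condition     = !var.kms_info.enabled || can(regex("^arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:(key|alias)/", var.kms_info.key_arn))
    error_message = "kms_info.key_arn must be a KMS key or alias ARN when kms_info.enabled is true."
  }
}
```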
2 changes: 1 addition & 1 deletion modules/flyte/versions.tf
Expand Up @@ -10,4 +10,4 @@ terraform {
version = "~> 5.0"
}
}
}
}
1 change: 0 additions & 1 deletion modules/irsa/outputs.tf
Expand Up @@ -12,4 +12,3 @@ output "external_dns" {
external_dns_use_eks_idp = var.use_cluster_odc_idp
} : null
}
