Amazon EKS now supports adding KMS envelope encryption to existing clusters

[ewbankkit]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Amazon Elastic Kubernetes Service (EKS) now allows you to implement envelope encryption of Kubernetes secrets using AWS Key Management Service (KMS) keys for existing EKS clusters.

New or Affected Resource(s)

• aws_eks_cluster

Adding encryption_config to an existing cluster no longer recreates the cluster.

Potential Terraform Configuration

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

References

Announcement.
API Reference.

Requires AWS SDK v1.37.20:

• build(deps): bump github.com/aws/aws-sdk-go from 1.37.4 to 1.37.24 #17934

[voidlily]

AWS SDK has been updated so this change should now be doable

[mlopez-eb]

When I add the blocks:

resource "aws_kms_key" "eks" {
  description = "EKS Secret Encryption Key"
}

and

cluster_encryption_config = [
  {
    provider_key_arn = aws_kms_key.eks.arn
    resources        = ["secrets"]
  }
]

I get the following error:
Error: Get "http://localhost/api/v1/namespaces/kube-system/configmaps/aws-auth": dial tcp [::1]:80: connect: connection refused
As soon as I comment out the second block, my Terraform plan completes successfully.

[github-actions]

This functionality has been released in v3.47.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.