add policies

cattle-ops · Nov 27, 2024 · 68445a2 · 68445a2
1 parent bbb732c
commit 68445a2
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -9,6 +9,7 @@
 # Terraform module for GitLab auto-scaling runners on AWS spot instances <!-- omit in toc -->
 
 💥 See [issue 819](https://github.com/cattle-ops/terraform-aws-gitlab-runner/issues/819) on how to migrate to v7 smoothly.
+💥 See [pr 1204](https://github.com/cattle-ops/terraform-aws-gitlab-runner/pull/1204) on how to migrate to v8 smoothly.
 
 This [Terraform](https://www.terraform.io/) modules creates a [GitLab Runner](https://docs.gitlab.com/runner/). A blog post
 describes the original version of the runner. See the post at [040code](https://040code.github.io/2017/12/09/runners-on-the-spot/).

diff --git a/docker_autoscaler.tf b/docker_autoscaler.tf
@@ -88,6 +88,8 @@ resource "aws_launch_template" "this" {
       volume_type = var.runner_worker_docker_autoscaler_instance.volume_type
       iops        = contains(["gp3", "io1", "io2"], var.runner_worker_docker_autoscaler_instance.volume_type) ? var.runner_worker_docker_autoscaler_instance.volume_iops : null
       throughput  = var.runner_worker_docker_autoscaler_instance.volume_type == "gp3" ? var.runner_worker_docker_autoscaler_instance.volume_throughput : null
+      encrypted = true
+      kms_key_id = local.kms_key_arn
     }
   }
 

diff --git a/main.tf b/main.tf
@@ -388,6 +388,8 @@ resource "aws_launch_template" "fleet_gitlab_runner" {
       volume_type = var.runner_worker_docker_machine_instance.volume_type
       iops        = contains(["gp3", "io1", "io2"], var.runner_worker_docker_machine_instance.volume_type) ? var.runner_worker_docker_machine_instance.volume_iops : null
       throughput  = var.runner_worker_docker_machine_instance.volume_type == "gp3" ? var.runner_worker_docker_machine_instance.volume_throughput : null
+      encrypted = true
+      kms_key_id = local.kms_key_arn
     }
   }
 

diff --git a/policies/kms-policy.json b/policies/kms-policy.json
@@ -28,6 +28,45 @@
       "Resource": [
         "*"
       ]
+    },
+    {
+      "Sid": "Allow service-linked role use of the customer managed key",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": [
+          "arn:aws:iam::${account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
+        ]
+      },
+      "Action": [
+        "kms:Encrypt",
+        "kms:Decrypt",
+        "kms:ReEncrypt*",
+        "kms:GenerateDataKey*",
+        "kms:DescribeKey"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "Allow access through EBS for all principals in the account that are authorized to use EBS",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "*"
+      },
+      "Action": [
+        "kms:Encrypt",
+        "kms:Decrypt",
+        "kms:ReEncrypt*",
+        "kms:GenerateDataKey*",
+        "kms:CreateGrant",
+        "kms:DescribeKey"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "StringEquals": {
+          "kms:CallerAccount": "${account_id}",
+          "kms:ViaService": "ec2.${aws_region}.amazonaws.com"
+        }
+      }
     }
   ]
 }