diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index d5886a6d..071427d7 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.77.0
+ rev: v1.77.1
 hooks:
 - id: terraform_fmt
 - id: terraform_validate
diff --git a/examples/iam-role-for-service-accounts-eks/main.tf b/examples/iam-role-for-service-accounts-eks/main.tf
index 5f26def2..9ebdf882 100644
--- a/examples/iam-role-for-service-accounts-eks/main.tf
+++ b/examples/iam-role-for-service-accounts-eks/main.tf
@@ -137,6 +137,7 @@ module "external_secrets_irsa_role" {
 attach_external_secrets_policy = true
 external_secrets_ssm_parameter_arns = ["arn:aws:ssm:*:*:parameter/foo"]
 external_secrets_secrets_manager_arns = ["arn:aws:secretsmanager:*:*:secret:bar"]
+ external_secrets_kms_key_arns = ["arn:aws:kms:*:*:key/1234abcd-12ab-34cd-56ef-1234567890ab"]
 
 oidc_providers = {
 ex = {
diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md
index c62d1b11..5161264d 100644
--- a/modules/iam-role-for-service-accounts-eks/README.md
+++ b/modules/iam-role-for-service-accounts-eks/README.md
@@ -204,6 +204,7 @@ No modules.
 | [create\_role](#input\_create\_role) | Whether to create a role | `bool` | `true` | no |
 | [ebs\_csi\_kms\_cmk\_ids](#input\_ebs\_csi\_kms\_cmk\_ids) | KMS CMK IDs to allow EBS CSI to manage encrypted volumes | `list(string)` | `[]` | no |
 | [external\_dns\_hosted\_zone\_arns](#input\_external\_dns\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow External DNS to manage records | `list(string)` |
[
"arn:aws:route53:::hostedzone/*"
]
| no |
+| [external\_secrets\_kms\_key\_arns](#input\_external\_secrets\_kms\_key\_arns) | List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets | `list(string)` |
[
"arn:aws:kms:*:*:key/*"
]
| no |
 | [external\_secrets\_secrets\_manager\_arns](#input\_external\_secrets\_secrets\_manager\_arns) | List of Secrets Manager ARNs that contain secrets to mount using External Secrets | `list(string)` |
[
"arn:aws:secretsmanager:*:*:secret:*"
]
| no |
 | [external\_secrets\_ssm\_parameter\_arns](#input\_external\_secrets\_ssm\_parameter\_arns) | List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets | `list(string)` |
[
"arn:aws:ssm:*:*:parameter/*"
]
| no |
 | [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `true` | no |
diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf
index 20be7c5a..4e028ff2 100644
--- a/modules/iam-role-for-service-accounts-eks/policies.tf
+++ b/modules/iam-role-for-service-accounts-eks/policies.tf
@@ -458,6 +458,13 @@ data "aws_iam_policy_document" "external_secrets" {
 ]
 resources = var.external_secrets_secrets_manager_arns
 }
+
+ statement {
+ actions = [
+ "kms:Decrypt"
+ ]
+ resources = var.external_secrets_kms_key_arns
+ }
 }
 
 resource "aws_iam_policy" "external_secrets" {
diff --git a/modules/iam-role-for-service-accounts-eks/variables.tf b/modules/iam-role-for-service-accounts-eks/variables.tf
index 1eae9778..2b5df935 100644
--- a/modules/iam-role-for-service-accounts-eks/variables.tf
+++ b/modules/iam-role-for-service-accounts-eks/variables.tf
@@ -164,6 +164,12 @@ variable "external_secrets_secrets_manager_arns" {
 default = ["arn:aws:secretsmanager:*:*:secret:*"]
 }
 
+variable "external_secrets_kms_key_arns" {
+ description = "List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets"
+ type = list(string)
+ default = ["arn:aws:kms:*:*:key/*"]
+}
+
 # FSx Lustre CSI
 variable "attach_fsx_lustre_csi_policy" {
 description = "Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role"
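Review bot: The new `kms:Decrypt` statement in policies.tf is emitted unconditionally, and with the default added in variables.tf (`arn:aws:kms:*:*:key/*`) it grants Decrypt on any key in any account whose key policy trusts this role, for every role created with `attach_external_secrets_policy = true`, including callers who never use a customer-managed key. The Secrets Manager and SSM statements already carry wildcard defaults, but Decrypt on every key is a broader grant than read on every secret, because it also reaches keys that protect unrelated resources. Tying the statement to Secrets Manager calls with a `kms:ViaService` condition keeps the grant usable with the wildcard default while stopping direct use of the keys; if the same keys are also meant to cover SSM SecureString parameters, `ssm.*.amazonaws.com` belongs in the same list. The enclosing `data "aws_iam_policy_document" "external_secrets"` block starts outside the hunk.
```hcl
  statement {
    # … unchanged: actions = ["kms:Decrypt"] …
    resources = var.external_secrets_kms_key_arns

    # Only allow the keys to be used through Secrets Manager, not called directly
    condition {
      test     = "StringLike"
      variable = "kms:ViaService"
      values   = ["secretsmanager.*.amazonaws.com"]
    }
  }
```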
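Review bot: The description on the new `external_secrets_kms_key_arns` variable in variables.tf names the keys but not the permission the role receives on them, and it does not say that the default matches every key in every account, so a reader of the generated README row cannot tell that leaving the default grants `kms:Decrypt` broadly. Suggest `description = "List of KMS Key ARNs the role is allowed to call kms:Decrypt on for Secrets Manager secrets mounted using External Secrets; the default allows any key, narrow it to the CMKs actually in use"`. The README row in this commit appears to be generated from this description, so changing it here would also correct the README.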