Conversation

@xinWeiWei24 xinWeiWei24 commented Nov 26, 2025

This commit introduces KMS support for AKS cluster creation, including:

  • Adding the key_vault_kms_config variable to define a Key Vault with multiple encryption keys.
  • Enabling explicit key selection per AKS cluster via the kms_key_name parameter.

When KMS is enabled for an AKS cluster, use a user-assigned identity and grant:

  • Key Vault Crypto User role to the Key Vault.
  • Key Vault Crypto Service Encryption User role to the Key Vault key.

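The wiring the PR description lists (a Key Vault holding several keys, one key chosen per cluster, a user-assigned identity holding Key Vault Crypto User on the vault and Key Vault Crypto Service Encryption User on the selected key) looks like the following in azurerm-provider Terraform. This is an added example, not the PR's own module code; it assumes azurerm provider 3.x argument names, an existing azurerm_resource_group.rg, and the constructed names var.kms_keys, local.kms_key_name and the "example-" prefixes.

```hcl
# Added example (not the PR's module code). Assumes azurerm 3.x and an
# existing resource group azurerm_resource_group.rg.

variable "kms_keys" {
  description = "Constructed: key names to create in the vault; a cluster picks one"
  type        = set(string)
  default     = ["etcd-key-a", "etcd-key-b"]
}

locals {
  kms_key_name = "etcd-key-a" # assumed: the cluster's kms_key_name selection
}

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "kms" {
  name                       = "example-kms-kv" # assumed name
  location                   = azurerm_resource_group.rg.location
  resource_group_name        = azurerm_resource_group.rg.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  enable_rbac_authorization  = true # data-plane access via Azure RBAC, as the two roles below require
  purge_protection_enabled   = true # a purged key leaves etcd undecryptable
  soft_delete_retention_days = 90
}

# On an RBAC-mode vault the principal running Terraform needs crypto rights
# before it can create keys, otherwise azurerm_key_vault_key fails with 403.
resource "azurerm_role_assignment" "deployer_crypto_officer" {
  scope                = azurerm_key_vault.kms.id
  role_definition_name = "Key Vault Crypto Officer"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_key_vault_key" "kms" {
  for_each     = var.kms_keys
  name         = each.key
  key_vault_id = azurerm_key_vault.kms.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

  depends_on = [azurerm_role_assignment.deployer_crypto_officer]
}

# One identity per cluster, granted only the two roles the PR names.
resource "azurerm_user_assigned_identity" "aks" {
  name                = "example-aks-kms-identity"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

# Vault-scoped: Key Vault Crypto User
resource "azurerm_role_assignment" "aks_vault_crypto_user" {
  scope                = azurerm_key_vault.kms.id
  role_definition_name = "Key Vault Crypto User"
  principal_id         = azurerm_user_assigned_identity.aks.principal_id
}

# Key-scoped (ARM id of the selected key only): Key Vault Crypto Service Encryption User
resource "azurerm_role_assignment" "aks_key_encryption_user" {
  scope                = azurerm_key_vault_key.kms[local.kms_key_name].resource_versionless_id
  role_definition_name = "Key Vault Crypto Service Encryption User"
  principal_id         = azurerm_user_assigned_identity.aks.principal_id
}

resource "azurerm_kubernetes_cluster" "example" {
  name                = "example-aks"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  dns_prefix          = "example-aks"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_DS2_v2"
  }

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.aks.id]
  }

  key_management_service {
    key_vault_key_id         = azurerm_key_vault_key.kms[local.kms_key_name].id
    key_vault_network_access = "Public"
  }

  # Role propagation must finish before the API server first calls the vault.
  depends_on = [
    azurerm_role_assignment.aks_vault_crypto_user,
    azurerm_role_assignment.aks_key_encryption_user,
  ]
}
```

The two roles are scoped differently on purpose: the cluster identity can enumerate and use keys in the vault but only wrap and unwrap etcd's data-encryption key with the one key it was assigned, so a cluster never gains rights over another cluster's key. The explicit depends_on entries matter because role assignments propagate asynchronously; without them the cluster can be created before the identity is authorised and fail on its first KMS call.
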
@xinWeiWei24 xinWeiWei24 marked this pull request as ready for review November 26, 2025 04:27
Copilot AI review requested due to automatic review settings November 26, 2025 04:27
Copilot finished reviewing on behalf of xinWeiWei24 November 26, 2025 04:32

Copilot AI left a comment

Pull request overview

This PR adds Key Management Service (KMS) support for AKS clusters using Azure Key Vault encryption. The implementation enables users to configure a Key Vault with encryption keys and selectively enable KMS on individual AKS clusters for etcd encryption.

Key Changes:

  • New key_vault_kms_config variable to define Key Vault and encryption keys
  • Per-cluster KMS enablement via kms_key_name parameter in AKS configurations
  • User-assigned identity creation and RBAC role assignments for KMS-enabled clusters

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 13 comments.

Summary per file:

  • modules/terraform/azure/variables.tf: Added key_vault_kms_config variable with validation, and kms_key_name/key_vault_network_access parameters to AKS configs
  • modules/terraform/azure/main.tf: Integrated key_vault module, updated provider with Key Vault features, passed KMS config to AKS/AKS-CLI modules
  • modules/terraform/azure/key-vault/versions.tf: New module: defined Terraform and azurerm provider version requirements
  • modules/terraform/azure/key-vault/variables.tf: New module: defined variables for Key Vault configuration with validation
  • modules/terraform/azure/key-vault/outputs.tf: New module: exposed Key Vault ID and key mappings for use by AKS modules
  • modules/terraform/azure/key-vault/main.tf: New module: implemented Key Vault creation, key generation, and RBAC role assignments
  • modules/terraform/azure/aks/variables.tf: Added key_management_service variable with Key Vault configuration object
  • modules/terraform/azure/aks/main.tf: Added user-assigned identity creation, KMS configuration block, and Key Vault role assignments
  • modules/terraform/azure/aks-cli/variables.tf: Added key_management_service variable for CLI-based AKS clusters
  • modules/terraform/azure/aks-cli/main.tf: Added KMS parameters to CLI command and Key Vault role assignments (has critical bug)
  • modules/terraform/azure/tests/test_aks_aad.tftest.hcl: Changed test commands from plan to apply (unnecessary and inconsistent with repo patterns)

@xinWeiWei24 xinWeiWei24 force-pushed the xinwei/support_kms branch 3 times, most recently from e6342b7 to 7ecc85b December 3, 2025 01:10
@xinWeiWei24 xinWeiWei24 merged commit 48ad257 into main Dec 5, 2025
51 checks passed
@xinWeiWei24 xinWeiWei24 deleted the xinwei/support_kms branch December 5, 2025 11:19