feat(kms): add Key Vault KMS encryption support for AKS clusters

modules/terraform/azure/aks-cli/main.tf

@@ -9,6 +9,24 @@ locals {
     pool.name => pool
   }
 
+  key_management_service = (
+    var.aks_cli_config.kms_key_vault_name != null &&
+    var.aks_cli_config.kms_key_name != null
+    ) ? {
+    key_vault_id = try(
+      var.key_vaults[var.aks_cli_config.kms_key_vault_name].id,
+      error("Specified kms_key_vault_name '${var.aks_cli_config.kms_key_vault_name}' does not exist in Key Vaults: ${join(", ", keys(var.key_vaults))}")
+    )
+    key_vault_key_id = try(
+      var.key_vaults[var.aks_cli_config.kms_key_vault_name].keys[var.aks_cli_config.kms_key_name].id,
+      error("Specified kms_key_name '${var.aks_cli_config.kms_key_name}' does not exist in Key Vault '${var.aks_cli_config.kms_key_vault_name}' keys: ${join(", ", keys(var.key_vaults[var.aks_cli_config.kms_key_vault_name].keys))}")
+    )
+    key_vault_key_resource_id = try(
+      var.key_vaults[var.aks_cli_config.kms_key_vault_name].keys[var.aks_cli_config.kms_key_name].resource_id,
+      error("Specified kms_key_name '${var.aks_cli_config.kms_key_name}' does not exist in Key Vault '${var.aks_cli_config.kms_key_vault_name}' keys: ${join(", ", keys(var.key_vaults[var.aks_cli_config.kms_key_vault_name].keys))}")
+    )
+  } : null
+
   kubernetes_version = (
     var.aks_cli_config.kubernetes_version == null ?
     "" :
@@ -48,6 +66,17 @@ locals {
     ])
   )
 
+
+  kms_parameters = (
+    local.key_management_service == null || var.aks_cli_config.managed_identity_name == null ?
+    "" :
+    join(" ", [
+      "--enable-azure-keyvault-kms",
+      format("--azure-keyvault-kms-key-id %s", local.key_management_service.key_vault_key_id),
+      format("--azure-keyvault-kms-key-vault-network-access %s", var.aks_cli_config.key_vault_network_access)
+    ])
+  )
+
   subnet_id_parameter = (local.aks_subnet_id == null ?
     "" :
     format(
@@ -105,6 +134,7 @@ locals {
     "--no-ssh-key",
     local.kubernetes_version,
     local.optional_parameters,
+    local.kms_parameters,
     local.subnet_id_parameter,
     local.managed_identity_parameter,
     local.api_server_vnet_integration_parameter,
@@ -172,7 +202,9 @@ resource "terraform_data" "aks_cli" {
   depends_on = [
     terraform_data.enable_aks_cli_preview_extension,
     azurerm_role_assignment.network_contributor,
-    azurerm_role_assignment.network_contributor_api_server_subnet
+    azurerm_role_assignment.network_contributor_api_server_subnet,
+    azurerm_role_assignment.aks_key_service_encryption_user,
+    azurerm_role_assignment.aks_kv_service_encryption_user
   ]
 
   input = {
@@ -219,3 +251,17 @@ resource "terraform_data" "aks_nodepool_cli" {
     ])
   }
 }
+
+# Grant Key Vault Crypto Service Encryption User role for KMS encryption
+resource "azurerm_role_assignment" "aks_key_service_encryption_user" {
+  count                = local.key_management_service == null || var.aks_cli_config.managed_identity_name == null ? 0 : 1
+  scope                = local.key_management_service.key_vault_key_resource_id
+  role_definition_name = "Key Vault Crypto Service Encryption User"
+  principal_id         = azurerm_user_assigned_identity.userassignedidentity[0].principal_id
+}
+resource "azurerm_role_assignment" "aks_kv_service_encryption_user" {
+  count                = local.key_management_service == null || var.aks_cli_config.managed_identity_name == null ? 0 : 1
+  scope                = local.key_management_service.key_vault_id
+  role_definition_name = "Key Vault Crypto User"
+  principal_id         = azurerm_user_assigned_identity.userassignedidentity[0].principal_id
+}

modules/terraform/azure/aks-cli/variables.tf

@@ -28,6 +28,13 @@ variable "aks_cli_custom_config_path" {
   default     = null
 }
 
+variable "key_vaults" {
+  description = "Map of Key Vault configurations with keys"
+  type        = map(any)
+  default     = {}
+}
+
+
 variable "aks_cli_config" {
   type = object({
     role                              = string
@@ -59,11 +66,14 @@ variable "aks_cli_config" {
           value = string
         })), [])
     })), [])
-    optional_parameters = optional(list(object({  # Refer to https://learn.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-create(aks-preview) for available parameters
+    optional_parameters = optional(list(object({ # Refer to https://learn.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-create(aks-preview) for available parameters
       name  = string
       value = string
     })), [])
-    dry_run = optional(bool, false) # If true, only print the command without executing it. Useful for testing.
+    kms_key_name             = optional(string, null)
+    kms_key_vault_name       = optional(string, null)
+    key_vault_network_access = optional(string, "Public")
+    dry_run                  = optional(bool, false) # If true, only print the command without executing it. Useful for testing.
   })
 }
 

modules/terraform/azure/aks/main.tf

@@ -5,9 +5,34 @@ locals {
   role_assignment_list = var.aks_config.role_assignment_list
   subnets              = var.subnets
   dns_zone_ids         = try([for zone_name in var.aks_config.web_app_routing.dns_zone_names : var.dns_zones[zone_name]], null)
+  key_management_service = (
+    var.aks_config.kms_key_vault_name != null &&
+    var.aks_config.kms_key_name != null
+    ) ? {
+    key_vault_id = try(
+      var.key_vaults[var.aks_config.kms_key_vault_name].id,
+      error("Specified kms_key_vault_name '${var.aks_config.kms_key_vault_name}' does not exist in Key Vaults: ${join(", ", keys(var.key_vaults))}")
+    )
+    key_vault_key_id = try(
+      var.key_vaults[var.aks_config.kms_key_vault_name].keys[var.aks_config.kms_key_name].id,
+      error("Specified kms_key_name '${var.aks_config.kms_key_name}' does not exist in Key Vault '${var.aks_config.kms_key_vault_name}' keys: ${join(", ", keys(var.key_vaults[var.aks_config.kms_key_vault_name].keys))}")
+    )
+    key_vault_key_resource_id = try(
+      var.key_vaults[var.aks_config.kms_key_vault_name].keys[var.aks_config.kms_key_name].resource_id,
+      error("Specified kms_key_name '${var.aks_config.kms_key_name}' does not exist in Key Vault '${var.aks_config.kms_key_vault_name}' keys: ${join(", ", keys(var.key_vaults[var.aks_config.kms_key_vault_name].keys))}")
+    )
+  } : null
 }
 data "azurerm_client_config" "current" {}
 
+resource "azurerm_user_assigned_identity" "aks_identity" {
+  count               = local.key_management_service != null ? 1 : 0
+  location            = var.location
+  name                = "${local.name}-identity"
+  resource_group_name = var.resource_group_name
+  tags                = var.tags
+}
+
 resource "azurerm_kubernetes_cluster" "aks" {
   name                = local.name
   location            = var.location
@@ -20,6 +45,13 @@ resource "azurerm_kubernetes_cluster" "aks" {
     },
   )
   sku_tier = var.aks_config.sku_tier
+
+  # Wait for KMS role assignment to propagate
+  depends_on = [
+    azurerm_role_assignment.aks_key_service_encryption_user,
+    azurerm_role_assignment.aks_kv_service_encryption_user
+  ]
+
   default_node_pool {
     name                         = var.aks_config.default_node_pool.name
     node_count                   = var.aks_config.default_node_pool.node_count
@@ -45,7 +77,16 @@ resource "azurerm_kubernetes_cluster" "aks" {
     dns_service_ip      = var.aks_config.network_profile.dns_service_ip
   }
   identity {
-    type = "SystemAssigned"
+    type         = local.key_management_service != null ? "UserAssigned" : "SystemAssigned"
+    identity_ids = local.key_management_service != null ? [azurerm_user_assigned_identity.aks_identity[0].id] : []
+  }
+
+  dynamic "key_management_service" {
+    for_each = local.key_management_service == null ? [] : [local.key_management_service]
+    content {
+      key_vault_key_id         = key_management_service.value.key_vault_key_id
+      key_vault_network_access = var.aks_config.key_vault_network_access
+    }
   }
 
   dynamic "service_mesh_profile" {
@@ -138,10 +179,23 @@ resource "azurerm_role_assignment" "aks_on_subnet" {
 
   role_definition_name = each.key
   scope                = var.vnet_id
-  principal_id         = azurerm_kubernetes_cluster.aks.identity[0].principal_id
+  principal_id         = local.key_management_service != null ? azurerm_user_assigned_identity.aks_identity[0].principal_id : azurerm_kubernetes_cluster.aks.identity[0].principal_id
 }
 
 resource "local_file" "save_kube_config" {
   filename = "/tmp/${azurerm_kubernetes_cluster.aks.fqdn}"
   content  = azurerm_kubernetes_cluster.aks.kube_config_raw
 }
+
+resource "azurerm_role_assignment" "aks_key_service_encryption_user" {
+  count                = local.key_management_service == null ? 0 : 1
+  scope                = local.key_management_service.key_vault_key_resource_id
+  role_definition_name = "Key Vault Crypto Service Encryption User"
+  principal_id         = azurerm_user_assigned_identity.aks_identity[0].principal_id
+}
+resource "azurerm_role_assignment" "aks_kv_service_encryption_user" {
+  count                = local.key_management_service != null ? 1 : 0
+  scope                = local.key_management_service.key_vault_id
+  role_definition_name = "Key Vault Crypto User"
+  principal_id         = azurerm_user_assigned_identity.aks_identity[0].principal_id
+}

modules/terraform/azure/aks/variables.tf

@@ -66,6 +66,12 @@ variable "aks_aad_enabled" {
   default     = false
 }
 
+variable "key_vaults" {
+  description = "Map of Key Vault configurations with keys"
+  type        = map(any)
+  default     = {}
+}
+
 variable "aks_config" {
   type = object({
     role        = string
@@ -151,6 +157,9 @@ variable "aks_config" {
     web_app_routing = optional(object({
       dns_zone_names = list(string)
     }), null)
+    kms_key_name             = optional(string, null)
+    kms_key_vault_name       = optional(string, null)
+    key_vault_network_access = optional(string, "Public")
   })
 
   validation {

modules/terraform/azure/key-vault/main.tf

@@ -0,0 +1,52 @@
+data "azurerm_client_config" "current" {}
+
+resource "random_string" "kv_suffix" {
+  count   = var.key_vault_config != null ? 1 : 0
+  length  = 4
+  special = false
+  upper   = false
+  numeric = true
+}
+resource "azurerm_key_vault" "kv" {
+  count                      = var.key_vault_config != null ? 1 : 0
+  name                       = "${lower(var.key_vault_config.name)}-${random_string.kv_suffix[0].result}"
+  location                   = var.location
+  resource_group_name        = var.resource_group_name
+  tenant_id                  = data.azurerm_client_config.current.tenant_id
+  sku_name                   = "standard"
+  rbac_authorization_enabled = true
+
+  tags = var.tags
+}
+
+resource "azurerm_key_vault_key" "kms_key" {
+  for_each = var.key_vault_config != null ? {
+    for key in var.key_vault_config.keys : key.key_name => key
+  } : {}
+
+  name         = each.value.key_name
+  key_vault_id = azurerm_key_vault.kv[0].id
+  key_type     = "RSA"
+  key_size     = 2048
+  key_opts     = ["encrypt", "decrypt", "wrapKey", "unwrapKey"]
+
+  depends_on = [
+    azurerm_role_assignment.current_user_crypto_officer
+  ]
+}
+
+# Grant current user/service principal Key Vault Crypto Officer role to create keys
+resource "azurerm_role_assignment" "current_user_crypto_officer" {
+  count                = var.key_vault_config != null ? 1 : 0
+  scope                = azurerm_key_vault.kv[0].id
+  role_definition_name = "Key Vault Crypto Officer"
+  principal_id         = data.azurerm_client_config.current.object_id
+}
+
+# Grant Key Vault Contributor role for purge operations
+resource "azurerm_role_assignment" "kv_contributor" {
+  count                = var.key_vault_config != null ? 1 : 0
+  scope                = azurerm_key_vault.kv[0].id
+  role_definition_name = "Key Vault Contributor"
+  principal_id         = data.azurerm_client_config.current.object_id
+}

modules/terraform/azure/key-vault/outputs.tf

@@ -0,0 +1,13 @@
+output "key_vaults" {
+  description = "Key Vault with all its keys and their IDs"
+  value = {
+    id = try(azurerm_key_vault.kv[0].id, null)
+    keys = {
+      for key_path, key in azurerm_key_vault_key.kms_key :
+      key.name => {
+        id          = key.id
+        resource_id = key.resource_id
+      }
+    }
+  }
+}

modules/terraform/azure/key-vault/variables.tf

@@ -0,0 +1,37 @@
+variable "resource_group_name" {
+  description = "Name of the resource group"
+  type        = string
+}
+
+variable "location" {
+  description = "Azure region location"
+  type        = string
+}
+
+variable "tags" {
+  description = "Tags to apply to resources"
+  type        = map(string)
+  default     = {}
+}
+
+variable "key_vault_config" {
+  description = "Key Vault configuration for AKS KMS encryption"
+  type = object({
+    name = string # Key Vault name
+    keys = list(object({
+      key_name = string # Encryption key name
+    }))
+  })
+  default = null
+
+  validation {
+    condition = (
+      var.key_vault_config == null ? true : (
+        length(var.key_vault_config.name) >= 3 &&
+        length(var.key_vault_config.name) <= 20 &&
+        length(var.key_vault_config.keys) >= 1
+      )
+    )
+    error_message = "Key Vault name must be 3-20 characters (total 24 after adding 4-char random suffix), and at least one key must be defined."
+  }
+}

modules/terraform/azure/main.tf

@@ -26,7 +26,8 @@ locals {
 
   aks_cli_custom_config_path = "${path.cwd}/../../../scenarios/${var.scenario_type}/${var.scenario_name}/config/aks_custom_config.json"
 
-  all_subnets = merge([for network in var.network_config_list : module.virtual_network[network.role].subnets]...)
+  all_subnets    = merge([for network in var.network_config_list : module.virtual_network[network.role].subnets]...)
+  all_key_vaults = merge([for kv_name, kv in module.key_vault : { (kv_name) = kv.key_vaults }]...)
   updated_aks_config_list = length(var.aks_config_list) > 0 ? [
     for aks in var.aks_config_list : merge(
       aks,
@@ -54,10 +55,17 @@ locals {
   ] : []
 
   aks_cli_config_map = { for aks in local.updated_aks_cli_config_list : aks.role => aks }
+
+  key_vault_config_map = { for kv in var.key_vault_config_list : kv.name => kv }
 }
 
 provider "azurerm" {
-  features {}
+  features {
+    key_vault {
+      purge_soft_delete_on_destroy    = true
+      recover_soft_deleted_key_vaults = false
+    }
+  }
 }
 
 module "public_ips" {
@@ -87,6 +95,16 @@ module "dns_zones" {
   tags                = local.tags
 }
 
+module "key_vault" {
+  for_each = local.key_vault_config_map
+
+  source              = "./key-vault"
+  resource_group_name = local.run_id
+  location            = local.region
+  key_vault_config    = each.value
+  tags                = local.tags
+}
+
 module "aks" {
   for_each = local.aks_config_map
 
@@ -104,6 +122,7 @@ module "aks" {
   network_policy      = local.aks_network_policy
   dns_zones           = try(module.dns_zones.dns_zone_ids, null)
   aks_aad_enabled     = local.aks_aad_enabled
+  key_vaults          = local.all_key_vaults
 }
 
 module "aks-cli" {
@@ -116,4 +135,6 @@ module "aks-cli" {
   tags                       = local.tags
   subnets_map                = local.all_subnets
   aks_cli_custom_config_path = local.aks_cli_custom_config_path
+  key_vaults                 = local.all_key_vaults
 }
+