fix: Added policies for nodepool boot volume and block volume encryption (#461)

Signed-off-by: Srinivasa Nikhil Kota <srinivasa.nikhil.kota@oracle.com>

Author: KSN2510

modules/oke/iam.tf

@@ -34,3 +34,12 @@ resource "oci_identity_policy" "oke_kms" {
   statements     = [local.policy_statement]
   count          = var.use_encryption == true ? 1 : 0
 }
+
+resource "oci_identity_policy" "oke_volume_kms" {
+  provider       = oci.home
+  compartment_id = var.compartment_id
+  description    = "Policies for block volumes to access kms key"
+  name           = var.label_prefix == "none" ? "oke-volume-kms" : "${var.label_prefix}-oke-volume-kms"
+  statements     = local.oke_volume_kms_policy_statements
+  count          = var.node_pool_volume_kms_key_id == "" ? 0 : 1
+}

modules/oke/locals.tf

@@ -17,6 +17,12 @@ locals {
   # policy to allow dynamic group of all clusters to use kms 
   policy_statement = (var.use_encryption == true) ? "Allow dynamic-group ${oci_identity_dynamic_group.oke_kms_cluster[0].name} to use keys in compartment id ${var.compartment_id} where target.key.id = '${var.kms_key_id}'" : ""
 
+  # policy to allow block volumes inside oke to use kms
+  oke_volume_kms_policy_statements = [
+    "Allow service oke to use key-delegates in compartment id ${var.compartment_id} where target.key.id = '${var.node_pool_volume_kms_key_id}'",
+    "Allow service blockstorage to use keys in compartment id ${var.compartment_id} where target.key.id = '${var.node_pool_volume_kms_key_id}'"
+  ]
+
   # 1. get a list of available images for this cluster
   # 2. filter by version
   # 3. if more than 1 image found for this version, pick the latest