feat: Support for encrypted root disk in node_groups (#1428)

alzabo · web-flow · commit 6067290c0e97 · 2021-08-25T15:22:53.000+02:00
diff --git a/modules/node_groups/README.md b/modules/node_groups/README.md
@@ -23,6 +23,8 @@ The role ARN specified in `var.default_iam_role_arn` will be used by default. In
 | capacity\_type | Type of instance capacity to provision. Options are `ON_DEMAND` and `SPOT` | string | Provider default behavior |
 | create_launch_template | Create and use a default launch template | bool |  `false` |
 | desired\_capacity | Desired number of workers | number | `var.workers_group_defaults[asg_desired_capacity]` |
+| disk\_encrypted | Whether the root disk will be encrypyted. Requires `create_launch_template` to be `true` and `disk_kms_key_id` to be set | bool | false |
+| disk\_kms\_key\_id | KMS Key used to encrypt the root disk. Requires both `create_launch_template` and `disk_encrypted` to be `true` | string | "" |
 | disk\_size | Workers' disk size | number | Provider default behavior |
 | disk\_type | Workers' disk type. Require `create_launch_template` to be `true`| number | `gp3` |
 | ebs\_optimized | Enables/disables EBS optimization. Require `create_launch_template` to be `true` | bool | `true` if defined `instance\_types` are not present in `var.ebs\_optimized\_not\_supported` |
diff --git a/modules/node_groups/launch_template.tf b/modules/node_groups/launch_template.tf
@@ -35,6 +35,8 @@ resource "aws_launch_template" "workers" {
     ebs {
       volume_size           = lookup(each.value, "disk_size", null)
       volume_type           = lookup(each.value, "disk_type", null)
+      encrypted             = lookup(each.value, "disk_encrypted", null)
+      kms_key_id            = lookup(each.value, "disk_kms_key_id", null)
       delete_on_termination = true
     }
   }
diff --git a/modules/node_groups/locals.tf b/modules/node_groups/locals.tf
@@ -16,6 +16,8 @@ locals {
       kubelet_extra_args            = var.workers_group_defaults["kubelet_extra_args"]
       disk_size                     = var.workers_group_defaults["root_volume_size"]
       disk_type                     = var.workers_group_defaults["root_volume_type"]
+      disk_encrypted                = var.workers_group_defaults["root_encrypted"]
+      disk_kms_key_id               = var.workers_group_defaults["root_kms_key_id"]
       enable_monitoring             = var.workers_group_defaults["enable_monitoring"]
       eni_delete                    = var.workers_group_defaults["eni_delete"]
       public_ip                     = var.workers_group_defaults["public_ip"]

Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,8 @@ resource "aws_launch_template" "workers" {`
`35`	`35`	`ebs {`
`36`	`36`	`volume_size = lookup(each.value, "disk_size", null)`
`37`	`37`	`volume_type = lookup(each.value, "disk_type", null)`
	`38`	`+ encrypted = lookup(each.value, "disk_encrypted", null)`
	`39`	`+ kms_key_id = lookup(each.value, "disk_kms_key_id", null)`
`38`	`40`	`delete_on_termination = true`
`39`	`41`	`}`
`40`	`42`	`}`