Merge pull request #230 from spavuluri/encryption-support

Adding EBS encryption options

Author: eemperor

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2.0.3
+current_version = 2.1.0
 commit = True
 message = Bumps version to {new_version}
 tag = False
@@ -20,3 +20,4 @@ replace = Version: {new_version}
 [bumpversion:file:modules/win-instance/watchmaker-win-instance.template.cfn.yaml]
 search = Version: {current_version}
 replace = Version: {new_version}
+

modules/lx-autoscale/README.md

@@ -13,6 +13,7 @@ with an AWS CloudFormation template to deploy a Watchmaker Linux AutoScaling Gro
 | AppScriptShell | \(Optional\) Shell with which to execute the application script. Ignored if AppScriptUrl is blank | string | `"bash"` | no |
 | AppScriptUrl | \(Optional\) S3 URL to the application script in an S3 bucket \(s3://\). Leave blank to launch without an application script. If specified, an appropriate InstanceRole is required | string | `"null"` | no |
 | AppVolumeDevice | \(Optional\) Decision whether to mount an extra EBS volume. Leave as default \("false"\) to launch without an extra application volume | bool | `"false"` | no |
+| AppVolumeEncrypted | (Optional) Controls whether the EBS volume will be encrypted. | `bool` | `false` | no |
 | AppVolumeMountPath | \(Optional\) Filesystem path to mount the extra app volume. Ignored if AppVolumeDevice is false | string | `"/opt/data"` | no |
 | AppVolumeSize | \(Optional\) Size in GB of the EBS volume to create. Ignored if AppVolumeDevice is false | string | `"1"` | no |
 | AppVolumeSnapshotId | \(Optional\) EBS Snapshot ID from which to create the AppVolume. "AppVolumeSize" must be equal or greater than the size of the snapshot. Ignored if "AppVolumeDevice" is false | string | `"null"` | no |
@@ -46,6 +47,7 @@ with an AWS CloudFormation template to deploy a Watchmaker Linux AutoScaling Gro
 | PolicyBody | \(Optional\) String containing the stack policy body. Conflicts with PolicyUrl | string | `"null"` | no |
 | PolicyUrl | \(Optional\) URL to a file containing the stack policy. Conflicts with PolicyBody | string | `"null"` | no |
 | PypiIndexUrl | \(Optional\) URL to the PyPi Index | string | `"https://pypi.org/simple"` | no |
+| RootVolumeEncrypted | (Optional) Controls whether the root volume will be encrypted. | `bool` | `false` | no |
 | RootVolumeSize | \(Optional\) Root Volume Size in GB \*\*NOTE\*\* This value can be set larger than the default \(20GB\) but NOT smaller. If set larger than default value partition will need to be expanded manually. | string | `"20"` | no |
 | ScaleDownSchedule | \(Optional\) Scheduled Action in cron-format \(UTC\) to scale down to MinCapacity; ignored if empty or ScaleUpSchedule is unset \(E.g. "0 0 \* \* \*"\) | string | `"null"` | no |
 | ScaleUpSchedule | \(Optional\) Scheduled Action in cron-format \(UTC\) to scale up to MaxCapacity; ignored if empty or ScaleDownSchedule is unset \(E.g. "0 10 \* \* Mon-Fri"\) | string | `"null"` | no |
@@ -70,4 +72,3 @@ with an AWS CloudFormation template to deploy a Watchmaker Linux AutoScaling Gro
 | Name | Description |
 |------|-------------|
 | watchmaker-lx-autoscale | CloudFormation stack object for watchmaker-lx-autoscale |
-

modules/lx-autoscale/main.tf

@@ -23,6 +23,7 @@ resource "aws_cloudformation_stack" "watchmaker-lx-autoscale" {
     AppScriptUrl                = var.AppScriptUrl
     AppVolumeDevice             = var.AppVolumeDevice
     AppVolumeMountPath          = var.AppVolumeMountPath
+    AppVolumeEncrypted          = var.AppVolumeEncrypted
     AppVolumeSize               = var.AppVolumeSize
     AppVolumeSnapshotId         = var.AppVolumeSnapshotId
     AppVolumeType               = var.AppVolumeType
@@ -48,6 +49,7 @@ resource "aws_cloudformation_stack" "watchmaker-lx-autoscale" {
     NoUpdates                   = var.NoUpdates
     PatchGroup                  = var.PatchGroup
     PypiIndexUrl                = var.PypiIndexUrl
+    RootVolumeEncrypted         = var.RootVolumeEncrypted
     RootVolumeSize              = var.RootVolumeSize
     ScaleDownSchedule           = var.ScaleDownSchedule
     ScaleUpSchedule             = var.ScaleUpSchedule

modules/lx-autoscale/variables.tf

@@ -55,6 +55,12 @@ variable "PolicyUrl" {
   default     = null
 }
 
+variable "RootVolumeEncrypted" {
+  type        = bool
+  description = "(Optional) Controls whether the root volume will be encrypted"
+  default     = false
+}
+
 variable "RootVolumeSize" {
   type        = string
   description = "(Optional) Root Volume Size in GB **NOTE** This value can be set larger than the default (20GB) but NOT smaller. If set larger than default value partition will need to be expanded manually."
@@ -107,6 +113,12 @@ variable "AppVolumeDevice" {
   default     = false
 }
 
+variable "AppVolumeEncrypted" {
+  type        = bool
+  description = "(Optional) Controls whether the EBS volume will be encrypted"
+  default     = false
+}
+
 variable "AppVolumeMountPath" {
   type        = string
   description = "(Optional) Filesystem path to mount the extra app volume. Ignored if AppVolumeDevice is false"

modules/lx-autoscale/watchmaker-lx-autoscale.params.cfn.yaml

@@ -10,6 +10,8 @@
   ParameterValue: __APPSCRIPTURL__
 - ParameterKey: AppVolumeDevice
   ParameterValue: __APPVOLUMEDEVICE__
+- ParameterKey: AppVolumeEncrypted
+  ParameterValue: __APPVOLUMEENCRYPTED__
 - ParameterKey: AppVolumeMountPath
   ParameterValue: __APPVOLUMEMOUNTPATH__
 - ParameterKey: AppVolumeSize
@@ -58,6 +60,8 @@
   ParameterValue: __PATCHGROUP__
 - ParameterKey: PypiIndexUrl
   ParameterValue: __PYPIINDEXURL__
+- ParameterKey: RootVolumeEncrypted
+  ParameterValue: __ROOTVOLUMEENCRYPTED__
 - ParameterKey: RootVolumeSize
   ParameterValue: __ROOTVOLUMESIZE__
 - ParameterKey: SecurityGroupIds

modules/lx-autoscale/watchmaker-lx-autoscale.template.cfn.yaml

@@ -144,6 +144,7 @@ Metadata:
           - NoReboot
           - NoUpdates
           - PatchGroup
+          - RootVolumeEncrypted
           - RootVolumeSize
           - SecurityGroupIds
       - Label:
@@ -168,6 +169,7 @@ Metadata:
           default: EC2 Application EBS Volume
         Parameters:
           - AppVolumeDevice
+          - AppVolumeEncrypted
           - AppVolumeMountPath
           - AppVolumeSize
           - AppVolumeSnapshotId
@@ -205,7 +207,7 @@ Metadata:
         default: Force Cfn Init Update
       ToggleNewInstances:
         default: Force New Instances
-  Version: 2.0.3
+  Version: 2.1.0
 Outputs:
   ScaleDownScheduledAction:
     Condition: UseScheduledAction
@@ -268,6 +270,14 @@ Parameters:
       Decision whether to mount an extra EBS volume. Leave as default ("false")
       to launch without an extra application volume
     Type: String
+  AppVolumeEncrypted:
+    AllowedValues:
+      - 'false'
+      - 'true'
+    Default: 'false'
+    Description: >-
+      Controls whether to encrypt the EBS volume.
+    Type: String
   AppVolumeMountPath:
     AllowedPattern: /.*
     Default: /opt/data
@@ -441,6 +451,14 @@ Parameters:
     Default: 'https://pypi.org/simple'
     Description: URL to the PyPi Index
     Type: String
+  RootVolumeEncrypted:
+    AllowedValues:
+      - 'false'
+      - 'true'
+    Default: 'false'
+    Description: >-
+      Controls whether to encrypt the root volume.
+    Type: String
   RootVolumeSize:
     Default: "20"
     Description: >-
@@ -946,13 +964,15 @@ Resources:
             - local_Distro2RootDevice: !FindInMap [Distro2RootDevice, !Ref AmiDistro, DeviceName]
           Ebs:
             DeleteOnTermination: true
+            Encrypted: !Ref RootVolumeEncrypted
             VolumeSize: !Ref RootVolumeSize
             VolumeType: gp2
         - !If
           - CreateAppVolume
           - DeviceName: /dev/xvdf
             Ebs:
               DeleteOnTermination: true
+              Encrypted: !Ref AppVolumeEncrypted
               SnapshotId: !If
                 - UseAppVolumeSnapshot
                 - !Ref AppVolumeSnapshotId

modules/lx-instance/README.md

@@ -30,6 +30,7 @@ with an AWS CloudFormation template to deploy a Watchmaker Linux Instance.
 | AppScriptShell | (Optional) Shell with which to execute the application script. Ignored if AppScriptUrl is blank | `string` | `"bash"` | no |
 | AppScriptUrl | (Optional) S3 URL to the application script in an S3 bucket (s3://). Leave blank to launch without an application script. If specified, an appropriate InstanceRole is required | `string` | `null` | no |
 | AppVolumeDevice | (Optional) Decision whether to mount an extra EBS volume. Leave as default (false) to launch without an extra application volume | `bool` | `false` | no |
+| AppVolumeEncrypted | (Optional) Controls whether the EBS volume will be encrypted. When KmsKeyId is specified, EBS encryption will be done using that, otherwise encrypted using AWS managed CMK | `bool` | `false` | no |
 | AppVolumeMountPath | (Optional) Filesystem path to mount the extra app volume. Ignored if AppVolumeDevice is false | `string` | `"/opt/data"` | no |
 | AppVolumeSize | (Optional) Size in GB of the EBS volume to create. Ignored if AppVolumeDevice is false | `string` | `"1"` | no |
 | AppVolumeSnapshotId | (Optional) EBS Snapshot ID from which to create the AppVolume. "AppVolumeSize" must be equal or greater than the size of the snapshot. Ignored if "AppVolumeDevice" is false | `string` | `null` | no |
@@ -45,6 +46,7 @@ with an AWS CloudFormation template to deploy a Watchmaker Linux Instance.
 | IamRoleArn | (Optional) The ARN of an IAM role that AWS CloudFormation assumes to create the stack. If you don't specify a value, AWS CloudFormation uses the role that was previously associated with the stack. If no role is available, AWS CloudFormation uses a temporary session that is generated from your user credentials | `string` | `null` | no |
 | InstanceRole | (Optional) IAM instance role to apply to the instance | `string` | `null` | no |
 | InstanceType | (Optional) Amazon EC2 instance type | `string` | `"t2.micro"` | no |
+| KmsKeyId | (Optional) Identifier (key ID, key alias, ID ARN, or alias ARN) for a customer managed CMK under which the EBS volume is encrypted. If this is unspecified and encryption is requested, AWS managed CMK for EBS is used to encrypt the volume | `string` | `null` | no |
 | NoPublicIp | (Optional) Controls whether to assign the instance a public IP. Recommended to leave at true _unless_ launching in a public subnet | `bool` | `true` | no |
 | NoReboot | (Optional) Controls whether to reboot the instance as the last step of cfn-init execution | `bool` | `false` | no |
 | NoUpdates | (Optional) Controls whether to run yum update during a stack update (On the initial instance launch, Watchmaker _always_ installs updates) | `bool` | `false` | no |
@@ -55,6 +57,7 @@ with an AWS CloudFormation template to deploy a Watchmaker Linux Instance.
 | PolicyUrl | (Optional) URL to a file containing the stack policy. Conflicts with PolicyBody | `string` | `null` | no |
 | PrivateIp | (Optional) Set a static, primary private IP. Leave blank to auto-select a free IP | `string` | `null` | no |
 | PypiIndexUrl | (Optional) URL to the PyPi Index | `string` | `"https://pypi.org/simple"` | no |
+| RootVolumeEncrypted | (Optional) Controls whether the root volume will be encrypted. When KmsKeyId is specified, EBS encryption will be done using that, otherwise encrypted using AWS managed CMK | `bool` | `false` | no |
 | RootVolumeSize | (Optional) Root Volume Size in GB **NOTE** This value can be set larger than the default (20GB) but NOT smaller. If set larger than default value partition will need to be expanded manually. | `string` | `"20"` | no |
 | StackTags | (Optional) A map of tag keys/values to associate with this stack | `map(string)` | `{}` | no |
 | TimeoutInMinutes | (Optional) The amount of time that can pass before the stack status becomes CREATE\_FAILED | `string` | `"30"` | no |

modules/lx-instance/main.tf

@@ -22,6 +22,7 @@ resource "aws_cloudformation_stack" "watchmaker-lx-instance" {
     AppScriptShell          = var.AppScriptShell
     AppScriptUrl            = var.AppScriptUrl
     AppVolumeDevice         = var.AppVolumeDevice
+    AppVolumeEncrypted      = var.AppVolumeEncrypted
     AppVolumeMountPath      = var.AppVolumeMountPath
     AppVolumeSize           = var.AppVolumeSize
     AppVolumeSnapshotId     = var.AppVolumeSnapshotId
@@ -36,12 +37,14 @@ resource "aws_cloudformation_stack" "watchmaker-lx-instance" {
     InstanceRole            = var.InstanceRole
     InstanceType            = var.InstanceType
     KeyPairName             = var.KeyPairName
+    KmsKeyId                = var.KmsKeyId
     NoPublicIp              = var.NoPublicIp
     NoReboot                = var.NoReboot
     NoUpdates               = var.NoUpdates
     PatchGroup              = var.PatchGroup
     PrivateIp               = var.PrivateIp
     PypiIndexUrl            = var.PypiIndexUrl
+    RootVolumeEncrypted     = var.RootVolumeEncrypted
     RootVolumeSize          = var.RootVolumeSize
     SecurityGroupIds        = var.SecurityGroupIds
     SubnetId                = var.SubnetId

modules/lx-instance/variables.tf

@@ -55,6 +55,12 @@ variable "PolicyUrl" {
   default     = null
 }
 
+variable "RootVolumeEncrypted" {
+  type        = bool
+  description = "(Optional) Controls whether the root volume will be encrypted. When KmsKeyId is specified, EBS encryption will be done using that, otherwise encrypted using AWS managed CMK"
+  default     = false
+}
+
 variable "RootVolumeSize" {
   type        = string
   description = "(Optional) Root Volume Size in GB **NOTE** This value can be set larger than the default (20GB) but NOT smaller. If set larger than default value partition will need to be expanded manually."
@@ -107,6 +113,12 @@ variable "AppVolumeDevice" {
   default     = false
 }
 
+variable "AppVolumeEncrypted" {
+  type        = bool
+  description = "(Optional) Controls whether the EBS volume will be encrypted. When KmsKeyId is specified, EBS encryption will be done using that, otherwise encrypted using AWS managed CMK"
+  default     = false
+}
+
 variable "AppVolumeMountPath" {
   type        = string
   description = "(Optional) Filesystem path to mount the extra app volume. Ignored if AppVolumeDevice is false"
@@ -148,6 +160,12 @@ variable "InstanceRole" {
   default     = null
 }
 
+variable "KmsKeyId" {
+  type        = string
+  description = "(Optional) Identifier (key ID, key alias, ID ARN, or alias ARN) for a customer managed CMK under which the EBS volume is encrypted. If this is unspecified and encryption is requested, AWS managed CMK for EBS is used to encrypt the volume"
+  default     = null
+}
+
 variable "PrivateIp" {
   type        = string
   description = "(Optional) Set a static, primary private IP. Leave blank to auto-select a free IP"

modules/lx-instance/watchmaker-lx-instance.params.cfn.yaml

@@ -10,6 +10,8 @@
   ParameterValue: __APPSCRIPTURL__
 - ParameterKey: AppVolumeDevice
   ParameterValue: __APPVOLUMEDEVICE__
+- ParameterKey: AppVolumeEncrypted
+  ParameterValue: __APPVOLUMEENCRYPTED__
 - ParameterKey: AppVolumeMountPath
   ParameterValue: __APPVOLUMEMOUNTPATH__
 - ParameterKey: AppVolumeSize
@@ -34,6 +36,8 @@
   ParameterValue: __INSTANCETYPE__
 - ParameterKey: KeyPairName
   ParameterValue: __KEYPAIRNAME__
+- ParameterKey: KmsKeyId
+  ParameterValue: __KMSKEYID__
 - ParameterKey: NoPublicIp
   ParameterValue: __NOPUBLICIP__
 - ParameterKey: NoReboot
@@ -46,6 +50,8 @@
   ParameterValue: __PRIVATEIP__
 - ParameterKey: PypiIndexUrl
   ParameterValue: __PYPIINDEXURL__
+- ParameterKey: RootVolumeEncrypted
+  ParameterValue: __ROOTVOLUMEENCRYPTED__
 - ParameterKey: RootVolumeSize
   ParameterValue: __ROOTVOLUMESIZE__
 - ParameterKey: SecurityGroupIds