diff --git a/docs/user/aws/customization.md b/docs/user/aws/customization.md
index 2258127aab..c63e73c685 100644
--- a/docs/user/aws/customization.md
+++ b/docs/user/aws/customization.md
@@ -20,6 +20,9 @@ Beyond the [platform-agnostic `install-config.yaml` properties](../customization
 This is only valid for `type` `io1`.
 * `size` (optional integer): Size of the root volume in gibibytes (GiB).
 * `type` (optional string): The [type of volume][volume-type].
+ * `kmsKeyARN` (optional string): The [ARN of KMS key][ebs-kms-key] that should be used to encrypt the EBS volume.
+ When no key is specified by user, the account's [default KMS Key][kms-key-default] for the region will be used.
+ Example ARN values are: `arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab` or `arn:aws:kms:us-east-1:111122223333:alias/my-key`
 * `type` (optional string): The [EC2 instance type][instance-type].
 * `zones` (optional array of strings): The availability zones used for machines in the pool.
@@ -68,6 +71,7 @@ compute:
 iops: 4000
 size: 500
 type: io1
+ kmsKeyARN: arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
 type: c5.9xlarge
 zones:
 - us-west-2c
@@ -83,5 +87,7 @@ sshKey: ssh-ed25519 AAAA...
 [availablity-zones]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html
 [instance-type]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html
+[kms-key-default]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetEbsDefaultKmsKeyId.html
+[kms-key]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
 [volume-iops]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-io-characteristics.html
 [volume-type]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html
diff --git a/pkg/asset/machines/aws/machines.go b/pkg/asset/machines/aws/machines.go
index ba05751a98..5dbdd60d54 100644
--- a/pkg/asset/machines/aws/machines.go
+++ b/pkg/asset/machines/aws/machines.go
@@ -97,6 +97,8 @@ func provider(clusterID string, region string, subnet string, instanceType strin
 VolumeType: pointer.StringPtr(root.Type),
 VolumeSize: pointer.Int64Ptr(int64(root.Size)),
 Iops: pointer.Int64Ptr(int64(root.IOPS)),
+ Encrypted: pointer.BoolPtr(true),
+ KMSKey: awsprovider.AWSResourceReference{ARN: pointer.StringPtr(root.KMSKeyARN)},
 },
 },
 },
diff --git a/pkg/types/aws/machinepool.go b/pkg/types/aws/machinepool.go
index 9e118fecc7..8453f8e984 100644
--- a/pkg/types/aws/machinepool.go
+++ b/pkg/types/aws/machinepool.go
@@ -37,6 +37,9 @@ func (a *MachinePool) Set(required *MachinePool) {
 if required.EC2RootVolume.Type != "" {
 a.EC2RootVolume.Type = required.EC2RootVolume.Type
 }
+ if required.EC2RootVolume.KMSKeyARN != "" {
+ a.EC2RootVolume.KMSKeyARN = required.EC2RootVolume.KMSKeyARN
+ }
 }
 // EC2RootVolume defines the storage for an ec2 instance.
@@ -48,4 +51,10 @@ type EC2RootVolume struct {
 Size int `json:"size"`
 // Type defines the type of the volume.
 Type string `json:"type"`
+
+ // The KMS key that will be used to encrypt the EBS volume.
+ // If no key is provided the default KMS key for the account will be used.
+ // https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetEbsDefaultKmsKeyId.html
+ // +optional
+ KMSKeyARN string `json:"kmsKeyARN,omitempty"`
 }
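Review bot: When `root.KMSKeyARN` is empty, the new `KMSKey` line still sends a non-nil `ARN` pointing at `""` rather than an unset reference, so whether the provider falls back to the account's default EBS key (as the new `KMSKeyARN` doc comment promises) depends on how the machine-api controller treats an empty ARN, which is not visible here. Safer to build the reference only when a key is configured: before the literal, `kmsKey := awsprovider.AWSResourceReference{}` followed by `if root.KMSKeyARN != "" { kmsKey.ARN = pointer.StringPtr(root.KMSKeyARN) }`, and then `KMSKey: kmsKey,` in the literal. `Encrypted: pointer.BoolPtr(true)` being unconditional is the right default; a short comment such as `// Root volumes are always encrypted; only the key is configurable.` would make that intent explicit for the next reader. provider's body starts and ends outside this hunk.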
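Review bot: The new field's doc comment does not open with the field name, unlike the sibling `// Type defines the type of the volume.`; prefer `// KMSKeyARN is the ARN of the KMS key used to encrypt the EBS root volume.` as its first line. Its second line says the default key is per account, while the customization.md hunk in this commit says per region (the EBS default key is chosen per account and region, and that markdown also links `[ebs-kms-key]` but only defines `[kms-key]`); `// If no key is provided, the account's default EBS KMS key for the region will be used.` keeps them in agreement. No validation of the value is part of this commit, so a malformed ARN would only surface when the machine-api provider calls EC2 rather than at install-config validation; a check that a non-empty value parses as an ARN (aws-sdk-go's `arn.IsARN` would do) in the aws platform validation would catch it early. The preceding `Set` hunk copies the field consistently with the other volume fields.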