From 17030b3bdb997b8d5c64ec19b48e94da12f1be84 Mon Sep 17 00:00:00 2001
From: Abhinav Dahiya
Date: Fri, 13 Mar 2020 17:02:26 -0700
Subject: [PATCH] aws: allow users to set the KMS key id for encrypting EBS volumes
Users can provide the KMS Key ARN which should be used to encrypt the EBS volumes otherwise the default KMS key for the region will be used.
---
 docs/user/aws/customization.md | 6 ++++++
 pkg/asset/machines/aws/machines.go | 2 ++
 pkg/types/aws/machinepool.go | 9 +++++++++
 3 files changed, 17 insertions(+)
diff --git a/docs/user/aws/customization.md b/docs/user/aws/customization.md
index 2258127aab..c63e73c685 100644
--- a/docs/user/aws/customization.md
+++ b/docs/user/aws/customization.md
@@ -20,6 +20,9 @@ Beyond the [platform-agnostic `install-config.yaml` properties](../customization
 This is only valid for `type` `io1`.
 * `size` (optional integer): Size of the root volume in gibibytes (GiB).
 * `type` (optional string): The [type of volume][volume-type].
+ * `kmsKeyARN` (optional string): The [ARN of KMS key][ebs-kms-key] that should be used to encrypt the EBS volume.
+ When no key is specified by user, the account's [default KMS Key][kms-key-default] for the region will be used.
+ Example ARN values are: `arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab` or `arn:aws:kms:us-east-1:111122223333:alias/my-key`
 * `type` (optional string): The [EC2 instance type][instance-type].
 * `zones` (optional array of strings): The availability zones used for machines in the pool.
@@ -68,6 +71,7 @@ compute:
 iops: 4000
 size: 500
 type: io1
+ kmsKeyARN: arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
 type: c5.9xlarge
 zones:
 - us-west-2c
@@ -83,5 +87,7 @@ sshKey: ssh-ed25519 AAAA...
 [availablity-zones]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html
 [instance-type]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html
+[kms-key-default]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetEbsDefaultKmsKeyId.html
+[kms-key]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
 [volume-iops]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-io-characteristics.html
 [volume-type]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html
diff --git a/pkg/asset/machines/aws/machines.go b/pkg/asset/machines/aws/machines.go
index ba05751a98..5dbdd60d54 100644
--- a/pkg/asset/machines/aws/machines.go
+++ b/pkg/asset/machines/aws/machines.go
@@ -97,6 +97,8 @@ func provider(clusterID string, region string, subnet string, instanceType strin
 VolumeType: pointer.StringPtr(root.Type),
 VolumeSize: pointer.Int64Ptr(int64(root.Size)),
 Iops: pointer.Int64Ptr(int64(root.IOPS)),
+ Encrypted: pointer.BoolPtr(true),
+ KMSKey: awsprovider.AWSResourceReference{ARN: pointer.StringPtr(root.KMSKeyARN)},
 },
 },
 },
diff --git a/pkg/types/aws/machinepool.go b/pkg/types/aws/machinepool.go
index 9e118fecc7..8453f8e984 100644
--- a/pkg/types/aws/machinepool.go
+++ b/pkg/types/aws/machinepool.go
@@ -37,6 +37,9 @@ func (a *MachinePool) Set(required *MachinePool) {
 if required.EC2RootVolume.Type != "" {
 a.EC2RootVolume.Type = required.EC2RootVolume.Type
 }
+ if required.EC2RootVolume.KMSKeyARN != "" {
+ a.EC2RootVolume.KMSKeyARN = required.EC2RootVolume.KMSKeyARN
+ }
 }
 // EC2RootVolume defines the storage for an ec2 instance.
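Review bot: `KMSKey: awsprovider.AWSResourceReference{ARN: pointer.StringPtr(root.KMSKeyARN)}` always populates ARN, so when the user leaves `kmsKeyARN` unset the provider spec carries a pointer to the empty string instead of a nil reference. Unless the machine-api provider treats `""` as "no key" (not visible here), that is forwarded as an empty KmsKeyId, and the fallback to the default key that the commit message promises rests on downstream handling rather than on this code. Building the reference only when the ARN is non-empty keeps the unset case unambiguous; the declaration below has to be placed before the block-device literal, which opens outside this hunk, as does the body of `provider`. Since `Encrypted: pointer.BoolPtr(true)` now turns encryption on for every root volume whether or not a key was given, that behaviour change deserves a sentence in the commit message and in the docs hunk as well.
```go
	// Leave ARN nil when no key was requested so the unset case is not sent as an empty KmsKeyId.
	var kmsKey awsprovider.AWSResourceReference
	if root.KMSKeyARN != "" {
		kmsKey.ARN = pointer.StringPtr(root.KMSKeyARN)
	}
	// … unchanged: block-device literal up to Iops …
					Encrypted: pointer.BoolPtr(true),
					KMSKey:    kmsKey,
```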
@@ -48,4 +51,10 @@ type EC2RootVolume struct {
 Size int `json:"size"`
 // Type defines the type of the volume.
 Type string `json:"type"`
+
+ // The KMS key that will be used to encrypt the EBS volume.
+ // If no key is provided the default KMS key for the account will be used.
+ // https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetEbsDefaultKmsKeyId.html
+ // +optional
+ KMSKeyARN string `json:"kmsKeyARN,omitempty"`
 }
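Review bot: Nothing in this patch validates `KMSKeyARN`: the diffstat touches only the docs, the machine asset and this type, so a typo or a value that is not an ARN at all (a bare key id or `alias/...` without the `arn:` prefix) is accepted from `install-config.yaml` and only fails once the machine-api provider tries to create the volume. If the installer's machine-pool validation lives in a sibling file, a minimal check that a non-empty value starts with `arn:` would surface the mistake at install-config time instead. The doc comment also does not follow the Go convention of opening with the field name, and it says "default KMS key for the account" while the docs hunk says "for the region"; `// KMSKeyARN is the ARN of the KMS key used to encrypt the EBS volume. When empty, the account's default EBS encryption key for the region is used.` would keep the two in step.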