From 6db11d5908ff3e41a291e534598e6216af8eeb49 Mon Sep 17 00:00:00 2001
From: Dalton Hubble
Date: Wed, 7 Aug 2019 20:56:55 -0700
Subject: [PATCH] Enable AWS root block device encryption by default
* terraform-provider-aws v2.23.0 allows AWS root block devices to enable encryption by default.
* Require updating terraform-provider-aws to v2.23.0 or higher
* Enable root EBS device encryption by default for controller instances and worker instances in auto-scaling groups
For comparison:
* Google Cloud persistent disks have been encrypted by default for years
* Azure managed disk encryption is not ready yet (#486)
---
CHANGES.md | 5 +++++
aws/container-linux/kubernetes/controllers.tf | 1 +
aws/container-linux/kubernetes/versions.tf | 2 +-
aws/container-linux/kubernetes/workers/workers.tf | 1 +
aws/fedora-coreos/kubernetes/controllers.tf | 1 +
aws/fedora-coreos/kubernetes/versions.tf | 2 +-
aws/fedora-coreos/kubernetes/workers/workers.tf | 1 +
7 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index 6c6768d6..70b62cda 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -4,6 +4,11 @@ Notable changes between versions.
 ## Latest
+#### AWS
+
+* Enable root block device encryption by default ([#527](https://github.com/poseidon/typhoon/pull/527))
+ * Require `terraform-provider-aws` v2.23+ (**action required**)
+
 #### Addons * Update kube-state-metrics from v1.7.1 to v1.7.2
diff --git a/aws/container-linux/kubernetes/controllers.tf b/aws/container-linux/kubernetes/controllers.tf
index c0553eb9..75e28c83 100644
--- a/aws/container-linux/kubernetes/controllers.tf
+++ b/aws/container-linux/kubernetes/controllers.tf
@@ -31,6 +31,7 @@ resource "aws_instance" "controllers" {
 volume_type = var.disk_type
 volume_size = var.disk_size
 iops = var.disk_iops
+ encrypted = true
 } # network
diff --git a/aws/container-linux/kubernetes/versions.tf b/aws/container-linux/kubernetes/versions.tf
index 62ed9ebf..5f5ac8a2 100644
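Review bot: The new `encrypted = true` on the controller `root_block_device` changes a root-volume attribute of an existing `aws_instance`, which the AWS provider has historically treated as a replacement (ForceNew) rather than an in-place update — confirm with `terraform plan` — so applying this to a running cluster would recreate every controller, and with it the etcd members those controllers host. The changelog entry in this commit flags only the provider version bump as action required; the controller-replacement risk deserves the same call-out, e.g. `* Existing clusters: enabling root volume encryption may replace controller instances; review the plan before applying` under the AWS entry. Separately, no `kms_key_id` accompanies `encrypted`, so the volume is presumably encrypted with the account's AWS-managed default EBS key, which cannot be constrained by a customer key policy; an optional `kms_key_id = var.disk_kms_key_id` (defaulting to null) would let operators pin a customer-managed key without changing the default. The `root_block_device` block and the enclosing resource start before this hunk.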
--- a/aws/container-linux/kubernetes/versions.tf
+++ b/aws/container-linux/kubernetes/versions.tf
@@ -3,7 +3,7 @@ terraform {
 required_version = "~> 0.12.0"
 required_providers {
- aws = "~> 2.7"
+ aws = "~> 2.23"
 ct = "~> 0.3"
 template = "~> 2.1"
 null = "~> 2.1"
diff --git a/aws/container-linux/kubernetes/workers/workers.tf b/aws/container-linux/kubernetes/workers/workers.tf
index d470b540..5effb789 100644
--- a/aws/container-linux/kubernetes/workers/workers.tf
+++ b/aws/container-linux/kubernetes/workers/workers.tf
@@ -56,6 +56,7 @@ resource "aws_launch_configuration" "worker" {
 volume_type = var.disk_type
 volume_size = var.disk_size
 iops = var.disk_iops
+ encrypted = true
 } # network
diff --git a/aws/fedora-coreos/kubernetes/controllers.tf b/aws/fedora-coreos/kubernetes/controllers.tf
index 821ad648..97e792d8 100644
--- a/aws/fedora-coreos/kubernetes/controllers.tf
+++ b/aws/fedora-coreos/kubernetes/controllers.tf
@@ -31,6 +31,7 @@ resource "aws_instance" "controllers" {
 volume_type = var.disk_type
 volume_size = var.disk_size
 iops = var.disk_iops
+ encrypted = true
 } # network
diff --git a/aws/fedora-coreos/kubernetes/versions.tf b/aws/fedora-coreos/kubernetes/versions.tf
index 5694dd11..83532feb 100644
--- a/aws/fedora-coreos/kubernetes/versions.tf
+++ b/aws/fedora-coreos/kubernetes/versions.tf
@@ -3,7 +3,7 @@ terraform {
 required_version = "~> 0.12.0"
 required_providers {
- aws = "~> 2.7"
+ aws = "~> 2.23"
 ct = "~> 0.4"
 template = "~> 2.1"
 null = "~> 2.1"
diff --git a/aws/fedora-coreos/kubernetes/workers/workers.tf b/aws/fedora-coreos/kubernetes/workers/workers.tf
index f59e114f..4ea1dec0 100644
--- a/aws/fedora-coreos/kubernetes/workers/workers.tf
+++ b/aws/fedora-coreos/kubernetes/workers/workers.tf
@@ -56,6 +56,7 @@ resource "aws_launch_configuration" "worker" {
 volume_type = var.disk_type
 volume_size = var.disk_size
 iops = var.disk_iops
+ encrypted = true
 } # network
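Review bot: In the `aws_launch_configuration` `worker` hunks, `encrypted = true` only affects instances launched from the new launch configuration; workers already running in the auto-scaling group keep their unencrypted root volumes until they are terminated and replaced, and nothing in this change cycles them. That gap belongs next to the attribute, e.g. `# applies to newly launched workers only; existing instances keep their current root volume`, and ideally in CHANGES.md so operators do not assume an apply retroactively encrypts the fleet. As with the controllers, no `kms_key_id` is set, so the AWS-managed default EBS key is presumably used; an optional `kms_key_id = var.disk_kms_key_id` would let operators choose a customer-managed key. The enclosing `root_block_device` block and resource begin before the hunk.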