Update Terraform variables to enable host-level encryption

.ado/pipelines/config/variables-values-e2e.yaml

@@ -6,6 +6,11 @@ variables:
 - name:  'prefix'
   value: 'mce2e'          # <===== CHANGE THIS! Must not be longer than 6 characters! Needs to be a unique prefix
 
+# Host-encryption for compute resources (needs to be enabled on subscription-level)
+# https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disks-enable-host-based-encryption-cli
+- name: 'enableHostEncryption'
+  value: 'true'           # <===== CHANGE THIS! Set to 'true' to enable host encryption
+
 # The first value in 'stampLocations' is the primary region used for global services.
 # IMPORTANT! Changing the primary region (first value) is a BREAKING change and will destroy CosmosDB and Front Door.
 # Check which regions are valid. There is a list in /src/infra/README.md

.ado/pipelines/config/variables-values-int.yaml

@@ -6,6 +6,11 @@ variables:
 - name:  'prefix'
   value: 'mcint'          # <===== CHANGE THIS! Must not be longer than 6 characters! Needs to be a unique prefix
 
+# Host-encryption for compute resources (needs to be enabled on subscription-level)
+# https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disks-enable-host-based-encryption-cli
+- name: 'enableHostEncryption'
+  value: 'true'           # <===== CHANGE THIS! Set to 'true' to enable host encryption
+
 # The first value in 'stampLocations' is the primary region used for global services.
 # IMPORTANT! Changing the primary region (first value) is a BREAKING change and will destroy CosmosDB and Front Door.
 - name: 'stampLocations'

.ado/pipelines/config/variables-values-prod.yaml

@@ -6,7 +6,11 @@ variables:
 - name:  'prefix'
   value: 'afprod'          # <===== CHANGE THIS! Must not be longer than 6 characters! Needs to be a unique prefix
 
-
+# Host-encryption for compute resources (needs to be enabled on subscription-level)
+# https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disks-enable-host-based-encryption-cli
+- name: 'enableHostEncryption'
+  value: 'true'           # <===== CHANGE THIS! Set to 'true' to enable host encryption
+
 # The first value in 'stampLocations' is the primary region used for global services.
 # IMPORTANT! Changing the primary region (first value) is a BREAKING change and will destroy CosmosDB and Front Door.
 - name: 'stampLocations'

.ado/pipelines/templates/steps-terraform-apply.yaml

@@ -33,6 +33,7 @@ steps:
       terraform plan -input=false -out=tf_plan \
                      -var=environment="$(environment)" \
                      -var=prefix="${{ parameters.customPrefix }}" \
+                     -var=aks_enable_host_encryption="$(enableHostEncryption)" \
                      -var-file="variables-$(environment).tfvars" \
                      ${{ parameters.customAttributes }}
 

docs/reference-implementation/Getting-Started-CLI.md

@@ -206,12 +206,13 @@ Modify the respective file for the environment which you want to deploy. At leas
 
 | Required to modify | Key | Description | Sample value |
 | --- | --- | --- | --- |
-| **YES** | prefix | Custom prefix used for Azure resources. **Must not be longer than 6 characters!** | mye2e |
-| **YES** | contactEmail | E-mail alias used for alerting. **Be careful which address you put in here as it will potentially receive a lot of notification emails** | alwaysonappnet@example.com |
-| NO | terraformResourceGroup | Resource Group where the Terraform state Storage account will be deployed | terraformstate-rg |
-| NO | stampLocations | List of locations (Azure Regions) where this environment will be deployed into. You can keep the default to start with.  | ["northeurope", "eastus2"] |
-| NO | envDnsZoneRG | OPTIONAL: Name of the Azure Resource group which holds the Azure DNS Zone for your custom domain. Not required if you do not plan to use a custom DNS name | mydns-rg |
-| NO | envDomainName | OPTIONAL: Name of the Azure DNS Zone. Not required if you do not plan to use a custom DNS name | example.com |
+| **YES** | `prefix` | Custom prefix used for Azure resources. **Must not be longer than 6 characters!** | `mye2e` |
+| **YES** | `contactEmail` | E-mail alias used for alerting. **Be careful which address you put in here as it will potentially receive a lot of notification emails** | `alwaysonappnet@example.com` |
+| NO | `terraformResourceGroup` | Resource Group where the Terraform state Storage account will be deployed | `terraformstate-rg` |
+| NO | `stampLocations` | List of locations (Azure Regions) where this environment will be deployed into. You can keep the default to start with.  | `["northeurope", "eastus2"]` |
+| NO | `envDnsZoneRG` | OPTIONAL: Name of the Azure Resource group which holds the Azure DNS Zone for your custom domain. Not required if you do not plan to use a custom DNS name | `mydns-rg` |
+| NO | `envDomainName` | OPTIONAL: Name of the Azure DNS Zone. Not required if you do not plan to use a custom DNS name | `example.com` |
+| NO | `enableHostEncryption` | Enable or disable host-encryption for compute resources (needs to be enabled per-subscription) | `true` |
 
 **After modifying the file, make sure to commit and push the changes to your Git repository.**
 

docs/reference-implementation/Getting-Started.md

@@ -185,12 +185,13 @@ Modify the respective file for the environment which you want to deploy. At leas
 
 | Required to modify | Key | Description | Sample value |
 | --- | --- | --- | --- |
-| **YES** | prefix | Custom prefix used for Azure resources. **Must not be longer than 6 characters!** | mye2e |
-| **YES** | contactEmail | E-mail alias used for alerting. **Be careful which address you put in here as it will potentially receive a lot of notification emails** | `alwaysonappnet@example.com` |
-| NO | terraformResourceGroup | Resource Group where the Terraform state Storage account will be deployed | terraformstate-rg |
-| NO | stampLocations | List of locations (Azure Regions) where this environment will be deployed into. You can keep the default to start with.  | ["northeurope", "eastus2"] |
-| NO | envDnsZoneRG | OPTIONAL: Name of the Azure Resource group which holds the Azure DNS Zone for your custom domain. Not required if you do not plan to use a custom DNS name | mydns-rg |
-| NO | envDomainName | OPTIONAL: Name of the Azure DNS Zone. Not required if you do not plan to use a custom DNS name | example.com |
+| **YES** | `prefix` | Custom prefix used for Azure resources. **Must not be longer than 6 characters!** | `mye2e` |
+| **YES** | `contactEmail` | E-mail alias used for alerting. **Be careful which address you put in here as it will potentially receive a lot of notification emails** | `alwaysonappnet@example.com` |
+| NO | `terraformResourceGroup` | Resource Group where the Terraform state Storage account will be deployed | `terraformstate-rg` |
+| NO | `stampLocations` | List of locations (Azure Regions) where this environment will be deployed into. You can keep the default to start with.  | `["northeurope", "eastus2"]` |
+| NO | `envDnsZoneRG` | OPTIONAL: Name of the Azure Resource group which holds the Azure DNS Zone for your custom domain. Not required if you do not plan to use a custom DNS name | `mydns-rg` |
+| NO | `envDomainName` | OPTIONAL: Name of the Azure DNS Zone. Not required if you do not plan to use a custom DNS name | example.com |
+| NO | `enableHostEncryption` | Enable or disable host-encryption for compute resources (needs to be enabled per-subscription) | `true` |
 
 **After modifying the file, make sure to commit and push the changes to your Git repository.**
 

docs/reference-implementation/Troubleshooting.md

@@ -83,13 +83,15 @@ Location: SwedenCentral, Current Limit: 100, Current Usage: 96, Additional Requi
 │  }
 ```
 
-**Description:** Host encryption needs to be enabled at subscription-level when `aks_enable_host_encryption` is set to `true` in `variables-<env>.tf`.
+**Description:** Host encryption needs to be enabled at subscription-level when `enableHostEncryption` is set to `true` in `variables-values-<env>.yaml` in `.ado/pipelines/config`.
 
 **Solution:**
 
 Host encryption needs to be enabled at subscription-level: [Use the Azure CLI to enable end-to-end encryption using encryption at host
 ](https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disks-enable-host-based-encryption-cli)
 
+If you don't want to use Host-encryption, you can disable it by setting `enableHostEncryption` to `false` in `variables-values-<env>.yaml` in `.ado/pipelines/config`.
+
 ---
 
 **Error:**

src/infra/workload/releaseunit/variables-e2e.tfvars

@@ -1,9 +1,6 @@
 # Variable file for E2E env
 vnet_address_space = "10.1.0.0/18" # /18 allows for up to 4 stamps
 
-# host encryption needs to be enabled at subscription-level https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disks-enable-host-based-encryption-cli
-aks_enable_host_encryption = true # https://learn.microsoft.com/en-us/azure/aks/enable-host-encryption
-
 aks_system_node_pool_sku_size          = "Standard_D2s_v3" # Adjust as needed for your workload
 aks_system_node_pool_autoscale_minimum = 2
 aks_system_node_pool_autoscale_maximum = 3

src/infra/workload/releaseunit/variables-int.tfvars

@@ -1,9 +1,6 @@
 # Variable file for INT env
 vnet_address_space = "10.1.0.0/18" # /18 allows for up to 4 stamps
 
-# host encryption needs to be enabled at subscription-level https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disks-enable-host-based-encryption-cli
-aks_enable_host_encryption = true # https://learn.microsoft.com/en-us/azure/aks/enable-host-encryption
-
 aks_system_node_pool_sku_size          = "Standard_D2s_v3" # Adjust as needed for your workload
 aks_system_node_pool_autoscale_minimum = 2
 aks_system_node_pool_autoscale_maximum = 6

src/infra/workload/releaseunit/variables-prod.tfvars

@@ -1,9 +1,6 @@
 # Variable file for PROD env
 vnet_address_space = "10.1.0.0/16" # /16 allows for up to 16 stamps
 
-# host encryption needs to be enabled at subscription-level https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disks-enable-host-based-encryption-cli
-aks_enable_host_encryption = true # https://learn.microsoft.com/en-us/azure/aks/enable-host-encryption
-
 aks_system_node_pool_sku_size          = "Standard_D2s_v3" # Adjust as needed for your workload
 aks_system_node_pool_autoscale_minimum = 3
 aks_system_node_pool_autoscale_maximum = 6