Amazon supports using encrypted root EBS volumes [1]. So instead of copying the AMI and encrypting it in the process, we can use encrypted EBS volumes directly, which saves making an AMI copy during install.
The change also allows the user to provide a KMS key to Terraform instead of relying on the default KMS key.
With this change the instance boots from the public RHCOS AMI, and the EBS volume is encrypted with the default KMS key for the account and region:
```console
[4:42:15] ➜ installer git:(ami_no_copy) ✗ AWS_PROFILE=openshift-dev aws ec2 describe-volumes --region ca-central-1 --volume-ids vol-09ceb58bc9ac93602
{
    "Volumes": [
        {
            "Attachments": [
                {
                    "AttachTime": "2020-03-13T23:30:09.000Z",
                    "Device": "/dev/xvda",
                    "InstanceId": "i-0bdec7b64f2b9a607",
                    "State": "attached",
                    "VolumeId": "vol-09ceb58bc9ac93602",
                    "DeleteOnTermination": true
                }
            ],
            "AvailabilityZone": "ca-central-1b",
            "CreateTime": "2020-03-13T23:30:09.789Z",
            "Encrypted": true,
            "KmsKeyId": "arn:aws:kms:ca-central-1:<REDACTED>:key/1ffbfa61-7250-42de-9a75-cac64a8f0e4d",
            "Size": 120,
            "SnapshotId": "snap-0c8421bbe06f5f69d",
            "State": "in-use",
            "VolumeId": "vol-09ceb58bc9ac93602",
            "Iops": 360,
            "Tags": [
                {
                    "Key": "kubernetes.io/cluster/adahiya-1-djk4q",
                    "Value": "owned"
                },
                {
                    "Key": "Name",
                    "Value": "adahiya-1-djk4q-master-1-vol"
                }
            ],
            "VolumeType": "gp2"
        }
    ]
}
[4:42:28] ➜ installer git:(ami_no_copy) ✗ AWS_PROFILE=openshift-dev aws ec2 describe-instances --region ca-central-1 --instance-ids i-0bdec7b64f2b9a607
{
    "Reservations": [
        {
            "Groups": [],
            "Instances": [
                {
                    "AmiLaunchIndex": 0,
                    "ImageId": "ami-0d235b4920e9def96",
                    "InstanceId": "i-0bdec7b64f2b9a607",
                    "InstanceType": "m4.xlarge",
                    "LaunchTime": "2020-03-13T23:30:09.000Z",
                    ...
                    "BlockDeviceMappings": [
                        {
                            "DeviceName": "/dev/xvda",
                            "Ebs": {
                                "AttachTime": "2020-03-13T23:30:09.000Z",
                                "DeleteOnTermination": true,
                                "Status": "attached",
                                "VolumeId": "vol-09ceb58bc9ac93602"
                            }
                        }
                    ],
                    ...
                    "Tags": [
                        {
                            "Key": "Name",
                            "Value": "adahiya-1-djk4q-master-1"
                        },
                        {
                            "Key": "kubernetes.io/cluster/adahiya-1-djk4q",
                            "Value": "owned"
                        }
                    ],
                    ...
                }
            ]
        }
    ]
}
[4:44:31] ➜ installer git:(ami_no_copy) ✗
```
The bootstrap host is always encrypted with either the default KMS key or the user-specified KMS key.
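A post-install check for the property the `describe-volumes` output above demonstrates, written as an added example (not part of this change or the installer's code): it walks `describe-volumes` JSON, picks out the root volume of every instance tagged as owned by the cluster, and reports any that is unencrypted or, when a user-specified key is expected, encrypted with a different key. The cluster id, instance ids, account id and key ARNs in the sample are constructed placeholders.

```python
import json

# Constructed sample modelled on `aws ec2 describe-volumes` output; all ids are placeholders.
SAMPLE_DESCRIBE_VOLUMES = json.dumps({
    "Volumes": [
        {
            "Attachments": [{"Device": "/dev/xvda", "InstanceId": "i-0123456789abcdef0",
                             "State": "attached", "VolumeId": "vol-0123456789abcdef0",
                             "DeleteOnTermination": True}],
            "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:ca-central-1:111122223333:key/00000000-0000-0000-0000-000000000000",
            "VolumeId": "vol-0123456789abcdef0",
            "Tags": [{"Key": "kubernetes.io/cluster/example-abcde", "Value": "owned"}],
        },
        {
            # Same cluster, but the root volume was created without encryption.
            "Attachments": [{"Device": "/dev/xvda", "InstanceId": "i-0fedcba9876543210",
                             "State": "attached", "VolumeId": "vol-0fedcba9876543210",
                             "DeleteOnTermination": True}],
            "Encrypted": False,
            "VolumeId": "vol-0fedcba9876543210",
            "Tags": [{"Key": "kubernetes.io/cluster/example-abcde", "Value": "owned"}],
        },
    ]
})


def audit_root_volumes(describe_volumes_json, cluster_id, expected_kms_key=None, root_device="/dev/xvda"):
    """Map instance id -> problem string (or None when the root volume is acceptable).

    expected_kms_key=None accepts any key, which is the account/region default-key case;
    when a user-specified key was passed to Terraform, require KmsKeyId to match it exactly.
    """
    tag_key = f"kubernetes.io/cluster/{cluster_id}"
    findings = {}
    for vol in json.loads(describe_volumes_json)["Volumes"]:
        tags = {t["Key"]: t["Value"] for t in vol.get("Tags", [])}
        if tags.get(tag_key) != "owned":
            continue  # not one of this cluster's volumes
        for att in vol.get("Attachments", []):
            if att["Device"] != root_device:
                continue  # only the root device matters for this check
            if not vol.get("Encrypted"):
                findings[att["InstanceId"]] = f"{vol['VolumeId']} is not encrypted"
            elif expected_kms_key and vol.get("KmsKeyId") != expected_kms_key:
                findings[att["InstanceId"]] = f"{vol['VolumeId']} uses unexpected key {vol.get('KmsKeyId')}"
            else:
                findings[att["InstanceId"]] = None
    return findings
```

Feed it the real output of `aws ec2 describe-volumes` (without `--volume-ids`, so every volume in the region is considered) and the cluster's infrastructure id to check all master and worker root volumes at once.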
[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html