Merge pull request #70 from rackspace-infrastructure-automation/v0.12…

…-root-encrypt

V0.12 root encrypt

README.md

@@ -6,7 +6,7 @@ This module creates one or more autorecovery instances.
 
 ```HCL
 module "ar" {
-  source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-ec2_autorecovery//?ref=v0.12.6"
+  source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-ec2_autorecovery//?ref=v0.12.8"
 
   ec2_os              = "amazon"
   subnets             = module.vpc.private_subnets
@@ -75,7 +75,10 @@ New variable `ssm_bootstrap_list` was added to allow setting the SSM association
 | eip\_allocation\_id\_list | A list of Allocation IDs of the EIPs you want to associate with the instance(s). This is one per instance. e.g. if you specify 2 for instance\_count then you must supply two allocation ids  here. | `list(string)` | `[]` | no |
 | enable\_ebs\_optimization | Use EBS Optimized? true or false | `bool` | `false` | no |
 | enable\_recovery\_alarms | Boolean parameter controlling if auto-recovery alarms should be created.  Recovery actions are not supported on all instance types and AMIs, especially those with ephemeral storage.  This parameter should be set to false for those cases. | `bool` | `true` | no |
-| encrypt\_secondary\_ebs\_volume | Encrypt EBS Volume? true or false | `bool` | `false` | no |
+| encrypt\_primary\_ebs\_volume | Encrypt root EBS Volume? true or false | `bool` | `false` | no |
+| encrypt\_primary\_ebs\_volume\_kms\_id | If `encrypt_primary_ebs_volume` is `true` you can optionally provide a KMS CMK ARN. | `string` | `""` | no |
+| encrypt\_secondary\_ebs\_volume | Encrypt secondary EBS Volume? true or false | `bool` | `false` | no |
+| encrypt\_secondary\_ebs\_volume\_kms\_id | If `encrypt_secondary_ebs_volume` is `true` you can optionally provide a KMS CMK ARN. | `string` | `""` | no |
 | environment | Application environment for which this network is being created. Preferred value are Development, Integration, PreProduction, Production, QA, Staging, or Test | `string` | `"Development"` | no |
 | final\_userdata\_commands | Commands to be given at the end of userdata for an instance. This should generally not include bootstrapping or ssm install. | `string` | `""` | no |
 | image\_id | The AMI ID to be used to build the EC2 Instance. If not provided, an AMI ID will be queried with an OS specified in variable ec2\_os. | `string` | `""` | no |

examples/custom_cw_agent_config.tf

@@ -18,7 +18,7 @@ module "vpc" {
 }
 
 module "ec2_ar_with_codedeploy" {
-  source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-ec2_autorecovery?ref=v0.12.6"
+  source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-ec2_autorecovery?ref=v0.12.8"
 
   ec2_os         = "rhel6"
   instance_count = 1

examples/managed.tf

@@ -13,7 +13,7 @@ data "aws_region" "current_region" {
 }
 
 module "ec2_ar" {
-  source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-ec2_autorecovery?ref=v0.12.6"
+  source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-ec2_autorecovery?ref=v0.12.8"
 
   backup_tag_value             = "False"
   detailed_monitoring          = true

examples/unmanaged.tf

@@ -16,7 +16,7 @@ module "sns" {
 }
 
 module "unmanaged_ar" {
-  source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-ec2_autorecovery?ref=v0.12.6"
+  source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-ec2_autorecovery?ref=v0.12.8"
 
   ec2_os              = "centos7"
   instance_count      = 1

main.tf

@@ -7,7 +7,7 @@
  *
  * ```HCL
  * module "ar" {
- *   source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-ec2_autorecovery//?ref=v0.12.6"
+ *   source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-ec2_autorecovery//?ref=v0.12.8"
  *
  *   ec2_os              = "amazon"
  *   subnets             = module.vpc.private_subnets
@@ -750,6 +750,8 @@ resource "aws_instance" "mod_ec2_instance_no_secondary_ebs" {
     volume_type = var.primary_ebs_volume_type
     volume_size = var.primary_ebs_volume_size
     iops        = var.primary_ebs_volume_iops
+    encrypted   = var.encrypt_primary_ebs_volume
+    kms_key_id  = var.encrypt_primary_ebs_volume && var.encrypt_primary_ebs_volume_kms_id != "" ? var.encrypt_primary_ebs_volume_kms_id : null
   }
 
   timeouts {
@@ -790,6 +792,8 @@ resource "aws_instance" "mod_ec2_instance_with_secondary_ebs" {
     volume_type = var.primary_ebs_volume_type
     volume_size = var.primary_ebs_volume_size
     iops        = var.primary_ebs_volume_iops
+    encrypted   = var.encrypt_primary_ebs_volume
+    kms_key_id  = var.encrypt_primary_ebs_volume && var.encrypt_primary_ebs_volume_kms_id != "" ? var.encrypt_primary_ebs_volume_kms_id : null
   }
 
   ebs_block_device {
@@ -798,6 +802,7 @@ resource "aws_instance" "mod_ec2_instance_with_secondary_ebs" {
     volume_size = var.secondary_ebs_volume_size
     iops        = var.secondary_ebs_volume_iops
     encrypted   = var.secondary_ebs_volume_existing_id == "" ? var.encrypt_secondary_ebs_volume : false
+    kms_key_id  = var.encrypt_secondary_ebs_volume && var.encrypt_secondary_ebs_volume_kms_id != "" ? var.encrypt_secondary_ebs_volume_kms_id : null
     snapshot_id = var.secondary_ebs_volume_existing_id
   }
 

tests/test1/main.tf

@@ -3,6 +3,15 @@ provider "aws" {
   version = "~> 2.7"
 }
 
+locals {
+  tags = {
+    Environment     = "Test"
+    Purpose         = "Testing aws-terraform-ec2_autorecovery"
+    ServiceProvider = "Rackspace"
+    Terraform       = "true"
+  }
+}
+
 resource "random_string" "res_name" {
   length  = 8
   upper   = false
@@ -29,9 +38,12 @@ module "internal_zone" {
 resource "aws_eip" "test_eip_1" {
   vpc = true
 
-  tags = {
-    Name = "-${random_string.res_name.result}-EC2-AR-Test1"
-  }
+  tags = merge(
+    local.tags,
+    {
+      Name = "-${random_string.res_name.result}-EC2-AR-Test1"
+    },
+  )
 }
 
 module "ec2_ar_centos7_with_codedeploy" {
@@ -70,19 +82,18 @@ module "ec2_ar_centos7_with_codedeploy" {
   tenancy                           = "default"
   ec2_os                            = "centos7"
 
-  tags = {
-    MyTag1 = "MyValue1"
-    MyTag2 = "MyValue2"
-    MyTag3 = "MyValue3"
-  }
+  tags = local.tags
 }
 
 resource "aws_eip" "test_eip_2" {
   vpc = true
 
-  tags = {
-    Name = "${random_string.res_name.result}-EC2-AR-BaseNetwork-Test1-2"
-  }
+  tags = merge(
+    local.tags,
+    {
+      Name = "${random_string.res_name.result}-EC2-AR-BaseNetwork-Test1-2"
+    },
+  )
 }
 
 module "ec2_ar_centos7_no_codedeploy" {
@@ -125,17 +136,9 @@ module "ec2_ar_centos7_no_codedeploy" {
   eip_allocation_id_count           = 1
   eip_allocation_id_list            = [aws_eip.test_eip_2.id]
 
-  ebs_volume_tags = {
-    MyTag1 = "MyValue1"
-    MyTag2 = "MyValue2"
-    MyTag3 = "MyValue3"
-  }
+  ebs_volume_tags = local.tags
 
-  tags = {
-    MyTag1 = "MyValue1"
-    MyTag2 = "MyValue2"
-    MyTag3 = "MyValue3"
-  }
+  tags = local.tags
 }
 
 module "ec2_ar_centos7_no_scaleft" {
@@ -164,11 +167,7 @@ module "ec2_ar_centos7_no_scaleft" {
   secondary_ebs_volume_type    = "gp2"
   encrypt_secondary_ebs_volume = false
 
-  ebs_volume_tags = {
-    MyTag1 = "MyValue1"
-    MyTag2 = "MyValue2"
-    MyTag3 = "MyValue3"
-  }
+  ebs_volume_tags = local.tags
 
   environment                       = "Development"
   instance_role_managed_policy_arns = ["arn:aws:iam::aws:policy/AmazonEC2FullAccess", "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetRole", "arn:aws:iam::aws:policy/CloudWatchActionsEC2Access"]
@@ -185,11 +184,7 @@ module "ec2_ar_centos7_no_scaleft" {
   cw_cpu_high_period                = 60
 
 
-  tags = {
-    MyTag1 = "MyValue1"
-    MyTag2 = "MyValue2"
-    MyTag3 = "MyValue3"
-  }
+  tags = local.tags
 }
 
 module "ec2_ar_windows_with_codedeploy" {
@@ -229,11 +224,7 @@ module "ec2_ar_windows_with_codedeploy" {
   cw_cpu_high_evaluations           = 15
   cw_cpu_high_period                = 60
 
-  tags = {
-    MyTag1 = "MyValue1"
-    MyTag2 = "MyValue2"
-    MyTag3 = "MyValue3"
-  }
+  tags = local.tags
 }
 
 module "ec2_ar_windows_no_codedeploy" {
@@ -281,11 +272,7 @@ module "ec2_ar_windows_no_codedeploy" {
   cw_cpu_high_evaluations      = 15
   cw_cpu_high_period           = 60
 
-  tags = {
-    MyTag1 = "MyValue1"
-    MyTag2 = "MyValue2"
-    MyTag3 = "MyValue3"
-  }
+  tags = local.tags
 }
 
 module "ec2_ar_windows_no_scaleft" {
@@ -334,11 +321,7 @@ module "ec2_ar_windows_no_scaleft" {
   cw_cpu_high_evaluations      = 15
   cw_cpu_high_period           = 60
 
-  tags = {
-    MyTag1 = "MyValue1"
-    MyTag2 = "MyValue2"
-    MyTag3 = "MyValue3"
-  }
+  tags = local.tags
 }
 
 module "sns" {
@@ -373,24 +356,52 @@ module "zero_count_ar" {
   rackspace_managed  = false
 }
 
-module "ec2_nfs" {
-  source                    = "../../module"
-  ec2_os                    = "amazon2"
-  instance_count            = 1
-  subnets                   = module.vpc.private_subnets
-  security_groups           = [module.vpc.default_sg]
-  key_pair                  = "CircleCI"
-  instance_type             = "t2.micro"
-  name                      = "${random_string.res_name.result}-ar-nfs"
-  install_nfs               = true
-  primary_ebs_volume_size   = 60
-  primary_ebs_volume_iops   = 0
-  primary_ebs_volume_type   = "gp2"
-  secondary_ebs_volume_size = 60
-  secondary_ebs_volume_iops = 0
-  secondary_ebs_volume_type = "gp2"
+resource "aws_ebs_volume" "nfs" {
+  availability_zone = "us-west-2a"
+  size              = 60
+  encrypted         = true
+
+  tags = merge(
+    local.tags,
+    {
+      Name = "${random_string.res_name.result}-ar-nfs"
+    },
+  )
 }
 
+resource "aws_ebs_snapshot" "encrypted_nfs" {
+  volume_id = aws_ebs_volume.nfs.id
+
+  tags = merge(
+    local.tags,
+    {
+      Name = "${random_string.res_name.result}-ar-nfs"
+    },
+  )
+}
+
+module "ec2_nfs" {
+  source = "../../module"
+
+  ec2_os                           = "amazon2"
+  instance_count                   = 1
+  subnets                          = module.vpc.private_subnets
+  security_groups                  = [module.vpc.default_sg]
+  key_pair                         = "CircleCI"
+  instance_type                    = "t2.micro"
+  name                             = "${random_string.res_name.result}-ar-nfs"
+  install_nfs                      = true
+  primary_ebs_volume_size          = 60
+  primary_ebs_volume_iops          = 0
+  primary_ebs_volume_type          = "gp2"
+  encrypt_primary_ebs_volume       = true
+  secondary_ebs_volume_size        = 60
+  secondary_ebs_volume_iops        = 0
+  secondary_ebs_volume_type        = "gp2"
+  secondary_ebs_volume_existing_id = aws_ebs_snapshot.encrypted_nfs.id
+
+  tags = local.tags
+}
 
 module "ar_r53" {
   source = "../../module"
@@ -407,4 +418,5 @@ module "ar_r53" {
   notification_topic      = module.sns.topic_arn
   rackspace_managed       = false
 
+  tags = local.tags
 }

variables.tf

@@ -82,12 +82,30 @@ variable "enable_ebs_optimization" {
   default     = false
 }
 
+variable "encrypt_primary_ebs_volume" {
+  description = "Encrypt root EBS Volume? true or false"
+  type        = bool
+  default     = false
+}
+
+variable "encrypt_primary_ebs_volume_kms_id" {
+  description = "If `encrypt_primary_ebs_volume` is `true` you can optionally provide a KMS CMK ARN."
+  type        = string
+  default     = ""
+}
+
 variable "encrypt_secondary_ebs_volume" {
-  description = "Encrypt EBS Volume? true or false"
+  description = "Encrypt secondary EBS Volume? true or false"
   type        = bool
   default     = false
 }
 
+variable "encrypt_secondary_ebs_volume_kms_id" {
+  description = "If `encrypt_secondary_ebs_volume` is `true` you can optionally provide a KMS CMK ARN."
+  type        = string
+  default     = ""
+}
+
 variable "ec2_os" {
   description = "Intended Operating System/Distribution of Instance. Valid inputs are `amazon`, `amazon2`, `centos6`, `centos7`, `rhel6`, `rhel7`, `rhel8`, `ubuntu14`, `ubuntu16`, `ubuntu18`, `windows2012r2`, `windows2016`, `windows2019`"
   type        = string