Support ebs encryption pr 1.x (#609)

* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.

* Setting more sane default instance sizes.

* Adding more EBS options for ASGs.

* Setting encryption to match AMI settings.

* Setting encryption to match AMI settings.

* We also need to dynamically set the ASGs own encrypt_boot var.

* We need to merge the new branch changes before we can rebuild the docs.

* Fixing merge command in CI.

* Not sure toc.sh is actually executing.

* Refactoring encrypt EBS flags to avoid detected loop condition in vars.

* Safer CI, only adds .md files.

* Trying to figure out CI logic for building docs.

* Trying to figure out CI logic for building docs.

* Trying to figure out CI logic for building docs.

* Trying adding a git pull.

* Setting git pull config options.

* Reordering things.

* Adding --allow-unrelated-histories to the git pull.

* Trying a feature branch approach.

* Forcing the GitHub action to fetch all git history.

* Bad whitespace, naughty whitespace.

* Trying a different PR action.

* Do not merge the branch in, we only want the markdown changes.

* Keeping the documentation branch clean.

* We need to push a detached HEAD.

* Do we need the checkout at all?

* Adding a docs pull.

Author: gregharvey

.github/workflows/ce-provision-build-docs.yml

@@ -17,33 +17,36 @@ jobs:
       - name: Checkout code
         if: ${{ github.event.pull_request.head.ref != 'documentation' }}
         uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
 
       # Configures global Git variables for committing
       - name: Configure Git
         run: |
           git config --global user.email "sysadm@codeenigma.com"
           git config --global user.name "Code Enigma CI"
+          git config --global pull.rebase false
 
       # Builds the docs
       - name: Build documentation
-        if: ${{ github.event.pull_request.head.ref != 'documentation' }}
+        if: ${{ github.event.pull_request.head.ref != 'documentation' && github.event.pull_request.base.ref == '1.x' }}
         run: |
           git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}
           git fetch
-          git checkout documentation
-          contribute/toc.sh
-          git add docs
-          git add roles
-          git diff --quiet && git diff --staged --quiet || git commit -am 'GitHub Actions - Rebuilt documentation.' && git push origin documentation
+          /bin/sh ./contribute/toc.sh
+          find . -name "*.md" | xargs git add
+          git diff --quiet && git diff --staged --quiet || git commit -am 'GitHub Actions - Rebuilt documentation.'
+          git pull origin documentation
+          git push origin HEAD:documentation
         shell: bash
 
       # Create docs pull request
       - name: Create a documentation pull request
         if: ${{ github.event.pull_request.head.ref != 'documentation' && github.event.pull_request.base.ref == '1.x' }}
-        uses: devops-infra/action-pull-request@v0.4.2
+        uses: repo-sync/pull-request@v2
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           source_branch: documentation
-          target_branch: ${{ github.event.pull_request.base.ref }}
-          title: Documentation update.
-          body: "**Automated pull request** created by GitHub Actions because of a documentation update."
+          destination_branch: ${{ github.event.pull_request.base.ref }}
+          pr_title: Documentation update.
+          pr_body: "**Automated pull request** created by GitHub Actions because of a documentation update."

roles/aws/aws_ami/defaults/main.yml

@@ -2,7 +2,7 @@
 aws_ami:
   aws_profile: "{{ _aws_profile }}"
   region: "{{ _aws_region }}"
-  instance_type: t2.micro
+  instance_type: t3.micro
   virtualization_type: hvm
   root_device_type: ebs
   name_filter: "debian-10-amd64-*"

roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml

@@ -14,12 +14,14 @@ aws_ec2_autoscale_cluster:
     - az: c
       cidr_block: "10.0.3.128/26"
       public_subnet: public-c
-  instance_type: t2.micro
+  instance_type: t3.micro
   key_name: "{{ ce_provision.username }}@{{ ansible_hostname }}" # This needs to match your "provision" user SSH key.
   ami_owner: self # Default to self-created image.
-  root_volume_size: 40
+  root_volume_size: 30
+  root_volume_type: gp2 # available options - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html
+  root_volume_delete_on_termination: true
   ebs_optimized: true
-  encrypt_boot: false # Whether to encrypt the EBS volumes or not.
+  encrypt_boot: false # Whether to encrypt the EBS volumes or not, passed to the aws_ami role and to EBS volumes when instances are built
   ami_playbook_file: "{{ playbook_dir }}/ami.yml"
   ami_refresh: true # Whether to build a new AMI or not.
   asg_refresh: true # Whether to build a new ASG or not.
@@ -91,7 +93,7 @@ aws_ec2_autoscale_cluster:
   # Associated RDS instance.
   rds:
     rds: false # wether to create an instance.
-    db_instance_class: db.m5.large
+    db_instance_class: db.t3.medium
     #db_cluster_identifier: example-aurora-cluster
     engine: mariadb
     aurora_reader: false

roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml

@@ -168,6 +168,9 @@
     volumes:
       - device_name: /dev/xvda
         volume_size: "{{ aws_ec2_autoscale_cluster.root_volume_size }}"
+        volume_type: "{{ aws_ec2_autoscale_cluster.root_volume_type }}"
+        encrypted: "{{ aws_ec2_autoscale_cluster.encrypt_boot }}"
+        delete_on_termination: "{{ aws_ec2_autoscale_cluster.root_volume_delete_on_termination }}"
   register: _aws_ec2_lc_created
   when:
     - aws_ec2_autoscale_cluster.asg_refresh

roles/aws/aws_ec2_with_eip/defaults/main.yml

@@ -2,7 +2,7 @@
 aws_ec2_with_eip:
   aws_profile: "{{ _aws_profile }}"
   region: "{{ _aws_region }}"
-  instance_type: t2.micro
+  instance_type: t3.micro
   key_name: "{{ ce_provision.username }}@{{ ansible_hostname }}" # This needs to match your "provision" user SSH key.
   ami_name: "{{ _domain_name }}" # The name of an AMI image to use. Image must exists in the same region.
   ami_owner: self # Default to self-created image.
@@ -11,10 +11,13 @@ aws_ec2_with_eip:
   vpc_subnet_profile: core # if you are looking up subnets we need a Profile tag to search against
   # An IAM Role name to associate with the instance.
   iam_role_name: "example"
-  state: started
+  state: running
   termination_protection: false # set to true to disable termination and avoid accidents
   instance_name: "{{ _domain_name }}"
   root_volume_size: 80
+  root_volume_type: gp2 # available options - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html
+  root_volume_encrypted: "{{ aws_ami.encrypt_boot }}" # in most cases this should match encrypt_boot in the aws_ami role
+  root_volume_delete_on_termination: true
   ebs_optimized: true
   security_groups: []
   tags:

roles/aws/aws_ec2_with_eip/tasks/main.yml

@@ -99,7 +99,9 @@
       - device_name: /dev/xvda
         ebs:
           volume_size: "{{ aws_ec2_with_eip.root_volume_size }}"
-          delete_on_termination: true
+          delete_on_termination: "{{ aws_ec2_with_eip.root_volume_delete_on_termination }}"
+          volume_type: "{{ aws_ec2_with_eip.root_volume_type }}"
+          encrypted: "{{ aws_ec2_with_eip.root_volume_encrypted }}"
   register: aws_ec2_with_eip_instances
 
 - name: Check if we have an existing EIP.

roles/aws/aws_rds/defaults/main.yml

@@ -7,7 +7,7 @@ aws_rds:
     - subnet-bbbbbbbb
   name: example
   tags: {}
-  db_instance_class: db.m5.large
+  db_instance_class: db.t3.medium
   state: present
   description: example
   engine: mariadb