WIP: data/aws: Encrypt the AMI used by the bootstrap and master machines

This is a quick hack to get encrypted masters. Ideally we'd want to deregister these on bootstrap-teardown, but handling that nicely will be easier after some cleanups from [1]. As it stands, we'll need to deregister this as part of the general cluster teardown (hence the WIP). [1]: openshift#1148
wking · Feb 25, 2019 · 4964ce8 · 4964ce8
1 parent c6d7da2
commit 4964ce8
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 7 deletions.
diff --git a/data/data/aws/main.tf b/data/data/aws/main.tf
@@ -11,7 +11,7 @@ provider "aws" {
 module "bootstrap" {
   source = "./bootstrap"
 
-  ami                      = "${var.aws_ec2_ami_override}"
+  ami                      = "${aws_ami_copy.main.id}"
   instance_type            = "${var.aws_bootstrap_instance_type}"
   cluster_id               = "${var.cluster_id}"
   ignition                 = "${var.ignition_bootstrap}"
@@ -40,7 +40,7 @@ module "masters" {
   subnet_ids               = "${module.vpc.private_subnet_ids}"
   target_group_arns        = "${module.vpc.aws_lb_target_group_arns}"
   target_group_arns_length = "${module.vpc.aws_lb_target_group_arns_length}"
-  ec2_ami                  = "${var.aws_ec2_ami_override}"
+  ec2_ami                  = "${aws_ami_copy.main.id}"
   user_data_ign            = "${var.ignition_master}"
 }
 
@@ -77,3 +77,12 @@ module "vpc" {
 
   tags = "${local.tags}"
 }
+
+resource "aws_ami_copy" "main" {
+  name              = "${var.cluster_id}-master"
+  source_ami_id     = "${var.aws_ami}"
+  source_ami_region = "${var.aws_ami_region}"
+  encrypted         = true
+
+  tags = "${local.tags}"
+}
diff --git a/data/data/aws/variables-aws.tf b/data/data/aws/variables-aws.tf
@@ -17,10 +17,14 @@ variable "aws_master_instance_type" {
   description = "Instance type for the master node(s). Example: `m4.large`."
 }
 
-variable "aws_ec2_ami_override" {
+variable "aws_ami" {
   type        = "string"
-  description = "(optional) AMI override for all nodes. Example: `ami-foobar123`."
-  default     = ""
+  description = "AMI for all nodes.  An encrypted copy of this AMI will be used.  Example: `ami-foobar123`."
+}
+
+variable "aws_ami_region" {
+  type        = "string"
+  description = "Region from which the source AMI should be copied.  Example: `us-east-1`."
 }
 
 variable "aws_extra_tags" {

diff --git a/pkg/tfvars/aws/aws.go b/pkg/tfvars/aws/aws.go
@@ -11,7 +11,8 @@ import (
 )
 
 type config struct {
-	EC2AMIOverride        string            `json:"aws_ec2_ami_override,omitempty"`
+	AMI                   string            `json:"aws_ami"`
+	AMIRegion             string            `json:"aws_ami_region"`
 	ExtraTags             map[string]string `json:"aws_extra_tags,omitempty"`
 	BootstrapInstanceType string            `json:"aws_bootstrap_instance_type,omitempty"`
 	MasterInstanceType    string            `json:"aws_master_instance_type,omitempty"`
@@ -54,7 +55,8 @@ func TFVars(masterConfig *v1beta1.AWSMachineProviderConfig) ([]byte, error) {
 	cfg := &config{
 		Region:                masterConfig.Placement.Region,
 		ExtraTags:             tags,
-		EC2AMIOverride:        *masterConfig.AMI.ID,
+		AMI:                   *masterConfig.AMI.ID,
+		AMIRegion:             masterConfig.Placement.Region,
 		BootstrapInstanceType: fmt.Sprintf("%s.large", instanceClass),
 		MasterInstanceType:    masterConfig.InstanceType,
 		Size:                  *rootVolume.EBS.VolumeSize,