data/aws: Encrypt the AMI used by the bootstrap and master machines

This is a quick hack to get encrypted masters.  Ideally we'd want to
deregister these on bootstrap-teardown, but handling that nicely will
be easier after some cleanups from [1].  As it stands, we'll
deregister this as part of the general cluster teardown.

[1]: openshift#1148

data/data/aws/main.tf

@@ -11,7 +11,7 @@ provider "aws" {
 module "bootstrap" {
  source = "./bootstrap"
 
- ami = "${var.aws_ec2_ami_override}"
+ ami = "${aws_ami_copy.main.id}"
  instance_type = "${var.aws_bootstrap_instance_type}"
  cluster_id = "${var.cluster_id}"
  ignition = "${var.ignition_bootstrap}"
@@ -40,7 +40,7 @@ module "masters" {
  subnet_ids = "${module.vpc.private_subnet_ids}"
  target_group_arns = "${module.vpc.aws_lb_target_group_arns}"
  target_group_arns_length = "${module.vpc.aws_lb_target_group_arns_length}"
- ec2_ami = "${var.aws_ec2_ami_override}"
+ ec2_ami = "${aws_ami_copy.main.id}"
  user_data_ign = "${var.ignition_master}"
 }
 
@@ -77,3 +77,12 @@ module "vpc" {
 
  tags = "${local.tags}"
 }
+
+resource "aws_ami_copy" "main" {
+ name = "${var.cluster_id}-master"
+ source_ami_id = "${var.aws_ami}"
+ source_ami_region = "${var.aws_ami_region}"
+ encrypted = true
+
+ tags = "${local.tags}"
+}

data/data/aws/variables-aws.tf

@@ -17,10 +17,14 @@ variable "aws_master_instance_type" {
  description = "Instance type for the master node(s). Example: `m4.large`."
 }
 
-variable "aws_ec2_ami_override" {
+variable "aws_ami" {
  type = "string"
- description = "(optional) AMI override for all nodes. Example: `ami-foobar123`."
- default = ""
+ description = "AMI for all nodes. An encrypted copy of this AMI will be used. Example: `ami-foobar123`."
+}
+
+variable "aws_ami_region" {
+ type = "string"
+ description = "Region from which the source AMI should be copied. Example: `us-east-1`."
 }
 
 variable "aws_extra_tags" {

pkg/destroy/aws/aws.go

@@ -455,6 +455,8 @@ func deleteEC2(session *session.Session, arn arn.ARN, logger logrus.FieldLogger)
  return deleteEC2DHCPOptions(client, id, logger)
  case "elastic-ip":
  return deleteEC2ElasticIP(client, id, logger)
+ case "image":
+ return deleteEC2Image(client, id, logger)
  case "instance":
  return deleteEC2Instance(client, iam.New(session), id, logger)
  case "internet-gateway":
@@ -491,6 +493,21 @@ func deleteEC2DHCPOptions(client *ec2.EC2, id string, logger logrus.FieldLogger)
  return nil
 }
 
+func deleteEC2Image(client *ec2.EC2, id string, logger logrus.FieldLogger) error {
+ _, err := client.DeregisterImage(&ec2.DeregisterImageInput{
+ ImageId: &id,
+ })
+ if err != nil {
+ if err.(awserr.Error).Code() == "InvalidAMIID.NotFound" {
+ return nil
+ }
+ return err
+ }
+
+ logger.Info("Deleted")
+ return nil
+}
+
 func deleteEC2ElasticIP(client *ec2.EC2, id string, logger logrus.FieldLogger) error {
  _, err := client.ReleaseAddress(&ec2.ReleaseAddressInput{
  AllocationId: aws.String(id),

pkg/tfvars/aws/aws.go

@@ -11,7 +11,8 @@ import (
 )
 
 type config struct {
- EC2AMIOverride string `json:"aws_ec2_ami_override,omitempty"`
+ AMI string `json:"aws_ami"`
+ AMIRegion string `json:"aws_ami_region"`
  ExtraTags map[string]string `json:"aws_extra_tags,omitempty"`
  BootstrapInstanceType string `json:"aws_bootstrap_instance_type,omitempty"`
  MasterInstanceType string `json:"aws_master_instance_type,omitempty"`
@@ -54,7 +55,8 @@ func TFVars(masterConfig *v1beta1.AWSMachineProviderConfig) ([]byte, error) {
  cfg := &config{
  Region: masterConfig.Placement.Region,
  ExtraTags: tags,
- EC2AMIOverride: *masterConfig.AMI.ID,
+ AMI: *masterConfig.AMI.ID,
+ AMIRegion: masterConfig.Placement.Region,
  BootstrapInstanceType: fmt.Sprintf("%s.large", instanceClass),
  MasterInstanceType: masterConfig.InstanceType,
  Size: *rootVolume.EBS.VolumeSize,