Terraform-aws-eks: EBS volume encryption

Created on 22 Jun 2019 · 12 Comments · Source: terraform-aws-modules/terraform-aws-eks

I'm submitting a...

  • [ ] bug report
  • [ ] feature request
  • [x] support request
  • [ ] kudos, thank you, warm fuzzy

What is the current behavior?

I'm trying to spin up an EKS cluster and have all volumes encrypted. The KMS key already exists beforehand. Is it because we are using the default EKS AMI? The root volume spins up unencrypted, and it doesn't have a name (it's just blank).

If this is a bug, how to reproduce? Please include a code sample if relevant.

locals {
  cluster_name    = "xxxxx"
  cluster_version = "1.13"
  vpc_id          = "vpc-xxxxx"
  subnets         = ["subnet-xxxxx", "subnet-xxxxx"]

  tags = {
    "Environment" = "dev"
    "Terraform"   = "true"
  }

  manage_aws_auth       = false
  write_aws_auth_config = false

  worker_groups = [
    {
      name                   = "worker"
      instance_type          = "m5.large"
      additional_userdata    = "yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm"
      key_name               = "dev"
      asg_desired_capacity   = "1"
      asg_max_size           = "1"
      asg_min_size           = "1"
      ami_id                 = "ami-08c4955bcc43b124e"
      root_block_device_name = "${local.cluster_name}"
      root_encrypted         = true
      root_kms_key_id        = "dev"
    },
  ]
}
  • Affected module version: eks (latest version)
  • OS: macOS
  • Terraform version: 0.12
stale

All 12 comments

The root volume spins up unencrypted, and it doesn't have a name (it's just blank).

Where do you see this? In the AWS console?

Yup! Click on the one ec2 instance, click on root volume, which takes me to the listing of all volumes. The one associated with that instance says Not Encrypted, with nothing listed in the KMS Key ID column. I'm wondering if the API request was ever made, and/or if it failed.

After adding the root_kms_key_id parameter, did you make the ASG create a new node? It won't affect any existing nodes as they were created with the old launch configuration.

Yes, tried that as well. Even burned the cluster down, and recreated it.

Maybe ask @russki since they created the original PR: https://github.com/terraform-aws-modules/terraform-aws-eks/pull/292

Hmm, @heydonovan i believe you need to use worker_groups_launch_template instead as that's the one that lets you provide the encryption

However recently AWS announced https://www.terraform.io/docs/providers/aws/r/ebs_encryption_by_default.html which we could add, that might apply to the worker_groups as well
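The two approaches from this comment side by side, as an added example that is not from the issue or the module's own docs: launch-configuration workers that ignore the encryption keys, launch-template workers that apply them, and the account-wide `aws_ebs_encryption_by_default` guard rail. It assumes terraform-aws-eks 5.x with Terraform 0.12 as in the issue, the `local.*` values from the issue body, and a pre-existing KMS key under a placeholder alias.

```hcl
# Added example; the KMS alias is a placeholder, replace it with your own.
# The launch template's block device mapping expects the key ARN, not a
# nickname such as "dev", so the alias is resolved through a data source.
data "aws_kms_key" "ebs" {
  key_id = "alias/eks-worker-ebs" # placeholder alias
}

# Account-wide default for this region: every new EBS volume is encrypted
# with this key even if a launch configuration or AMI says nothing about it.
resource "aws_ebs_encryption_by_default" "this" {
  enabled = true
}

resource "aws_ebs_default_kms_key" "this" {
  key_arn = data.aws_kms_key.ebs.arn
}

module "eks" {
  source          = "terraform-aws-modules/eks/aws"
  cluster_name    = local.cluster_name
  cluster_version = local.cluster_version
  vpc_id          = local.vpc_id
  subnets         = local.subnets
  tags            = local.tags

  # Launch-configuration based workers: root_encrypted / root_kms_key_id
  # are not applied here, which is what the issue reports.
  worker_groups = []

  # Launch-template based workers: the encryption settings are written into
  # the root block device mapping of the launch template.
  worker_groups_launch_template = [
    {
      name                 = "worker"
      instance_type        = "m5.large"
      asg_desired_capacity = 1
      asg_max_size         = 1
      asg_min_size         = 1
      root_encrypted       = true
      root_kms_key_id      = data.aws_kms_key.ebs.arn
    },
  ]
}
```

Nodes already running keep their unencrypted root volumes; as the thread notes, scale the ASG up so new nodes appear with encrypted disks, then drain and remove the old ones.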

Hey @russki, using worker_groups_launch_template works, but it doesn't take effect immediately as soon as it's applied; the worker nodes have to be re-created. Is there a workaround instead of killing them gently?
Also @max-rocket-internet, in the same context I am confused about using worker_groups or worker_groups_launch_template, or both?

@vishnuhd With templates, you have an option to launch with a certain version of the template in your ASG or always use latest. One of the options is to increase the ASG size, wait for the new nodes to appear (with encrypted disks) and drain the old ones

In regard to the confusion between templates vs groups,
https://docs.aws.amazon.com/autoscaling/ec2/userguide/LaunchTemplates.html says:

We recommend that you use launch templates instead of launch configurations to ensure that you can use the latest features of Amazon EC2

Thanks @russki for eliminating the confusion.

I am still bothered about how to manage the worker nodes using terraform, since if I want the changes to be reflected immediately on instances, I will be updating the launch template config only and not the ASG manually. Shouldn't there be a bool like apply_immediately?
Let me know if I am missing something.

I am still bothered about how to manage the worker nodes using terraform, since if I want the changes to be reflected immediately on instances

This is simply how ASGs work. There is no direct connection between an ASG, its LT or LC and the instances. You can't change this easily.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

This issue has been automatically closed because it has not had recent activity since being marked as stale.
