aws: allow users to set the KMS key id for encrypting EBS volumes

Users can provide the KMS Key ARN which should be used to encrypt the EBS volumes otherwise the default KMS key for the region will be used.
patrickdillon · Mar 16, 2020 · 17030b3 · 17030b3
1 parent 9ab21a9
commit 17030b3
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 0 deletions.
diff --git a/docs/user/aws/customization.md b/docs/user/aws/customization.md
@@ -20,6 +20,9 @@ Beyond the [platform-agnostic `install-config.yaml` properties](../customization
         This is only valid for `type` `io1`.
     * `size` (optional integer): Size of the root volume in gibibytes (GiB).
     * `type` (optional string):  The [type of volume][volume-type].
+    * `kmsKeyARN` (optional string): The [ARN of KMS key][ebs-kms-key] that should be used to encrypt the EBS volume.
+        When no key is specified by user, the account's [default KMS Key][kms-key-default] for the region will be used.
+        Example ARN values are: `arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab` or `arn:aws:kms:us-east-1:111122223333:alias/my-key`
 * `type` (optional string): The [EC2 instance type][instance-type].
 * `zones` (optional array of strings): The availability zones used for machines in the pool.
 
@@ -68,6 +71,7 @@ compute:
         iops: 4000
         size: 500
         type: io1
+        kmsKeyARN: arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
       type: c5.9xlarge
       zones:
       - us-west-2c
@@ -83,5 +87,7 @@ sshKey: ssh-ed25519 AAAA...
 
 [availablity-zones]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html
 [instance-type]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html
+[kms-key-default]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetEbsDefaultKmsKeyId.html
+[kms-key]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
 [volume-iops]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-io-characteristics.html
 [volume-type]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html
diff --git a/pkg/asset/machines/aws/machines.go b/pkg/asset/machines/aws/machines.go
@@ -97,6 +97,8 @@ func provider(clusterID string, region string, subnet string, instanceType strin
 					VolumeType: pointer.StringPtr(root.Type),
 					VolumeSize: pointer.Int64Ptr(int64(root.Size)),
 					Iops:       pointer.Int64Ptr(int64(root.IOPS)),
+					Encrypted:  pointer.BoolPtr(true),
+					KMSKey:     awsprovider.AWSResourceReference{ARN: pointer.StringPtr(root.KMSKeyARN)},
 				},
 			},
 		},

diff --git a/pkg/types/aws/machinepool.go b/pkg/types/aws/machinepool.go
@@ -37,6 +37,9 @@ func (a *MachinePool) Set(required *MachinePool) {
 	if required.EC2RootVolume.Type != "" {
 		a.EC2RootVolume.Type = required.EC2RootVolume.Type
 	}
+	if required.EC2RootVolume.KMSKeyARN != "" {
+		a.EC2RootVolume.KMSKeyARN = required.EC2RootVolume.KMSKeyARN
+	}
 }
 
 // EC2RootVolume defines the storage for an ec2 instance.
@@ -48,4 +51,10 @@ type EC2RootVolume struct {
 	Size int `json:"size"`
 	// Type defines the type of the volume.
 	Type string `json:"type"`
+
+	// The KMS key that will be used to encrypt the EBS volume.
+	// If no key is provided the default KMS key for the account will be used.
+	// https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetEbsDefaultKmsKeyId.html
+	// +optional
+	KMSKeyARN string `json:"kmsKeyARN,omitempty"`
 }