diff --git a/main.tf b/main.tf index 2edc59e7..e2d9b075 100644 --- a/main.tf +++ b/main.tf @@ -49,6 +49,7 @@ data "azurerm_resource_group" "aks_rg" { count = var.resource_group_name == null ? 0 : 1 name = var.resource_group_name } + resource "azurerm_proximity_placement_group" "proximity" { count = var.node_pools_proximity_placement ? 1 : 0 @@ -143,6 +144,8 @@ module "aks" { aks_cluster_max_pods = var.default_nodepool_max_pods aks_cluster_os_disk_size = var.default_nodepool_os_disk_size aks_cluster_node_vm_size = var.default_nodepool_vm_type + aks_cluster_enable_host_encryption = var.aks_cluster_enable_host_encryption + aks_node_disk_encryption_set_id = var.aks_node_disk_encryption_set_id aks_cluster_node_admin = var.node_vm_admin aks_cluster_ssh_public_key = try(file(var.ssh_public_key), "") aks_cluster_private_dns_zone_id = var.aks_cluster_private_dns_zone_id @@ -206,6 +209,7 @@ module "node_pools" { zones = (var.node_pools_availability_zone == "" || var.node_pools_proximity_placement == true) ? [] : (var.node_pools_availability_zones != null) ? var.node_pools_availability_zones : [var.node_pools_availability_zone] proximity_placement_group_id = element(coalescelist(azurerm_proximity_placement_group.proximity[*].id, [""]), 0) orchestrator_version = var.kubernetes_version + enable_host_encryption = var.aks_cluster_enable_host_encryption tags = var.tags } diff --git a/modules/aks_node_pool/main.tf b/modules/aks_node_pool/main.tf index beae2667..abced417 100755 --- a/modules/aks_node_pool/main.tf +++ b/modules/aks_node_pool/main.tf @@ -10,6 +10,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "autoscale_node_pool" { vnet_subnet_id = var.vnet_subnet_id zones = var.zones fips_enabled = var.fips_enabled + enable_host_encryption = var.enable_host_encryption proximity_placement_group_id = var.proximity_placement_group_id == "" ? null : var.proximity_placement_group_id vm_size = var.machine_type os_disk_size_gb = var.os_disk_size 
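Review bot: `enable_host_encryption = var.enable_host_encryption` on `autoscale_node_pool` is a force-new attribute (the module's own variable description in this diff says so), so switching the root flag on for an existing deployment replaces every node pool; a comment at the point of use, `# ForceNew: toggling host encryption recreates the pool`, would keep a plan full of pool replacements from being a surprise. Host-based encryption is also only accepted on VM sizes that support Encryption at Host (and, depending on the subscription, may still need the EncryptionAtHost feature registered), which Terraform cannot validate at plan time, so that failure will surface as an apply error — worth documenting next to `machine_type`. The `autoscale_node_pool` resource body continues outside the hunk.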
@@ -40,6 +41,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "static_node_pool" { vnet_subnet_id = var.vnet_subnet_id zones = var.zones fips_enabled = var.fips_enabled + enable_host_encryption = var.enable_host_encryption proximity_placement_group_id = var.proximity_placement_group_id == "" ? null : var.proximity_placement_group_id vm_size = var.machine_type os_disk_size_gb = var.os_disk_size diff --git a/modules/aks_node_pool/variables.tf b/modules/aks_node_pool/variables.tf index 1ab640db..a23920ab 100755 --- a/modules/aks_node_pool/variables.tf +++ b/modules/aks_node_pool/variables.tf @@ -23,6 +23,12 @@ variable "fips_enabled" { default = false } +variable "enable_host_encryption" { + description = "Enables host encryption on all the nodes in the Node Pool. Changing this forces a new resource to be created." + type = bool + default = false +} + variable "vnet_subnet_id" { description = "The ID of the Subnet where this Node Pool should exist. Changing this forces a new resource to be created." type = string diff --git a/modules/azure_aks/main.tf b/modules/azure_aks/main.tf index 6efb6954..8cadfe1f 100644 --- a/modules/azure_aks/main.tf +++ b/modules/azure_aks/main.tf @@ -13,6 +13,7 @@ resource "azurerm_kubernetes_cluster" "aks" { support_plan = var.cluster_support_tier role_based_access_control_enabled = true http_application_routing_enabled = false + disk_encryption_set_id = var.aks_node_disk_encryption_set_id # https://docs.microsoft.com/en-us/azure/aks/supported-kubernetes-versions # az aks get-versions --location eastus -o table 
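Review bot: `disk_encryption_set_id = var.aks_node_disk_encryption_set_id` in `azurerm_kubernetes_cluster.aks` sits among ordinary cluster settings with nothing marking it as a destructive change, although the variable description states it forces a new resource; I would put `# ForceNew: changing the DES recreates the whole cluster` on that line. The comment should also say that the DES must already hold access to its Key Vault (key permissions for the set's managed identity) before apply, because otherwise node provisioning fails only after Terraform has committed to a new cluster. As far as the provider exposes it, this single cluster-level value also covers the additional pools created by `modules/aks_node_pool`, which has no DES argument of its own, and that is worth stating here. The `azurerm_kubernetes_cluster.aks` resource body continues outside the hunk.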
@@ -52,22 +53,23 @@ resource "azurerm_kubernetes_cluster" "aks" { } default_node_pool { - name = "system" - vm_size = var.aks_cluster_node_vm_size - zones = var.aks_availability_zones - enable_auto_scaling = var.aks_cluster_node_auto_scaling - enable_node_public_ip = false - node_labels = {} - node_taints = [] - fips_enabled = var.fips_enabled - max_pods = var.aks_cluster_max_pods - os_disk_size_gb = var.aks_cluster_os_disk_size - max_count = var.aks_cluster_max_nodes - min_count = var.aks_cluster_min_nodes - node_count = var.aks_cluster_node_count - vnet_subnet_id = var.aks_vnet_subnet_id - tags = var.aks_cluster_tags - orchestrator_version = var.kubernetes_version + name = "system" + vm_size = var.aks_cluster_node_vm_size + zones = var.aks_availability_zones + enable_auto_scaling = var.aks_cluster_node_auto_scaling + enable_node_public_ip = false + node_labels = {} + node_taints = [] + fips_enabled = var.fips_enabled + enable_host_encryption = var.aks_cluster_enable_host_encryption + max_pods = var.aks_cluster_max_pods + os_disk_size_gb = var.aks_cluster_os_disk_size + max_count = var.aks_cluster_max_nodes + min_count = var.aks_cluster_min_nodes + node_count = var.aks_cluster_node_count + vnet_subnet_id = var.aks_vnet_subnet_id + tags = var.aks_cluster_tags + orchestrator_version = var.kubernetes_version } dynamic "service_principal" { diff --git a/modules/azure_aks/variables.tf b/modules/azure_aks/variables.tf index 4d8f0944..d9bcbaaa 100644 --- a/modules/azure_aks/variables.tf +++ b/modules/azure_aks/variables.tf 
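Review bot: `enable_host_encryption = var.aks_cluster_enable_host_encryption` inside `default_node_pool` is, on the azurerm provider versions I am aware of, a force-new attribute of the cluster resource itself, so enabling it on an existing deployment replaces the cluster rather than only the system pool (unless the provider in use supports `temporary_name_for_rotation`); a comment on that line, `# ForceNew on the cluster: enable at creation time`, and a matching sentence in the variable description would make that explicit. It is also worth a one-line comment that host encryption and `disk_encryption_set_id` are independent controls: host encryption covers the temp disk and the OS/data disk caches on the host, while the DES supplies the customer-managed key for the managed disks, so setting one does not imply the other. The `default_node_pool` block is complete in the hunk, but the enclosing resource starts and ends outside it.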
@@ -113,6 +113,18 @@ variable "aks_cluster_max_pods" { default = 110 } +variable "aks_cluster_enable_host_encryption" { + description = "Enables host encryption on all the nodes in the Default Node Pool" + type = bool + default = false +} + +variable "aks_node_disk_encryption_set_id" { + description = "The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. Changing this forces a new resource to be created." + type = string + default = null +} + variable "kubernetes_version" { description = "The AKS cluster K8s version" type = string diff --git a/modules/azurerm_vm/main.tf b/modules/azurerm_vm/main.tf index 97f48504..a7bd1bc0 100644 --- a/modules/azurerm_vm/main.tf +++ b/modules/azurerm_vm/main.tf @@ -36,15 +36,16 @@ resource "azurerm_network_interface_security_group_association" "vm_nic_sg" { # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/managed_disk resource "azurerm_managed_disk" "vm_data_disk" { - count = var.data_disk_count - name = format("%s-disk%02d", var.name, count.index + 1) - location = var.azure_rg_location - resource_group_name = var.azure_rg_name - storage_account_type = var.data_disk_storage_account_type - create_option = "Empty" - disk_size_gb = var.data_disk_size - zone = var.data_disk_zone - tags = var.tags + count = var.data_disk_count + name = format("%s-disk%02d", var.name, count.index + 1) + location = var.azure_rg_location + resource_group_name = var.azure_rg_name + storage_account_type = var.data_disk_storage_account_type + create_option = "Empty" + disk_size_gb = var.data_disk_size + zone = var.data_disk_zone + disk_encryption_set_id = var.disk_encryption_set_id + tags = var.tags } resource "azurerm_virtual_machine_data_disk_attachment" "vm_data_disk_attach" { 
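Review bot: the `aks_cluster_enable_host_encryption` description in `modules/azure_aks/variables.tf` omits the force-new behaviour that the sibling `aks_node_pool` module documents for the same attribute, and the two should agree; suggest `Enables host encryption on all the nodes in the Default Node Pool. Changing this forces a new resource to be created.` `aks_node_disk_encryption_set_id` accepts any string, so a malformed ID is only rejected at apply, after the plan has already scheduled a cluster replacement; a `validation` block that checks the `/subscriptions/…/providers/Microsoft.Compute/diskEncryptionSets/…` shape of the value when it is non-null would fail fast at plan time instead. In the `azurerm_vm` hunk on the same line, `disk_encryption_set_id` on `vm_data_disk` is passed through unchecked as well; a comment noting that the DES must be in the same subscription and region as the disk would help, since that mismatch is another apply-time-only failure.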
@@ -64,6 +65,7 @@ resource "azurerm_linux_virtual_machine" "vm" { size = var.machine_type admin_username = var.vm_admin zone = var.vm_zone + encryption_at_host_enabled = var.encryption_at_host_enabled #Cloud Init custom_data = (var.cloud_init != "" ? var.cloud_init : null) @@ -78,9 +80,10 @@ resource "azurerm_linux_virtual_machine" "vm" { } os_disk { - caching = var.os_disk_caching - storage_account_type = var.os_disk_storage_account_type - disk_size_gb = var.os_disk_size + caching = var.os_disk_caching + storage_account_type = var.os_disk_storage_account_type + disk_size_gb = var.os_disk_size + disk_encryption_set_id = var.disk_encryption_set_id } source_image_reference { diff --git a/modules/azurerm_vm/variables.tf b/modules/azurerm_vm/variables.tf index 1bd3b989..9507b38a 100644 --- a/modules/azurerm_vm/variables.tf +++ b/modules/azurerm_vm/variables.tf @@ -162,3 +162,15 @@ variable "proximity_placement_group_id" { type = string default = "" } + +variable "encryption_at_host_enabled" { + description = "Enables all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host. Defaults to false" + type = bool + default = false +} + +variable "disk_encryption_set_id" { + description = "The ID of the Disk Encryption Set which should be used to Encrypt this OS Disk." + type = string + default = null +} diff --git a/variables.tf b/variables.tf index c240d4cd..5e482915 100644 --- a/variables.tf +++ b/variables.tf 
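Review bot: the `disk_encryption_set_id` variable description says the set is used "to Encrypt this OS Disk", but the module also applies the same value to every `vm_data_disk` (hunk `@@ -36` of the same module in this diff), so it should read `The ID of the Disk Encryption Set used to encrypt the OS disk and all data disks of this VM.` The `encryption_at_host_enabled` description is not a sentence; suggest `When true, all disks attached to the VM (including the temp disk and the OS/data disk caches) are encrypted using Encryption at Host. Requires a VM size that supports it. Defaults to false.` The hunk also leaves undocumented that `encryption_at_host_enabled = true` fails at apply on subscriptions where the EncryptionAtHost feature is not registered (at least on older subscriptions), which deserves a comment on the resource line since Terraform cannot check it at plan time. The `azurerm_linux_virtual_machine.vm` body continues outside the hunk.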
@@ -165,6 +165,18 @@ variable "default_nodepool_availability_zones" { default = ["1"] } +variable "aks_cluster_enable_host_encryption" { + description = "Enables host encryption on all the nodes in the Node Pool." + type = bool + default = false +} + +variable "aks_node_disk_encryption_set_id" { + description = "The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. Changing this forces a new resource to be created." + type = string + default = null +} + # AKS advanced network config variable "aks_network_plugin" { description = "Network plugin to use for networking. Currently supported values are azure and kubenet. Changing this forces a new resource to be created." @@ -362,6 +374,18 @@ variable "jump_rwx_filestore_path" { default = "/viya-share" } +variable "enable_vm_host_encryption" { + description = "Setting this variable enables all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host. This setting applies to both Jump and NFS VM. Defaults to false" + type = bool + default = false +} + +variable "vm_disk_encryption_set_id" { + description = "The ID of the Disk Encryption Set which should be used to Encrypt this OS Disk. This setting applies to both Jump and NFS VM." + type = string + default = null +} + variable "storage_type" { description = "Type of Storage. Valid Values: `standard`, `ha` and `none`. `standard` creates NFS server VM, `ha` creates Azure Netapp Files" type = string diff --git a/vms.tf b/vms.tf index e941f8db..97d2048f 100644 --- a/vms.tf +++ b/vms.tf 
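Review bot: `vm_disk_encryption_set_id` is documented as encrypting "this OS Disk", yet `vms.tf` hands it to the NFS module whose data disks also receive it, and `aks_cluster_enable_host_encryption` says "the Node Pool" although `main.tf` wires it into both the default pool and every additional pool; each description should name everything it affects and state that changing it recreates the pools or the cluster. Both DES variables are unchecked strings, so a typo is only caught at apply, after the plan has already decided to replace the cluster; a plan-time `validation` of the resource-ID shape catches it early (prefix the pattern with `(?i)` if your IDs arrive in mixed case). Something like the following, repeated for `vm_disk_encryption_set_id`:
```hcl
variable "aks_node_disk_encryption_set_id" {
  description = "The ID of the Disk Encryption Set used for the AKS node OS disks and the volumes provisioned for the cluster. Changing this forces a new cluster to be created."
  type        = string
  default     = null

  validation {
    condition = (
      var.aks_node_disk_encryption_set_id == null ||
      can(regex("^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft.Compute/diskEncryptionSets/[^/]+$", var.aks_node_disk_encryption_set_id))
    )
    error_message = "aks_node_disk_encryption_set_id must be a full Disk Encryption Set resource ID, or null."
  }
}
```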
@@ -54,21 +54,23 @@ data "cloudinit_config" "jump" { module "jump" { source = "./modules/azurerm_vm" - count = var.create_jump_vm ? 1 : 0 - name = "${var.prefix}-jump" - azure_rg_name = local.aks_rg.name - azure_rg_location = var.location - vnet_subnet_id = module.vnet.subnets["misc"].id - machine_type = var.jump_vm_machine_type - azure_nsg_id = local.nsg.id - tags = var.tags - vm_admin = var.jump_vm_admin - vm_zone = var.jump_vm_zone - fips_enabled = var.fips_enabled - ssh_public_key = local.ssh_public_key - cloud_init = data.cloudinit_config.jump[0].rendered - create_public_ip = var.create_jump_public_ip - enable_public_static_ip = var.enable_jump_public_static_ip + count = var.create_jump_vm ? 1 : 0 + name = "${var.prefix}-jump" + azure_rg_name = local.aks_rg.name + azure_rg_location = var.location + vnet_subnet_id = module.vnet.subnets["misc"].id + machine_type = var.jump_vm_machine_type + azure_nsg_id = local.nsg.id + tags = var.tags + vm_admin = var.jump_vm_admin + vm_zone = var.jump_vm_zone + fips_enabled = var.fips_enabled + ssh_public_key = local.ssh_public_key + cloud_init = data.cloudinit_config.jump[0].rendered + create_public_ip = var.create_jump_public_ip + enable_public_static_ip = var.enable_jump_public_static_ip + encryption_at_host_enabled = var.enable_vm_host_encryption + disk_encryption_set_id = var.vm_disk_encryption_set_id # Jump VM mounts NFS path hence dependency on 'module.nfs' depends_on = [module.vnet, module.nfs] @@ -109,6 +111,8 @@ module "nfs" { data_disk_size = var.nfs_raid_disk_size data_disk_storage_account_type = var.nfs_raid_disk_type data_disk_zone = var.nfs_raid_disk_zone + encryption_at_host_enabled = var.enable_vm_host_encryption + disk_encryption_set_id = var.vm_disk_encryption_set_id depends_on = [module.vnet] }