From a124e619c989f4b2773d6787591088e1e353cb68 Mon Sep 17 00:00:00 2001
From: Ritika Patil
Date: Wed, 14 Feb 2024 16:10:50 -0600
Subject: [PATCH 1/3] feat: (PMCPFR-1571) EncryptAtHost changes for NIST
---
 main.tf | 3 +++
 modules/aks_node_pool/main.tf | 2 ++
 modules/aks_node_pool/variables.tf | 6 ++++++
 modules/azure_aks/main.tf | 33 +++++++++++++++---------------
 modules/azure_aks/variables.tf | 6 ++++++
 modules/azurerm_vm/main.tf | 1 +
 modules/azurerm_vm/variables.tf | 6 ++++++
 variables.tf | 24 ++++++++++++++++++++++
 vms.tf | 32 +++++++++++++++--------------
 9 files changed, 82 insertions(+), 31 deletions(-)
diff --git a/main.tf b/main.tf
index 2edc59e7..5fffd9e1 100644
--- a/main.tf
+++ b/main.tf
@@ -49,6 +49,7 @@ data "azurerm_resource_group" "aks_rg" {
 count = var.resource_group_name == null ? 0 : 1
 name = var.resource_group_name
 }
+
 resource "azurerm_proximity_placement_group" "proximity" {
 count = var.node_pools_proximity_placement ? 1 : 0
@@ -143,6 +144,7 @@ module "aks" {
 aks_cluster_max_pods = var.default_nodepool_max_pods
 aks_cluster_os_disk_size = var.default_nodepool_os_disk_size
 aks_cluster_node_vm_size = var.default_nodepool_vm_type
+ aks_cluster_enable_host_encryption = var.enable_default_nodepool_host_encryption
 aks_cluster_node_admin = var.node_vm_admin
 aks_cluster_ssh_public_key = try(file(var.ssh_public_key), "")
 aks_cluster_private_dns_zone_id = var.aks_cluster_private_dns_zone_id
@@ -206,6 +208,7 @@ module "node_pools" {
 zones = (var.node_pools_availability_zone == "" || var.node_pools_proximity_placement == true) ? [] : (var.node_pools_availability_zones != null) ? var.node_pools_availability_zones : [var.node_pools_availability_zone]
 proximity_placement_group_id = element(coalescelist(azurerm_proximity_placement_group.proximity[*].id, [""]), 0)
 orchestrator_version = var.kubernetes_version
+ enable_host_encryption = var.enable_nodepools_host_encryption
 tags = var.tags
 }
diff --git a/modules/aks_node_pool/main.tf b/modules/aks_node_pool/main.tf
index beae2667..15023591 100755
--- a/modules/aks_node_pool/main.tf
+++ b/modules/aks_node_pool/main.tf
@@ -10,6 +10,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "autoscale_node_pool" {
 vnet_subnet_id = var.vnet_subnet_id
 zones = var.zones
 fips_enabled = var.fips_enabled
+ enable_host_encryption = var.enable_host_encryption
 proximity_placement_group_id = var.proximity_placement_group_id == "" ? null : var.proximity_placement_group_id
 vm_size = var.machine_type
 os_disk_size_gb = var.os_disk_size
@@ -40,6 +41,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "static_node_pool" {
 vnet_subnet_id = var.vnet_subnet_id
 zones = var.zones
 fips_enabled = var.fips_enabled
+ enable_host_encryption = true
 proximity_placement_group_id = var.proximity_placement_group_id == "" ? null : var.proximity_placement_group_id
 vm_size = var.machine_type
 os_disk_size_gb = var.os_disk_size
diff --git a/modules/aks_node_pool/variables.tf b/modules/aks_node_pool/variables.tf
index 1ab640db..a23920ab 100755
--- a/modules/aks_node_pool/variables.tf
+++ b/modules/aks_node_pool/variables.tf
@@ -23,6 +23,12 @@ variable "fips_enabled" {
 default = false
 }
+variable "enable_host_encryption" {
+ description = "Enables host encryption on all the nodes in the Node Pool. Changing this forces a new resource to be created."
+ type = bool
+ default = false
+}
+
 variable "vnet_subnet_id" {
 description = "The ID of the Subnet where this Node Pool should exist. Changing this forces a new resource to be created."
 type = string
diff --git a/modules/azure_aks/main.tf b/modules/azure_aks/main.tf
index 6efb6954..50f00f14 100644
--- a/modules/azure_aks/main.tf
+++ b/modules/azure_aks/main.tf
@@ -52,22 +52,23 @@ resource "azurerm_kubernetes_cluster" "aks" {
 }
 default_node_pool {
- name = "system"
- vm_size = var.aks_cluster_node_vm_size
- zones = var.aks_availability_zones
- enable_auto_scaling = var.aks_cluster_node_auto_scaling
- enable_node_public_ip = false
- node_labels = {}
- node_taints = []
- fips_enabled = var.fips_enabled
- max_pods = var.aks_cluster_max_pods
- os_disk_size_gb = var.aks_cluster_os_disk_size
- max_count = var.aks_cluster_max_nodes
- min_count = var.aks_cluster_min_nodes
- node_count = var.aks_cluster_node_count
- vnet_subnet_id = var.aks_vnet_subnet_id
- tags = var.aks_cluster_tags
- orchestrator_version = var.kubernetes_version
+ name = "system"
+ vm_size = var.aks_cluster_node_vm_size
+ zones = var.aks_availability_zones
+ enable_auto_scaling = var.aks_cluster_node_auto_scaling
+ enable_node_public_ip = false
+ node_labels = {}
+ node_taints = []
+ fips_enabled = var.fips_enabled
+ enable_host_encryption = var.aks_cluster_enable_host_encryption
+ max_pods = var.aks_cluster_max_pods
+ os_disk_size_gb = var.aks_cluster_os_disk_size
+ max_count = var.aks_cluster_max_nodes
+ min_count = var.aks_cluster_min_nodes
+ node_count = var.aks_cluster_node_count
+ vnet_subnet_id = var.aks_vnet_subnet_id
+ tags = var.aks_cluster_tags
+ orchestrator_version = var.kubernetes_version
 }
 dynamic "service_principal" {
diff --git a/modules/azure_aks/variables.tf b/modules/azure_aks/variables.tf
index 4d8f0944..82a863a3 100644
--- a/modules/azure_aks/variables.tf
+++ b/modules/azure_aks/variables.tf
@@ -113,6 +113,12 @@ variable "aks_cluster_max_pods" {
 default = 110
 }
+variable "aks_cluster_enable_host_encryption" {
+ description = "Enables host encryption on all the nodes in the Default Node Pool"
+ type = bool
+ default = false
+}
+
 variable "kubernetes_version" {
 description = "The AKS cluster K8s version"
 type = string
diff --git a/modules/azurerm_vm/main.tf b/modules/azurerm_vm/main.tf
index 97f48504..d26ca45a 100644
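Review bot: The added `enable_host_encryption = var.aks_cluster_enable_host_encryption` in `default_node_pool` has prerequisites Terraform cannot check at plan time — Azure rejects it unless the subscription has the `Microsoft.Compute/EncryptionAtHost` feature registered and the size in `aks_cluster_node_vm_size` supports host encryption, so an unsupported size surfaces only as an apply-time failure on the cluster resource. The description of `aks_cluster_enable_host_encryption` in modules/azure_aks/variables.tf (same physical line) also omits the caveat its sibling in modules/aks_node_pool/variables.tf carries, and for the default node pool a later toggle presumably replaces the whole cluster rather than one pool. Suggest `description = "Enables host encryption on all the nodes in the Default Node Pool. Requires the EncryptionAtHost feature to be registered on the subscription and a VM size that supports it. Changing this forces a new resource to be created."`. The enclosing `azurerm_kubernetes_cluster` resource starts and ends outside the hunk.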
--- a/modules/azurerm_vm/main.tf
+++ b/modules/azurerm_vm/main.tf
@@ -64,6 +64,7 @@ resource "azurerm_linux_virtual_machine" "vm" {
 size = var.machine_type
 admin_username = var.vm_admin
 zone = var.vm_zone
+ encryption_at_host_enabled = var.encryption_at_host_enabled
 #Cloud Init
 custom_data = (var.cloud_init != "" ? var.cloud_init : null)
diff --git a/modules/azurerm_vm/variables.tf b/modules/azurerm_vm/variables.tf
index 1bd3b989..b61ade98 100644
--- a/modules/azurerm_vm/variables.tf
+++ b/modules/azurerm_vm/variables.tf
@@ -162,3 +162,9 @@ variable "proximity_placement_group_id" {
 type = string
 default = ""
 }
+
+variable "encryption_at_host_enabled" {
+ description = "Enables all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host. Defaults to false"
+ type = bool
+ default = false
+}
diff --git a/variables.tf b/variables.tf
index c240d4cd..30363417 100644
--- a/variables.tf
+++ b/variables.tf
@@ -165,6 +165,12 @@ variable "default_nodepool_availability_zones" {
 default = ["1"]
 }
+variable "enable_default_nodepool_host_encryption" {
+ description = "Enables host encryption on all the nodes in the Default Node Pool"
+ type = bool
+ default = false
+}
+
 # AKS advanced network config
 variable "aks_network_plugin" {
 description = "Network plugin to use for networking. Currently supported values are azure and kubenet. Changing this forces a new resource to be created."
@@ -362,6 +368,12 @@ variable "jump_rwx_filestore_path" {
 default = "/viya-share"
 }
+variable "enable_jump_vm_host_encryption" {
+ description = "Setting this variable enables all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host. Defaults to false"
+ type = bool
+ default = false
+}
+
 variable "storage_type" {
 description = "Type of Storage. Valid Values: `standard`, `ha` and `none`. `standard` creates NFS server VM, `ha` creates Azure Netapp Files"
 type = string
@@ -426,6 +438,12 @@ variable "nfs_raid_disk_zone" {
 default = null
 }
+variable "enable_nfs_vm_host_encryption" {
+ description = "Setting this variable enables all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host. Defaults to false"
+ type = bool
+ default = false
+}
+
 ## Azure Container Registry (ACR)
 variable "create_container_registry" {
 description = "Create Azure Container Registry"
@@ -515,6 +533,12 @@ variable "node_pools_proximity_placement" {
 default = false
 }
+variable "enable_nodepools_host_encryption" {
+ description = "Enables host encryption on all the nodes in the Node Pool. Changing this forces a new resource to be created."
+ type = bool
+ default = false
+}
+
 variable "node_pools" {
 description = "Node pool definitions"
 type = map(object({
diff --git a/vms.tf b/vms.tf
index e941f8db..b155de90 100644
--- a/vms.tf
+++ b/vms.tf
@@ -54,21 +54,22 @@ data "cloudinit_config" "jump" {
 module "jump" {
 source = "./modules/azurerm_vm"
- count = var.create_jump_vm ? 1 : 0
- name = "${var.prefix}-jump"
- azure_rg_name = local.aks_rg.name
- azure_rg_location = var.location
- vnet_subnet_id = module.vnet.subnets["misc"].id
- machine_type = var.jump_vm_machine_type
- azure_nsg_id = local.nsg.id
- tags = var.tags
- vm_admin = var.jump_vm_admin
- vm_zone = var.jump_vm_zone
- fips_enabled = var.fips_enabled
- ssh_public_key = local.ssh_public_key
- cloud_init = data.cloudinit_config.jump[0].rendered
- create_public_ip = var.create_jump_public_ip
- enable_public_static_ip = var.enable_jump_public_static_ip
+ count = var.create_jump_vm ? 1 : 0
+ name = "${var.prefix}-jump"
+ azure_rg_name = local.aks_rg.name
+ azure_rg_location = var.location
+ vnet_subnet_id = module.vnet.subnets["misc"].id
+ machine_type = var.jump_vm_machine_type
+ azure_nsg_id = local.nsg.id
+ tags = var.tags
+ vm_admin = var.jump_vm_admin
+ vm_zone = var.jump_vm_zone
+ fips_enabled = var.fips_enabled
+ ssh_public_key = local.ssh_public_key
+ cloud_init = data.cloudinit_config.jump[0].rendered
+ create_public_ip = var.create_jump_public_ip
+ enable_public_static_ip = var.enable_jump_public_static_ip
+ encryption_at_host_enabled = var.enable_jump_vm_host_encryption
 # Jump VM mounts NFS path hence dependency on 'module.nfs'
 depends_on = [module.vnet, module.nfs]
@@ -109,6 +110,7 @@ module "nfs" {
 data_disk_size = var.nfs_raid_disk_size
 data_disk_storage_account_type = var.nfs_raid_disk_type
 data_disk_zone = var.nfs_raid_disk_zone
+ encryption_at_host_enabled = var.enable_nfs_vm_host_encryption
 depends_on = [module.vnet]
 }
From 99d1f552c81dc018d95b3cbb1cd174a9c0f457db Mon Sep 17 00:00:00 2001
From: Ritika Patil
Date: Fri, 22 Mar 2024 15:24:55 -0500
Subject: [PATCH 2/3] feat: (IAC-1386) EncryptAtHost changes for default static nodepool
---
 modules/aks_node_pool/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/aks_node_pool/main.tf b/modules/aks_node_pool/main.tf
index 15023591..abced417 100755
--- a/modules/aks_node_pool/main.tf
+++ b/modules/aks_node_pool/main.tf
@@ -41,7 +41,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "static_node_pool" {
 vnet_subnet_id = var.vnet_subnet_id
 zones = var.zones
 fips_enabled = var.fips_enabled
- enable_host_encryption = true
+ enable_host_encryption = var.enable_host_encryption
 proximity_placement_group_id = var.proximity_placement_group_id == "" ? null : var.proximity_placement_group_id
 vm_size = var.machine_type
 os_disk_size_gb = var.os_disk_size
From 883647f0afcc7edc558b93cddcbaca0cba5b03a4 Mon Sep 17 00:00:00 2001
From: Ritika Patil
Date: Wed, 27 Mar 2024 13:55:18 -0500
Subject: [PATCH 3/3] feat: (IAC-1386) Updated code to add changes for customer managed keys
---
 main.tf | 5 +++--
 modules/azure_aks/main.tf | 1 +
 modules/azure_aks/variables.tf | 6 ++++++
 modules/azurerm_vm/main.tf | 26 ++++++++++++++------------
 modules/azurerm_vm/variables.tf | 6 ++++++
 variables.tf | 32 ++++++++++++++++----------------
 vms.tf | 6 ++++--
 7 files changed, 50 insertions(+), 32 deletions(-)
diff --git a/main.tf b/main.tf
index 5fffd9e1..e2d9b075 100644
--- a/main.tf
+++ b/main.tf
@@ -144,7 +144,8 @@ module "aks" {
 aks_cluster_max_pods = var.default_nodepool_max_pods
 aks_cluster_os_disk_size = var.default_nodepool_os_disk_size
 aks_cluster_node_vm_size = var.default_nodepool_vm_type
- aks_cluster_enable_host_encryption = var.enable_default_nodepool_host_encryption
+ aks_cluster_enable_host_encryption = var.aks_cluster_enable_host_encryption
+ aks_node_disk_encryption_set_id = var.aks_node_disk_encryption_set_id
 aks_cluster_node_admin = var.node_vm_admin
 aks_cluster_ssh_public_key = try(file(var.ssh_public_key), "")
 aks_cluster_private_dns_zone_id = var.aks_cluster_private_dns_zone_id
@@ -208,7 +209,7 @@ module "node_pools" {
 zones = (var.node_pools_availability_zone == "" || var.node_pools_proximity_placement == true) ? [] : (var.node_pools_availability_zones != null) ? var.node_pools_availability_zones : [var.node_pools_availability_zone]
 proximity_placement_group_id = element(coalescelist(azurerm_proximity_placement_group.proximity[*].id, [""]), 0)
 orchestrator_version = var.kubernetes_version
- enable_host_encryption = var.enable_nodepools_host_encryption
+ enable_host_encryption = var.aks_cluster_enable_host_encryption
 tags = var.tags
 }
diff --git a/modules/azure_aks/main.tf b/modules/azure_aks/main.tf
index 50f00f14..8cadfe1f 100644
--- a/modules/azure_aks/main.tf
+++ b/modules/azure_aks/main.tf
@@ -13,6 +13,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
 support_plan = var.cluster_support_tier
 role_based_access_control_enabled = true
 http_application_routing_enabled = false
+ disk_encryption_set_id = var.aks_node_disk_encryption_set_id
 # https://docs.microsoft.com/en-us/azure/aks/supported-kubernetes-versions
 # az aks get-versions --location eastus -o table
diff --git a/modules/azure_aks/variables.tf b/modules/azure_aks/variables.tf
index 82a863a3..d9bcbaaa 100644
--- a/modules/azure_aks/variables.tf
+++ b/modules/azure_aks/variables.tf
@@ -119,6 +119,12 @@ variable "aks_cluster_enable_host_encryption" {
 default = false
 }
+variable "aks_node_disk_encryption_set_id" {
+ description = "The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. Changing this forces a new resource to be created."
+ type = string
+ default = null
+}
+
 variable "kubernetes_version" {
 description = "The AKS cluster K8s version"
 type = string
diff --git a/modules/azurerm_vm/main.tf b/modules/azurerm_vm/main.tf
index d26ca45a..a7bd1bc0 100644
--- a/modules/azurerm_vm/main.tf
+++ b/modules/azurerm_vm/main.tf
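Review bot: The new `disk_encryption_set_id = var.aks_node_disk_encryption_set_id` on the cluster resource fails silently in the wrong direction: with the module default of `null` the node OS disks stay on platform-managed keys, and a mistyped or malformed resource ID is only rejected by the API at apply time, after the plan has been approved. Since the stated goal is customer-managed keys, the `aks_node_disk_encryption_set_id` variable in modules/azure_aks/variables.tf (same physical line) should at least reject anything that is not a full Disk Encryption Set resource ID at plan time; a `validation` block like the one below does that (the regex is a constructed example — Azure resource IDs can vary in segment case, so confirm against the IDs your DES resources actually report). The `var.aks_cluster_enable_host_encryption` line in the main.tf `node_pools` hunk on this line also ties every entry of `var.node_pools` to the same flag as the system pool with no per-pool override, which is fine for a compliance baseline but worth a sentence in the variable description. Prerequisites that Terraform cannot express — the DES living in the cluster's region and its key being reachable by the cluster — belong in the README alongside it.
```hcl
variable "aks_node_disk_encryption_set_id" {
  # … unchanged: description, type, default …
  validation {
    condition     = var.aks_node_disk_encryption_set_id == null || can(regex("^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft.Compute/diskEncryptionSets/[^/]+$", var.aks_node_disk_encryption_set_id))
    error_message = "aks_node_disk_encryption_set_id must be null or a full Disk Encryption Set resource ID."
  }
}
```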
@@ -36,15 +36,16 @@ resource "azurerm_network_interface_security_group_association" "vm_nic_sg" {
 # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/managed_disk
 resource "azurerm_managed_disk" "vm_data_disk" {
- count = var.data_disk_count
- name = format("%s-disk%02d", var.name, count.index + 1)
- location = var.azure_rg_location
- resource_group_name = var.azure_rg_name
- storage_account_type = var.data_disk_storage_account_type
- create_option = "Empty"
- disk_size_gb = var.data_disk_size
- zone = var.data_disk_zone
- tags = var.tags
+ count = var.data_disk_count
+ name = format("%s-disk%02d", var.name, count.index + 1)
+ location = var.azure_rg_location
+ resource_group_name = var.azure_rg_name
+ storage_account_type = var.data_disk_storage_account_type
+ create_option = "Empty"
+ disk_size_gb = var.data_disk_size
+ zone = var.data_disk_zone
+ disk_encryption_set_id = var.disk_encryption_set_id
+ tags = var.tags
 }
 resource "azurerm_virtual_machine_data_disk_attachment" "vm_data_disk_attach" {
@@ -79,9 +80,10 @@ resource "azurerm_linux_virtual_machine" "vm" {
 }
 os_disk {
- caching = var.os_disk_caching
- storage_account_type = var.os_disk_storage_account_type
- disk_size_gb = var.os_disk_size
+ caching = var.os_disk_caching
+ storage_account_type = var.os_disk_storage_account_type
+ disk_size_gb = var.os_disk_size
+ disk_encryption_set_id = var.disk_encryption_set_id
 }
 source_image_reference {
diff --git a/modules/azurerm_vm/variables.tf b/modules/azurerm_vm/variables.tf
index b61ade98..9507b38a 100644
--- a/modules/azurerm_vm/variables.tf
+++ b/modules/azurerm_vm/variables.tf
@@ -168,3 +168,9 @@ variable "encryption_at_host_enabled" {
 type = bool
 default = false
 }
+
+variable "disk_encryption_set_id" {
+ description = "The ID of the Disk Encryption Set which should be used to Encrypt this OS Disk."
+ type = string
+ default = null
+}
diff --git a/variables.tf b/variables.tf
index 30363417..5e482915 100644
--- a/variables.tf
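Review bot: The description added for `disk_encryption_set_id` in modules/azurerm_vm/variables.tf says it is "used to Encrypt this OS Disk", but the first hunk on this line sets the same ID on every `azurerm_managed_disk.vm_data_disk` as well as in `os_disk`, so the documentation understates what the variable controls; the root `vm_disk_encryption_set_id` description in the next variables.tf hunk repeats the wording. Suggest `description = "The ID of the Disk Encryption Set used to encrypt the OS disk and every data disk of this Virtual Machine. Defaults to null, which leaves the disks on platform-managed keys."`. It is also worth stating in the README that a DES on the disks and `encryption_at_host_enabled` on the VM are complementary rather than alternatives — the DES supplies the customer-managed key for the managed disks at rest, host encryption covers the temp disk and disk caches — so a compliance reader knows both must be set. The `azurerm_linux_virtual_machine` resource starts and ends outside the second hunk.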
+++ b/variables.tf
@@ -165,12 +165,18 @@ variable "default_nodepool_availability_zones" {
 default = ["1"]
 }
-variable "enable_default_nodepool_host_encryption" {
- description = "Enables host encryption on all the nodes in the Default Node Pool"
+variable "aks_cluster_enable_host_encryption" {
+ description = "Enables host encryption on all the nodes in the Node Pool."
 type = bool
 default = false
 }
+variable "aks_node_disk_encryption_set_id" {
+ description = "The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. Changing this forces a new resource to be created."
+ type = string
+ default = null
+}
+
 # AKS advanced network config
 variable "aks_network_plugin" {
 description = "Network plugin to use for networking. Currently supported values are azure and kubenet. Changing this forces a new resource to be created."
@@ -368,12 +374,18 @@ variable "jump_rwx_filestore_path" {
 default = "/viya-share"
 }
-variable "enable_jump_vm_host_encryption" {
- description = "Setting this variable enables all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host. Defaults to false"
+variable "enable_vm_host_encryption" {
+ description = "Setting this variable enables all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host. This setting applies to both Jump and NFS VM. Defaults to false"
 type = bool
 default = false
 }
+variable "vm_disk_encryption_set_id" {
+ description = "The ID of the Disk Encryption Set which should be used to Encrypt this OS Disk. This setting applies to both Jump and NFS VM."
+ type = string
+ default = null
+}
+
 variable "storage_type" {
 description = "Type of Storage. Valid Values: `standard`, `ha` and `none`. `standard` creates NFS server VM, `ha` creates Azure Netapp Files"
 type = string
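Review bot: Renaming `enable_default_nodepool_host_encryption` to `aks_cluster_enable_host_encryption` and `enable_jump_vm_host_encryption` to `enable_vm_host_encryption` here, together with the removal of `enable_nfs_vm_host_encryption` and `enable_nodepools_host_encryption` in the two hunks on the next physical line, is a breaking change that fails open: if my recollection of Terraform is right, a tfvars file that still sets the old names only triggers an undeclared-variable warning, the new variables fall back to `default = false`, and an existing deployment is re-planned with host encryption switched off without any error. Since this lands under a compliance ticket, the rename needs a changelog entry and a migration note telling users which names to change, and ideally a CI check that the documented variable list matches variables.tf. The new description `"Enables host encryption on all the nodes in the Node Pool."` is also narrower than the behaviour now that main.tf feeds the same variable to the default pool and every `node_pools` entry; suggest `description = "Enables host encryption on all the nodes in the Default Node Pool and in every additional Node Pool. Requires the EncryptionAtHost feature on the subscription; changing this forces a new resource to be created."`.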
@@ -438,12 +450,6 @@ variable "nfs_raid_disk_zone" {
 default = null
 }
-variable "enable_nfs_vm_host_encryption" {
- description = "Setting this variable enables all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host. Defaults to false"
- type = bool
- default = false
-}
-
 ## Azure Container Registry (ACR)
 variable "create_container_registry" {
 description = "Create Azure Container Registry"
@@ -533,12 +539,6 @@ variable "node_pools_proximity_placement" {
 default = false
 }
-variable "enable_nodepools_host_encryption" {
- description = "Enables host encryption on all the nodes in the Node Pool. Changing this forces a new resource to be created."
- type = bool
- default = false
-}
-
 variable "node_pools" {
 description = "Node pool definitions"
 type = map(object({
diff --git a/vms.tf b/vms.tf
index b155de90..97d2048f 100644
--- a/vms.tf
+++ b/vms.tf
@@ -69,7 +69,8 @@ module "jump" {
 cloud_init = data.cloudinit_config.jump[0].rendered
 create_public_ip = var.create_jump_public_ip
 enable_public_static_ip = var.enable_jump_public_static_ip
- encryption_at_host_enabled = var.enable_jump_vm_host_encryption
+ encryption_at_host_enabled = var.enable_vm_host_encryption
+ disk_encryption_set_id = var.vm_disk_encryption_set_id
 # Jump VM mounts NFS path hence dependency on 'module.nfs'
 depends_on = [module.vnet, module.nfs]
@@ -110,7 +111,8 @@ module "nfs" {
 data_disk_size = var.nfs_raid_disk_size
 data_disk_storage_account_type = var.nfs_raid_disk_type
 data_disk_zone = var.nfs_raid_disk_zone
- encryption_at_host_enabled = var.enable_nfs_vm_host_encryption
+ encryption_at_host_enabled = var.enable_vm_host_encryption
+ disk_encryption_set_id = var.vm_disk_encryption_set_id
 depends_on = [module.vnet]
 }