feat: (IAC-1386) EncryptAtHost changes for NIST (#372)

Author: riragh

main.tf

@@ -49,6 +49,7 @@ data "azurerm_resource_group" "aks_rg" {
   count = var.resource_group_name == null ? 0 : 1
   name  = var.resource_group_name
 }
+
 resource "azurerm_proximity_placement_group" "proximity" {
   count = var.node_pools_proximity_placement ? 1 : 0
 
@@ -143,6 +144,8 @@ module "aks" {
   aks_cluster_max_pods                     = var.default_nodepool_max_pods
   aks_cluster_os_disk_size                 = var.default_nodepool_os_disk_size
   aks_cluster_node_vm_size                 = var.default_nodepool_vm_type
+  aks_cluster_enable_host_encryption       = var.aks_cluster_enable_host_encryption
+  aks_node_disk_encryption_set_id          = var.aks_node_disk_encryption_set_id
   aks_cluster_node_admin                   = var.node_vm_admin
   aks_cluster_ssh_public_key               = try(file(var.ssh_public_key), "")
   aks_cluster_private_dns_zone_id          = var.aks_cluster_private_dns_zone_id
@@ -206,6 +209,7 @@ module "node_pools" {
   zones                        = (var.node_pools_availability_zone == "" || var.node_pools_proximity_placement == true) ? [] : (var.node_pools_availability_zones != null) ? var.node_pools_availability_zones : [var.node_pools_availability_zone]
   proximity_placement_group_id = element(coalescelist(azurerm_proximity_placement_group.proximity[*].id, [""]), 0)
   orchestrator_version         = var.kubernetes_version
+  enable_host_encryption       = var.aks_cluster_enable_host_encryption
   tags                         = var.tags
 }
 

modules/aks_node_pool/main.tf

@@ -10,6 +10,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "autoscale_node_pool" {
   vnet_subnet_id               = var.vnet_subnet_id
   zones                        = var.zones
   fips_enabled                 = var.fips_enabled
+  enable_host_encryption       = var.enable_host_encryption
   proximity_placement_group_id = var.proximity_placement_group_id == "" ? null : var.proximity_placement_group_id
   vm_size                      = var.machine_type
   os_disk_size_gb              = var.os_disk_size
@@ -40,6 +41,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "static_node_pool" {
   vnet_subnet_id               = var.vnet_subnet_id
   zones                        = var.zones
   fips_enabled                 = var.fips_enabled
+  enable_host_encryption       = var.enable_host_encryption
   proximity_placement_group_id = var.proximity_placement_group_id == "" ? null : var.proximity_placement_group_id
   vm_size                      = var.machine_type
   os_disk_size_gb              = var.os_disk_size

modules/aks_node_pool/variables.tf

@@ -23,6 +23,12 @@ variable "fips_enabled" {
   default     = false
 }
 
+variable "enable_host_encryption" {
+  description = "Enables host encryption on all the nodes in the Node Pool. Changing this forces a new resource to be created."
+  type        = bool
+  default     = false
+}
+
 variable "vnet_subnet_id" {
   description = "The ID of the Subnet where this Node Pool should exist. Changing this forces a new resource to be created."
   type        = string

modules/azure_aks/main.tf

@@ -13,6 +13,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
   support_plan                      = var.cluster_support_tier
   role_based_access_control_enabled = true
   http_application_routing_enabled  = false
+  disk_encryption_set_id            = var.aks_node_disk_encryption_set_id
 
   # https://docs.microsoft.com/en-us/azure/aks/supported-kubernetes-versions
   # az aks get-versions --location eastus -o table
@@ -52,22 +53,23 @@ resource "azurerm_kubernetes_cluster" "aks" {
   }
 
   default_node_pool {
-    name                  = "system"
-    vm_size               = var.aks_cluster_node_vm_size
-    zones                 = var.aks_availability_zones
-    enable_auto_scaling   = var.aks_cluster_node_auto_scaling
-    enable_node_public_ip = false
-    node_labels           = {}
-    node_taints           = []
-    fips_enabled          = var.fips_enabled
-    max_pods              = var.aks_cluster_max_pods
-    os_disk_size_gb       = var.aks_cluster_os_disk_size
-    max_count             = var.aks_cluster_max_nodes
-    min_count             = var.aks_cluster_min_nodes
-    node_count            = var.aks_cluster_node_count
-    vnet_subnet_id        = var.aks_vnet_subnet_id
-    tags                  = var.aks_cluster_tags
-    orchestrator_version  = var.kubernetes_version
+    name                   = "system"
+    vm_size                = var.aks_cluster_node_vm_size
+    zones                  = var.aks_availability_zones
+    enable_auto_scaling    = var.aks_cluster_node_auto_scaling
+    enable_node_public_ip  = false
+    node_labels            = {}
+    node_taints            = []
+    fips_enabled           = var.fips_enabled
+    enable_host_encryption = var.aks_cluster_enable_host_encryption
+    max_pods               = var.aks_cluster_max_pods
+    os_disk_size_gb        = var.aks_cluster_os_disk_size
+    max_count              = var.aks_cluster_max_nodes
+    min_count              = var.aks_cluster_min_nodes
+    node_count             = var.aks_cluster_node_count
+    vnet_subnet_id         = var.aks_vnet_subnet_id
+    tags                   = var.aks_cluster_tags
+    orchestrator_version   = var.kubernetes_version
   }
 
   dynamic "service_principal" {

modules/azure_aks/variables.tf

@@ -113,6 +113,18 @@ variable "aks_cluster_max_pods" {
   default     = 110
 }
 
+variable "aks_cluster_enable_host_encryption" {
+  description = "Enables host encryption on all the nodes in the Default Node Pool"
+  type        = bool
+  default     = false
+}
+
+variable "aks_node_disk_encryption_set_id" {
+  description = "The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. Changing this forces a new resource to be created."
+  type        = string
+  default     = null
+}
+
 variable "kubernetes_version" {
   description = "The AKS cluster K8s version"
   type        = string

modules/azurerm_vm/main.tf

@@ -36,15 +36,16 @@ resource "azurerm_network_interface_security_group_association" "vm_nic_sg" {
 
 # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/managed_disk
 resource "azurerm_managed_disk" "vm_data_disk" {
-  count                = var.data_disk_count
-  name                 = format("%s-disk%02d", var.name, count.index + 1)
-  location             = var.azure_rg_location
-  resource_group_name  = var.azure_rg_name
-  storage_account_type = var.data_disk_storage_account_type
-  create_option        = "Empty"
-  disk_size_gb         = var.data_disk_size
-  zone                 = var.data_disk_zone
-  tags                 = var.tags
+  count                  = var.data_disk_count
+  name                   = format("%s-disk%02d", var.name, count.index + 1)
+  location               = var.azure_rg_location
+  resource_group_name    = var.azure_rg_name
+  storage_account_type   = var.data_disk_storage_account_type
+  create_option          = "Empty"
+  disk_size_gb           = var.data_disk_size
+  zone                   = var.data_disk_zone
+  disk_encryption_set_id = var.disk_encryption_set_id
+  tags                   = var.tags
 }
 
 resource "azurerm_virtual_machine_data_disk_attachment" "vm_data_disk_attach" {
@@ -64,6 +65,7 @@ resource "azurerm_linux_virtual_machine" "vm" {
   size                         = var.machine_type
   admin_username               = var.vm_admin
   zone                         = var.vm_zone
+  encryption_at_host_enabled   = var.encryption_at_host_enabled
 
   #Cloud Init
   custom_data = (var.cloud_init != "" ? var.cloud_init : null)
@@ -78,9 +80,10 @@ resource "azurerm_linux_virtual_machine" "vm" {
   }
 
   os_disk {
-    caching              = var.os_disk_caching
-    storage_account_type = var.os_disk_storage_account_type
-    disk_size_gb         = var.os_disk_size
+    caching                = var.os_disk_caching
+    storage_account_type   = var.os_disk_storage_account_type
+    disk_size_gb           = var.os_disk_size
+    disk_encryption_set_id = var.disk_encryption_set_id
   }
 
   source_image_reference {

modules/azurerm_vm/variables.tf

@@ -162,3 +162,15 @@ variable "proximity_placement_group_id" {
   type        = string
   default     = ""
 }
+
+variable "encryption_at_host_enabled" {
+  description = "Enables all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host. Defaults to false"
+  type        = bool
+  default     = false
+}
+
+variable "disk_encryption_set_id" {
+  description = "The ID of the Disk Encryption Set which should be used to Encrypt this OS Disk."
+  type        = string
+  default     = null
+}

variables.tf

@@ -165,6 +165,18 @@ variable "default_nodepool_availability_zones" {
   default     = ["1"]
 }
 
+variable "aks_cluster_enable_host_encryption" {
+  description = "Enables host encryption on all the nodes in the Node Pool."
+  type        = bool
+  default     = false
+}
+
+variable "aks_node_disk_encryption_set_id" {
+  description = "The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. Changing this forces a new resource to be created."
+  type        = string
+  default     = null
+}
+
 # AKS advanced network config
 variable "aks_network_plugin" {
   description = "Network plugin to use for networking. Currently supported values are azure and kubenet. Changing this forces a new resource to be created."
@@ -362,6 +374,18 @@ variable "jump_rwx_filestore_path" {
   default     = "/viya-share"
 }
 
+variable "enable_vm_host_encryption" {
+  description = "Setting this variable enables all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host. This setting applies to both Jump and NFS VM. Defaults to false"
+  type        = bool
+  default     = false
+}
+
+variable "vm_disk_encryption_set_id" {
+  description = "The ID of the Disk Encryption Set which should be used to Encrypt this OS Disk. This setting applies to both Jump and NFS VM."
+  type        = string
+  default     = null
+}
+
 variable "storage_type" {
   description = "Type of Storage. Valid Values: `standard`, `ha` and `none`. `standard` creates NFS server VM, `ha` creates Azure Netapp Files"
   type        = string

vms.tf

@@ -54,21 +54,23 @@ data "cloudinit_config" "jump" {
 module "jump" {
   source = "./modules/azurerm_vm"
 
-  count                   = var.create_jump_vm ? 1 : 0
-  name                    = "${var.prefix}-jump"
-  azure_rg_name           = local.aks_rg.name
-  azure_rg_location       = var.location
-  vnet_subnet_id          = module.vnet.subnets["misc"].id
-  machine_type            = var.jump_vm_machine_type
-  azure_nsg_id            = local.nsg.id
-  tags                    = var.tags
-  vm_admin                = var.jump_vm_admin
-  vm_zone                 = var.jump_vm_zone
-  fips_enabled            = var.fips_enabled
-  ssh_public_key          = local.ssh_public_key
-  cloud_init              = data.cloudinit_config.jump[0].rendered
-  create_public_ip        = var.create_jump_public_ip
-  enable_public_static_ip = var.enable_jump_public_static_ip
+  count                      = var.create_jump_vm ? 1 : 0
+  name                       = "${var.prefix}-jump"
+  azure_rg_name              = local.aks_rg.name
+  azure_rg_location          = var.location
+  vnet_subnet_id             = module.vnet.subnets["misc"].id
+  machine_type               = var.jump_vm_machine_type
+  azure_nsg_id               = local.nsg.id
+  tags                       = var.tags
+  vm_admin                   = var.jump_vm_admin
+  vm_zone                    = var.jump_vm_zone
+  fips_enabled               = var.fips_enabled
+  ssh_public_key             = local.ssh_public_key
+  cloud_init                 = data.cloudinit_config.jump[0].rendered
+  create_public_ip           = var.create_jump_public_ip
+  enable_public_static_ip    = var.enable_jump_public_static_ip
+  encryption_at_host_enabled = var.enable_vm_host_encryption
+  disk_encryption_set_id     = var.vm_disk_encryption_set_id
 
   # Jump VM mounts NFS path hence dependency on 'module.nfs'
   depends_on = [module.vnet, module.nfs]
@@ -109,6 +111,8 @@ module "nfs" {
   data_disk_size                 = var.nfs_raid_disk_size
   data_disk_storage_account_type = var.nfs_raid_disk_type
   data_disk_zone                 = var.nfs_raid_disk_zone
+  encryption_at_host_enabled     = var.enable_vm_host_encryption
+  disk_encryption_set_id         = var.vm_disk_encryption_set_id
   depends_on                     = [module.vnet]
 }