Add support for bastion boot-volume encryption (#1040)

Author: robo-cap

module-bastion.tf

@@ -60,6 +60,7 @@ module "bastion" {
   timezone                 = var.timezone
   upgrade                  = var.bastion_upgrade
   user                     = var.bastion_user
+  volume_kms_key_id        = var.bastion_volume_kms_key_id
 
   # Standard tags as defined if enabled for use, or freeform
   # User-provided tags are merged last and take precedence

modules/bastion/compute.tf

@@ -68,6 +68,7 @@ resource "oci_core_instance" "bastion" {
     boot_volume_size_in_gbs = local.boot_volume_size
     source_id               = var.image_id
     source_type             = "image"
+    kms_key_id              = var.volume_kms_key_id
   }
 
   lifecycle {

modules/bastion/variables.tf

@@ -23,6 +23,7 @@ variable "subnet_id" { type = string }
 variable "timezone" { type = string }
 variable "upgrade" { type = bool }
 variable "user" { type = string }
+variable "volume_kms_key_id" { type = string }
 
 # Tags
 variable "defined_tags" { type = map(string) }

variables-bastion.tf

@@ -93,4 +93,10 @@ variable "bastion_await_cloudinit" {
   default     = true
   description = "Whether to block until successful connection to bastion and completion of cloud-init."
   type        = bool
+}
+
+variable "bastion_volume_kms_key_id" {
+  default     = null
+  description = "The OCID of the OCI KMS key to assign as the master encryption key for the bastion host boot volume."
+  type        = string
 }

variables-operator.tf

@@ -127,7 +127,7 @@ variable "operator_shape" {
 
 variable "operator_volume_kms_key_id" {
   default     = null
-  description = "The OCID of the OCI KMS key to assign as the master encryption key for the boot volume."
+  description = "The OCID of the OCI KMS key to assign as the master encryption key for the operator host boot volume."
   type        = string
 }