feat: Added Custom KMS support for boot volume encryption, support for in-transit encryption (#62)

KSN2510 · web-flow · commit ea54d228edcb · 2022-02-10T21:29:16.000+11:00
* feat: Added Custom KMS Key encryption support for Boot Volume.

Signed-off-by: Nikhil Kota &lt;srinivasa.nikhil.kota@oracle.com&gt;

* feat: Added support for in-transit encryption for the data volume's paravirtualized attachment.
diff --git a/compute.tf b/compute.tf
@@ -38,7 +38,8 @@ resource "oci_core_instance" "operator" {
     network_type     = "PARAVIRTUALIZED"
   }
 
-  # prevent the operator from destroying and recreating itself if the image ocid changes 
+  is_pv_encryption_in_transit_enabled = var.enable_pv_encryption_in_transit
+  # prevent the operator from destroying and recreating itself if the image ocid changes
   lifecycle {
     ignore_changes = [source_details[0].source_id]
   }
@@ -61,6 +62,7 @@ resource "oci_core_instance" "operator" {
   source_details {
     source_type = "image"
     source_id   = local.operator_image_id
+    kms_key_id  = var.boot_volume_encryption_key
   }
 
   state = var.operator_state
diff --git a/docs/terraformoptions.adoc b/docs/terraformoptions.adoc
@@ -123,6 +123,16 @@ Ensure you review the {uri-terraform-dependencies}[dependencies].
 |imageid/Oracle
 |Oracle
 
+|`enable_pv_encryption_in_transit`
+|Whether to enable in-transit encryption for the data volume's paravirtualized attachment
+|true/false
+|false
+
+|`boot_volume_encryption_key`
+|The OCID of the OCI KMS key to assign as the master encryption key for the boot volume.
+|""
+|
+
 |`enable_operator_instance_principal`
 |Whether to enable instance_principal on the operator.
 |true/false
diff --git a/variables.tf b/variables.tf
@@ -126,6 +126,18 @@ variable "upgrade_operator" {
   type        = bool
 }
 
+variable "enable_pv_encryption_in_transit" {
+  description = "Whether to enable in-transit encryption for the data volume's paravirtualized attachment. The default value is false"
+  default = false
+  type = bool
+}
+
+variable "boot_volume_encryption_key" {
+  description = "The OCID of the OCI KMS key to assign as the master encryption key for the boot volume."
+  default     = ""
+  type        = string
+}
+
 # operator notification
 variable "enable_operator_notification" {
   description = "Whether to enable ONS notification for the operator host."
@@ -150,3 +162,4 @@ variable "operator_notification_topic" {
   default     = "operator"
   type        = string
 }
+

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,8 @@ resource "oci_core_instance" "operator" {`
`38`	`38`	`network_type = "PARAVIRTUALIZED"`
`39`	`39`	`}`
`40`	`40`
`41`		`- # prevent the operator from destroying and recreating itself if the image ocid changes`
	`41`	`+ is_pv_encryption_in_transit_enabled = var.enable_pv_encryption_in_transit`
	`42`	`+ # prevent the operator from destroying and recreating itself if the image ocid changes`
`42`	`43`	`lifecycle {`
`43`	`44`	`ignore_changes = [source_details[0].source_id]`
`44`	`45`	`}`
`@@ -61,6 +62,7 @@ resource "oci_core_instance" "operator" {`
`61`	`62`	`source_details {`
`62`	`63`	`source_type = "image"`
`63`	`64`	`source_id = local.operator_image_id`
	`65`	`+ kms_key_id = var.boot_volume_encryption_key`
`64`	`66`	`}`
`65`	`67`
`66`	`68`	`state = var.operator_state`