feat: add kms boot volume encryption (#76)

Soaib024 · web-flow · commit affe05fe4796 · 2023-03-20T18:14:04.000Z
diff --git a/README.md b/README.md
@@ -9,7 +9,7 @@
 [![Stable (With quality checks)](https://img.shields.io/badge/Status-Stable%20(With%20quality%20checks)-green)](https://terraform-ibm-modules.github.io/documentation/#/badge-status)[![Build status](https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/actions/workflows/ci.yml/badge.svg)](https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/actions/workflows/ci.yml)[![latest release](https://img.shields.io/github/v/release/terraform-ibm-modules/terraform-ibm-base-ocp-vpc?logo=GitHub&sort=semver)](https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/releases/latest)[![Renovate enabled](https://img.shields.io/badge/renovate-enabled-brightgreen.svg)](https://renovatebot.com/)[![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release)
 [![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
 
-A module for provisioning an IBM Cloud Red Hat OpenShift cluster on VPC Gen2. The module either creates the required Cloud Object Storage instance or uses an existing instance. The module also supports optionally passing a key management configuration for secret encryption.
+A module for provisioning an IBM Cloud Red Hat OpenShift cluster on VPC Gen2. The module either creates the required Cloud Object Storage instance or uses an existing instance. The module also supports optionally passing a key management configuration for secret encryption and boot volume encryption
 
 ## Before you begin
 
@@ -119,7 +119,7 @@ You need the following permissions to run this module.
 - [ Existing COS](examples/existing_cos)
 - [ 2 MZR clusters in same VPC](examples/multiple_mzr_clusters)
 - [ Single Zone Cluster](examples/single_zone_cluster)
-- [ Standard Example](examples/standard)
+- [ Standard Example With User Managed Boot Volume Encryption](examples/standard)
 <!-- END EXAMPLES HOOK -->
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
@@ -171,7 +171,7 @@ No modules.
 | <a name="input_verify_worker_network_readiness"></a> [verify\_worker\_network\_readiness](#input\_verify\_worker\_network\_readiness) | By setting this to true, a script will run kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, this should be set to false. | `bool` | `true` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | Id of the VPC instance where this cluster will be provisioned | `string` | n/a | yes |
 | <a name="input_vpc_subnets"></a> [vpc\_subnets](#input\_vpc\_subnets) | Metadata that describes the VPC's subnets. Obtain this information from the VPC where this cluster will be created | <pre>map(list(object({<br>    id         = string<br>    zone       = string<br>    cidr_block = string<br>  })))</pre> | n/a | yes |
-| <a name="input_worker_pools"></a> [worker\_pools](#input\_worker\_pools) | List of worker pools | <pre>list(object({<br>    subnet_prefix     = string<br>    pool_name         = string<br>    machine_type      = string<br>    workers_per_zone  = number<br>    resource_group_id = optional(string)<br>    labels            = optional(map(string))<br>  }))</pre> | <pre>[<br>  {<br>    "machine_type": "bx2.4x16",<br>    "pool_name": "default",<br>    "subnet_prefix": "zone-1",<br>    "workers_per_zone": 2<br>  },<br>  {<br>    "machine_type": "bx2.4x16",<br>    "pool_name": "zone-2",<br>    "subnet_prefix": "zone-2",<br>    "workers_per_zone": 2<br>  },<br>  {<br>    "machine_type": "bx2.4x16",<br>    "pool_name": "zone-3",<br>    "subnet_prefix": "zone-3",<br>    "workers_per_zone": 2<br>  }<br>]</pre> | no |
+| <a name="input_worker_pools"></a> [worker\_pools](#input\_worker\_pools) | List of worker pools | <pre>list(object({<br>    subnet_prefix     = string<br>    pool_name         = string<br>    machine_type      = string<br>    workers_per_zone  = number<br>    resource_group_id = optional(string)<br>    labels            = optional(map(string))<br>    boot_volume_encryption_kms_config = optional(object({<br>      crk             = string<br>      kms_instance_id = string<br>      kms_account_id  = optional(string)<br>    }))<br>  }))</pre> | <pre>[<br>  {<br>    "machine_type": "bx2.4x16",<br>    "pool_name": "default",<br>    "subnet_prefix": "zone-1",<br>    "workers_per_zone": 2<br>  },<br>  {<br>    "machine_type": "bx2.4x16",<br>    "pool_name": "zone-2",<br>    "subnet_prefix": "zone-2",<br>    "workers_per_zone": 2<br>  },<br>  {<br>    "machine_type": "bx2.4x16",<br>    "pool_name": "zone-3",<br>    "subnet_prefix": "zone-3",<br>    "workers_per_zone": 2<br>  }<br>]</pre> | no |
 | <a name="input_worker_pools_taints"></a> [worker\_pools\_taints](#input\_worker\_pools\_taints) | Optional, Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` | `null` | no |
 
 ## Outputs
diff --git a/common-dev-assets b/common-dev-assets
@@ -1 +1 @@
-Subproject commit 7aa8a965779b9c8e67d0501cf682313bda8fee4a
+Subproject commit f4bc01fd08bf6b7968c34a7f8856b05209a22db9
diff --git a/examples/apply_taints/variables.tf b/examples/apply_taints/variables.tf
@@ -136,6 +136,11 @@ variable "worker_pools" {
     workers_per_zone  = number
     resource_group_id = optional(string)
     labels            = optional(map(string))
+    boot_volume_encryption_kms_config = optional(object({
+      crk             = string
+      kms_instance_id = string
+      kms_account_id  = optional(string)
+    }))
   }))
   description = "List of worker pools."
   default = [
diff --git a/examples/multiple_mzr_clusters/variables.tf b/examples/multiple_mzr_clusters/variables.tf
@@ -136,6 +136,11 @@ variable "worker_pools" {
     workers_per_zone  = number
     resource_group_id = optional(string)
     labels            = optional(map(string))
+    boot_volume_encryption_kms_config = optional(object({
+      crk             = string
+      kms_instance_id = string
+      kms_account_id  = optional(string)
+    }))
   }))
   default = [
     {
diff --git a/examples/standard/README.md b/examples/standard/README.md
@@ -1,4 +1,4 @@
-# Standard Example
+# Standard Example With User Managed Boot Volume Encryption
 
  - The example will provision an OCP cluster with one extra worker pool inside a VPC.
- - The example also enables a key protect provider for the cluster, as well as the required COS instance.
+ - The example also enables a key protect provider for the cluster and boot volume encryption, as well as the required COS instance.
diff --git a/examples/standard/main.tf b/examples/standard/main.tf
@@ -35,7 +35,11 @@ module "kp_all_inclusive" {
   resource_group_id         = module.resource_group.resource_group_id
   region                    = var.region
   resource_tags             = var.resource_tags
-  key_map                   = { "ocp" = ["${var.prefix}-cluster-key"] }
+  key_map = { "ocp" = [
+    "${var.prefix}-cluster-key",
+    "${var.prefix}-default-pool-boot-volume-encryption-key",
+    "${var.prefix}-other-pool-boot-volume-encryption-key"
+  ] }
 }
 
 ##############################################################################
@@ -59,6 +63,33 @@ locals {
       cidr_block = module.vpc.subnet_zone_list[2].cidr
     }]
   }
+
+  worker_pools = [
+    {
+      subnet_prefix     = "zone-1"
+      pool_name         = "default" # ibm_container_vpc_cluster automatically names standard pool "standard" (See https://github.com/IBM-Cloud/terraform-provider-ibm/issues/2849)
+      machine_type      = "bx2.4x16"
+      workers_per_zone  = 2
+      labels            = {}
+      resource_group_id = module.resource_group.resource_group_id
+      boot_volume_encryption_kms_config = {
+        crk             = module.kp_all_inclusive.keys["ocp.${var.prefix}-default-pool-boot-volume-encryption-key"].key_id
+        kms_instance_id = module.kp_all_inclusive.key_protect_guid
+      }
+    },
+    {
+      subnet_prefix     = "zone-2"
+      pool_name         = "zone-2"
+      machine_type      = "bx2.4x16"
+      workers_per_zone  = 2
+      labels            = {}
+      resource_group_id = module.resource_group.resource_group_id
+      boot_volume_encryption_kms_config = {
+        crk             = module.kp_all_inclusive.keys["ocp.${var.prefix}-other-pool-boot-volume-encryption-key"].key_id
+        kms_instance_id = module.kp_all_inclusive.key_protect_guid
+      }
+    }
+  ]
 }
 
 module "ocp_base" {
@@ -70,7 +101,7 @@ module "ocp_base" {
   force_delete_storage = true
   vpc_id               = module.vpc.vpc_id
   vpc_subnets          = local.cluster_vpc_subnets
-  worker_pools         = var.worker_pools
+  worker_pools         = length(var.worker_pools) > 0 ? var.worker_pools : local.worker_pools
   ocp_version          = var.ocp_version
   tags                 = var.resource_tags
   kms_config = {
diff --git a/examples/standard/variables.tf b/examples/standard/variables.tf
@@ -50,22 +50,14 @@ variable "worker_pools" {
     workers_per_zone  = number
     resource_group_id = optional(string)
     labels            = optional(map(string))
+    boot_volume_encryption_kms_config = optional(object({
+      crk             = string
+      kms_instance_id = string
+      kms_account_id  = optional(string)
+    }))
   }))
   description = "List of worker pools."
-  default = [
-    {
-      subnet_prefix    = "zone-1"
-      pool_name        = "default" # ibm_container_vpc_cluster automatically names standard pool "standard" (See https://github.com/IBM-Cloud/terraform-provider-ibm/issues/2849)
-      machine_type     = "bx2.4x16"
-      workers_per_zone = 2
-    },
-    {
-      subnet_prefix    = "zone-2"
-      pool_name        = "zone-2"
-      machine_type     = "bx2.4x16"
-      workers_per_zone = 2
-    }
-  ]
+  default     = []
 }
 
 ##############################################################################
diff --git a/main.tf b/main.tf
@@ -64,6 +64,9 @@ resource "ibm_container_vpc_cluster" "cluster" {
   force_delete_storage            = var.force_delete_storage
   disable_public_service_endpoint = var.disable_public_endpoint
   worker_labels                   = local.default_pool.labels
+  crk                             = local.default_pool.boot_volume_encryption_kms_config == null ? null : local.default_pool.boot_volume_encryption_kms_config.crk
+  kms_instance_id                 = local.default_pool.boot_volume_encryption_kms_config == null ? null : local.default_pool.boot_volume_encryption_kms_config.kms_instance_id
+  kms_account_id                  = local.default_pool.boot_volume_encryption_kms_config == null ? null : local.default_pool.boot_volume_encryption_kms_config.kms_account_id
 
   lifecycle {
     ignore_changes = [kube_version]
@@ -122,6 +125,9 @@ resource "ibm_container_vpc_cluster" "autoscaling_cluster" {
   force_delete_storage            = var.force_delete_storage
   disable_public_service_endpoint = var.disable_public_endpoint
   worker_labels                   = local.default_pool.labels
+  crk                             = local.default_pool.boot_volume_encryption_kms_config == null ? null : local.default_pool.boot_volume_encryption_kms_config.crk
+  kms_instance_id                 = local.default_pool.boot_volume_encryption_kms_config == null ? null : local.default_pool.boot_volume_encryption_kms_config.kms_instance_id
+  kms_account_id                  = local.default_pool.boot_volume_encryption_kms_config == null ? null : local.default_pool.boot_volume_encryption_kms_config.kms_account_id
 
   lifecycle {
     ignore_changes = [worker_count, kube_version]
@@ -211,6 +217,9 @@ resource "ibm_container_vpc_worker_pool" "pool" {
   flavor            = each.value.machine_type
   worker_count      = each.value.workers_per_zone
   labels            = each.value.labels
+  crk               = each.value.boot_volume_encryption_kms_config == null ? null : each.value.boot_volume_encryption_kms_config.crk
+  kms_instance_id   = each.value.boot_volume_encryption_kms_config == null ? null : each.value.boot_volume_encryption_kms_config.kms_instance_id
+  kms_account_id    = each.value.boot_volume_encryption_kms_config == null ? null : each.value.boot_volume_encryption_kms_config.kms_account_id
 
   dynamic "zones" {
     for_each = var.vpc_subnets[each.value.subnet_prefix]
@@ -249,6 +258,9 @@ resource "ibm_container_vpc_worker_pool" "autoscaling_pool" {
   flavor            = each.value.machine_type
   worker_count      = each.value.workers_per_zone
   labels            = each.value.labels
+  crk               = each.value.boot_volume_encryption_kms_config == null ? null : each.value.boot_volume_encryption_kms_config.crk
+  kms_instance_id   = each.value.boot_volume_encryption_kms_config == null ? null : each.value.boot_volume_encryption_kms_config.kms_instance_id
+  kms_account_id    = each.value.boot_volume_encryption_kms_config == null ? null : each.value.boot_volume_encryption_kms_config.kms_account_id
 
   lifecycle {
     ignore_changes = [worker_count]
diff --git a/module-metadata.json b/module-metadata.json
@@ -27,7 +27,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 105
+        "line": 110
       }
     },
     "cos_name": {
@@ -36,7 +36,7 @@
       "description": "Name of the COS instance to provision. New instance only provisioned if `use_existing_cos = false`. Default: `\u003ccluster_name\u003e_cos`",
       "pos": {
         "filename": "variables.tf",
-        "line": 135
+        "line": 140
       }
     },
     "disable_public_endpoint": {
@@ -50,7 +50,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 117
+        "line": 122
       }
     },
     "existing_cos_id": {
@@ -59,7 +59,7 @@
       "description": "The COS id of an already existing COS instance. Only required if 'use_existing_cos = true'",
       "pos": {
         "filename": "variables.tf",
-        "line": 147
+        "line": 152
       }
     },
     "force_delete_storage": {
@@ -73,7 +73,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 129
+        "line": 134
       }
     },
     "ibmcloud_api_key": {
@@ -98,7 +98,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 81
+        "line": 86
       }
     },
     "kms_config": {
@@ -107,7 +107,7 @@
       "description": "Use to attach a Key Protect instance to the cluster",
       "pos": {
         "filename": "variables.tf",
-        "line": 153
+        "line": 158
       }
     },
     "ocp_entitlement": {
@@ -121,7 +121,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 123
+        "line": 128
       }
     },
     "ocp_version": {
@@ -130,7 +130,7 @@
       "description": "The version of the OpenShift cluster that should be provisioned (format 4.x). This is only used during initial cluster provisioning, but ignored for future updates. If no value is passed, or the string 'latest' is passed, the current latest OCP version will be used.",
       "pos": {
         "filename": "variables.tf",
-        "line": 87
+        "line": 92
       }
     },
     "region": {
@@ -198,7 +198,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 141
+        "line": 146
       }
     },
     "verify_worker_network_readiness": {
@@ -211,7 +211,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 169
+        "line": 174
       }
     },
     "vpc_id": {
@@ -227,7 +227,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 164
+        "line": 169
       },
       "immutable": true
     },
@@ -243,7 +243,7 @@
     },
     "worker_pools": {
       "name": "worker_pools",
-      "type": "list(object({\n    subnet_prefix     = string\n    pool_name         = string\n    machine_type      = string\n    workers_per_zone  = number\n    resource_group_id = optional(string)\n    labels            = optional(map(string))\n  }))",
+      "type": "list(object({\n    subnet_prefix     = string\n    pool_name         = string\n    machine_type      = string\n    workers_per_zone  = number\n    resource_group_id = optional(string)\n    labels            = optional(map(string))\n    boot_volume_encryption_kms_config = optional(object({\n      crk             = string\n      kms_instance_id = string\n      kms_account_id  = optional(string)\n    }))\n  }))",
       "description": "List of worker pools",
       "default": [
         {
@@ -276,7 +276,7 @@
       "description": "Optional, Map of lists containing node taints by node-pool name",
       "pos": {
         "filename": "variables.tf",
-        "line": 75
+        "line": 80
       }
     }
   },
@@ -417,7 +417,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 110
+        "line": 113
       }
     },
     "ibm_container_vpc_cluster.cluster": {
@@ -456,7 +456,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 243
+        "line": 252
       }
     },
     "ibm_container_vpc_worker_pool.pool": {
@@ -472,7 +472,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 205
+        "line": 211
       }
     },
     "ibm_resource_instance.cos_instance": {
@@ -503,7 +503,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 300
+        "line": 312
       }
     },
     "null_resource.reset_api_key": {
@@ -515,7 +515,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 181
+        "line": 187
       }
     }
   },
@@ -532,7 +532,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 195
+        "line": 201
       }
     },
     "data.ibm_container_cluster_versions.cluster_versions": {
diff --git a/variables.tf b/variables.tf
@@ -48,6 +48,11 @@ variable "worker_pools" {
     workers_per_zone  = number
     resource_group_id = optional(string)
     labels            = optional(map(string))
+    boot_volume_encryption_kms_config = optional(object({
+      crk             = string
+      kms_instance_id = string
+      kms_account_id  = optional(string)
+    }))
   }))
   default = [
     {
