
Commit 9b8e40f

Merge pull request #78 from infrablocks/enable-ebs-encryption
Enable ebs volume encryption and modernisation
2 parents 14d8778 + 4dc9d2e commit 9b8e40f

22 files changed

+240
-161
lines changed

CHANGELOG.md

Lines changed: 20 additions & 3 deletions
@@ -1,10 +1,27 @@
1+
## 6.0.0 (February 17th 2023)
2+
3+
BACKWARDS INCOMPATIBILITIES / NOTES:
4+
5+
* This module is now compatible with Terraform 1.1 and higher.
6+
* This module now uses ebs volume encryption by default. This can be disabled
7+
using `cluster_instance_enable_ebs_volume_encryption = false`.
8+
* In line with Amazon's update of the default root block storage device, the
9+
default in this module is now `/dev/xvda`.
10+
* All variables previously using `"yes|no"` have been replaced with
11+
`true|false`.
12+
13+
IMPROVEMENTS:
14+
15+
* This module now uses the nullable feature to simplify variable defaults.
16+
117
## 5.0.1 (February 2nd 2023)
218

319
IMPROVEMENTS:
420

521
* added option to specify log retention period for cluster
622
* added option to disable enhanced instance monitoring (enabled by default)
7-
* added option to specify the path of the root block storage device as AWS default has changed from `/dev/sda1` to `/dev/xvda`
23+
* added option to specify the path of the root block storage device as AWS
24+
default has changed from `/dev/sda1` to `/dev/xvda`
825

926
## 5.0.0 (December 22nd 2022)
1027

@@ -88,11 +105,11 @@ IMPROVEMENTS:
88105
BACKWARDS INCOMPATIBILITIES / NOTES:
89106

90107
* The configuration directory has changed from `<repo>/src` to `<repo>` to
91-
satisfy the terraform standard module structure.
108+
satisfy the Terraform standard module structure.
92109

93110
IMPROVEMENTS:
94111

95-
* All variables and outputs now have descriptions to satisfy the terraform
112+
* All variables and outputs now have descriptions to satisfy the Terraform
96113
standard module structure.
97114

98115
## 0.2.0 (November 3th, 2017)

README.md

Lines changed: 28 additions & 28 deletions
@@ -75,35 +75,35 @@ for more details.
7575

7676
### Inputs
7777

78-
| Name | Description | Default | Required |
78+
| Name | Description | Default | Required |
7979
|--------------------------------------------|------------------------------------------------------------------------------------------------------------------|:------------------:|:----------------------------------------:|
80-
| region | The region into which to deploy the cluster | - | yes |
81-
| vpc_id | The ID of the VPC into which to deploy the cluster | - | yes |
82-
| subnet_ids | The IDs of the subnets for container instances | - | yes |
83-
| component | The component this cluster will contain | - | yes |
84-
| deployment_identifier | An identifier for this instantiation | - | yes |
85-
| tags | A map of additional tags to add to all resources | - | no |
86-
| cluster_name | The name of the cluster to create | default | yes |
87-
| cluster_instance_ssh_public_key_path | The path to the public key to use for the container instances | - | yes |
88-
| cluster_instance_type | The instance type of the container instances | t2.medium | yes |
89-
| cluster_instance_root_block_device_size | The size in GB of the root block device on cluster instances | 30 | yes |
90-
| cluster_instance_root_block_device_path | Path of the instance root block storage volume | /dev/sda1 | yes
91-
| cluster_instance_root_block_device_type | The type of the root block device on cluster instances ('standard', 'gp2', or 'io1') | standard | yes |
92-
| cluster_instance_user_data_template | The contents of a template for container instance user data | see user-data | no |
93-
| cluster_instance_amis | A map of regions to AMIs for the container instances | ECS optimised AMIs | yes |
94-
| cluster_instance_iam_policy_contents | The contents of the cluster instance IAM policy | see policies | no |
95-
| cluster_service_iam_policy_contents | The contents of the cluster service IAM policy | see policies | no |
96-
| cluster_minimum_size | The minimum size of the ECS cluster | 1 | yes |
97-
| cluster_maximum_size | The maximum size of the ECS cluster | 10 | yes |
98-
| cluster_desired_capacity | The desired capacity of the ECS cluster | 3 | yes |
99-
| associate_public_ip_addresses | Whether or not to associate public IP addresses with ECS container instances ("yes" or "no") | "no" | yes |
100-
| include_default_ingress_rule | Whether or not to include the default ingress rule on the ECS container instances security group ("yes" or "no") | "yes" | yes |
101-
| include_default_egress_rule | Whether or not to include the default egress rule on the ECS container instances security group ("yes" or "no") | "yes" | yes |
102-
| allowed_cidrs | The CIDRs allowed access to containers | ["10.0.0.0/8"] | if include_default_ingress_rule is "yes" |
103-
| egress_cidrs | The CIDRs accessible from containers | ["0.0.0.0/0"] | if include_default_egress_rule is "yes" |
104-
| security_groups | The list of security group IDs to associate with the cluster in addition to the default security group | [] | no |
105-
| cluster_log_group_retention | The number of days logs will be retained in the CloudWatch log group of the cluster (0 = unlimited) | 0 | no |
106-
| enable_detailed_monitoring | Enable detailed monitoring of EC2 instance(s) | true | no
80+
| region | The region into which to deploy the cluster | - | yes |
81+
| vpc_id | The ID of the VPC into which to deploy the cluster | - | yes |
82+
| subnet_ids | The IDs of the subnets for container instances | - | yes |
83+
| component | The component this cluster will contain | - | yes |
84+
| deployment_identifier | An identifier for this instantiation | - | yes |
85+
| tags | A map of additional tags to add to all resources | - | no |
86+
| cluster_name | The name of the cluster to create | default | yes |
87+
| cluster_instance_ssh_public_key_path | The path to the public key to use for the container instances | - | yes |
88+
| cluster_instance_type | The instance type of the container instances | t2.medium | yes |
89+
| cluster_instance_root_block_device_size | The size in GB of the root block device on cluster instances | 30 | yes |
90+
| cluster_instance_root_block_device_path | Path of the instance root block storage volume | /dev/xvda | yes |
91+
| cluster_instance_root_block_device_type | The type of the root block device on cluster instances ('standard', 'gp2', or 'io1') | standard | yes |
92+
| cluster_instance_user_data_template | The contents of a template for container instance user data | see user-data | no |
93+
| cluster_instance_amis | A map of regions to AMIs for the container instances | ECS optimised AMIs | yes |
94+
| cluster_instance_iam_policy_contents | The contents of the cluster instance IAM policy | see policies | no |
95+
| cluster_service_iam_policy_contents | The contents of the cluster service IAM policy | see policies | no |
96+
| cluster_minimum_size | The minimum size of the ECS cluster | 1 | yes |
97+
| cluster_maximum_size | The maximum size of the ECS cluster | 10 | yes |
98+
| cluster_desired_capacity | The desired capacity of the ECS cluster | 3 | yes |
99+
| associate_public_ip_addresses | Whether or not to associate public IP addresses with ECS container instances ("yes" or "no") | false | no |
100+
| include_default_ingress_rule | Whether or not to include the default ingress rule on the ECS container instances security group ("yes" or "no") | true | no |
101+
| include_default_egress_rule | Whether or not to include the default egress rule on the ECS container instances security group ("yes" or "no") | true | no |
102+
| allowed_cidrs | The CIDRs allowed access to containers | ["10.0.0.0/8"] | if include_default_ingress_rule is "yes" |
103+
| egress_cidrs | The CIDRs accessible from containers | ["0.0.0.0/0"] | if include_default_egress_rule is "yes" |
104+
| security_groups | The list of security group IDs to associate with the cluster in addition to the default security group | [] | no |
105+
| cluster_log_group_retention | The number of days logs will be retained in the CloudWatch log group of the cluster (0 = unlimited) | 0 | no |
106+
| enable_detailed_monitoring | Enable detailed monitoring of EC2 instance(s) | true | no
107107

108108
Notes:
109109
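Review bot: the table is left inconsistent by this change: the defaults for `associate_public_ip_addresses`, `include_default_ingress_rule` and `include_default_egress_rule` now read `false`/`true`, but their descriptions still say `("yes" or "no")`, and the Required column for `allowed_cidrs` and `egress_cidrs` still says `if include_default_ingress_rule is "yes"` / `if include_default_egress_rule is "yes"`; update those to the boolean form. The new `cluster_instance_enable_ebs_volume_encryption` input and the KMS key input are not listed at all, and the `enable_detailed_monitoring` row is still missing its closing `|`.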

asg.tf

Lines changed: 22 additions & 19 deletions
@@ -1,9 +1,9 @@
11
locals {
22
ami_id = coalesce(
3-
lookup(local.cluster_instance_amis, var.region),
3+
lookup(var.cluster_instance_amis, var.region),
44
data.aws_ami.amazon_linux_2.image_id)
55
cluster_user_data_template = coalesce(
6-
local.cluster_instance_user_data_template,
6+
var.cluster_instance_user_data_template,
77
file("${path.module}/user-data/cluster.tpl"))
88
cluster_user_data = replace(
99
local.cluster_user_data_template,
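Review bot: `lookup(var.cluster_instance_amis, var.region)` has no default argument, so a region that is absent from the map fails the plan with a lookup error instead of letting `coalesce` fall through to `data.aws_ami.amazon_linux_2.image_id`; use `lookup(var.cluster_instance_amis, var.region, null)` so the documented fallback actually applies. The same failure occurs if `cluster_instance_amis` is now nullable and left unset, because `lookup` on a null map is also an error.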
@@ -21,10 +21,10 @@ data "aws_ami" "amazon_linux_2" {
2121
}
2222

2323
resource "aws_launch_template" "cluster" {
24-
name_prefix = "cluster-${var.component}-${var.deployment_identifier}-${local.cluster_name}-"
24+
name_prefix = "cluster-${var.component}-${var.deployment_identifier}-${var.cluster_name}-"
2525
image_id = local.ami_id
26-
instance_type = local.cluster_instance_type
27-
key_name = local.cluster_instance_ssh_public_key_path == "" ? "" : element(concat(aws_key_pair.cluster.*.key_name, [""]), 0)
26+
instance_type = var.cluster_instance_type
27+
key_name = var.cluster_instance_ssh_public_key_path == "" ? "" : element(concat(aws_key_pair.cluster.*.key_name, [""]), 0)
2828

2929
iam_instance_profile {
3030
name = aws_iam_instance_profile.cluster.name
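Review bot: `key_name` keeps the legacy `element(concat(aws_key_pair.cluster.*.key_name, [""]), 0)` idiom; with Terraform 1.1 as the new minimum this can simply be `one(aws_key_pair.cluster[*].key_name)`, which yields `null` (no key pair) when the resource has `count = 0` and removes the need for the ternary. That also matters if `cluster_instance_ssh_public_key_path` is now nullable, since `var.cluster_instance_ssh_public_key_path == ""` no longer detects an unset value.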
@@ -33,21 +33,24 @@ resource "aws_launch_template" "cluster" {
3333
user_data = base64encode(local.cluster_user_data)
3434

3535
network_interfaces {
36-
associate_public_ip_address = local.associate_public_ip_addresses == "yes" ? true : false
37-
security_groups = concat([aws_security_group.cluster.id], local.security_groups)
36+
associate_public_ip_address = var.associate_public_ip_addresses
37+
security_groups = concat([aws_security_group.cluster.id], var.security_groups)
3838
}
3939

4040
block_device_mappings {
41-
device_name = local.cluster_instance_root_block_device_path
41+
device_name = var.cluster_instance_root_block_device_path
4242

4343
ebs {
44-
volume_size = local.cluster_instance_root_block_device_size
45-
volume_type = local.cluster_instance_root_block_device_type
44+
encrypted = var.cluster_instance_enable_ebs_volume_encryption
45+
kms_key_id = local.cluster_instance_ebs_volume_kms_key_id
46+
47+
volume_size = var.cluster_instance_root_block_device_size
48+
volume_type = var.cluster_instance_root_block_device_type
4649
}
4750
}
4851

4952
monitoring {
50-
enabled = local.enable_detailed_monitoring
53+
enabled = var.enable_detailed_monitoring
5154
}
5255

5356
depends_on = [
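Review bot: the new `ebs` block sets `kms_key_id` unconditionally, but the provider documents that `encrypted` must be `true` whenever `kms_key_id` is set, so a caller who passes a key while disabling encryption gets an API error at apply time; guard it with `kms_key_id = var.cluster_instance_enable_ebs_volume_encryption ? local.cluster_instance_ebs_volume_kms_key_id : null` or reject the combination in a variable `validation`/`precondition`. Two operational points deserve a comment or README line: with a customer managed key the Auto Scaling service-linked role needs a grant on that key or instances silently fail to launch, and because the group tracks `$Latest`, only new launches get encrypted volumes, so existing instances must be refreshed to benefit.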
@@ -56,7 +59,7 @@ resource "aws_launch_template" "cluster" {
5659
}
5760

5861
resource "aws_autoscaling_group" "cluster" {
59-
name_prefix = "asg-${var.component}-${var.deployment_identifier}-${local.cluster_name}-"
62+
name_prefix = "asg-${var.component}-${var.deployment_identifier}-${var.cluster_name}-"
6063

6164
vpc_zone_identifier = var.subnet_ids
6265

@@ -65,26 +68,26 @@ resource "aws_autoscaling_group" "cluster" {
6568
version = "$Latest"
6669
}
6770

68-
min_size = local.cluster_minimum_size
69-
max_size = local.cluster_maximum_size
70-
desired_capacity = local.cluster_desired_capacity
71+
min_size = var.cluster_minimum_size
72+
max_size = var.cluster_maximum_size
73+
desired_capacity = var.cluster_desired_capacity
7174

72-
protect_from_scale_in = ((local.include_asg_capacity_provider == "yes" && local.asg_capacity_provider_manage_termination_protection == "yes") || local.protect_cluster_instances_from_scale_in == "yes")
75+
protect_from_scale_in = ((var.include_asg_capacity_provider == "yes" && var.asg_capacity_provider_manage_termination_protection == "yes") || var.protect_cluster_instances_from_scale_in == "yes")
7376

7477
tag {
7578
key = "Name"
76-
value = "cluster-worker-${var.component}-${var.deployment_identifier}-${local.cluster_name}"
79+
value = "cluster-worker-${var.component}-${var.deployment_identifier}-${var.cluster_name}"
7780
propagate_at_launch = true
7881
}
7982

8083
tag {
8184
key = "ClusterName"
82-
value = local.cluster_name
85+
value = var.cluster_name
8386
propagate_at_launch = true
8487
}
8588

8689
dynamic "tag" {
87-
for_each = local.include_asg_capacity_provider == "yes" ? merge({
90+
for_each = var.include_asg_capacity_provider == "yes" ? merge({
8891
AmazonECSManaged : ""
8992
}, local.tags) : local.tags
9093
content {
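Review bot: `protect_from_scale_in` and the `dynamic "tag"` condition still compare `var.include_asg_capacity_provider`, `var.asg_capacity_provider_manage_termination_protection` and `var.protect_cluster_instances_from_scale_in` against the string `"yes"`, which contradicts the changelog line saying all `"yes|no"` inputs are now `true|false`. If those variables were converted to `bool`, `true == "yes"` evaluates to `false`, so scale-in protection and the `AmazonECSManaged` tag would silently never be applied; compare the booleans directly, e.g. `protect_from_scale_in = (var.include_asg_capacity_provider && var.asg_capacity_provider_manage_termination_protection) || var.protect_cluster_instances_from_scale_in` and `for_each = var.include_asg_capacity_provider ? merge({ AmazonECSManaged : "" }, local.tags) : local.tags`. If they are still strings, the changelog claim needs narrowing instead.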
