feat: (PMCPFR-1571) EncryptAtHost changes for NIST

main.tf

@@ -49,6 +49,7 @@ data "azurerm_resource_group" "aks_rg" {
   count = var.resource_group_name == null ? 0 : 1
   name  = var.resource_group_name
 }
+
 resource "azurerm_proximity_placement_group" "proximity" {
   count = var.node_pools_proximity_placement ? 1 : 0
 
@@ -143,6 +144,7 @@ module "aks" {
   aks_cluster_max_pods                     = var.default_nodepool_max_pods
   aks_cluster_os_disk_size                 = var.default_nodepool_os_disk_size
   aks_cluster_node_vm_size                 = var.default_nodepool_vm_type
+  aks_cluster_enable_host_encryption       = var.enable_default_nodepool_host_encryption
   aks_cluster_node_admin                   = var.node_vm_admin
   aks_cluster_ssh_public_key               = try(file(var.ssh_public_key), "")
   aks_cluster_private_dns_zone_id          = var.aks_cluster_private_dns_zone_id
@@ -206,6 +208,7 @@ module "node_pools" {
   zones                        = (var.node_pools_availability_zone == "" || var.node_pools_proximity_placement == true) ? [] : (var.node_pools_availability_zones != null) ? var.node_pools_availability_zones : [var.node_pools_availability_zone]
   proximity_placement_group_id = element(coalescelist(azurerm_proximity_placement_group.proximity[*].id, [""]), 0)
   orchestrator_version         = var.kubernetes_version
+  enable_host_encryption       = var.enable_nodepools_host_encryption
   tags                         = var.tags
 }
 

modules/aks_node_pool/main.tf

@@ -10,6 +10,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "autoscale_node_pool" {
   vnet_subnet_id               = var.vnet_subnet_id
   zones                        = var.zones
   fips_enabled                 = var.fips_enabled
+  enable_host_encryption       = var.enable_host_encryption
   proximity_placement_group_id = var.proximity_placement_group_id == "" ? null : var.proximity_placement_group_id
   vm_size                      = var.machine_type
   os_disk_size_gb              = var.os_disk_size
@@ -40,6 +41,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "static_node_pool" {
   vnet_subnet_id               = var.vnet_subnet_id
   zones                        = var.zones
   fips_enabled                 = var.fips_enabled
+  enable_host_encryption       = true
   proximity_placement_group_id = var.proximity_placement_group_id == "" ? null : var.proximity_placement_group_id
   vm_size                      = var.machine_type
   os_disk_size_gb              = var.os_disk_size

modules/aks_node_pool/variables.tf

@@ -23,6 +23,12 @@ variable "fips_enabled" {
   default     = false
 }
 
+variable "enable_host_encryption" {
+  description = "Enables host encryption on all the nodes in the Node Pool. Changing this forces a new resource to be created."
+  type        = bool
+  default     = false
+}
+
 variable "vnet_subnet_id" {
   description = "The ID of the Subnet where this Node Pool should exist. Changing this forces a new resource to be created."
   type        = string

modules/azure_aks/main.tf

@@ -52,22 +52,23 @@ resource "azurerm_kubernetes_cluster" "aks" {
   }
 
   default_node_pool {
-    name                  = "system"
-    vm_size               = var.aks_cluster_node_vm_size
-    zones                 = var.aks_availability_zones
-    enable_auto_scaling   = var.aks_cluster_node_auto_scaling
-    enable_node_public_ip = false
-    node_labels           = {}
-    node_taints           = []
-    fips_enabled          = var.fips_enabled
-    max_pods              = var.aks_cluster_max_pods
-    os_disk_size_gb       = var.aks_cluster_os_disk_size
-    max_count             = var.aks_cluster_max_nodes
-    min_count             = var.aks_cluster_min_nodes
-    node_count            = var.aks_cluster_node_count
-    vnet_subnet_id        = var.aks_vnet_subnet_id
-    tags                  = var.aks_cluster_tags
-    orchestrator_version  = var.kubernetes_version
+    name                   = "system"
+    vm_size                = var.aks_cluster_node_vm_size
+    zones                  = var.aks_availability_zones
+    enable_auto_scaling    = var.aks_cluster_node_auto_scaling
+    enable_node_public_ip  = false
+    node_labels            = {}
+    node_taints            = []
+    fips_enabled           = var.fips_enabled
+    enable_host_encryption = var.aks_cluster_enable_host_encryption
+    max_pods               = var.aks_cluster_max_pods
+    os_disk_size_gb        = var.aks_cluster_os_disk_size
+    max_count              = var.aks_cluster_max_nodes
+    min_count              = var.aks_cluster_min_nodes
+    node_count             = var.aks_cluster_node_count
+    vnet_subnet_id         = var.aks_vnet_subnet_id
+    tags                   = var.aks_cluster_tags
+    orchestrator_version   = var.kubernetes_version
   }
 
   dynamic "service_principal" {

modules/azure_aks/variables.tf

@@ -113,6 +113,12 @@ variable "aks_cluster_max_pods" {
   default     = 110
 }
 
+variable "aks_cluster_enable_host_encryption" {
+  description = "Enables host encryption on all the nodes in the Default Node Pool"
+  type        = bool
+  default     = false
+}
+
 variable "kubernetes_version" {
   description = "The AKS cluster K8s version"
   type        = string

modules/azurerm_vm/main.tf

@@ -64,6 +64,7 @@ resource "azurerm_linux_virtual_machine" "vm" {
   size                         = var.machine_type
   admin_username               = var.vm_admin
   zone                         = var.vm_zone
+  encryption_at_host_enabled   = var.encryption_at_host_enabled
 
   #Cloud Init
   custom_data = (var.cloud_init != "" ? var.cloud_init : null)

modules/azurerm_vm/variables.tf

@@ -162,3 +162,9 @@ variable "proximity_placement_group_id" {
   type        = string
   default     = ""
 }
+
+variable "encryption_at_host_enabled" {
+  description = "Enables all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host. Defaults to false"
+  type        = bool
+  default     = false
+}

variables.tf

@@ -165,6 +165,12 @@ variable "default_nodepool_availability_zones" {
   default     = ["1"]
 }
 
+variable "enable_default_nodepool_host_encryption" {
+  description = "Enables host encryption on all the nodes in the Default Node Pool"
+  type        = bool
+  default     = false
+}
+
 # AKS advanced network config
 variable "aks_network_plugin" {
   description = "Network plugin to use for networking. Currently supported values are azure and kubenet. Changing this forces a new resource to be created."
@@ -362,6 +368,12 @@ variable "jump_rwx_filestore_path" {
   default     = "/viya-share"
 }
 
+variable "enable_jump_vm_host_encryption" {
+  description = "Setting this variable enables all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host. Defaults to false"
+  type        = bool
+  default     = false
+}
+
 variable "storage_type" {
   description = "Type of Storage. Valid Values: `standard`, `ha` and `none`. `standard` creates NFS server VM, `ha` creates Azure Netapp Files"
   type        = string
@@ -426,6 +438,12 @@ variable "nfs_raid_disk_zone" {
   default     = null
 }
 
+variable "enable_nfs_vm_host_encryption" {
+  description = "Setting this variable enables all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host. Defaults to false"
+  type        = bool
+  default     = false
+}
+
 ## Azure Container Registry (ACR)
 variable "create_container_registry" {
   description = "Create Azure Container Registry"
@@ -515,6 +533,12 @@ variable "node_pools_proximity_placement" {
   default     = false
 }
 
+variable "enable_nodepools_host_encryption" {
+  description = "Enables host encryption on all the nodes in the Node Pool. Changing this forces a new resource to be created."
+  type        = bool
+  default     = false
+}
+
 variable "node_pools" {
   description = "Node pool definitions"
   type = map(object({

vms.tf

@@ -54,21 +54,22 @@ data "cloudinit_config" "jump" {
 module "jump" {
   source = "./modules/azurerm_vm"
 
-  count                   = var.create_jump_vm ? 1 : 0
-  name                    = "${var.prefix}-jump"
-  azure_rg_name           = local.aks_rg.name
-  azure_rg_location       = var.location
-  vnet_subnet_id          = module.vnet.subnets["misc"].id
-  machine_type            = var.jump_vm_machine_type
-  azure_nsg_id            = local.nsg.id
-  tags                    = var.tags
-  vm_admin                = var.jump_vm_admin
-  vm_zone                 = var.jump_vm_zone
-  fips_enabled            = var.fips_enabled
-  ssh_public_key          = local.ssh_public_key
-  cloud_init              = data.cloudinit_config.jump[0].rendered
-  create_public_ip        = var.create_jump_public_ip
-  enable_public_static_ip = var.enable_jump_public_static_ip
+  count                      = var.create_jump_vm ? 1 : 0
+  name                       = "${var.prefix}-jump"
+  azure_rg_name              = local.aks_rg.name
+  azure_rg_location          = var.location
+  vnet_subnet_id             = module.vnet.subnets["misc"].id
+  machine_type               = var.jump_vm_machine_type
+  azure_nsg_id               = local.nsg.id
+  tags                       = var.tags
+  vm_admin                   = var.jump_vm_admin
+  vm_zone                    = var.jump_vm_zone
+  fips_enabled               = var.fips_enabled
+  ssh_public_key             = local.ssh_public_key
+  cloud_init                 = data.cloudinit_config.jump[0].rendered
+  create_public_ip           = var.create_jump_public_ip
+  enable_public_static_ip    = var.enable_jump_public_static_ip
+  encryption_at_host_enabled = var.enable_jump_vm_host_encryption
 
   # Jump VM mounts NFS path hence dependency on 'module.nfs'
   depends_on = [module.vnet, module.nfs]
@@ -109,6 +110,7 @@ module "nfs" {
   data_disk_size                 = var.nfs_raid_disk_size
   data_disk_storage_account_type = var.nfs_raid_disk_type
   data_disk_zone                 = var.nfs_raid_disk_zone
+  encryption_at_host_enabled     = var.enable_nfs_vm_host_encryption
   depends_on                     = [module.vnet]
 }