diff --git a/main.tf b/main.tf
index 2edc59e7..5fffd9e1 100644
--- a/main.tf
+++ b/main.tf
@@ -49,6 +49,7 @@ data "azurerm_resource_group" "aks_rg" {
 count = var.resource_group_name == null ? 0 : 1
 name = var.resource_group_name
 }
+
 resource "azurerm_proximity_placement_group" "proximity" {
 count = var.node_pools_proximity_placement ? 1 : 0
@@ -143,6 +144,7 @@ module "aks" {
 aks_cluster_max_pods = var.default_nodepool_max_pods
 aks_cluster_os_disk_size = var.default_nodepool_os_disk_size
 aks_cluster_node_vm_size = var.default_nodepool_vm_type
+ aks_cluster_enable_host_encryption = var.enable_default_nodepool_host_encryption
 aks_cluster_node_admin = var.node_vm_admin
 aks_cluster_ssh_public_key = try(file(var.ssh_public_key), "")
 aks_cluster_private_dns_zone_id = var.aks_cluster_private_dns_zone_id
@@ -206,6 +208,7 @@ module "node_pools" {
 zones = (var.node_pools_availability_zone == "" || var.node_pools_proximity_placement == true) ? [] : (var.node_pools_availability_zones != null) ? var.node_pools_availability_zones : [var.node_pools_availability_zone]
 proximity_placement_group_id = element(coalescelist(azurerm_proximity_placement_group.proximity[*].id, [""]), 0)
 orchestrator_version = var.kubernetes_version
+ enable_host_encryption = var.enable_nodepools_host_encryption
 tags = var.tags
 }
diff --git a/modules/aks_node_pool/main.tf b/modules/aks_node_pool/main.tf
index beae2667..15023591 100755
--- a/modules/aks_node_pool/main.tf
+++ b/modules/aks_node_pool/main.tf
@@ -10,6 +10,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "autoscale_node_pool" {
 vnet_subnet_id = var.vnet_subnet_id
 zones = var.zones
 fips_enabled = var.fips_enabled
+ enable_host_encryption = var.enable_host_encryption
 proximity_placement_group_id = var.proximity_placement_group_id == "" ? null : var.proximity_placement_group_id
 vm_size = var.machine_type
 os_disk_size_gb = var.os_disk_size
@@ -40,6 +41,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "static_node_pool" {
 vnet_subnet_id = var.vnet_subnet_id
 zones = var.zones
 fips_enabled = var.fips_enabled
+ enable_host_encryption = true
 proximity_placement_group_id = var.proximity_placement_group_id == "" ? null : var.proximity_placement_group_id
 vm_size = var.machine_type
 os_disk_size_gb = var.os_disk_size
diff --git a/modules/aks_node_pool/variables.tf b/modules/aks_node_pool/variables.tf
index 1ab640db..a23920ab 100755
--- a/modules/aks_node_pool/variables.tf
+++ b/modules/aks_node_pool/variables.tf
@@ -23,6 +23,12 @@ variable "fips_enabled" {
 default = false
 }
+variable "enable_host_encryption" {
+ description = "Enables host encryption on all the nodes in the Node Pool. Changing this forces a new resource to be created."
+ type = bool
+ default = false
+}
+
 variable "vnet_subnet_id" {
 description = "The ID of the Subnet where this Node Pool should exist. Changing this forces a new resource to be created."
 type = string
diff --git a/modules/azure_aks/main.tf b/modules/azure_aks/main.tf
index 6efb6954..50f00f14 100644
--- a/modules/azure_aks/main.tf
+++ b/modules/azure_aks/main.tf
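Review bot: `enable_host_encryption = true` in static_node_pool is hard-coded, while the sibling autoscale_node_pool hunk wires the same attribute to `var.enable_host_encryption` (default false), so the new root-level `enable_nodepools_host_encryption` input has no effect on static pools, and because the variable description says "Changing this forces a new resource to be created", every existing static pool would be replaced on the next apply regardless of what the operator chose. Use the variable here as well: `enable_host_encryption = var.enable_host_encryption`. If encryption at host is intended to be mandatory for static pools, that should be an explicit, documented decision in the variable description rather than a silent constant. Both resource blocks continue outside their hunks.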
@@ -52,22 +52,23 @@ resource "azurerm_kubernetes_cluster" "aks" {
 }
 default_node_pool {
- name = "system"
- vm_size = var.aks_cluster_node_vm_size
- zones = var.aks_availability_zones
- enable_auto_scaling = var.aks_cluster_node_auto_scaling
- enable_node_public_ip = false
- node_labels = {}
- node_taints = []
- fips_enabled = var.fips_enabled
- max_pods = var.aks_cluster_max_pods
- os_disk_size_gb = var.aks_cluster_os_disk_size
- max_count = var.aks_cluster_max_nodes
- min_count = var.aks_cluster_min_nodes
- node_count = var.aks_cluster_node_count
- vnet_subnet_id = var.aks_vnet_subnet_id
- tags = var.aks_cluster_tags
- orchestrator_version = var.kubernetes_version
+ name = "system"
+ vm_size = var.aks_cluster_node_vm_size
+ zones = var.aks_availability_zones
+ enable_auto_scaling = var.aks_cluster_node_auto_scaling
+ enable_node_public_ip = false
+ node_labels = {}
+ node_taints = []
+ fips_enabled = var.fips_enabled
+ enable_host_encryption = var.aks_cluster_enable_host_encryption
+ max_pods = var.aks_cluster_max_pods
+ os_disk_size_gb = var.aks_cluster_os_disk_size
+ max_count = var.aks_cluster_max_nodes
+ min_count = var.aks_cluster_min_nodes
+ node_count = var.aks_cluster_node_count
+ vnet_subnet_id = var.aks_vnet_subnet_id
+ tags = var.aks_cluster_tags
+ orchestrator_version = var.kubernetes_version
 }
 dynamic "service_principal" {
diff --git a/modules/azure_aks/variables.tf b/modules/azure_aks/variables.tf
index 4d8f0944..82a863a3 100644
--- a/modules/azure_aks/variables.tf
+++ b/modules/azure_aks/variables.tf
@@ -113,6 +113,12 @@ variable "aks_cluster_max_pods" {
 default = 110
 }
+variable "aks_cluster_enable_host_encryption" {
+ description = "Enables host encryption on all the nodes in the Default Node Pool"
+ type = bool
+ default = false
+}
+
 variable "kubernetes_version" {
 description = "The AKS cluster K8s version"
 type = string
diff --git a/modules/azurerm_vm/main.tf b/modules/azurerm_vm/main.tf
index 97f48504..d26ca45a 100644
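Review bot: The only functional change in the default_node_pool block is `enable_host_encryption = var.aks_cluster_enable_host_encryption`, yet it sits among 16 removed and 16 re-added lines that differ only in `=` alignment, which hides the real change from reviewers and from `git blame`; the `module "jump"` hunk in vms.tf has the same shape. Commit the `terraform fmt` realignment separately, or add the one attribute without re-aligning its neighbours. The enclosing `azurerm_kubernetes_cluster` resource starts before and ends after this hunk.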
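Review bot: The description of `aks_cluster_enable_host_encryption` omits the replacement warning that its node-pool counterpart `enable_host_encryption` in modules/aks_node_pool/variables.tf carries ("Changing this forces a new resource to be created."), and the root-level `enable_default_nodepool_host_encryption` in variables.tf has the same gap. If toggling this on the default node pool also replaces the pool — presumably it does, as it is a node-pool property, but confirm against the provider documentation — the same sentence belongs in both descriptions so an operator knows that flipping the flag from its default of false to true on an existing cluster is a disruptive change.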
--- a/modules/azurerm_vm/main.tf
+++ b/modules/azurerm_vm/main.tf
@@ -64,6 +64,7 @@ resource "azurerm_linux_virtual_machine" "vm" {
 size = var.machine_type
 admin_username = var.vm_admin
 zone = var.vm_zone
+ encryption_at_host_enabled = var.encryption_at_host_enabled
 #Cloud Init
 custom_data = (var.cloud_init != "" ? var.cloud_init : null)
diff --git a/modules/azurerm_vm/variables.tf b/modules/azurerm_vm/variables.tf
index 1bd3b989..b61ade98 100644
--- a/modules/azurerm_vm/variables.tf
+++ b/modules/azurerm_vm/variables.tf
@@ -162,3 +162,9 @@ variable "proximity_placement_group_id" {
 type = string
 default = ""
 }
+
+variable "encryption_at_host_enabled" {
+ description = "Enables all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host. Defaults to false"
+ type = bool
+ default = false
+}
diff --git a/variables.tf b/variables.tf
index c240d4cd..30363417 100644
--- a/variables.tf
+++ b/variables.tf
@@ -165,6 +165,12 @@ variable "default_nodepool_availability_zones" {
 default = ["1"]
 }
+variable "enable_default_nodepool_host_encryption" {
+ description = "Enables host encryption on all the nodes in the Default Node Pool"
+ type = bool
+ default = false
+}
+
 # AKS advanced network config
 variable "aks_network_plugin" {
 description = "Network plugin to use for networking. Currently supported values are azure and kubenet. Changing this forces a new resource to be created."
@@ -362,6 +368,12 @@ variable "jump_rwx_filestore_path" {
 default = "/viya-share"
 }
+variable "enable_jump_vm_host_encryption" {
+ description = "Setting this variable enables all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host. Defaults to false"
+ type = bool
+ default = false
+}
+
 variable "storage_type" {
 description = "Type of Storage. Valid Values: `standard`, `ha` and `none`. `standard` creates NFS server VM, `ha` creates Azure Netapp Files"
 type = string
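Review bot: The description of `encryption_at_host_enabled` does not parse ("Enables all of the disks ... be encrypted"), and the root-level `enable_jump_vm_host_encryption` and `enable_nfs_vm_host_encryption` in variables.tf repeat the same sentence as "Setting this variable enables ... be encrypted". Suggested wording for all three: `description = "Enable Encryption at Host so that all disks (including the temp disk) attached to this Virtual Machine are encrypted. Defaults to false."`. Since each of these flags defaults to false the feature is opt-in, so it is worth stating in the same descriptions that temp and OS disks of the jump and NFS VMs stay unencrypted at host unless the flag is set explicitly.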
@@ -426,6 +438,12 @@ variable "nfs_raid_disk_zone" {
 default = null
 }
+variable "enable_nfs_vm_host_encryption" {
+ description = "Setting this variable enables all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host. Defaults to false"
+ type = bool
+ default = false
+}
+
 ## Azure Container Registry (ACR)
 variable "create_container_registry" {
 description = "Create Azure Container Registry"
@@ -515,6 +533,12 @@ variable "node_pools_proximity_placement" {
 default = false
 }
+variable "enable_nodepools_host_encryption" {
+ description = "Enables host encryption on all the nodes in the Node Pool. Changing this forces a new resource to be created."
+ type = bool
+ default = false
+}
+
 variable "node_pools" {
 description = "Node pool definitions"
 type = map(object({
diff --git a/vms.tf b/vms.tf
index e941f8db..b155de90 100644
--- a/vms.tf
+++ b/vms.tf
@@ -54,21 +54,22 @@ data "cloudinit_config" "jump" {
 module "jump" {
 source = "./modules/azurerm_vm"
- count = var.create_jump_vm ? 1 : 0
- name = "${var.prefix}-jump"
- azure_rg_name = local.aks_rg.name
- azure_rg_location = var.location
- vnet_subnet_id = module.vnet.subnets["misc"].id
- machine_type = var.jump_vm_machine_type
- azure_nsg_id = local.nsg.id
- tags = var.tags
- vm_admin = var.jump_vm_admin
- vm_zone = var.jump_vm_zone
- fips_enabled = var.fips_enabled
- ssh_public_key = local.ssh_public_key
- cloud_init = data.cloudinit_config.jump[0].rendered
- create_public_ip = var.create_jump_public_ip
- enable_public_static_ip = var.enable_jump_public_static_ip
+ count = var.create_jump_vm ? 1 : 0
+ name = "${var.prefix}-jump"
+ azure_rg_name = local.aks_rg.name
+ azure_rg_location = var.location
+ vnet_subnet_id = module.vnet.subnets["misc"].id
+ machine_type = var.jump_vm_machine_type
+ azure_nsg_id = local.nsg.id
+ tags = var.tags
+ vm_admin = var.jump_vm_admin
+ vm_zone = var.jump_vm_zone
+ fips_enabled = var.fips_enabled
+ ssh_public_key = local.ssh_public_key
+ cloud_init = data.cloudinit_config.jump[0].rendered
+ create_public_ip = var.create_jump_public_ip
+ enable_public_static_ip = var.enable_jump_public_static_ip
+ encryption_at_host_enabled = var.enable_jump_vm_host_encryption
 # Jump VM mounts NFS path hence dependency on 'module.nfs'
 depends_on = [module.vnet, module.nfs]
@@ -109,6 +110,7 @@ module "nfs" {
 data_disk_size = var.nfs_raid_disk_size
 data_disk_storage_account_type = var.nfs_raid_disk_type
 data_disk_zone = var.nfs_raid_disk_zone
+ encryption_at_host_enabled = var.enable_nfs_vm_host_encryption
 depends_on = [module.vnet]
 }