
Allow users to set KMS key when encrypting node block devices #1200

Open
pierskarsenbarg opened this issue Jun 14, 2024 · 2 comments
Labels: impact/security, kind/enhancement

Comments

@pierskarsenbarg (Member)

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

In this PR we added the ability to encrypt block devices for nodes, but you can't set your own KMS key to do this.

Affected area/feature

@pierskarsenbarg added the needs-triage and kind/enhancement labels on Jun 14, 2024
@rquitales added impact/security and removed needs-triage on Jun 17, 2024

@lukehoban (Contributor)

Definitely would be good to add this feature.

But also - in the meantime - I believe this provides a way to work around this limitation using transforms:

```typescript
import * as aws from "@pulumi/aws";
import * as eks from "@pulumi/eks";

const cluster = new eks.Cluster("cluster", {});

const key = new aws.kms.Key("key");

const nodeGroup = new eks.NodeGroupV2("workers", {
    cluster: cluster,
    nodeRootVolumeEncrypted: true,
}, {
    transforms: [args => {
        if (args.type === "aws:ec2/launchTemplate:LaunchTemplate") {
            // The `eks.NodeGroupV2` component will create a `LaunchTemplate` with `blockDeviceMappings`,
            // we just need to fill in the `kmsKeyId` as well.
            const props = args.props;
            for (const bdm of props.blockDeviceMappings) {
                bdm.ebs.kmsKeyId = key.id;
            }
            return { props, opts: args.opts };
        }
        // Any other resource type passes through unchanged.
        return;
    }]
});
```

Note: The new `transforms` resource option is recent, and documentation for it is in the works now. It replaces the previous `transformations` option, and in particular enables the core feature to work with components like @pulumi/eks which are implemented using Component Packages authored in different languages than the user program.

@pierskarsenbarg (Member, Author)

You can also add a LaunchTemplate resource that can be passed straight into the ManagedNodeGroup resource:

```typescript
import * as aws from "@pulumi/aws";
import * as eks from "@pulumi/eks";

// Assumes `key` (aws.kms.Key), `cluster` (eks.Cluster), `ami` and `ec2Role` are defined earlier in the program.
const launchtemplate = new aws.ec2.LaunchTemplate("launchtemplate", {
    instanceType: "t3.medium",
    blockDeviceMappings: [{
        ebs: {
            // The provider types `encrypted` as a string, hence "true" rather than true.
            encrypted: "true",
            kmsKeyId: key.id,
        },
        // deviceName: "/dev/xvda"
    }],
    imageId: ami.id,
});

const nodegroup = new eks.ManagedNodeGroup("nodegroup", {
    cluster: cluster,
    scalingConfig: {
        desiredSize: 2,
        minSize: 2,
        maxSize: 4,
    },
    launchTemplate: {
        version: "$Latest",
        name: launchtemplate.name,
    },
    nodeRole: ec2Role,
});
```
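Both workarounds above come down to patching `blockDeviceMappings` so every EBS volume carries the customer-managed key. As an added example (not code from this issue or from pulumi-eks), here is that fix-up as a pure function, a matching transform factory, and a check that reports which devices still lack the key; the names `withKmsKeyId`, `kmsKeyTransform` and `devicesMissingKey` are assumptions, and, like the transform above, it assumes `blockDeviceMappings` arrives as a plain array.

```typescript
// Added example, not from the issue or from pulumi-eks; types are a local stand-in.
type EbsSpec = { encrypted?: string; kmsKeyId?: unknown; [k: string]: unknown };
type BlockDeviceMapping = { deviceName?: string; ebs?: EbsSpec; [k: string]: unknown };
type LaunchTemplateProps = { blockDeviceMappings?: BlockDeviceMapping[]; [k: string]: unknown };

const LAUNCH_TEMPLATE_TYPE = "aws:ec2/launchTemplate:LaunchTemplate";

// Returns a copy of `props` in which every EBS mapping is encrypted with `kmsKeyId`.
// Mappings without an `ebs` block (e.g. `noDevice` entries) are left alone; input is not mutated.
function withKmsKeyId(props: LaunchTemplateProps, kmsKeyId: unknown): LaunchTemplateProps {
    const mappings = props.blockDeviceMappings ?? [];
    return {
        ...props,
        blockDeviceMappings: mappings.map(bdm =>
            bdm.ebs === undefined
                ? bdm
                : { ...bdm, ebs: { ...bdm.ebs, encrypted: "true", kmsKeyId } }),
    };
}

// Device names of EBS mappings not encrypted with `kmsKeyId` (empty = every volume uses the key).
function devicesMissingKey(props: LaunchTemplateProps, kmsKeyId: unknown): string[] {
    return (props.blockDeviceMappings ?? [])
        .filter(bdm => bdm.ebs !== undefined
            && (bdm.ebs.encrypted !== "true" || bdm.ebs.kmsKeyId !== kmsKeyId))
        .map(bdm => bdm.deviceName ?? "<unnamed>");
}

// Structural stand-in for Pulumi's ResourceTransformArgs/Result so this file runs
// without @pulumi/pulumi; the real `transforms` option accepts the same shape.
type TransformArgs = { type: string; name: string; props: Record<string, any>; opts: unknown };
type TransformResult = { props: Record<string, any>; opts: unknown } | undefined;

// Factory for the transform used in the workaround above: only LaunchTemplate
// resources are rewritten, everything else passes through unchanged.
function kmsKeyTransform(kmsKeyId: unknown) {
    return (args: TransformArgs): TransformResult =>
        args.type === LAUNCH_TEMPLATE_TYPE
            ? { props: withKmsKeyId(args.props, kmsKeyId), opts: args.opts }
            : undefined;
}

// Constructed sample resembling what the eks component hands to the transform.
const sampleProps: LaunchTemplateProps = {
    blockDeviceMappings: [
        { deviceName: "/dev/xvda", ebs: { volumeSize: 20, volumeType: "gp3" } },
        { deviceName: "/dev/sdb", noDevice: "" },
    ],
};
```

`devicesMissingKey` can double as a pre-deployment check (for example inside a CrossGuard policy) to confirm that a launch template, however it was produced, uses the intended key on every volume.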
