EC2: Enable EBS single step encryption by default (#1556)

* EC2: EBS single step encryption by default * return back the encryption variable
5 years ago · 95eddccfb7
parent 3c30074a7f
commit 95eddccfb7
6 changed files with 11 additions and 39 deletions
--- a/config.cfg
+++ b/config.cfg
@ -143,8 +143,7 @@ cloud_providers:
    image: "ubuntu-19-04-x64"
  ec2:
    # Change the encrypted flag to "true" to enable AWS volume encryption, for encryption of data at rest.
-    # Warning: the Algo script will take approximately 6 minutes longer to complete.
-    encrypted: false
+    encrypted: true
    # Set use_existing_eip to "true" if you want to use a pre-allocated Elastic IP
    # Additional prompt will be raised to determine which IP to use
    use_existing_eip: false
--- a/roles/cloud-ec2/defaults/main.yml
+++ b/roles/cloud-ec2/defaults/main.yml
@ -1,5 +1,4 @@
 ---
-ami_search_encrypted: omit
 encrypted: "{{ cloud_providers.ec2.encrypted }}"
 ec2_vpc_nets:
  cidr_block: 172.16.0.0/16
--- a/roles/cloud-ec2/files/stack.yaml
+++ b/roles/cloud-ec2/files/stack.yaml
@ -14,6 +14,8 @@ Parameters:
  UseThisElasticIP:
    Type: String
    Default: ''
+  EbsEncrypted:
+    Type: String
 Conditions:
  AllocateNewEIP: !Equals [!Ref UseThisElasticIP, '']
  AssociateExistingEIP: !Not [!Equals [!Ref UseThisElasticIP, '']]
@ -159,6 +161,12 @@ Resources:
    Properties:
      InstanceType:
        Ref: InstanceTypeParameter
+      BlockDeviceMappings:
+        - DeviceName: /dev/sda1
+          Ebs:
+            DeleteOnTermination: true
+            VolumeSize: 8
+            Encrypted: !Ref EbsEncrypted
      InstanceInitiatedShutdownBehavior: terminate
      SecurityGroupIds:
        - Ref: InstanceSecurityGroup
--- a/roles/cloud-ec2/tasks/cloudformation.yml
+++ b/roles/cloud-ec2/tasks/cloudformation.yml
@ -13,6 +13,7 @@
      ImageIdParameter: "{{ ami_image }}"
      WireGuardPort: "{{ wireguard_port }}"
      UseThisElasticIP: "{{ existing_eip }}"
+      EbsEncrypted: "{{ encrypted }}"
    tags:
      Environment: Algo
  register: stack
--- a/roles/cloud-ec2/tasks/encrypt_image.yml
+++ b/roles/cloud-ec2/tasks/encrypt_image.yml
@ -1,29 +0,0 @@
---
- name: Check if the encrypted image already exist
-  ec2_ami_facts:
-    aws_access_key: "{{ access_key }}"
-    aws_secret_key: "{{ secret_key }}"
-    owners: self
-    region: "{{ algo_region }}"
-    filters:
-      state: available
-      "tag:Algo": encrypted
-      "tag:image": "{{ cloud_providers.ec2.image.name }}"
-  register: search_crypt
-
- name: Copy to an encrypted image
-  ec2_ami_copy:
-    aws_access_key: "{{ access_key }}"
-    aws_secret_key: "{{ secret_key }}"
-    encrypted: yes
-    name: "algo/{{ cloud_providers.ec2.image.name }}"
-    kms_key_id: "{{ kms_key_id | default(omit) }}"
-    region: "{{ algo_region }}"
-    source_image_id: "{{ (ami_search.images | sort(attribute='creation_date') | last)['image_id'] }}"
-    source_region: "{{ algo_region }}"
-    wait: true
-    tags:
-      Algo: "encrypted"
-      image: "{{ cloud_providers.ec2.image.name }}"
-  register: ami_search_encrypted
-  when: search_crypt.images|length|int == 0
--- a/roles/cloud-ec2/tasks/main.yml
+++ b/roles/cloud-ec2/tasks/main.yml
@ -16,15 +16,9 @@
        name: "ubuntu/images/hvm-ssd/{{ cloud_providers.ec2.image.name }}-amd64-server-*"
    register: ami_search

-  - import_tasks: encrypt_image.yml
-    when: encrypted
-
  - name: Set the ami id as a fact
    set_fact:
-      ami_image: >-
-        {% if ami_search_encrypted.image_id is defined %}{{ ami_search_encrypted.image_id }}
-        {%- elif search_crypt.images is defined and search_crypt.images|length >= 1 %}{{ (search_crypt.images | sort(attribute='creation_date') | last)['image_id'] }}
-        {%- else %}{{ (ami_search.images | sort(attribute='creation_date') | last)['image_id'] }}{% endif %}
+      ami_image: "{{ (ami_search.images | sort(attribute='creation_date') | last)['image_id'] }}"

  - name: Deploy the stack
    import_tasks: cloudformation.yml