Enabling encryption at rest with optional KMS key for EBS and EFS; Allowing multiple architecture for AMI and updating to Amazon linux 2

adenot · adenot · commit 6124535f94e7 · 2020-12-03T14:49:08.000+11:00
diff --git a/_data.tf b/_data.tf
@@ -5,10 +5,15 @@ data "aws_ami" "amzn" {
 
   filter {
     name   = "name"
-    values = ["amzn-ami-*"]
+    values = ["amzn2-ami-ecs-hvm*"]
   }
 
-  name_regex = ".+-amazon-ecs-optimized$"
+  filter {
+    name   = "architecture"
+    values = [var.architecture]
+  }
+
+  name_regex = ".+-ebs$"
 }
 
 data "aws_caller_identity" "current" {}
diff --git a/_variables.tf b/_variables.tf
@@ -16,6 +16,11 @@ variable "instance_type_3" {
   description = "Instance type for ECS workers (third priority)"
 }
 
+variable "architecture" {
+  default     = "x86_64"
+  description = "Architecture to select the AMI, x86_64 or arm64"
+}
+
 variable "on_demand_percentage" {
   description = "Percentage of on-demand intances vs spot"
   default     = 100
@@ -159,12 +164,7 @@ variable "autoscaling_default_cooldown" {
 
 variable "instance_volume_size" {
   description = "Volume size for docker volume (in GB)"
-  default     = 22
-}
-
-variable "instance_volume_size_root" {
-  description = "Volume size for root volume (in GB)"
-  default     = 16
+  default     = 30
 }
 
 variable "lb_access_logs_bucket" {
@@ -217,3 +217,9 @@ variable "alarm_prefix" {
   description = "String prefix for cloudwatch alarms. (Optional)"
   default     = ""
 }
+
+variable "kms_key_arn" {
+  type        = string
+  description = "ARN of a KMS Key to use on EFS and EBS volumes"
+  default     = ""
+}
diff --git a/ec2-launch-template.tf b/ec2-launch-template.tf
@@ -20,16 +20,10 @@ resource "aws_launch_template" "ecs" {
   block_device_mappings {
     device_name = "/dev/xvda"
 
-    ebs {
-      volume_size = var.instance_volume_size_root
-    }
-  }
-
-  block_device_mappings {
-    device_name = "/dev/xvdcz"
-
     ebs {
       volume_size = var.instance_volume_size
+      encrypted   = true
+      kms_key_id  = var.kms_key_arn != "" ? var.kms_key_arn : null
     }
   }
 
diff --git a/efs.tf b/efs.tf
@@ -1,6 +1,7 @@
 resource "aws_efs_file_system" "ecs" {
   creation_token = "ecs-${var.name}"
   encrypted      = true
+  kms_key_id     = var.kms_key_arn != "" ? var.kms_key_arn : null
 
   throughput_mode                 = var.throughput_mode
   provisioned_throughput_in_mibps = var.provisioned_throughput_in_mibps
diff --git a/userdata.tpl b/userdata.tpl
@@ -18,11 +18,6 @@ yum update -y
 yum install -y amazon-efs-utils aws-cli
 
 
-echo "### INSTALL SSM AGENT"
-cd /tmp
-yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
-restart amazon-ssm-agent
-
 echo "### SETUP EFS"
 EFS_DIR=/mnt/efs
 EFS_ID=${tf_efs_id}
