Hello folks I m trying to encrypt EBS volumes created by a M Pulumi Community #aws

Hello folks! I'm trying to encrypt EBS volumes cr...

victorious-architect-78054

11/05/2024, 10:36 AM

Hello folks! I'm trying to encrypt EBS volumes created by a "ManagedNodeGroups" in my EKS cluster. according to the aws documentation, I added a launch template, with encryption configuration:

Copy code

launchTemplate, err := ec2.NewLaunchTemplate(ctx, fmt.Sprintf("%s-eks-launch-template", environment), &ec2.LaunchTemplateArgs{
		Name:           pulumi.Sprintf("%s-eks-launch-template", environment),
		Tags:           defaultTags,
		DefaultVersion: pulumi.Int(1),
		BlockDeviceMappings: ec2.LaunchTemplateBlockDeviceMappingArray{
			&ec2.LaunchTemplateBlockDeviceMappingArgs{
				DeviceName: pulumi.String("/dev/xvda"),
				Ebs: &ec2.LaunchTemplateBlockDeviceMappingEbsArgs{
					DeleteOnTermination: pulumi.String("true"),
					VolumeSize:          pulumi.Int(20), // 20 GB volume
					Encrypted:           pulumi.String("true"),
					VolumeType:          pulumi.String("gp2"),
					KmsKeyId:            pulumi.String(key.Arn),
				},
			},
		},
	})
	
	 eks.NewManagedNodeGroup(ctx, fmt.Sprintf("%s-eks-managed-node-group", environment), &eks.ManagedNodeGroupArgs{
		NodeGroupName: pulumi.Sprintf("%s-eks-managed-node-group", environment),
		Cluster:       eksCluster,
		ClusterName:   eksClusterName,
		NodeRoleArn:   executionRole.Arn,
		SubnetIds:     privateSubnets,
		LaunchTemplate: &classicEKS.NodeGroupLaunchTemplateArgs{
			Id:      launchTemplate.ID(),
			Version: pulumi.String("$Latest"),
		},
		ScalingConfig: &classicEKS.NodeGroupScalingConfigArgs{
			DesiredSize: pulumi.Int(minSize),
			MaxSize: pulumi.Int(minSize * 2),
			MinSize: pulumi.Int(minSize),
		},
		CapacityType: pulumi.String(capacityType),
		AmiType: pulumi.String("BOTTLEROCKET_x86_64"),
		Version: pulumi.String("1.31"),
		InstanceTypes: pulumi.StringArray{
			pulumi.String(instanceType),
		},
		Tags: defaultTags,
	})

But this is just creating another volumes and templates and keep existing default templates and volumes (like explained here: https://stackoverflow.com/questions/76653246/terraform-aws-creates-two-launch-templates-while-creating-eks-cluster-managed) what is the correct way to handle this ?

quick-house-41860

11/05/2024, 2:09 PM

Can you try setting the launch template version to the

latestVersion

output of

launchTemplate

? That should correctly work IIRC

victorious-architect-78054

11/05/2024, 4:15 PM

it's still creating two template, the one I declared in the code and the one automatically created with "auto scaling node group" I think it's not possible to customize this one

victorious-architect-78054

11/05/2024, 4:15 PM

I ended with this solution =>

Copy code

_, err := ebs.NewEncryptionByDefault(ctx, "ebs-encryption-default", &ebs.EncryptionByDefaultArgs{
    Enabled: pulumi.Bool(true),
})

victorious-architect-78054

11/05/2024, 4:17 PM

I realized also I needed two volume because i'm using BOTTLEROCKET

victorious-architect-78054

11/05/2024, 4:18 PM

maybe this configuration work but I will try later

Copy code

launchTemplate, err := ec2.NewLaunchTemplate(ctx, fmt.Sprintf("%s-eks-launch-template", environment), &ec2.LaunchTemplateArgs{
		Name:           pulumi.Sprintf("%s-eks-launch-template", environment),
		Tags:           defaultTags,
		DefaultVersion: <http://pulumi.Int|pulumi.Int>(1),
		BlockDeviceMappings: ec2.LaunchTemplateBlockDeviceMappingArray{
			&ec2.LaunchTemplateBlockDeviceMappingArgs{
				DeviceName: pulumi.String("/dev/xvda"),
				Ebs: &ec2.LaunchTemplateBlockDeviceMappingEbsArgs{
					DeleteOnTermination: pulumi.String("true"),
					VolumeSize:          <http://pulumi.Int|pulumi.Int>(2), // 2 GB volume
					Encrypted:           pulumi.String("true"),
					VolumeType:          pulumi.String("gp2"),
					KmsKeyId:            pulumi.String(key.Arn),
				},
			},
			&ec2.LaunchTemplateBlockDeviceMappingArgs{
				DeviceName: pulumi.String("/dev/xvdb"),
				Ebs: &ec2.LaunchTemplateBlockDeviceMappingEbsArgs{
					DeleteOnTermination: pulumi.String("true"),
					VolumeSize:          <http://pulumi.Int|pulumi.Int>(20), // 20 GB volume
					Encrypted:           pulumi.String("true"),
					VolumeType:          pulumi.String("gp2"),
					KmsKeyId:            pulumi.String(key.Arn),
				},
			},
		},
	})

victorious-architect-78054

11/05/2024, 4:18 PM

with "/dev/xvda" and "/dev/xvdb" defined

quick-house-41860

11/05/2024, 4:22 PM

EKS might create an additional template nevertheless, I'm not sure about how it handles that internally. Just to confirm, your nodes are using the correct template though?

quick-house-41860

11/05/2024, 4:24 PM

Yes, Bottlerocket has two block devices.

"/dev/xvdb"

is the data volume. In case you need more storage on that node you should increase the size of that one

victorious-architect-78054

11/05/2024, 4:26 PM

yes the managed node group is using the template

victorious-architect-78054

11/05/2024, 4:27 PM

but I want "all" the volumes to be encrypt

victorious-architect-78054

11/05/2024, 4:27 PM

so at the end the "ebs.NewEncryptionByDefault" is working well

quick-house-41860

11/05/2024, 4:29 PM

Great! The option with specifying both block device mappings should also work

Open in Slack

Previous Next