Open pierskarsenbarg opened 3 months ago
Definitely would be good to add this feature.
But also - in the meantime - I believe this provides a way to work around this limitation using transforms:
import * as aws from "@pulumi/aws";
import * as eks from "@pulumi/eks";

const cluster = new eks.Cluster("cluster", {});
const key = new aws.kms.Key("key");

const nodeGroup = new eks.NodeGroupV2("workers", {
    cluster: cluster,
    nodeRootVolumeEncrypted: true,
}, {
    transforms: [args => {
        if (args.type === "aws:ec2/launchTemplate:LaunchTemplate") {
            // The `eks.NodeGroupV2` component will create a `LaunchTemplate` with `blockDeviceMappings`,
            // we just need to fill in the `kmsKeyId` as well.
            const props = args.props;
            for (const bdm of props.blockDeviceMappings ?? []) {
                if (bdm.ebs) {
                    bdm.ebs.kmsKeyId = key.id;
                }
            }
            return { props, opts: args.opts };
        }
        // Every other child resource of the component is left unchanged.
        return;
    }]
});
Note: The new transforms resource option is recent, and documentation for it is in the works now. It replaces the previous transformations option, and in particular enables the core feature to work with components like @pulumi/eks which are implemented using Component Packages authored in different languages than the user program.
You can also add a LaunchTemplate resource that can be passed straight into the ManagedNodeGroup resource:
// `ami`, `ec2Role`, `cluster` and `key` are assumed to be defined earlier in the program.
const launchtemplate = new aws.ec2.LaunchTemplate("launchtemplate", {
    instanceType: "t3.medium",
    blockDeviceMappings: [{
        ebs: {
            encrypted: "true",
            kmsKeyId: key.id,
        },
        // Set this to the AMI's root device (e.g. "/dev/xvda" on the Amazon Linux EKS AMIs)
        // so the mapping actually applies to the root volume.
        // deviceName: "/dev/xvda"
    }],
    // When the launch template specifies an imageId, the managed node group does not add
    // the bootstrap user data for you; the template has to carry it as well.
    imageId: ami.id
})

const nodegroup = new eks.ManagedNodeGroup("nodegroup", {
    cluster: cluster,
    scalingConfig: {
        desiredSize: 2,
        minSize: 2,
        maxSize: 4
    },
    launchTemplate: {
        version: "$Latest",
        name: launchtemplate.name
    },
    nodeRole: ec2Role
})
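Added example (not code from the thread, from pulumi-eks or from the aws provider): the transform idea from the first comment reduced to a pure function that can be unit-tested without a Pulumi engine, a check that flags device mappings left unencrypted or bound to the wrong key, and the KMS key policy that both approaches above (NodeGroupV2 and a ManagedNodeGroup with a custom LaunchTemplate) need, because the instances are launched by an Auto Scaling group and a customer-managed key must let AWSServiceRoleForAutoScaling use it or launches fail. Assumptions: `TransformArgs` only mirrors the shape of Pulumi's ResourceTransformArgs (type, name, props, opts) and the props are plain values as in the comment's code; the key ARN, account ID and sample mapping are constructed.

```typescript
// Added example; see the lead-in for what is assumed. Not the project's own code.

type EbsSpec = { encrypted?: string; kmsKeyId?: string; volumeSize?: number; volumeType?: string };
type BlockDeviceMapping = { deviceName?: string; ebs?: EbsSpec };
type LaunchTemplateProps = { blockDeviceMappings?: BlockDeviceMapping[]; [k: string]: unknown };
// Structural stand-in for Pulumi's ResourceTransformArgs / ResourceTransformResult (assumption).
type TransformArgs = { type: string; name: string; props: Record<string, any>; opts: unknown };
type TransformResult = { props: Record<string, any>; opts: unknown } | undefined;

export const LAUNCH_TEMPLATE_TYPE = "aws:ec2/launchTemplate:LaunchTemplate";
// Root device of the Amazon Linux EKS AMIs; other AMIs may differ (assumption).
export const DEFAULT_ROOT_DEVICE = "/dev/xvda";

// Builds a transform that pins every EBS mapping of a LaunchTemplate to `kmsKeyId` and
// forces encryption on. If the component produced no mapping at all, a root mapping is
// added so the root volume is covered instead of silently staying on the default key.
export function makeKmsTransform(kmsKeyId: string): (args: TransformArgs) => TransformResult {
  return (args) => {
    if (args.type !== LAUNCH_TEMPLATE_TYPE) {
      return undefined; // every other child resource passes through untouched
    }
    const props = { ...args.props } as LaunchTemplateProps;
    const existing = props.blockDeviceMappings ?? [];
    const mappings = existing.length > 0 ? existing : [{ deviceName: DEFAULT_ROOT_DEVICE, ebs: {} }];
    props.blockDeviceMappings = mappings.map(m => ({
      ...m,
      // The aws provider takes `encrypted` as the string "true", as in the thread's code.
      ebs: { ...(m.ebs ?? {}), encrypted: "true", kmsKeyId },
    }));
    return { props, opts: args.opts }; // new objects: the caller's props are not mutated
  };
}

// Device names of mappings that are unencrypted or not on the expected key. Run it over
// the final LaunchTemplate props (for instance from a policy pack or a unit test).
export function nonCompliantDevices(props: LaunchTemplateProps, expectedKeyId: string): string[] {
  return (props.blockDeviceMappings ?? [])
    .filter(m => m.ebs?.encrypted !== "true" || m.ebs?.kmsKeyId !== expectedKeyId)
    .map(m => m.deviceName ?? "<unnamed>");
}

type PolicyStatement = {
  Sid: string; Effect: "Allow"; Principal: { AWS: string }; Action: string[]; Resource: "*";
  Condition?: { Bool: Record<string, string> };
};
export type KeyPolicy = { Version: "2012-10-17"; Statement: PolicyStatement[] };

// Key policy for a customer-managed key used on node volumes. Volumes of instances launched
// by an Auto Scaling group are encrypted on behalf of AWSServiceRoleForAutoScaling, so the
// policy must let that role use the key and create grants for the EBS attachment; without
// these statements the instances fail to launch and the group never reaches desired size.
export function autoScalingKeyPolicy(accountId: string): KeyPolicy {
  const asgRole = `arn:aws:iam::${accountId}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling`;
  return {
    Version: "2012-10-17",
    Statement: [
      { // Keep the account root as key administrator so the key cannot be orphaned.
        Sid: "EnableRootPermissions", Effect: "Allow",
        Principal: { AWS: `arn:aws:iam::${accountId}:root` }, Action: ["kms:*"], Resource: "*" },
      { Sid: "AllowServiceLinkedRoleUseOfTheKey", Effect: "Allow", Principal: { AWS: asgRole },
        Action: ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
        Resource: "*" },
      { Sid: "AllowAttachmentOfPersistentResources", Effect: "Allow", Principal: { AWS: asgRole },
        Action: ["kms:CreateGrant"], Resource: "*",
        Condition: { Bool: { "kms:GrantIsForAWSResource": "true" } } },
    ],
  };
}

// Constructed sample: roughly what the eks component hands the transform for its LaunchTemplate.
export const SAMPLE_KEY_ARN = "arn:aws:kms:us-west-2:123456789012:key/11111111-2222-3333-4444-555555555555";
export const sampleArgs: TransformArgs = {
  type: LAUNCH_TEMPLATE_TYPE, name: "workers-launchTemplate", opts: {},
  props: { blockDeviceMappings: [{ deviceName: "/dev/xvda", ebs: { volumeSize: 20, encrypted: "true" } }] },
};
export const transformed = makeKmsTransform(SAMPLE_KEY_ARN)(sampleArgs);
```

In a real program the policy goes in as `policy: JSON.stringify(autoScalingKeyPolicy(accountId))` on the `aws.kms.Key`, and `makeKmsTransform(...)` is what you hand to `transforms` once the key ID is known; if the component passes `blockDeviceMappings` as an Output rather than a plain array, wrap the mapping step in `pulumi.output(...).apply` instead of mapping it directly.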
Hello!
Issue details
In this PR we added the ability to encrypt block devices for nodes, but you can't set your own KMS key to do this.
Affected area/feature