pulumi / pulumi-eks

A Pulumi component for easily creating and managing an Amazon EKS Cluster
https://www.pulumi.com/registry/packages/eks/
Apache License 2.0

Allow users to set KMS key when encrypting node block devices #1200

Open pierskarsenbarg opened 3 months ago

pierskarsenbarg commented 3 months ago

Hello!

Issue details

In this PR we added the ability to encrypt block devices for nodes, but you can't set your own KMS key to do this.

Affected area/feature

lukehoban commented 3 months ago

Definitely would be good to add this feature.

But also - in the meantime - I believe this provides a way to work around this limitation using transforms:

import * as aws from "@pulumi/aws";
import * as eks from "@pulumi/eks";

const cluster = new eks.Cluster("cluster", {});

// Customer-managed key to use for the node root volumes.
const key = new aws.kms.Key("key");

const nodeGroup = new eks.NodeGroupV2("workers", {
    cluster: cluster,
    nodeRootVolumeEncrypted: true,
}, {
    transforms: [args => {
        if (args.type === "aws:ec2/launchTemplate:LaunchTemplate") {
            // The `eks.NodeGroupV2` component will create a `LaunchTemplate` with `blockDeviceMappings`
            // (with `ebs.encrypted` already set because of `nodeRootVolumeEncrypted`), we just need to
            // fill in the `kmsKeyId` as well.
            const props = args.props;
            for (const bdm of props.blockDeviceMappings ?? []) {
                if (bdm.ebs) {
                    bdm.ebs.kmsKeyId = key.id;
                }
            }
            return { props, opts: args.opts };
        }
        return undefined;
    }]
});

Note: The new transforms resource option is recent, and documentation for it is in the works now. It replaces the previous transformations option, and in particular enables the core feature to work with components like @pulumi/eks which are implemented using Component Packages authored in different languages than the user program.

pierskarsenbarg commented 3 months ago

You can also add in a launch template resource that can be passed straight into the ManagedNodeGroup resource:

import * as aws from "@pulumi/aws";
import * as eks from "@pulumi/eks";

const cluster = new eks.Cluster("cluster", {});

// Customer-managed key for the node root volumes.
const key = new aws.kms.Key("key");

// `ami` (the node AMI lookup) and `ec2Role` (the node IAM role) are assumed to be
// defined earlier in the program; they are not shown here.
const launchtemplate = new aws.ec2.LaunchTemplate("launchtemplate", {
    instanceType: "t3.medium",
    blockDeviceMappings: [{
        ebs: {
            // `encrypted` is a string in this provider's launch template schema.
            encrypted: "true",
            kmsKeyId: key.id,
        },
        // deviceName: "/dev/xvda"
    }],
    imageId: ami.id,
});

const nodegroup = new eks.ManagedNodeGroup("nodegroup", {
    cluster: cluster,
    scalingConfig: {
        desiredSize: 2,
        minSize: 2,
        maxSize: 4,
    },
    launchTemplate: {
        version: "$Latest",
        name: launchtemplate.name,
    },
    nodeRole: ec2Role,
});
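Both approaches in this thread hand a customer-managed key to EBS volumes that are created by an Auto Scaling group (the one eks.NodeGroupV2 creates, or the one EKS manages behind a ManagedNodeGroup). For that to work, the key policy also has to let the EC2 Auto Scaling service-linked role use the key; otherwise instance launches fail because the volume cannot be created with that key. The following TypeScript is an added example, not code from the issue or from pulumi-eks: it builds such a key policy as a plain object that can be passed to aws.kms.Key's `policy` argument via JSON.stringify, and includes a review check that the CreateGrant permission given to the role is restricted to grants for AWS resources. The account ID, and the use of the account root as key administrator, are placeholders.

```typescript
// Added example (not from the pulumi-eks issue or project): key policy for a
// customer-managed KMS key used to encrypt EKS node root volumes. The account ID
// and the account-root administrator principal are placeholders.

type ConditionBlock = Record<string, Record<string, string | boolean>>;

interface PolicyStatement {
    Sid: string;
    Effect: "Allow" | "Deny";
    Principal: { AWS: string | string[] };
    Action: string | string[];
    Resource: string;
    Condition?: ConditionBlock;
}

interface KeyPolicy {
    Version: "2012-10-17";
    Statement: PolicyStatement[];
}

// The service-linked role EC2 Auto Scaling assumes when it launches instances. It must be
// allowed to use the key before an instance with a CMK-encrypted root volume can launch.
function autoscalingServiceRoleArn(accountId: string): string {
    return `arn:aws:iam::${accountId}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling`;
}

function nodeVolumeKeyPolicy(accountId: string): KeyPolicy {
    const asgRole = autoscalingServiceRoleArn(accountId);
    return {
        Version: "2012-10-17",
        Statement: [
            {
                // Without an administrator statement the key cannot be managed from IAM at all.
                Sid: "EnableIamPermissionsForKeyAdministration",
                Effect: "Allow",
                Principal: { AWS: `arn:aws:iam::${accountId}:root` },
                Action: "kms:*",
                Resource: "*",
            },
            {
                // Data-key operations EBS performs on behalf of the Auto Scaling group.
                Sid: "AllowAutoScalingToUseKey",
                Effect: "Allow",
                Principal: { AWS: asgRole },
                Action: ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
                Resource: "*",
            },
            {
                // EBS attaches volumes through a grant; only allow grants created for AWS services.
                Sid: "AllowAutoScalingToCreateGrantsForAwsResources",
                Effect: "Allow",
                Principal: { AWS: asgRole },
                Action: "kms:CreateGrant",
                Resource: "*",
                Condition: { Bool: { "kms:GrantIsForAWSResource": true } },
            },
        ],
    };
}

function principalsOf(s: PolicyStatement): string[] {
    return Array.isArray(s.Principal.AWS) ? s.Principal.AWS : [s.Principal.AWS];
}

function actionsOf(s: PolicyStatement): string[] {
    return Array.isArray(s.Action) ? s.Action : [s.Action];
}

// Review check: every Allow of kms:CreateGrant to the given principal must carry the
// kms:GrantIsForAWSResource condition, so the role cannot mint grants for arbitrary
// callers. A bare "kms:*" for that principal also counts as unscoped.
function createGrantIsScoped(policy: KeyPolicy, principalArn: string): boolean {
    return policy.Statement
        .filter(s => s.Effect === "Allow" && principalsOf(s).includes(principalArn))
        .every(s => {
            const allowsGrant = actionsOf(s).some(a => a === "kms:CreateGrant" || a === "kms:*");
            if (!allowsGrant) {
                return true;
            }
            return s.Condition?.Bool?.["kms:GrantIsForAWSResource"] === true;
        });
}

const accountId = "123456789012"; // placeholder account ID
const policyJson = JSON.stringify(nodeVolumeKeyPolicy(accountId), null, 2);
// Pass `policyJson` as the `policy` argument of `new aws.kms.Key("key", { policy: policyJson })`.
console.log(policyJson);
```

The administrator statement is the part people drop when tightening a key policy; drop it and the key becomes unmanageable, because KMS key policies do not implicitly trust the account. The check is deliberately principal-specific: the account root is expected to hold `kms:*`, while the Auto Scaling role should only ever create grants on behalf of EBS.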