search

sassoftware / viya4-iac-azure

This project contains Terraform configuration files to provision infrastructure components required to deploy SAS Viya platform products on Microsoft Azure Cloud.
Apache License 2.0
72 stars 88 forks source link

feat: (IAC-1386) EncryptAtHost changes for NIST #372

Closed riragh closed 5 months ago

riragh commented 5 months ago

Changes:

This PR adds EncryptAtHost requirements in the VMs and AKS nodes.

Note: You must enable the feature for your subscription before you use the EncryptionAtHost property for your VM/VMSS. Use the following steps to enable the feature for your subscription:

Execute the following command to register the feature for your subscription
  az feature register --namespace Microsoft.Compute --name EncryptionAtHost

Check that the registration state is Registered (takes a few minutes) using the command below before trying out the feature.
  az feature show --namespace Microsoft.Compute --name EncryptionAtHost

This is an optional features, to enable encryption at host for nodes and VMs you would set the following variables:

Name Description Type Default
enable_vm_host_encryption Setting this variable enables all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host. This setting applies to both Jump and NFS VM. bool false
vm_disk_encryption_set_id The ID of the Disk Encryption Set which should be used to Encrypt this OS Disk. This setting applies to both Jump and NFS VM. string null
aks_cluster_enable_host_encryption Enables host encryption on all the nodes in the Node Pool. bool false
aks_node_disk_encryption_set_id The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. Changing this forces a new resource to be created. string null

By default, when using AKS, OS and data disks use server-side encryption with platform-managed keys. The caches for these disks are encrypted at rest with platform-managed keys. You can specify your own managed keys following Bring your own keys (BYOK) with Azure disks in Azure Kubernetes Service. The caches for these disks are also encrypted using the key you specify.

When using customer-managed-keys, ensure you have the proper AKS credentials. The managed identity needs to have contributor access to the resource group where the diskencryptionset is deployed. Otherwise, you'll get an error suggesting that the managed identity does not have permissions. Also, make sure the VNet of your deployment has access to the Key Vault which has the diskencryptionset. Note: Adding the subnet service endpoints makes the process smooth.

Tests:

Scenario Description Order Cadence Verification
1 Defaults, no changes Fast 2020 Transparent to user, no changes
2 Set enable_vm_host_encryption = true, aks_cluster_enable_host_encryption = true fast:2020 Encryption at host enabled with platform-managed keys on VM and nodes in nodepools
3 Set enable_vm_host_encryption = true, vm_disk_encryption_set_id = "<disk_encryption_set_id>", aks_cluster_enable_host_encryption = true, aks_node_disk_encryption_set_id = "<disk_encryption_set_id>" fast:2020 Encryption at host enabled with customer-managed keys on VM and nodes in nodepools
riragh commented 5 months ago

Are these breaking changes? I see where we are adding items into the node pool definitions and how the vms are being created as well.

No not a breaking change. The default values are set for the variables as false and null, which guards this. So it doesn't affect the existing user.