Merge pull request kubernetes-sigs#303 from abhinavdahiya/encyrpted_k…

…ey_id

support KMS key for EBS encryption

pkg/actuators/machine/instances.go

@@ -212,6 +212,15 @@ func getBlockDeviceMappings(blockDeviceMappings []providerconfigv1.BlockDeviceMa
 			Encrypted:  blockDeviceMappings[0].EBS.Encrypted,
 		},
 	}
+
+	if aws.StringValue(blockDeviceMappings[0].EBS.KMSKey.ID) != "" {
+		klog.V(3).Infof("Using KMS key ID %q for encrypting EBS volume", *blockDeviceMappings[0].EBS.KMSKey.ID)
+		blockDeviceMapping.Ebs.KmsKeyId = blockDeviceMappings[0].EBS.KMSKey.ID
+	} else if aws.StringValue(blockDeviceMappings[0].EBS.KMSKey.ARN) != "" {
+		klog.V(3).Info("Using KMS key ARN for encrypting EBS volume") // ARN usually have account ids, therefore are sensitive data so shouldn't log the value
+		blockDeviceMapping.Ebs.KmsKeyId = blockDeviceMappings[0].EBS.KMSKey.ARN
+	}
+
 	if *volumeType == "io1" {
 		blockDeviceMapping.Ebs.Iops = blockDeviceMappings[0].EBS.Iops
 	}

pkg/apis/awsproviderconfig/v1beta1/awsmachineproviderconfig_types.go

@@ -180,6 +180,9 @@ type EBSBlockDeviceSpec struct {
 	// may only be attached to machines that support Amazon EBS encryption.
 	Encrypted *bool `json:"encrypted,omitempty"`
 
+	// Indicates the KMS key that should be used to encrypt the Amazon EBS volume.
+	KMSKey AWSResourceReference `json:"kmsKey,omitempty"`
+
 	// The number of I/O operations per second (IOPS) that the volume supports.
 	// For io1, this represents the number of IOPS that are provisioned for the
 	// volume. For gp2, this represents the baseline performance of the volume and