Merge pull request hitachienergy#825 from seriva/feature/disk-encryption

Added encryption of EC2 Root volumes (hitachienergy#381) Added AWS disk encryption documentation (hitachienergy#781) Added Azure disk encryption documentation (hitachienergy#782)
to-bar · Jan 16, 2020 · 2cce83b · 2cce83b
2 parents 1d497cf + 1306caf
commit 2cce83b
Show file tree

Hide file tree

Showing 6 changed files with 53 additions and 13 deletions.
diff --git a/CHANGELOG-0.5.md b/CHANGELOG-0.5.md
@@ -6,6 +6,12 @@
 
 - [#820](https://github.com/epiphany-platform/epiphany/pull/820) - Firewall: OS level firewall setup (firewalld)
 
+### Added
+
+- [#381](https://github.com/epiphany-platform/epiphany/issues/381) - Add AWS EC2 Root Volume encryption
+- [#782](https://github.com/epiphany-platform/epiphany/issues/781) - All disks encryption documentation - AWS
+- [#782](https://github.com/epiphany-platform/epiphany/issues/782) - All disks encryption documentation - Azure
+
 ### Changed
 
 - [#763](https://github.com/epiphany-platform/epiphany/pull/763) - Elasticsearch Curator: Flexible configuration of cron jobs

diff --git a/core/src/epicli/data/aws/defaults/infrastructure/virtual-machine.yml b/core/src/epicli/data/aws/defaults/infrastructure/virtual-machine.yml
@@ -22,6 +22,7 @@ specification:
       volume_type: gp2
       volume_size: 30
       delete_on_termination: true
+      encrypted: true
     additional_disks: []
 #      - device_name: "/dev/sdb"
 #        volume_type: gp2

diff --git a/core/src/epicli/data/aws/terraform/infrastructure/launch-configuration.j2 b/core/src/epicli/data/aws/terraform/infrastructure/launch-configuration.j2
@@ -27,6 +27,7 @@ resource "aws_launch_configuration" "{{ specification.name }}" {
     volume_type           = "{{ specification.disks.root.volume_type }}"
     volume_size           = "{{ specification.disks.root.volume_size }}"
     delete_on_termination = "{{ specification.disks.root.delete_on_termination | lower }}"
+    encrypted             = "{{ specification.disks.root.encrypted | lower }}"
   }
 
 {% for disk in specification.disks.additional_disks %}

diff --git a/docs/home/HOWTO.md b/docs/home/HOWTO.md
@@ -45,10 +45,11 @@
   - [How to use TLS/SSL certificate with HA Proxy](./howto/SECURITY.md#how-to-use-tls/ssl-certificate-with-ha-proxy)
   - [How to use TLS/SSL with Kafka](./howto/SECURITY.md#how-to-use-tlsssl-with-kafka)
   - [How to use TLS/SSL certificates for Kafka authentication](./howto/SECURITY.md#how-to-use-tlsssl-certificates-for-kafka-authentication)
-  - [How to use TLS/SSL certificates for Kafka authorization](./howto/SECURITY.md#how-to-use-tlsssl-certificates-for-kafka-authorization)
+  - [How to use TLS/SSL certificates for Kafka authorization](./howto/SECURITY.md#how-to-use-tlsssl-certificates-for-kafka-authorization)  
+  - [How to enable Azure disk encryption](./howto/SECURITY.md#how-to-enable-azure-disk-encryption)
   - [How to enable AWS disk encryption](./howto/SECURITY.md#how-to-enable-AWS-disk-encryption)
   - [How to use Kubernetes Secrets](./howto/SECURITY.md#how-to-use-kubernetes-secrets)
-  - [How to authenticate to Azure AD app](./howto/SECURITY.md#how-to-authenticate-to-azure-ad-app)
+  - [How to authenticate to Azure AD app](./howto/SECURITY.md#how-to-authenticate-to-azure-ad-app)  
 
 - [Databases](./howto/DATABASES.md)
   - [How to configure PostgreSQL](./howto/DATABASES.md#how-to-configure-postgresql)

diff --git a/docs/home/howto/CLUSTER.md b/docs/home/howto/CLUSTER.md
@@ -277,7 +277,7 @@ To setup the cluster do the following steps from the provisioning machine:
 Epicli has a delete command to remove a cluster from a cloud provider (AWS, Azure). With Epicli run the following:
 
   ```shell
-  epicli apply -b /path/to/cluster/build/folder
+  epicli delete -b /path/to/cluster/build/folder
   ```
 
 From the defined cluster build folder it will take the information needed to remove the resources from the cloud provider.

diff --git a/docs/home/howto/SECURITY.md b/docs/home/howto/SECURITY.md
@@ -127,32 +127,63 @@ specification:
     ...
 ```
 
-## How to enable AWS disk encryption
+## How to enable Azure disk encryption
 
-### EC2 Root volumes
+Automatic encryption of storage on Azure is not yet supported by Epiphany. Guides to encrypt manually can be found:
 
-Since [May 2019](https://aws.amazon.com/about-aws/whats-new/2019/05/launch-encrypted-ebs-backed-ec2-instances-from-unencrypted-amis-in-a-single-step/) AWS supports the creation of instances from unencrypted AMIs. At this point Terraform does not [support](https://github.com/terraform-providers/terraform-provider-aws/issues/8624) this jet. If you need encrypted root volumes for now you need to supply your own pre-encryped AMIs as specified in the guide [here](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html).
+- [Here](https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss) for VM storage.
+- [Here](https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption) for storage shares,
 
-We will add this as the functionality becomes available in Terraform. The issue is beeing tracked [here](https://github.com/epiphany-platform/epiphany/issues/381).
+## How to enable AWS disk encryption
 
-### Additional EC2 storage
+### EC2 Root volumes
 
-When defining extra storage inside the `infrastructure/virtual-machine` document one can set the `encryption` flag:
+Encryption at rest for EC2 root volumes is turned on by default. To change this one can modify the `encrypted` flag for the `root` disk inside a `infrastructure/virtual-machine` document:
 
 ```yaml
 ...
-additional_disks:
-  - device_name: "/dev/sdb"
+disks:
+  root:
     volume_type: gp2
-    volume_size: 60
+    volume_size: 30
     delete_on_termination: true
     encrypted: true
 ...
 ```
 
+### Additional EC2 volumes
+
+Encryption at rest for additional EC2 volumes is turned on by default. To change this one can modify the `encrypted` flag for each `additional_disks` inside a `infrastructure/virtual-machine` document:
+
+```yaml
+...
+disks:
+  root:
+  ...
+  additional_disks:
+    - device_name: "/dev/sdb"
+      volume_type: gp2
+      volume_size: 60
+      delete_on_termination: true
+      encrypted: true
+...
+```
+
 ### EFS storage
 
-EFS storage is encrypted by default.
+Encryption at rest for EFS storage is turned on by default. To change this one can modify the `encrypted` flag inside the `infrastructure/efs-storage` document:
+
+```yaml
+kind: infrastructure/efs-storage
+title: "Elastic File System Config"
+provider: aws
+name: default
+specification:
+  encrypted: true
+...
+```
+
+Additional information can be found [here](https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html).
 
 ## How to use Kubernetes Secrets