kevinheyer/bootstrap-vz
1
0
Fork 0
mirror of https://github.com/kevingruesser/bootstrap-vz.git synced 2025-08-22 18:00:35 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #468 from vmlintu-nosto/encrypted_ebs

Browse source 
Add support for encrypted AMIs
This commit is contained in:
Anders Ingemann 2018-06-14 10:06:17 +02:00 committed by GitHub
commit 631c94c649
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 54 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
bootstrapvz/providers/ec2/README.rst
View file

@ -146,6 +146,30 @@ Example:
name: ec2 name: ec2
amzn-driver-version: 1.5.0 amzn-driver-version: 1.5.0
Encrypted volumes
~~~~~~~~~~~~~~~~~
Encrypted AMIs that can be used to launch instances with encrypted boot volume
are supported. Defining encryption key is optional and EC2 uses default
encryption key if one is not set. Encryption works only with EBS volumes.
- ``encrypted:``: Default: False
Valid values: ``True``, ``False``
``optional``
- ``kms_key_id:``: Default: EC2 default EBS encryption key
Valid values: arn of the KMS key
``optional``
Example:
.. code-block:: yaml
---
provider:
name: ec2
encrypted: True
kms_key_id: arn:aws:kms:us-east-1:1234567890:key/00000000-0000-0000-0000-000000000000
Image Image
~~~~~ ~~~~~

8
bootstrapvz/providers/ec2/__init__.py
View file

@ -25,6 +25,8 @@ def validate_manifest(data, validator, error):
bootloader = data['system']['bootloader'] bootloader = data['system']['bootloader']
virtualization = data['provider']['virtualization'] virtualization = data['provider']['virtualization']
encrypted = data['provider'].get('encrypted', False)
kms_key_id = data['provider'].get('kms_key_id', None)
backing = data['volume']['backing'] backing = data['volume']['backing']
partition_type = data['volume']['partitions']['type'] partition_type = data['volume']['partitions']['type']
enhanced_networking = data['provider']['enhanced_networking'] if 'enhanced_networking' in data['provider'] else None enhanced_networking = data['provider']['enhanced_networking'] if 'enhanced_networking' in data['provider'] else None
@ -38,6 +40,12 @@ def validate_manifest(data, validator, error):
if backing == 's3' and partition_type != 'none': if backing == 's3' and partition_type != 'none':
error('S3 backed AMIs currently only work with unpartitioned volumes', ['system', 'bootloader']) error('S3 backed AMIs currently only work with unpartitioned volumes', ['system', 'bootloader'])
if backing != 'ebs' and encrypted:
error('Encryption is supported only on EBS volumes')
if encrypted is False and kms_key_id is not None:
error('KMS Key Id can be set only when encryption is enabled')
if enhanced_networking == 'simple' and virtualization != 'hvm': if enhanced_networking == 'simple' and virtualization != 'hvm':
error('Enhanced networking only works with HVM virtualization', ['provider', 'virtualization']) error('Enhanced networking only works with HVM virtualization', ['provider', 'virtualization'])

16
bootstrapvz/providers/ec2/ebsvolume.py
View file

@ -4,18 +4,26 @@ from bootstrapvz.base.fs.exceptions import VolumeError
class EBSVolume(Volume): class EBSVolume(Volume):
def create(self, conn, zone, tags=[]): def create(self, conn, zone, tags=[], encrypted=False, kms_key_id=None):
self.fsm.create(connection=conn, zone=zone, tags=tags) self.fsm.create(connection=conn, zone=zone, tags=tags, encrypted=encrypted, kms_key_id=kms_key_id)
def _before_create(self, e): def _before_create(self, e):
self.conn = e.connection self.conn = e.connection
zone = e.zone zone = e.zone
tags = e.tags tags = e.tags
size = self.size.bytes.get_qty_in('GiB') size = self.size.bytes.get_qty_in('GiB')
self.volume = self.conn.create_volume(Size=size,
params = dict(Size=size,
AvailabilityZone=zone, AvailabilityZone=zone,
VolumeType='gp2', VolumeType='gp2',
TagSpecifications=[{'ResourceType': 'volume', 'Tags': tags}]) TagSpecifications=[{'ResourceType': 'volume', 'Tags': tags}],
Encrypted=e.encrypted)
if e.encrypted and e.kms_key_id:
params['KmsKeyId'] = e.kms_key_id
self.volume = self.conn.create_volume(**params)
self.vol_id = self.volume['VolumeId'] self.vol_id = self.volume['VolumeId']
waiter = self.conn.get_waiter('volume_available') waiter = self.conn.get_waiter('volume_available')
waiter.wait(VolumeIds=[self.vol_id], waiter.wait(VolumeIds=[self.vol_id],

2
bootstrapvz/providers/ec2/manifest-schema.yml
View file

@ -27,6 +27,8 @@ properties:
amzn-driver-version: amzn-driver-version:
type: string type: string
pattern: "^([0-9]+\\.?){3}$" pattern: "^([0-9]+\\.?){3}$"
encrypted: { type: boolean }
kms_key_id: { type: string }
required: [description, virtualization] required: [description, virtualization]
system: system:
type: object type: object

7
bootstrapvz/providers/ec2/tasks/ebs.py
View file

@ -16,7 +16,12 @@ class Create(Task):
formatted_tags = {k: v.format(**info.manifest_vars) for k, v in raw_tags.items()} formatted_tags = {k: v.format(**info.manifest_vars) for k, v in raw_tags.items()}
tags = [{'Key': k, 'Value': v} for k, v in formatted_tags.items()] tags = [{'Key': k, 'Value': v} for k, v in formatted_tags.items()]
info.volume.create(info._ec2['connection'], info._ec2['host']['availabilityZone'], tags) # EBS volumes support encryption. KMS key id is optional and default key
# is used when it is not defined.
encrypted = info.manifest.data['provider'].get('encrypted', False)
kms_key_id = info.manifest.data['provider'].get('kms_key_id', None)
info.volume.create(info._ec2['connection'], info._ec2['host']['availabilityZone'], tags=tags, encrypted=encrypted, kms_key_id=kms_key_id)
class Attach(Task): class Attach(Task):