chore: Add encryption at rest to AKS clusters (#41)

Co-authored-by: George Scott <[email protected]>
wandb · Feb 14, 2024 · 60a2379 · 60a2379
1 parent 6bc2968
commit 60a2379
Show file tree

Hide file tree

Showing 7 changed files with 87 additions and 90 deletions.
diff --git a/main.tf b/main.tf
@@ -8,13 +8,7 @@ resource "azurerm_resource_group" "default" {
   name     = var.namespace
   location = var.location
 
-  tags = merge(
-    {
-      "customer-ns" = var.namespace,
-      "env"         = "managed-install"
-    },
-    var.tags,
-  )
+  tags = var.tags
 }
 
 module "identity" {
@@ -31,13 +25,7 @@ module "networking" {
   resource_group_name = azurerm_resource_group.default.name
   location            = azurerm_resource_group.default.location
 
-  tags = merge(
-    {
-      "customer-ns" = var.namespace,
-      "env"         = "managed-install"
-    },
-    var.tags,
-  )
+  tags = var.tags
 }
 
 module "database" {
@@ -72,73 +60,57 @@ module "redis" {
 }
 
 module "vault" {
-  source         = "./modules/vault"
-  namespace      = var.namespace
-  resource_group = azurerm_resource_group.default
-  location       = azurerm_resource_group.default.location
+  source = "./modules/vault"
 
   identity_object_id = module.identity.identity.principal_id
+  location           = azurerm_resource_group.default.location
+  namespace          = var.namespace
+  resource_group     = azurerm_resource_group.default
+
+  tags = var.tags
 }
 
 module "storage" {
-  count               = (var.blob_container == "" && var.external_bucket == null) ? 1 : 0
-  source              = "./modules/storage"
+  count  = (var.blob_container == "" && var.external_bucket == null) ? 1 : 0
+  source = "./modules/storage"
+
   namespace           = var.namespace
   resource_group_name = azurerm_resource_group.default.name
   location            = azurerm_resource_group.default.location
   create_queue        = !var.use_internal_queue
-
   deletion_protection = var.deletion_protection
 
-  tags = merge(
-    {
-      "customer-ns" = var.namespace,
-      "env"         = "managed-install"
-    },
-    var.tags,
-  )
+  tags = var.tags
 }
 
 module "app_lb" {
-  source         = "./modules/app_lb"
+  source = "./modules/app_lb"
+
   namespace      = var.namespace
   resource_group = azurerm_resource_group.default
   location       = azurerm_resource_group.default.location
   network        = module.networking.network
   public_subnet  = module.networking.public_subnet
 
-  tags = merge(
-    {
-      "customer-ns" = var.namespace,
-      "env"         = "managed-install"
-    },
-    var.tags,
-  )
+  tags = var.tags
 }
 
 module "app_aks" {
-  source         = "./modules/app_aks"
-  depends_on     = [module.app_lb]
-  namespace      = var.namespace
-  resource_group = azurerm_resource_group.default
-  location       = azurerm_resource_group.default.location
-
-  node_pool_vm_size  = var.kubernetes_instance_type
-  node_pool_vm_count = var.kubernetes_node_count
-
-  identity = module.identity.identity
-
-  gateway           = module.app_lb.gateway
-  public_subnet     = module.networking.public_subnet
-  cluster_subnet_id = module.networking.private_subnet.id
-
-  tags = merge(
-    {
-      "customer-ns" = var.namespace,
-      "env"         = "managed-install"
-    },
-    var.tags,
-  )
+  source     = "./modules/app_aks"
+  depends_on = [module.app_lb]
+
+  cluster_subnet_id     = module.networking.private_subnet.id
+  etcd_key_vault_key_id = module.vault.etcd_key_id
+  gateway               = module.app_lb.gateway
+  identity              = module.identity.identity
+  location              = azurerm_resource_group.default.location
+  namespace             = var.namespace
+  node_pool_vm_count    = var.kubernetes_node_count
+  node_pool_vm_size     = var.kubernetes_instance_type
+  public_subnet         = module.networking.public_subnet
+  resource_group        = azurerm_resource_group.default
+
+  tags = var.tags
 }
 
 locals {

diff --git a/modules/app_aks/main.tf b/modules/app_aks/main.tf
@@ -43,10 +43,15 @@ resource "azurerm_kubernetes_cluster" "default" {
   lifecycle {
     ignore_changes = [microsoft_defender]
   }
+
+  key_management_service {
+    key_vault_key_id = var.etcd_key_vault_key_id
+  }
 }
 
 locals {
   ingress_gateway_principal_id = azurerm_kubernetes_cluster.default.ingress_application_gateway.0.ingress_application_gateway_identity.0.object_id
+
 }
 
 resource "azurerm_role_assignment" "gateway" {

diff --git a/modules/app_aks/variables.tf b/modules/app_aks/variables.tf
@@ -1,33 +1,39 @@
-variable "namespace" {
+variable "cluster_subnet_id" {
   type        = string
-  description = "Friendly name prefix used for tagging and naming Azure resources."
+  description = "Network subnet id for cluster"
 }
 
-variable "identity" {
+variable "etcd_key_vault_key_id" {
+  description = "The ID of the key (stored in Key Vault) used to encryypt etcd's persistent storage."
+  nullable    = false
+  type        = string
+}
+
+variable "gateway" {
   type = object({ id = string })
 }
 
-variable "resource_group" {
-  type        = object({ name = string, id = string })
-  description = "Resource Group where the Managed Kubernetes Cluster should exist."
+variable "identity" {
+  type = object({ id = string })
 }
 
 variable "location" {
   type        = string
   description = "The location where the Managed Kubernetes Cluster should be created."
 }
 
-variable "cluster_subnet_id" {
+variable "namespace" {
   type        = string
-  description = "Network subnet id for cluster"
+  description = "Friendly name prefix used for tagging and naming Azure resources."
 }
 
-variable "gateway" {
+variable "public_subnet" {
   type = object({ id = string })
 }
 
-variable "public_subnet" {
-  type = object({ id = string })
+variable "resource_group" {
+  type        = object({ name = string, id = string })
+  description = "Resource Group where the Managed Kubernetes Cluster should exist."
 }
 
 variable "tags" {

diff --git a/modules/redis/main.tf b/modules/redis/main.tf
@@ -11,8 +11,4 @@ resource "azurerm_redis_cache" "default" {
   redis_configuration {
   }
 
-  tags = {
-    "customer-ns" = var.namespace,
-    "env"         = "managed-install"
-  }
 }
diff --git a/modules/vault/main.tf b/modules/vault/main.tf
@@ -21,20 +21,17 @@ resource "azurerm_key_vault" "default" {
     default_action = "Allow"
   }
 
-  tags = {
-    "customer-ns" = var.namespace,
-    "env"         = "managed-install"
-  }
+  tags = var.tags
 }
 
 resource "azurerm_key_vault_access_policy" "parent" {
   key_vault_id = azurerm_key_vault.default.id
   tenant_id    = data.azurerm_client_config.current.tenant_id
   object_id    = data.azurerm_client_config.current.object_id
 
-  key_permissions     = ["Get", "Backup", "Delete", "List", "Purge", "Recover", "Restore", "Rotate", "GetRotationPolicy"]
-  secret_permissions  = ["Get", "Backup", "Delete", "List", "Purge", "Recover", "Restore", "Set"]
-  storage_permissions = ["Get", "Backup", "Delete", "List", "Purge", "Recover", "Restore"]
+  key_permissions     = ["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "GetRotationPolicy", "List", "Purge", "Recover", "Restore", "Rotate"]
+  secret_permissions  = ["Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set"]
+  storage_permissions = ["Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore"]
 
   depends_on = [azurerm_key_vault.default]
 }
@@ -44,9 +41,21 @@ resource "azurerm_key_vault_access_policy" "identity" {
   tenant_id    = data.azurerm_client_config.current.tenant_id
   object_id    = var.identity_object_id
 
-  key_permissions     = ["Get"]
-  secret_permissions  = ["Get", "Delete", "List", "Purge", "Recover", "Restore", "Set"]
-  storage_permissions = ["Get"]
+  key_permissions     = ["Create", "Decrypt", "Encrypt", "Get", "List"]
+  secret_permissions  = ["Delete", "Get", "List", "Purge", "Recover", "Restore", "Set"]
+  storage_permissions = ["Get", "List"]
+
 
   depends_on = [azurerm_key_vault.default]
 }
+
+resource "azurerm_key_vault_key" "etcd" {
+  depends_on = [azurerm_key_vault_access_policy.parent, azurerm_key_vault_access_policy.identity]
+
+  name         = "generated-etcd-key"
+  key_vault_id = azurerm_key_vault.default.id
+  key_type     = "RSA"
+  key_size     = 2048
+
+  key_opts = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey", ]
+}
diff --git a/modules/vault/outputs.tf b/modules/vault/outputs.tf
@@ -1,3 +1,7 @@
+output "etcd_key_id" {
+  value = azurerm_key_vault_key.etcd.id
+}
+
 output "vault" {
   value = azurerm_key_vault.default
 }
diff --git a/modules/vault/variables.tf b/modules/vault/variables.tf
@@ -1,3 +1,12 @@
+variable "identity_object_id" {
+  type = string
+}
+
+variable "location" {
+  type        = string
+  description = "The location where the Managed Kubernetes Cluster should be created."
+}
+
 variable "namespace" {
   type        = string
   description = "Friendly name prefix used for tagging and naming Azure resources."
@@ -8,11 +17,7 @@ variable "resource_group" {
   description = "Resource Group where the Managed Kubernetes Cluster should exist."
 }
 
-variable "location" {
-  type        = string
-  description = "The location where the Managed Kubernetes Cluster should be created."
-}
-
-variable "identity_object_id" {
-  type = string
+variable "tags" {
+  type        = map(string)
+  description = "Map of tags for resource"
 }