From 6067290c0e979993af10309f0bbacbe16441e42e Mon Sep 17 00:00:00 2001
From: Ryan White <4404175+alzabo@users.noreply.github.com>
Date: Wed, 25 Aug 2021 09:22:53 -0400
Subject: [PATCH] feat: Support for encrypted root disk in node_groups (#1428)

---
 modules/node_groups/README.md | 2 ++
 modules/node_groups/launch_template.tf | 2 ++
 modules/node_groups/locals.tf | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/modules/node_groups/README.md b/modules/node_groups/README.md
index ab7bb51..448b9f7 100644
--- a/modules/node_groups/README.md
+++ b/modules/node_groups/README.md
@@ -23,6 +23,8 @@ The role ARN specified in `var.default_iam_role_arn` will be used by default. In
 | capacity\_type | Type of instance capacity to provision. Options are `ON_DEMAND` and `SPOT` | string | Provider default behavior |
 | create_launch_template | Create and use a default launch template | bool | `false` |
 | desired\_capacity | Desired number of workers | number | `var.workers_group_defaults[asg_desired_capacity]` |
+| disk\_encrypted | Whether the root disk will be encrypyted. Requires `create_launch_template` to be `true` and `disk_kms_key_id` to be set | bool | false |
+| disk\_kms\_key\_id | KMS Key used to encrypt the root disk. Requires both `create_launch_template` and `disk_encrypted` to be `true` | string | "" |
 | disk\_size | Workers' disk size | number | Provider default behavior |
 | disk\_type | Workers' disk type. Require `create_launch_template` to be `true`| number | `gp3` |
 | ebs\_optimized | Enables/disables EBS optimization. Require `create_launch_template` to be `true` | bool | `true` if defined `instance\_types` are not present in `var.ebs\_optimized\_not\_supported` |
diff --git a/modules/node_groups/launch_template.tf b/modules/node_groups/launch_template.tf
index eab50b6..a528a3d 100644
--- a/modules/node_groups/launch_template.tf
+++ b/modules/node_groups/launch_template.tf
@@ -35,6 +35,8 @@ resource "aws_launch_template" "workers" {
 ebs {
 volume_size = lookup(each.value, "disk_size", null)
 volume_type = lookup(each.value, "disk_type", null)
+ encrypted = lookup(each.value, "disk_encrypted", null)
+ kms_key_id = lookup(each.value, "disk_kms_key_id", null)
 delete_on_termination = true
 }
 }
diff --git a/modules/node_groups/locals.tf b/modules/node_groups/locals.tf
index 89dcd84..945a7e3 100644
--- a/modules/node_groups/locals.tf
+++ b/modules/node_groups/locals.tf
@@ -16,6 +16,8 @@ locals {
 kubelet_extra_args = var.workers_group_defaults["kubelet_extra_args"]
 disk_size = var.workers_group_defaults["root_volume_size"]
 disk_type = var.workers_group_defaults["root_volume_type"]
+ disk_encrypted = var.workers_group_defaults["root_encrypted"]
+ disk_kms_key_id = var.workers_group_defaults["root_kms_key_id"]
 enable_monitoring = var.workers_group_defaults["enable_monitoring"]
 eni_delete = var.workers_group_defaults["eni_delete"]
 public_ip = var.workers_group_defaults["public_ip"]
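Review bot: The two added `ebs` attributes pass `disk_encrypted` and `disk_kms_key_id` through independently with no check on their pairing, and the README row added in the same patch states the dependency backwards: `encrypted = true` works without a key (EBS then uses the account's default `aws/ebs` key), whereas a `kms_key_id` supplied without `encrypted = true` is rejected by EC2 at apply time. I would note that on the new line, e.g. `# kms_key_id is only honoured when encrypted = true; an empty string is presumably dropped by the provider — verify`, and consider a module-level validation that `disk_kms_key_id` is non-empty only when `disk_encrypted` is true, so the failure surfaces at plan rather than as a node-group launch error. Because managed node-group instances are launched by Auto Scaling, a customer-managed key also needs a key policy that lets the `AWSServiceRoleForAutoScaling` service-linked role use it (including `kms:CreateGrant`); without that, instances silently fail to come up, which deserves a sentence in the README alongside the new rows. The enclosing `resource "aws_launch_template" "workers"` block starts before this hunk and continues after it.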
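Review bot: The new `disk_encrypted` and `disk_kms_key_id` locals index `var.workers_group_defaults` by `root_encrypted` and `root_kms_key_id` directly, so `terraform plan` fails with an invalid-index error if either key is absent from the merged defaults map; the diffstat shows no change to the root module's defaults, so this relies on those keys already existing there (they match the self-managed worker_groups names, which appears to be the intent) — worth confirming before merge. If that is not guaranteed, `disk_encrypted = lookup(var.workers_group_defaults, "root_encrypted", false)` and `disk_kms_key_id = lookup(var.workers_group_defaults, "root_kms_key_id", "")` would match the defaults the README documents. It is also worth stating in the README that with the documented `false` default, node-group root volumes are encrypted only if account-level EBS default encryption is enabled, since that is the security-relevant consequence of opting out. The `locals {` block starts before this hunk and continues after it.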