EC2: Enable EBS single step encryption by default (#1556)

* EC2: EBS single step encryption by default

* return back the encryption variable

config.cfg

@@ -143,8 +143,7 @@ cloud_providers:
     image: "ubuntu-19-04-x64"
   ec2:
     # Change the encrypted flag to "true" to enable AWS volume encryption, for encryption of data at rest.
-    # Warning: the Algo script will take approximately 6 minutes longer to complete.
-    encrypted: false
+    encrypted: true
     # Set use_existing_eip to "true" if you want to use a pre-allocated Elastic IP
     # Additional prompt will be raised to determine which IP to use
     use_existing_eip: false

roles/cloud-ec2/defaults/main.yml

@@ -1,5 +1,4 @@
 ---
-ami_search_encrypted: omit
 encrypted: "{{ cloud_providers.ec2.encrypted }}"
 ec2_vpc_nets:
   cidr_block: 172.16.0.0/16

roles/cloud-ec2/files/stack.yaml

@@ -14,6 +14,8 @@ Parameters:
   UseThisElasticIP:
     Type: String
     Default: ''
+  EbsEncrypted:
+    Type: String
 Conditions:
   AllocateNewEIP: !Equals [!Ref UseThisElasticIP, '']
   AssociateExistingEIP: !Not [!Equals [!Ref UseThisElasticIP, '']]
@@ -159,6 +161,12 @@ Resources:
     Properties:
       InstanceType:
         Ref: InstanceTypeParameter
+      BlockDeviceMappings:
+        - DeviceName: /dev/sda1
+          Ebs:
+            DeleteOnTermination: true
+            VolumeSize: 8
+            Encrypted: !Ref EbsEncrypted
       InstanceInitiatedShutdownBehavior: terminate
       SecurityGroupIds:
         - Ref: InstanceSecurityGroup

roles/cloud-ec2/tasks/cloudformation.yml

@@ -13,6 +13,7 @@
       ImageIdParameter: "{{ ami_image }}"
       WireGuardPort: "{{ wireguard_port }}"
       UseThisElasticIP: "{{ existing_eip }}"
+      EbsEncrypted: "{{ encrypted }}"
     tags:
       Environment: Algo
   register: stack

roles/cloud-ec2/tasks/encrypt_image.yml

@@ -1,29 +0,0 @@
----
-- name: Check if the encrypted image already exist
-  ec2_ami_facts:
-    aws_access_key: "{{ access_key }}"
-    aws_secret_key: "{{ secret_key }}"
-    owners: self
-    region: "{{ algo_region }}"
-    filters:
-      state: available
-      "tag:Algo": encrypted
-      "tag:image": "{{ cloud_providers.ec2.image.name }}"
-  register: search_crypt
-
-- name: Copy to an encrypted image
-  ec2_ami_copy:
-    aws_access_key: "{{ access_key }}"
-    aws_secret_key: "{{ secret_key }}"
-    encrypted: yes
-    name: "algo/{{ cloud_providers.ec2.image.name }}"
-    kms_key_id: "{{ kms_key_id | default(omit) }}"
-    region: "{{ algo_region }}"
-    source_image_id: "{{ (ami_search.images | sort(attribute='creation_date') | last)['image_id'] }}"
-    source_region: "{{ algo_region }}"
-    wait: true
-    tags:
-      Algo: "encrypted"
-      image: "{{ cloud_providers.ec2.image.name }}"
-  register: ami_search_encrypted
-  when: search_crypt.images|length|int == 0

roles/cloud-ec2/tasks/main.yml

@@ -16,15 +16,9 @@
         name: "ubuntu/images/hvm-ssd/{{ cloud_providers.ec2.image.name }}-amd64-server-*"
     register: ami_search
 
-  - import_tasks: encrypt_image.yml
-    when: encrypted
-
   - name: Set the ami id as a fact
     set_fact:
-      ami_image: >-
-        {% if ami_search_encrypted.image_id is defined %}{{ ami_search_encrypted.image_id }}
-        {%- elif search_crypt.images is defined and search_crypt.images|length >= 1 %}{{ (search_crypt.images | sort(attribute='creation_date') | last)['image_id'] }}
-        {%- else %}{{ (ami_search.images | sort(attribute='creation_date') | last)['image_id'] }}{% endif %}
+      ami_image: "{{ (ami_search.images | sort(attribute='creation_date') | last)['image_id'] }}"
 
   - name: Deploy the stack
     import_tasks: cloudformation.yml