diff --git a/config.cfg b/config.cfg
index 72a0837..d232348 100644
--- a/config.cfg
+++ b/config.cfg
@@ -143,8 +143,7 @@ cloud_providers:
image: "ubuntu-19-04-x64"
ec2:
# Change the encrypted flag to "true" to enable AWS volume encryption, for encryption of data at rest.
- # Warning: the Algo script will take approximately 6 minutes longer to complete.
- encrypted: false
+ encrypted: true
# Set use_existing_eip to "true" if you want to use a pre-allocated Elastic IP
# Additional prompt will be raised to determine which IP to use
use_existing_eip: false
diff --git a/roles/cloud-ec2/defaults/main.yml b/roles/cloud-ec2/defaults/main.yml
index 86ae995..ce818fe 100644
--- a/roles/cloud-ec2/defaults/main.yml
+++ b/roles/cloud-ec2/defaults/main.yml
@@ -1,5 +1,4 @@
---
-ami_search_encrypted: omit
encrypted: "{{ cloud_providers.ec2.encrypted }}"
ec2_vpc_nets:
cidr_block: 172.16.0.0/16
diff --git a/roles/cloud-ec2/files/stack.yaml b/roles/cloud-ec2/files/stack.yaml
index 5a8d2f8..33cdde6 100644
--- a/roles/cloud-ec2/files/stack.yaml
+++ b/roles/cloud-ec2/files/stack.yaml
@@ -14,6 +14,8 @@ Parameters:
UseThisElasticIP:
Type: String
Default: ''
+ EbsEncrypted:
+ Type: String
Conditions:
AllocateNewEIP: !Equals [!Ref UseThisElasticIP, '']
AssociateExistingEIP: !Not [!Equals [!Ref UseThisElasticIP, '']]
@@ -159,6 +161,12 @@ Resources:
Properties:
InstanceType:
Ref: InstanceTypeParameter
+ BlockDeviceMappings:
+ - DeviceName: /dev/sda1
+ Ebs:
+ DeleteOnTermination: true
+ VolumeSize: 8
+ Encrypted: !Ref EbsEncrypted
InstanceInitiatedShutdownBehavior: terminate
SecurityGroupIds:
- Ref: InstanceSecurityGroup
diff --git a/roles/cloud-ec2/tasks/cloudformation.yml b/roles/cloud-ec2/tasks/cloudformation.yml
index 8aadfaa..27f4265 100644
--- a/roles/cloud-ec2/tasks/cloudformation.yml
+++ b/roles/cloud-ec2/tasks/cloudformation.yml
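Review bot: The comment kept on the line above `encrypted: true` still tells the reader to change the flag to "true" to enable volume encryption, which no longer matches a default that is already `true`; reword it to describe the new default, e.g. `# AWS EBS volume encryption (encryption of data at rest) is enabled by default; set encrypted to "false" to disable it.` The removed warning about the extra six minutes referred to the AMI-copy step that this commit deletes, so dropping it is consistent, but the remaining sentence should not imply encryption is opt-in.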
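Review bot: `EbsEncrypted` is declared as a plain `Type: String` with no `AllowedValues` and no `Default`, so a rendering other than `true`/`false` (for example a Jinja-rendered Python boolean `True`) would only be rejected when CloudFormation evaluates the `Encrypted` property, well into stack creation. Constrain it at the parameter so a bad value fails template validation up front, e.g. `AllowedValues: ['true', 'false']` and `Default: 'true'` under `EbsEncrypted:`, following the `Default: ''` pattern `UseThisElasticIP` uses just above. The `Parameters:` block continues outside the hunk.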
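Review bot: The new `BlockDeviceMappings` entry hard-codes `DeviceName: /dev/sda1` and `VolumeSize: 8` and carries no `KmsKeyId`, whereas the `encrypt_image.yml` this commit deletes honoured a `kms_key_id` variable; with this mapping the root volume presumably falls back to the account's default EBS key, so the customer-managed-key option disappears without being mentioned. If that option is still wanted, add a `KmsKeyId` parameter to the template next to `EbsEncrypted` and pass it from the playbook; if it is intentionally dropped, say so in the commit message and in the `config.cfg` comment. A short comment on `VolumeSize: 8` noting that it must be at least the AMI's root snapshot size would also help, since a smaller value fails at launch rather than at template validation. The `Properties:` mapping continues outside the hunk.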
@@ -13,6 +13,7 @@
ImageIdParameter: "{{ ami_image }}"
WireGuardPort: "{{ wireguard_port }}"
UseThisElasticIP: "{{ existing_eip }}"
+ EbsEncrypted: "{{ encrypted }}"
tags:
Environment: Algo
register: stack
diff --git a/roles/cloud-ec2/tasks/encrypt_image.yml b/roles/cloud-ec2/tasks/encrypt_image.yml
deleted file mode 100644
index c4f8c03..0000000
--- a/roles/cloud-ec2/tasks/encrypt_image.yml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-- name: Check if the encrypted image already exist
- ec2_ami_facts:
- aws_access_key: "{{ access_key }}"
- aws_secret_key: "{{ secret_key }}"
- owners: self
- region: "{{ algo_region }}"
- filters:
- state: available
- "tag:Algo": encrypted
- "tag:image": "{{ cloud_providers.ec2.image.name }}"
- register: search_crypt
-
-- name: Copy to an encrypted image
- ec2_ami_copy:
- aws_access_key: "{{ access_key }}"
- aws_secret_key: "{{ secret_key }}"
- encrypted: yes
- name: "algo/{{ cloud_providers.ec2.image.name }}"
- kms_key_id: "{{ kms_key_id | default(omit) }}"
- region: "{{ algo_region }}"
- source_image_id: "{{ (ami_search.images | sort(attribute='creation_date') | last)['image_id'] }}"
- source_region: "{{ algo_region }}"
- wait: true
- tags:
- Algo: "encrypted"
- image: "{{ cloud_providers.ec2.image.name }}"
- register: ami_search_encrypted
- when: search_crypt.images|length|int == 0
diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml
index 7d63217..5811b21 100644
--- a/roles/cloud-ec2/tasks/main.yml
+++ b/roles/cloud-ec2/tasks/main.yml
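Review bot: `EbsEncrypted: "{{ encrypted }}"` passes the Ansible value straight through, and `encrypted` is itself templated from `cloud_providers.ec2.encrypted` in the role defaults, so the string that reaches the stack parameter may render as `True` rather than the lowercase `true` a CloudFormation Boolean property is documented to accept; normalise it on this line, e.g. `EbsEncrypted: "{{ encrypted | bool | string | lower }}"`, so the rendered value is always `true` or `false`. The surrounding task (its parameter list and `register: stack`) starts and ends outside the hunk.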
@@ -16,15 +16,9 @@
name: "ubuntu/images/hvm-ssd/{{ cloud_providers.ec2.image.name }}-amd64-server-*"
register: ami_search

- - import_tasks: encrypt_image.yml
- when: encrypted
-
- name: Set the ami id as a fact
set_fact:
- ami_image: >-
- {% if ami_search_encrypted.image_id is defined %}{{ ami_search_encrypted.image_id }}
- {%- elif search_crypt.images is defined and search_crypt.images|length >= 1 %}{{ (search_crypt.images | sort(attribute='creation_date') | last)['image_id'] }}
- {%- else %}{{ (ami_search.images | sort(attribute='creation_date') | last)['image_id'] }}{% endif %}
+ ami_image: "{{ (ami_search.images | sort(attribute='creation_date') | last)['image_id'] }}"

- name: Deploy the stack
import_tasks: cloudformation.yml