EncryptRootVolume Document (awslabs#34)
* initial version of EncryptRootVolume Document
awsandrewpark authored and alemartini committed Apr 9, 2019
1 parent 0e7197f commit 1e6b81f
Showing 6 changed files with 782 additions and 0 deletions.
26 changes: 26 additions & 0 deletions Documents/Automation/EncryptRootVolume/Design/Design.md
@@ -0,0 +1,26 @@
# Encrypt EBS root volume

## Notes

Encrypts the root volume of an EC2 instance. This will be a replace operation and not an in-line encryption operation.

## Document Design

Refer to schema.json

Document Steps:
1. aws:npark-encryptrootvolume - Execute CloudFormation Template to attach the volume.
* Parameters:
* instanceId: (Required) Instance ID of the ec2 instance whose root volume needs to be encrypted
* region: (Required) Region in which the ec2 instance belong
* KmsKeyId: (Required) Customer KMS key to use during the encryption
* devicename: (Optional) Device name of the root volume. Defaults to /dev/sda1
* AutomationAssumeRole: (Optional) The ARN of the role that allows Automation to perform the actions on your behalf

## Test script

Python script will:
# 1. Create a test stack with an instance, a volume and a KMS Key (Customer managed)
# 2. Execute automation document to replace the root volume with the encrypted one (after a copy operation of the root volume snapshot)
# 3. Ensure the Automation has executed successfull
# 4. Clean up test stack
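Review bot: the step action `aws:npark-encryptrootvolume` under "Document Steps" is not a valid Systems Manager Automation action name, so the document will fail validation as designed; since the step is described as "Execute CloudFormation Template to attach the volume", the action should be `aws:createStack` (with a matching `aws:deleteStack` step for teardown). The "Notes" section should also state what happens to the original unencrypted root volume and the unencrypted snapshot it is copied from, since a replace operation that leaves either behind does not remove the unencrypted data it set out to protect. Under "Test script", the `# 1.` to `# 4.` lines render as Markdown headings rather than a list; write them as `1.` to `4.`. Minor wording: "executed successfull" should be "executed successfully" and "Region in which the ec2 instance belong" should read "belongs".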
28 changes: 28 additions & 0 deletions Documents/Automation/EncryptRootVolume/Design/schema.json
@@ -0,0 +1,28 @@
{
"schemaVersion": "0.3",
"description": "Encrypt Root Volume",
"assumeRole": "{{ AutomationAssumeRole }}",
"parameters": {
"instanceId": {
"description": "Instance ID of the ec2 instance whose root volume needs to be encrypted",
"type": "String"
},
"region": {
"description": "Region in which the ec2 instance belong",
"type": "String"
},
"KmsKeyId": {
"description": "Customer KMS key to use during the encryption",
"type": "String"
},
"devicename": {
"description": "Device name of the root volume. Defaults to /dev/sda1",
"type": "String"
},
"AutomationAssumeRole": {
"description": "(Optional) The ARN of the role that allows Automation to perform the actions on your behalf",
"type": "String"
}
},
"mainSteps": []
}
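Review bot: `"mainSteps": []` means the document as committed performs no action at all, while `assumeRole` and all five parameters are already wired up; at minimum the schema should carry the step outlined in Design.md or the file should be marked as a stub. The `devicename` description says it "Defaults to /dev/sda1" and `AutomationAssumeRole` is described as "(Optional)", but neither declares a `"default"`, and an Automation parameter without a default must be supplied at execution time, so both are effectively required as written; add `"default": "/dev/sda1"` to `devicename` and `"default": ""` to `AutomationAssumeRole` so the schema matches its own descriptions.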