From 8c3b2274d91e1c7e3994eeb4cc5450f17fd966d4 Mon Sep 17 00:00:00 2001
From: Yissachar Radcliffe
Date: Thu, 1 Sep 2016 13:02:17 -0400
Subject: [PATCH] Add option to encrypt Etcd volumes
---
 upup/models/proto/_aws/master_volumes.yaml | 2 ++
 upup/pkg/api/cluster.go | 10 ++++++----
 upup/pkg/fi/cloudup/awstasks/ebsvolume.go | 10 ++++++++++
 3 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/upup/models/proto/_aws/master_volumes.yaml b/upup/models/proto/_aws/master_volumes.yaml
index 703d26a0ae..2352752715 100644
--- a/upup/models/proto/_aws/master_volumes.yaml
+++ b/upup/models/proto/_aws/master_volumes.yaml
@@ -6,6 +6,8 @@ ebsVolume/{{$m.Name}}.etcd-{{$etcd.Name}}.{{ ClusterName }}:
 availabilityZone: {{ $m.Zone }}
 sizeGB: {{ or $m.VolumeSize 20 }}
 volumeType: {{ or $m.VolumeType "gp2" }}
+ kmsKeyId: {{ $m.KmsKeyId }}
+ encrypted: {{ or $m.EncryptedVolume false }}
 tags:
 {{ range $k, $v := EtcdClusterMemberTags $etcd $m }}
 {{ $k }}: "{{ $v }}"
diff --git a/upup/pkg/api/cluster.go b/upup/pkg/api/cluster.go
index 127eaa3851..20f5510c5e 100644
--- a/upup/pkg/api/cluster.go
+++ b/upup/pkg/api/cluster.go
@@ -240,11 +240,13 @@ type EtcdClusterSpec struct {
 type EtcdMemberSpec struct {
 // Name is the name of the member within the etcd cluster
- Name string `json:"name,omitempty"`
- Zone string `json:"zone,omitempty"`
+ Name string `json:"name,omitempty"`
+ Zone string `json:"zone,omitempty"`
- VolumeType string `json:"volumeType,omitempty"`
- VolumeSize int `json:"volumeSize,omitempty"`
+ VolumeType string `json:"volumeType,omitempty"`
+ VolumeSize int `json:"volumeSize,omitempty"`
+ KmsKeyId string `json:"kmsKeyId,omitempty"`
+ EncryptedVolume bool `json:"encryptedVolume,omitempty"`
 }
 type ClusterZoneSpec struct {
diff --git a/upup/pkg/fi/cloudup/awstasks/ebsvolume.go b/upup/pkg/fi/cloudup/awstasks/ebsvolume.go
index 932407293e..c96adbbe1d 100644
--- a/upup/pkg/fi/cloudup/awstasks/ebsvolume.go
+++ b/upup/pkg/fi/cloudup/awstasks/ebsvolume.go
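Review bot: `kmsKeyId: {{ $m.KmsKeyId }}` is rendered even when the line below leaves `encrypted` at false, and EC2 CreateVolume rejects a KmsKeyId on a volume that is not flagged encrypted, so a member that sets only KmsKeyId fails at apply time instead of at validation. The smallest fix in this template is to let the key imply encryption, `encrypted: {{ or $m.EncryptedVolume (ne $m.KmsKeyId "") }}`, though rejecting the combination in cluster validation would give the user a clearer error. Note that `or $m.EncryptedVolume false` is equivalent to `$m.EncryptedVolume` for a bool field; the `or` only earns its keep for the size and type defaults above.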
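Review bot: The two new fields `KmsKeyId` and `EncryptedVolume` in `EtcdMemberSpec` carry no doc comment, while the neighbouring `Name` does, and both settings only take effect when the volume is created — EBS encryption and its KMS key cannot be changed on an existing volume — which is exactly what someone editing a live cluster needs to know. Suggested comments: `// EncryptedVolume requests EBS encryption for this member's etcd volume; it cannot be changed once the volume exists.` and `// KmsKeyId selects the KMS key used when EncryptedVolume is true; if empty, the account's default EBS key is used.`. Go convention would spell the field `KMSKeyID`, which the existing `json:"kmsKeyId"` tag would keep compatible on the wire; the same initialism casing is repeated in the ebsvolume.go hunks.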
@@ -17,6 +17,8 @@ type EBSVolume struct {
 AvailabilityZone *string
 VolumeType *string
 SizeGB *int64
+ KmsKeyId *string
+ Encrypted *bool
 Tags map[string]string
 }
@@ -76,6 +78,8 @@ func (e *EBSVolume) find(cloud *awsup.AWSCloud) (*EBSVolume, error) {
 AvailabilityZone: v.AvailabilityZone,
 VolumeType: v.VolumeType,
 SizeGB: v.Size,
+ KmsKeyId: v.KmsKeyId,
+ Encrypted: v.Encrypted,
 Name: e.Name,
 }
@@ -111,6 +115,8 @@ func (_ *EBSVolume) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *EBSVolume) e
 Size: e.SizeGB,
 AvailabilityZone: e.AvailabilityZone,
 VolumeType: e.VolumeType,
+ KmsKeyId: e.KmsKeyId,
+ Encrypted: e.Encrypted,
 }
 response, err := t.Cloud.EC2.CreateVolume(request)
@@ -128,6 +134,8 @@ type terraformVolume struct {
 AvailabilityZone *string `json:"availability_zone"`
 Size *int64 `json:"size"`
 Type *string `json:"type"`
+ KmsKeyId *string `json:"kmsKeyId"`
+ Encrypted *bool `json:"encrypted"`
 Tags map[string]string `json:"tags,omitempty"`
 }
@@ -136,6 +144,8 @@ func (_ *EBSVolume) RenderTerraform(t *terraform.TerraformTarget, a, e, changes
 AvailabilityZone: e.AvailabilityZone,
 Size: e.SizeGB,
 Type: e.VolumeType,
+ KmsKeyId: e.KmsKeyId,
+ Encrypted: e.Encrypted,
 Tags: e.Tags,
 }
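Review bot: The tag `json:"kmsKeyId"` on the new `terraformVolume` field does not match Terraform's `aws_ebs_volume` argument, which is `kms_key_id`, and it breaks the snake_case convention of the neighbouring tags (`availability_zone`), so a Terraform target would either reject the unknown argument or create the volume without the intended key. Both new fields are also emitted as `null` when unset because, unlike `tags`, they lack `omitempty`, which older Terraform JSON parsers may not accept. Change the two struct lines to use `json:"kms_key_id,omitempty"` and `json:"encrypted,omitempty"`; the `RenderTerraform` hunk that copies the values needs no change once the tags are fixed.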
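Review bot: `RenderAWS` forwards `KmsKeyId: e.KmsKeyId` to CreateVolume without checking that `e.Encrypted` is set, and EC2 rejects a KmsKeyId on a volume that is not flagged encrypted, so the misconfiguration only surfaces as an API error part-way through apply; a guard before the request is built, `if e.KmsKeyId != nil && (e.Encrypted == nil || !*e.Encrypted) { return fmt.Errorf("KmsKeyId requires Encrypted to be true") }`, reports it up front. The `find` hunk copies `v.KmsKeyId` straight from the API, which for an encrypted volume is presumably the key's full ARN, so a spec that names the key by ID or alias will likely see a difference on every run; and since neither attribute can be changed after creation, `CheckChanges` (outside these hunks) should reject changes to `KmsKeyId` and `Encrypted` rather than let an update be attempted. Both `find` and `RenderAWS` start and end outside their hunks.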