Merge pull request #26 from base2Services/feature/volumeEncryption

adding volume-type and volume-encryption paramaters
base2Services · Oct 10, 2024 · dc698c3 · dc698c3
2 parents 2cd9ab2 + 470736f
commit dc698c3
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 4 deletions.
diff --git a/bastion/ec2.go b/bastion/ec2.go
@@ -11,7 +11,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/ec2"
 )
 
-func StartEc2(id string, sess *session.Session, ami string, instanceProfile string, subnetId string, securitygroupId string, instanceType string, launchedBy string, userdata string, keyName string, spot bool, public bool) (string, error) {
+func StartEc2(id string, sess *session.Session, ami string, instanceProfile string, subnetId string, securitygroupId string, instanceType string, launchedBy string, userdata string, keyName string, spot bool, public bool, volumeEncryption bool, volumeType string) (string, error) {
 	client := ec2.New(sess)
 
 	input := &ec2.RunInstancesInput{
@@ -45,6 +45,24 @@ func StartEc2(id string, sess *session.Session, ami string, instanceProfile stri
 		},
 	}
 
+
+
+	blockDeviceMapping := &ec2.BlockDeviceMapping{
+		DeviceName: aws.String("/dev/xvda"), // Using default mapping
+		Ebs: &ec2.EbsBlockDevice{
+			VolumeSize:          aws.Int64(8),                 // Default size GiB; 
+			VolumeType:          aws.String(volumeType),
+			Encrypted:           aws.Bool(volumeEncryption),
+			DeleteOnTermination: aws.Bool(true),               // Default behavior
+		},
+	}
+
+	input.BlockDeviceMappings = []*ec2.BlockDeviceMapping{
+		blockDeviceMapping,
+	}
+
+
+
 	if public {
 		input.NetworkInterfaces = []*ec2.InstanceNetworkInterfaceSpecification{
 			{

diff --git a/bastion/launch.go b/bastion/launch.go
@@ -76,6 +76,8 @@ func CreateBastion(c *cli.Context) (string, string, error) {
 		spot              bool
 		publicIpAddress   bool
 		bastionInstanceId string
+		volumeEncryption  bool
+		volumeType        string
 	)
 	//Check if theres a better way to create a default instance? eg: call CmdLaunchLinuxBastion with some spoofed cli context? but somehow return instance id
 
@@ -124,6 +126,16 @@ func CreateBastion(c *cli.Context) (string, string, error) {
 		publicIpAddress = false
 	}
 
+	volumeEncryption = true
+	if c.Bool("volume-encryption") {
+		volumeEncryption = false
+	}
+	volumeType = c.String("volume-type")
+
+	if volumeType == "" {
+		volumeType = "gp2" //Default volume-type
+	}
+
 	subnetId = c.String("subnet-id")
 	if subnetId == "" {
 		subnets, err := GetSubnets(sess)
@@ -153,7 +165,7 @@ func CreateBastion(c *cli.Context) (string, string, error) {
 
 	userdata = BuildLinuxUserdata(sshKey, c.String("ssh-user"), expire, expireAfter, c.String("efs"), c.String("access-points"))
 
-	bastionInstanceId, err = StartEc2(id, sess, ami, instanceProfile, subnetId, securitygroupId, instanceType, launchedBy, userdata, keyName, spot, publicIpAddress)
+	bastionInstanceId, err = StartEc2(id, sess, ami, instanceProfile, subnetId, securitygroupId, instanceType, launchedBy, userdata, keyName, spot, publicIpAddress, volumeEncryption, volumeType)
 	if err != nil {
 		return "", "", err
 	}
@@ -178,6 +190,8 @@ func CmdLaunchWindowsBastion(c *cli.Context) error {
 		spot              bool
 		publicIpAddress   bool
 		bastionInstanceId string
+		volumeEncryption  bool
+		volumeType        string
 	)
 
 	id = GenerateSessionId()
@@ -210,6 +224,17 @@ func CmdLaunchWindowsBastion(c *cli.Context) error {
 		publicIpAddress = false
 	}
 
+	volumeEncryption = true
+	if c.Bool("volume-encryption") {
+		volumeEncryption = false
+	}
+
+	volumeType = c.String("volume-type")
+
+	if volumeType == "" {
+		volumeType = "gp2" //Default volume-type
+	}
+
 	subnetId = c.String("subnet-id")
 	if subnetId == "" {
 		subnets, err := GetSubnets(sess)
@@ -238,7 +263,6 @@ func CmdLaunchWindowsBastion(c *cli.Context) error {
 	}
 
 	instanceType = c.String("instance-type")
-
 	if c.Bool("rdp") {
 		log.Println("creating keypair for rdp password decryption ...")
 
@@ -257,7 +281,7 @@ func CmdLaunchWindowsBastion(c *cli.Context) error {
 
 	userdata = BuildWindowsUserdata()
 
-	bastionInstanceId, err = StartEc2(id, sess, ami, instanceProfile, subnetId, securitygroupId, instanceType, launchedBy, userdata, keyName, spot, publicIpAddress)
+	bastionInstanceId, err = StartEc2(id, sess, ami, instanceProfile, subnetId, securitygroupId, instanceType, launchedBy, userdata, keyName, spot, publicIpAddress, volumeEncryption, volumeType)
 	if err != nil {
 		return err
 	}

diff --git a/entrypoint/main.go b/entrypoint/main.go
@@ -105,6 +105,14 @@ func CliMain() {
 						Aliases: []string{"o"},
 						Usage:   "any additional ssh options such as tunnels '-L 3306:db.internal.example.com:3306'",
 					},
+					&cli.BoolFlag{
+						Name:  "volume-encryption",
+						Usage: "enable volume encryption",
+					},
+					&cli.StringFlag{
+						Name:  "volume-type",
+						Usage: "specify volume volume type [gp2, gp3, io2, io1]",
+					},
 				},
 			},
 			{
@@ -165,6 +173,14 @@ func CliMain() {
 						Name:  "private",
 						Usage: "don't attach a public IP to the bastion",
 					},
+					&cli.BoolFlag{
+						Name:  "volume-encryption",
+						Usage: "enable volume encryption",
+					},
+					&cli.StringFlag{
+						Name:  "volume-type",
+						Usage: "specify volume volume type [gp2, gp3, io2, io1]",
+					},
 				},
 			},
 			{