data: Docs for encrypted volumes for compute machines

Partially reverts 0c370dd (data/aws: Encrypt the AMI used by the bootstrap and master machines, 2019-02-22, #1296). This isn't a clean revert; for example, I left the ability to destroy images which are tagged as owned by the cluster. And we're still copy-and-encrypting for the bootstrap machine and control-plane machines until the AWS Terraform provider supports requesting encrypted root volumes [1]. But with this commit, we're now documenting the encryption in a way that covers both the previous AMI-based encryption used for bootstrap/control-plane and the new root-volume-based encryption used for the compute machines, because they come down to encrypted root volumes regardless of their approach. [1]: hashicorp/terraform-provider-aws#8624
openshift · Aug 5, 2019 · 58c6413 · 58c6413
1 parent 82ecfef
commit 58c6413
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 6 deletions.
diff --git a/data/data/aws/variables-aws.tf b/data/data/aws/variables-aws.tf
@@ -19,7 +19,7 @@ variable "aws_master_instance_type" {
 
 variable "aws_ami" {
   type = string
-  description = "AMI for all nodes.  An encrypted copy of this AMI will be used.  Example: `ami-foobar123`."
+  description = "AMI for all nodes.  Example: `ami-foobar123`."
 }
 
 variable "aws_extra_tags" {

diff --git a/docs/user/aws/install.md b/docs/user/aws/install.md
@@ -49,12 +49,9 @@ In EC2, there will be 6 running instances:
 
 ![EC2 instances after install](images/install_nodes.png)
 
-The installation creates an encrypted AMI for the bootstrap and control-plane machines.
-The encrypted AMI is [copied][encrypted-copy] from the AMI configured in the control-plane machine-API provider spec,
-which is RHCOS by default.
+Instance root volumes for the bootstrap and contro-plane machines are encrypted.
 The encryption uses the default EBS key for your target account and region
 (`aws kms describe-key --key-id alias/aws/ebs`).
-The encrypted AMI is deregistered by `destroy cluster`.
 
 An architecture diagram for the AWS elements created by the full installation is as depicted:
 
@@ -69,4 +66,3 @@ The OpenShift console is available via the kubeadmin login provided by the insta
 ![OpenShift web console](images/install_console.png)
 
 [cloud-install]: https://cloud.openshift.com/clusters/install
-[encrypted-copy]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html#create-ami-encrypted-root-snapshot