fix: add support for KMS key EBS volume encryption (closes #19) (#20)

93jeffboggess · web-flow · commit 4e527301e8ed · 2025-10-22T11:27:06.000-05:00
diff --git a/README.md b/README.md
@@ -46,6 +46,9 @@ module "sensor" {
   fleet_token = "<the pairing token from the Fleet UI>"
   fleet_url   = "<the URL of the fleet instance from the Fleet UI>"
   fleet_server_sslname = "<the ssl name provided by Fleet>"
+
+  # optional KMS key, if set will encrpyt the EBS volumes launched by the auto scaler group
+  kms_key_id  = "<the ID of the KMS key used to encrypt the EBS volumes>"
 }
 
 
diff --git a/launch_template.tf b/launch_template.tf
@@ -14,6 +14,18 @@ resource "aws_launch_template" "sensor_launch_template" {
     }
   }
 
+  block_device_mappings {
+    device_name = var.sensor_launch_template_volume_name
+
+    ebs {
+      volume_size           = var.sensor_launch_template_volume_size
+      volume_type           = "gp3"
+      encrypted             = var.kms_key_id == "" ? false : true
+      kms_key_id            = var.kms_key_id == "" ? null : var.kms_key_id
+      delete_on_termination = true
+    }
+  }
+
   network_interfaces {
     device_index          = 0
     security_groups       = [aws_security_group.monitoring.id]
@@ -23,4 +35,4 @@ resource "aws_launch_template" "sensor_launch_template" {
   user_data = module.sensor_config.cloudinit_config.rendered
 
   tags = var.tags
-}
+}
diff --git a/variables.tf b/variables.tf
@@ -50,6 +50,12 @@ variable "fleet_server_sslname" {
   description = "SSL hostname for the fleet server"
 }
 
+variable "kms_key_id" {
+  description = "The KMS key ID to be used for EBS volume encryption for the auto-scale group instances"
+  type        = string
+  default     = null
+}
+
 variable "license_key" {
   description = "Your Corelight sensor license key. Optional if fleet_url is configured."
   sensitive   = true
@@ -111,6 +117,18 @@ variable "sensor_launch_template_instance_type" {
   default     = "c5.2xlarge"
 }
 
+variable "sensor_launch_template_volume_name" {
+  description = "The name of the volume for the sensor launch template"
+  type        = string
+  default     = "/dev/xvda"
+}
+
+variable "sensor_launch_template_volume_size" {
+  description = "The size of the volume for the sensor launch template"
+  type        = number
+  default     = 500
+}
+
 variable "lb_health_check_target_group_name" {
   description = "The name of the health check target group which determines if the sensor in the ASG comes up and is ready to accept traffic"
   type        = string
@@ -200,4 +218,3 @@ variable "fleet_no_proxy" {
   default     = ""
   description = "(optional) hosts or domains to bypass the proxy for fleet traffic"
 }
-

Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,9 @@ module "sensor" {`
`46`	`46`	`fleet_token = "<the pairing token from the Fleet UI>"`
`47`	`47`	`fleet_url = "<the URL of the fleet instance from the Fleet UI>"`
`48`	`48`	`fleet_server_sslname = "<the ssl name provided by Fleet>"`
	`49`	`+`
	`50`	`+ # optional KMS key, if set will encrpyt the EBS volumes launched by the auto scaler group`
	`51`	`+ kms_key_id = "<the ID of the KMS key used to encrypt the EBS volumes>"`
`49`	`52`	`}`
`50`	`53`
`51`	`54`