feat!: update docker machine and encrypt all EBS (#1204)

## Description

- updates the docker-machine to `0.16.2-gitlab.19-cki.5` to set the
encryption key for the instances
- fleet: creates new instances with encrypted volumes

## Migrations required

This could be a breaking change as you might have to change the key
policy for the encryption key to allow EBS to access the key.

```
       {
            "Sid": "Allow access through EBS for all principals in the account that are authorized to use EBS",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:CreateGrant",
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:CallerAccount": "990563477234",
                    "kms:ViaService": "ec2.eu-central-1.amazonaws.com"
                }
            }
        }
```

## Verification

Manually tested the new version.

---------

Co-authored-by: Matthias Kay <matthias.kay@hlag.com>
Co-authored-by: Matthias Kay <github@matthiaskay.de>

Author: jonmcewen

README.md

@@ -9,6 +9,7 @@
 # Terraform module for GitLab auto-scaling runners on AWS spot instances <!-- omit in toc -->
 
 💥 See [issue 819](https://github.com/cattle-ops/terraform-aws-gitlab-runner/issues/819) on how to migrate to v7 smoothly.
+💥 See [pr 1204](https://github.com/cattle-ops/terraform-aws-gitlab-runner/pull/1204) on how to migrate to v8 smoothly.
 
 This [Terraform](https://www.terraform.io/) modules creates a [GitLab Runner](https://docs.gitlab.com/runner/). A blog post
 describes the original version of the runner. See the post at [040code](https://040code.github.io/2017/12/09/runners-on-the-spot/).

docker_autoscaler.tf

@@ -88,6 +88,8 @@ resource "aws_launch_template" "this" {
       volume_type = var.runner_worker_docker_autoscaler_instance.volume_type
       iops        = contains(["gp3", "io1", "io2"], var.runner_worker_docker_autoscaler_instance.volume_type) ? var.runner_worker_docker_autoscaler_instance.volume_iops : null
       throughput  = var.runner_worker_docker_autoscaler_instance.volume_type == "gp3" ? var.runner_worker_docker_autoscaler_instance.volume_throughput : null
+      encrypted   = true
+      kms_key_id  = local.kms_key_arn
     }
   }
 

locals.tf

@@ -95,6 +95,8 @@ locals {
   runner_worker_graceful_terminate_heartbeat_timeout = (var.runner_terminate_ec2_lifecycle_timeout_duration == null
     ? min(7200, tonumber(coalesce(var.runner_gitlab_registration_config.maximum_timeout, 0)) + 300)
   : var.runner_terminate_ec2_lifecycle_timeout_duration)
+
+  kms_key_arn = local.provided_kms_key == "" && var.enable_managed_kms_key ? aws_kms_key.default[0].arn : local.provided_kms_key
 }
 
 resource "local_file" "config_toml" {

logging.tf

@@ -11,7 +11,6 @@ locals {
       log_group_name = var.runner_cloudwatch.log_group_name != null ? var.runner_cloudwatch.log_group_name : var.environment
   })
   provided_kms_key = var.kms_key_id != "" ? var.kms_key_id : ""
-  kms_key          = local.provided_kms_key == "" && var.enable_managed_kms_key ? aws_kms_key.default[0].arn : local.provided_kms_key
 }
 
 resource "aws_cloudwatch_log_group" "environment" {
@@ -25,5 +24,5 @@ resource "aws_cloudwatch_log_group" "environment" {
   # ignored as decided by the user
   # tfsec:ignore:aws-cloudwatch-log-group-customer-key
   # checkov:skip=CKV_AWS_158:Encryption can be enabled by user
-  kms_key_id = local.kms_key
+  kms_key_id = local.kms_key_arn
 }

main.tf

@@ -4,7 +4,7 @@ resource "aws_ssm_parameter" "runner_registration_token" {
   type  = "SecureString"
   value = "null"
 
-  key_id = local.kms_key
+  key_id = local.kms_key_arn
 
   tags = local.tags
 
@@ -18,7 +18,7 @@ resource "aws_ssm_parameter" "runner_sentry_dsn" {
   type  = "SecureString"
   value = "null"
 
-  key_id = local.kms_key
+  key_id = local.kms_key_arn
 
   tags = local.tags
 
@@ -118,6 +118,7 @@ locals {
       launch_template                   = var.runner_worker_docker_machine_fleet.enable == true ? aws_launch_template.fleet_gitlab_runner[0].name : ""
       docker_machine_options            = length(local.docker_machine_options_string) == 1 ? "" : local.docker_machine_options_string
       runners_max_growth_rate           = var.runner_worker_docker_machine_instance.max_growth_rate
+      runners_volume_kms_key            = local.kms_key_arn
   })
 
   template_runner_docker_autoscaler = templatefile("${path.module}/template/runner-docker-autoscaler-config.tftpl",
@@ -387,6 +388,8 @@ resource "aws_launch_template" "fleet_gitlab_runner" {
       volume_type = var.runner_worker_docker_machine_instance.volume_type
       iops        = contains(["gp3", "io1", "io2"], var.runner_worker_docker_machine_instance.volume_type) ? var.runner_worker_docker_machine_instance.volume_iops : null
       throughput  = var.runner_worker_docker_machine_instance.volume_type == "gp3" ? var.runner_worker_docker_machine_instance.volume_throughput : null
+      encrypted   = true
+      kms_key_id  = local.kms_key_arn
     }
   }
 
@@ -445,7 +448,7 @@ module "cache" {
   cache_logging_bucket                 = var.runner_worker_cache.access_log_bucket_id
   cache_logging_bucket_prefix          = var.runner_worker_cache.access_log_bucket_prefix
 
-  kms_key_id = local.kms_key
+  kms_key_id = local.kms_key_arn
 
   name_iam_objects = local.name_iam_objects
 
@@ -485,7 +488,7 @@ resource "aws_iam_policy" "instance_kms_policy" {
   description = "Allow runner instance the ability to use the KMS key."
   policy = templatefile("${path.module}/policies/instance-kms-policy.json",
     {
-      kms_key_arn = var.enable_managed_kms_key && var.kms_key_id == "" ? aws_kms_key.default[0].arn : var.kms_key_id
+      kms_key_arn = local.kms_key_arn
     }
   )
 
@@ -786,7 +789,7 @@ module "terminate_agent_hook" {
   name_iam_objects                       = local.name_iam_objects
   name_docker_machine_runners            = local.runner_tags_merged["Name"]
   role_permissions_boundary              = var.iam_permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.iam_permissions_boundary}"
-  kms_key_id                             = local.kms_key
+  kms_key_id                             = local.kms_key_arn
   asg_hook_terminating_heartbeat_timeout = local.runner_worker_graceful_terminate_heartbeat_timeout
 
   tags = local.tags

policies/kms-policy.json

@@ -28,6 +28,45 @@
       "Resource": [
         "*"
       ]
+    },
+    {
+      "Sid": "Allow service-linked role use of the customer managed key",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": [
+          "arn:aws:iam::${account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
+        ]
+      },
+      "Action": [
+        "kms:Encrypt",
+        "kms:Decrypt",
+        "kms:ReEncrypt*",
+        "kms:GenerateDataKey*",
+        "kms:DescribeKey"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "Allow access through EBS for all principals in the account that are authorized to use EBS",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "*"
+      },
+      "Action": [
+        "kms:Encrypt",
+        "kms:Decrypt",
+        "kms:ReEncrypt*",
+        "kms:GenerateDataKey*",
+        "kms:CreateGrant",
+        "kms:DescribeKey"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "StringEquals": {
+          "kms:CallerAccount": "${account_id}",
+          "kms:ViaService": "ec2.${aws_region}.amazonaws.com"
+        }
+      }
     }
   ]
 }

template/runner-docker-machine-config.tftpl

@@ -30,7 +30,9 @@
       %{~ if use_fleet == true ~}
       ,"amazonec2-ssh-keypath=/root/.ssh/id_rsa",
       "amazonec2-use-fleet=${use_fleet}",
-      "amazonec2-launch-template=${launch_template}"
+      "amazonec2-launch-template=${launch_template}",
+      "amazonec2-volume-encrypted=true",
+      "amazonec2-volume-kms-key=${runners_volume_kms_key}"
       %{~ endif ~}
       ${docker_machine_options}
     ]

variables.tf

@@ -273,7 +273,7 @@ variable "runner_install" {
   type = object({
     amazon_ecr_credential_helper = optional(bool, false)
     docker_machine_download_url  = optional(string, "")
-    docker_machine_version       = optional(string, "0.16.2-gitlab.19-cki.2")
+    docker_machine_version       = optional(string, "0.16.2-gitlab.19-cki.5")
     pre_install_script           = optional(string, "")
     post_install_script          = optional(string, "")
     start_script                 = optional(string, "")