From 7bdc1ea45587cea51e4b86c10dca9f0c6d02e1d1 Mon Sep 17 00:00:00 2001
From: xpk
Date: Sat, 6 Jan 2024 10:25:56 +0800
Subject: [PATCH] UPD: Enabled EBS encryption on EMR. Added managed scaling policy

---
 examples/emr/main.tf | 46 +++++++++++++++++++++++++++++++++-------
 examples/emr/provider.tf | 1 -
 2 files changed, 38 insertions(+), 9 deletions(-)

diff --git a/examples/emr/main.tf b/examples/emr/main.tf
index 77d4fe8..bd48e21 100644
--- a/examples/emr/main.tf
+++ b/examples/emr/main.tf
@@ -45,6 +45,11 @@ module "emr" {
 instance_type_configs = [
 {
 instance_type = "c6g.xlarge"
+ ebs_config = {
+ size = 20
+ type = "gp3"
+ volumes_per_instance = 1
+ }
 }
 ]
 }
@@ -109,6 +114,18 @@ module "emr" {
 AmazonEMRServicePolicy_v2 = "arn:aws:iam::aws:policy/service-role/AmazonEMRServicePolicy_v2"
 PowerUser = "arn:aws:iam::aws:policy/PowerUserAccess"
 }
+ iam_instance_profile_policies = {
+ AmazonElasticMapReduceforEC2Role = "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role"
+ PowerUser = "arn:aws:iam::aws:policy/PowerUserAccess"
+ }
+ # Use managed scaling policy to refill spot instances
+ managed_scaling_policy = {
+ unit_type = "InstanceFleetUnits"
+ minimum_capacity_units = 1
+ maximum_capacity_units = 4
+ maximum_ondemand_capacity_units = 0
+ maximum_core_capacity_units = 4
+ }
 }

 resource "random_id" "this" {
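Review bot: The new `iam_instance_profile_policies` map attaches `PowerUserAccess` to the EC2 instance profile, which places near-administrative credentials (the managed policy grants everything except IAM, Organizations and account management) on every cluster node where any YARN/Spark job, step or notebook can fetch them from IMDS. The IMDSv2 settings added elsewhere in this commit do not mitigate that, because the job code runs on the instance itself. For an example that others will copy, keep `AmazonElasticMapReduceforEC2Role` (or a scoped custom policy) and drop `PowerUser = "arn:aws:iam::aws:policy/PowerUserAccess"` from the instance profile map. If the broad grant is intentional for the demo, a comment such as `# NOTE: PowerUserAccess is far broader than the cluster needs; scope down before reuse` should say so next to it. The `module "emr"` block continues outside this hunk.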
@@ -142,20 +159,33 @@ module "s3_bucket" { } } +resource "aws_kms_key" "ebs" { + description = "KMS key for EBS volumes" + deletion_window_in_days = 7 +} resource "aws_emr_security_configuration" "security_config" { name = "${local.name}-emr-security-config" configuration = jsonencode( { - "EncryptionConfiguration" : { - "AtRestEncryptionConfiguration" : { - "S3EncryptionConfiguration" : { - "EncryptionMode" : "SSE-S3" - }, - }, - "EnableInTransitEncryption" : false, - "EnableAtRestEncryption" : true + EncryptionConfiguration = { + AtRestEncryptionConfiguration = { + LocalDiskEncryptionConfiguration = { + AwsKmsKey = aws_kms_key.ebs.arn + EnableEbsEncryption = true + EncryptionKeyProviderType = "AwsKms" + } + S3EncryptionConfiguration = { + EncryptionMode = "SSE-S3" + } + } + EnableAtRestEncryption = true + EnableInTransitEncryption = false + } + InstanceMetadataServiceConfiguration = { + HttpPutResponseHopLimit = 1 + MinimumInstanceMetadataServiceVersion = 2 } } ) diff --git a/examples/emr/provider.tf b/examples/emr/provider.tf index e0ccfdc..24be2dd 100644 --- a/examples/emr/provider.tf +++ b/examples/emr/provider.tf @@ -2,7 +2,6 @@ provider "aws" { region = var.aws-region default_tags { tags = { - ServiceProvider = "RackspaceTechnology" Environment = var.environment Project = var.project Application = var.application
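Review bot: `aws_kms_key.ebs` is declared with only `description` and `deletion_window_in_days`, so automatic key rotation is off and the key relies on the default key policy; add `enable_key_rotation = true` to the resource (and consider a longer deletion window than 7 days for a key that protects cluster disks). With `EncryptionKeyProviderType = "AwsKms"`, the EC2 instance profile role must be allowed to use this key; in this example that is presumably only satisfied by the `PowerUserAccess` attachment in the earlier hunk, so a key policy statement or grant scoped to the instance profile role would let the example stand on its own once that policy is removed. `EnableInTransitEncryption = false` is carried over unchanged, which is worth flagging for readers with a comment such as `# TODO: in-transit (TLS) encryption is still disabled; needs certificate provisioning`. The `aws_emr_security_configuration` resource's closing brace is outside this hunk.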