UPD: Enabled EBS encryption on EMR. Added managed scaling policy

2024-01-06 10:25:56 +08:00 · 2024-01-06 10:25:56 +08:00 · 7bdc1ea455
commit 7bdc1ea455
parent f3cd4b79bb
2 changed files with 38 additions and 9 deletions
--- a/examples/emr/main.tf
+++ b/examples/emr/main.tf
@ -45,6 +45,11 @@ module "emr" {
    instance_type_configs = [
      {
        instance_type = "c6g.xlarge"
+        ebs_config = {
+          size                 = 20
+          type                 = "gp3"
+          volumes_per_instance = 1
+        }
      }
    ]
  }
@ -109,6 +114,18 @@ module "emr" {
    AmazonEMRServicePolicy_v2 = "arn:aws:iam::aws:policy/service-role/AmazonEMRServicePolicy_v2"
    PowerUser                 = "arn:aws:iam::aws:policy/PowerUserAccess"
  }
+  iam_instance_profile_policies = {
+    AmazonElasticMapReduceforEC2Role = "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role"
+    PowerUser                        = "arn:aws:iam::aws:policy/PowerUserAccess"
+  }
+  # Use managed scaling policy to refill spot instances
+  managed_scaling_policy = {
+    unit_type                       = "InstanceFleetUnits"
+    minimum_capacity_units          = 1
+    maximum_capacity_units          = 4
+    maximum_ondemand_capacity_units = 0
+    maximum_core_capacity_units     = 4
+  }
 }

 resource "random_id" "this" {
@ -142,20 +159,33 @@ module "s3_bucket" {
  }
 }

+resource "aws_kms_key" "ebs" {
+  description             = "KMS key for EBS volumes"
+  deletion_window_in_days = 7
+}

 resource "aws_emr_security_configuration" "security_config" {
  name = "${local.name}-emr-security-config"

  configuration = jsonencode(
    {
-      "EncryptionConfiguration" : {
-        "AtRestEncryptionConfiguration" : {
-          "S3EncryptionConfiguration" : {
-            "EncryptionMode" : "SSE-S3"
-          },
-        },
-        "EnableInTransitEncryption" : false,
-        "EnableAtRestEncryption" : true
+      EncryptionConfiguration = {
+        AtRestEncryptionConfiguration = {
+          LocalDiskEncryptionConfiguration = {
+            AwsKmsKey                 = aws_kms_key.ebs.arn
+            EnableEbsEncryption       = true
+            EncryptionKeyProviderType = "AwsKms"
+          }
+          S3EncryptionConfiguration = {
+            EncryptionMode = "SSE-S3"
+          }
+        }
+        EnableAtRestEncryption    = true
+        EnableInTransitEncryption = false
+      }
+      InstanceMetadataServiceConfiguration = {
+        HttpPutResponseHopLimit               = 1
+        MinimumInstanceMetadataServiceVersion = 2
      }
    }
  )
--- a/examples/emr/provider.tf
+++ b/examples/emr/provider.tf
@ -2,7 +2,6 @@ provider "aws" {
  region = var.aws-region
  default_tags {
    tags = {
-      ServiceProvider = "RackspaceTechnology"
      Environment     = var.environment
      Project         = var.project
      Application     = var.application