Description
Is your feature request related to a problem? Please describe.
Yes. When deploying Operations Manager on AWS using the create-vm task from Platform Automation which relies on the om vm-lifecycle, our client requires that all EBS volumes be encrypted using a specific AWS KMS key. This is an industry standard across multiple enterprises and the issue has been briefly discussed on the following request - #600.
However, the current implementation of the OM CLI does not support specifying encryption parameters for the AMI or the resulting EC2 instance. This forces us to manually copy and encrypt the public Ops Manager AMI using the AWS CLI before deployment:
```shell
aws ec2 copy-image --source-image-id ${OPSMAN_PUBLIC_AMI_ID} --source-region ${S3_REGION} --region ${S3_REGION} --encrypted --kms-key-id <KMS_KEY_ID> --name "encrypted-${AMI_NAME}" --description "encrypted-${AMI_NAME}"
```
This manual step breaks the automation flow and introduces operational overhead and risk.
Describe the solution you'd like
We’d like the OM VM-LIFECYCLE command to support automatic encryption of the AMI and/or EBS volumes during deployment. Ideally, this would include:
- A flag or config option to enable encryption (`encrypted: true`)
- A way to specify a custom KMS key (`kms_key_id: `)
- Automatic use of the encrypted AMI when launching the EC2 instance
Referenced code: om/vmlifecycle/vmmanagers/aws.go, line 4 at 595e099 (`"bytes"`)
This would allow full automation of Operations Manager deployment in compliance with AWS security policies.
Describe alternatives you've considered
- Manual AMI encryption using `aws ec2 copy-image` before running the task (current workaround)
- Custom wrapper tasks that pre-process the AMI and inject it into the pipeline
- Post-deployment volume encryption (not feasible, as AWS requires encryption at launch time)
None of these alternatives are ideal, as they break the declarative and automated nature of Platform Automation.
Additional context
We're using Platform Automation with Concourse to deploy Ops Manager on AWS.
The client has strict compliance requirements mandating KMS-encrypted EBS volumes.
The create-vm task currently pulls the public Ops Manager AMI and launches it without encryption options.
Adding support for AMI encryption would align with AWS best practices and enterprise security standards.
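As an added example (not code from the issue author or the om project), the following mirrors the `copy-image` workaround as CopyImage API parameters and adds the check a pipeline should run before handing an AMI to `create-vm`: every EBS mapping of the copied image must be encrypted with the expected KMS key. All AMI IDs, the account number and the key ARN are constructed placeholders, and the DescribeImages response is a hand-built sample rather than real AWS output.

```python
from typing import Any

def copy_image_params(source_ami: str, region: str, kms_key_arn: str, ami_name: str) -> dict[str, Any]:
    """CopyImage API parameters equivalent to the CLI workaround quoted in the issue."""
    return {
        "SourceImageId": source_ami,
        "SourceRegion": region,
        "Encrypted": True,
        "KmsKeyId": kms_key_arn,
        "Name": f"encrypted-{ami_name}",
        "Description": f"encrypted-{ami_name}",
    }

def unencrypted_mappings(image: dict[str, Any], kms_key_arn: str) -> list[str]:
    """Device names whose EBS volume is not encrypted with kms_key_arn (empty = compliant).

    DescribeImages reports KmsKeyId as the key ARN even when the copy was requested
    with a key ID or alias, so callers must pass the ARN. Instance-store mappings
    carry no 'Ebs' block and are skipped."""
    failures = []
    for mapping in image.get("BlockDeviceMappings", []):
        ebs = mapping.get("Ebs")
        if ebs is None:
            continue
        if not ebs.get("Encrypted") or ebs.get("KmsKeyId") != kms_key_arn:
            failures.append(mapping["DeviceName"])
    return failures

def ami_is_compliant(response: dict[str, Any], ami_id: str, kms_key_arn: str) -> bool:
    """True only if ami_id is in the DescribeImages response, is 'available', and every EBS mapping passes."""
    for image in response.get("Images", []):
        if image.get("ImageId") == ami_id:
            return image.get("State") == "available" and not unencrypted_mappings(image, kms_key_arn)
    return False

# Constructed sample DescribeImages output with placeholder IDs (not real resources):
# the encrypted copy produced by the workaround, and the unencrypted public AMI it came from.
KMS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"
SAMPLE_RESPONSE = {
    "Images": [
        {"ImageId": "ami-0encryptedcopy0000", "State": "available",
         "BlockDeviceMappings": [
             {"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": True, "KmsKeyId": KMS_KEY_ARN}}]},
        {"ImageId": "ami-0publicopsman00000", "State": "available",
         "BlockDeviceMappings": [
             {"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": False}}]},
    ]
}
```

In a real pipeline the response would come from `aws ec2 describe-images --image-ids <copied AMI>` after the copy reaches the `available` state; a non-empty result from `unencrypted_mappings` should fail the task before `create-vm` runs.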