
Merge pull request #481 from mdr-engineering/feature/jc_MSOCI-2182_tfsec_DNS_Resolver_aws-ec2-enable-at-rest-encryption

Encrypts DNS Resolver EC2 root block device - tfsec HIGH finding
Jeremy Cooper 3 years ago
parent
commit
79b9205454
1 changed files with 15 additions and 0 deletions
  1. 15 0
      base/dns/resolver_instance/main.tf

+ 15 - 0
base/dns/resolver_instance/main.tf

@@ -50,6 +50,8 @@ resource "aws_instance" "instance" {
     volume_type           = "gp3"
     volume_size           = 10
     delete_on_termination = true
+    encrypted             = true
+    kms_key_id            = data.aws_kms_key.ebs-key.arn
   }
 
   ebs_block_device {
@@ -194,6 +196,9 @@ data "template_cloudinit_config" "cloud-init" {
   #}
 }
 
+#----------------------------------------------------------------------------
+# DNS Security Group
+#----------------------------------------------------------------------------
 resource "aws_security_group" "dns_security_group" {
   name        = "dns_security_group_${var.instance_number}"
   description = "DNS Security Group"
@@ -201,8 +206,12 @@ resource "aws_security_group" "dns_security_group" {
   tags        = merge(local.standard_tags, var.tags)
 }
 
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "dns-tcp" {
   type              = "ingress"
+  description       = "DNS - Inbound TCP"
   from_port         = 53
   to_port           = 53
   protocol          = "tcp"
@@ -212,6 +221,7 @@ resource "aws_security_group_rule" "dns-tcp" {
 
 resource "aws_security_group_rule" "dns-udp" {
   type              = "ingress"
+  description       = "DNS - Inbound UDP"
   from_port         = 53
   to_port           = 53
   protocol          = "udp"
@@ -219,8 +229,12 @@ resource "aws_security_group_rule" "dns-udp" {
   security_group_id = aws_security_group.dns_security_group.id
 }
 
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "dns_outbound_tcp" {
   type              = "egress"
+  description       = "DNS - Outbound TCP"
   from_port         = 53
   to_port           = 53
   protocol          = "tcp"
@@ -230,6 +244,7 @@ resource "aws_security_group_rule" "dns_outbound_tcp" {
 
 resource "aws_security_group_rule" "dns_outbound_udp" {
   type              = "egress"
+  description       = "DNS - Outbound UDP"
   from_port         = 53
   to_port           = 53
   protocol          = "udp"
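Review bot: The `ebs_block_device` block that begins on the last line of the first hunk (`@@ -50,6 +50,8 @@`) is not touched by this commit, and the tfsec rule named in the PR title (aws-ec2-enable-at-rest-encryption) evaluates that block as well as `root_block_device`; unless it is already encrypted outside the hunk, the HIGH finding will likely remain and it should get `encrypted = true` and `kms_key_id = data.aws_kms_key.ebs-key.arn` too. `data.aws_kms_key.ebs-key` is referenced on the added `kms_key_id` line but is not defined in any hunk, so confirm that data source exists in this module or `terraform plan` will fail on an undeclared reference. It would also help to state in the PR description that changing `encrypted`/`kms_key_id` on an existing instance's `root_block_device` forces replacement of the `aws_instance` rather than an in-place update, so applying this recreates the resolver. The `aws_instance` "instance" resource starts and ends outside the hunk.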