
Makes Resolver Partition Sizes Consistent Again

Partition sizes in test and prod had drifted apart. I used the console to make them
consistent, then updated this configuration to match.

To be tagged v3.2.6
Fred Damstra [afs macbook] 3 жил өмнө
parent
commit
eaf25bf975

+ 0 - 89
base/dns/resolver_instance/amis.tf

@@ -1,89 +0,0 @@
-locals {
-  ami_map = {
-    "base"       = data.aws_ami.base.image_id,
-    "minion"     = data.aws_ami.minion.image_id,
-    "master"     = data.aws_ami.master.image_id,
-    #    "ubuntu1804" = data.aws_ami.ubuntu1804.image_id,
-  }
-}
-
-data "aws_ami" "base" {
-  most_recent = true
-  owners = [ var.common_services_account ]
-
-  filter {
-    name   = "virtualization-type"
-    values = ["hvm"]
-  }
-
-  filter {
-    name = "root-device-type"
-    values = ["ebs"]
-  }
-
-  filter {
-    name = "name"
-    values = [ "MSOC_RedHat_Base_*" ]
-  }
-}
-
-data "aws_ami" "minion" {
-  most_recent = true
-  owners = [ var.common_services_account ]
-
-  filter {
-    name   = "virtualization-type"
-    values = ["hvm"]
-  }
-
-  filter {
-    name = "root-device-type"
-    values = ["ebs"]
-  }
-
-  filter {
-    name = "name"
-    values = [ "MSOC_RedHat_Minion_*" ]
-  }
-}
-
-data "aws_ami" "master" {
-  most_recent = true
-  owners = [ var.common_services_account ]
-
-  filter {
-    name   = "virtualization-type"
-    values = ["hvm"]
-  }
-
-  filter {
-    name = "root-device-type"
-    values = ["ebs"]
-  }
-
-  filter {
-    name = "name"
-    values = [ "MSOC_RedHat_Master_*" ]
-  }
-}
-
-# Not presently in commercial
-#data "aws_ami" "ubuntu1804" {
-#  most_recent = true
-#  owners = [ var.common_services_account ]
-#
-#  filter {
-#    name   = "virtualization-type"
-#    values = ["hvm"]
-#  }
-#
-#  filter {
-#    name = "root-device-type"
-#    values = ["ebs"]
-#  }
-#
-#  filter {
-#    name = "name"
-#    values = [ "MSOC_Ubuntu_1804_*" ]
-#  }
-#}

+ 1 - 0
base/dns/resolver_instance/amis.tf

@@ -0,0 +1 @@
+../../amis.tf

+ 84 - 3
base/dns/resolver_instance/main.tf

@@ -1,4 +1,5 @@
 locals {
+  ami_selection = "minion" # master, minion, ...
   instance_name = "${var.instance_prefix}-${var.instance_number}"
 }
 
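Review bot: The new `ami_selection` local is consulted only by the `snapshot_id` lookups in the third hunk, while the instance's `ami` argument (visible there as context) still hard-codes `local.ami_map["minion"]`; switching the local to `master` would pair a minion root AMI with master block-device snapshots. Make the two agree by changing that line to `ami = local.ami_map[local.ami_selection]`. A comment on the local, such as `# Drives both the root AMI and the per-volume snapshot_id lookups; the key must exist in local.ami_map and local.block_device_mappings`, would make the coupling explicit. `local.block_device_mappings` is not defined anywhere in the visible diff and presumably comes from the symlinked `../../amis.tf`; confirm it is keyed by the same names as `ami_map`.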
@@ -9,6 +10,10 @@ data "aws_security_group" "typical-host" {
   vpc_id = var.vpc_id
 }
 
+data "aws_kms_key" "ebs-key" {
+  key_id = "alias/ebs_root_encrypt_decrypt"
+}
+
 resource "aws_network_interface" "instance" {
   subnet_id = var.subnet_id
   security_groups = [ data.aws_security_group.typical-host.id, aws_security_group.dns_security_group.id ]
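Review bot: The key looked up here is applied to every added `ebs_block_device`, but the `root_block_device` in the third hunk sets neither `encrypted = true` nor `kms_key_id`, so the root volume is encrypted only if the account's EBS default-encryption setting happens to be on, and then with the account default key rather than `alias/ebs_root_encrypt_decrypt`. Add `encrypted = true` and `kms_key_id = data.aws_kms_key.ebs-key.arn` to `root_block_device` so the root disk follows the same policy as the data volumes; on an existing instance this forces replacement, so plan it deliberately. The data source itself deserves a comment that a missing alias fails at plan time: `# Customer-managed key for all instance volumes; the alias must exist in this account/region.`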
@@ -39,14 +44,90 @@ resource "aws_instance" "instance" {
   iam_instance_profile = "msoc-default-instance-profile"
 
   ami = local.ami_map["minion"]
-  lifecycle { ignore_changes = [ ami, key_name, user_data ] }
+  lifecycle { ignore_changes = [ ami, key_name, user_data, ebs_block_device ] }
 
   root_block_device {
-      volume_type = "gp2"
-      #volume_size = "60"
+      volume_type = "gp3"
+      volume_size = 10
       delete_on_termination = true
   }
 
+  ebs_block_device {
+    # swap
+    device_name = "/dev/xvdm"
+    volume_size = 8
+    volume_type = "gp3"
+    delete_on_termination = true
+    encrypted = true
+    kms_key_id = data.aws_kms_key.ebs-key.arn
+    # Snapshot IDs need to be grabbed from the ami, or it will replace every time. It's ugly.
+    # This may prompt replacement when the AMI is updated.
+    # See:
+    #   https://github.com/hashicorp/terraform/issues/19958
+    #   https://github.com/terraform-providers/terraform-provider-aws/issues/13118
+    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdm"].ebs.snapshot_id
+  }
+  ebs_block_device {
+    # /home
+    device_name = "/dev/xvdn"
+    volume_size = 8
+    volume_type = "gp3"
+    delete_on_termination = true
+    encrypted = true
+    kms_key_id = data.aws_kms_key.ebs-key.arn
+    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdn"].ebs.snapshot_id
+  }
+  ebs_block_device {
+    # /var
+    device_name = "/dev/xvdo"
+    volume_size = 4
+    volume_type = "gp3"
+    delete_on_termination = true
+    encrypted = true
+    kms_key_id = data.aws_kms_key.ebs-key.arn
+    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdo"].ebs.snapshot_id
+  }
+  ebs_block_device {
+    # /var/tmp
+    device_name = "/dev/xvdp"
+    volume_size = 4
+    volume_type = "gp3"
+    delete_on_termination = true
+    encrypted = true
+    kms_key_id = data.aws_kms_key.ebs-key.arn
+    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdp"].ebs.snapshot_id
+  }
+  ebs_block_device {
+    # /var/log
+    device_name = "/dev/xvdq"
+    volume_size = 8
+    volume_type = "gp3"
+    delete_on_termination = true
+    encrypted = true
+    kms_key_id = data.aws_kms_key.ebs-key.arn
+    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdq"].ebs.snapshot_id
+  }
+  ebs_block_device {
+    # /var/log/audit
+    device_name = "/dev/xvdr"
+    volume_size = 8
+    volume_type = "gp3"
+    delete_on_termination = true
+    encrypted = true
+    kms_key_id = data.aws_kms_key.ebs-key.arn
+    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdr"].ebs.snapshot_id
+  }
+  ebs_block_device {
+    # /tmp
+    device_name = "/dev/xvds"
+    volume_size = 4
+    volume_type = "gp3"
+    delete_on_termination = true
+    encrypted = true
+    kms_key_id = data.aws_kms_key.ebs-key.arn
+    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvds"].ebs.snapshot_id
+  }
+
   network_interface {
     device_index = 0
     network_interface_id = aws_network_interface.instance.id