Add support for creating encrypted volume

Fixes: kubernetes-sigs#16

pkg/cloud/cloud.go

@@ -102,6 +102,10 @@ type DiskOptions struct {
 	VolumeType       string
 	IOPSPerGB        int
 	AvailabilityZone string
+	Encrypted        bool
+	// fully qualified resource name to the key to use for encryption.
+	// example: arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef
+	KmsKeyID string
 }
 
 // EC2 abstracts aws.EC2 to facilitate its mocking.
@@ -215,6 +219,11 @@ func (c *cloud) CreateDisk(ctx context.Context, volumeName string, diskOptions *
 		Size:              aws.Int64(capacityGiB),
 		VolumeType:        aws.String(createType),
 		TagSpecifications: []*ec2.TagSpecification{&tagSpec},
+		Encrypted:         aws.Bool(diskOptions.Encrypted),
+	}
+	if len(diskOptions.KmsKeyID) > 0 {
+		request.KmsKeyId = aws.String(diskOptions.KmsKeyID)
+		request.Encrypted = aws.Bool(true)
 	}
 	if iops > 0 {
 		request.Iops = aws.Int64(iops)

pkg/cloud/cloud_test.go

@@ -77,6 +77,22 @@ func TestCreateDisk(t *testing.T) {
 			},
 			expErr: fmt.Errorf("CreateVolume generic error"),
 		},
+		{
+			name:       "success: normal with encrypted volume",
+			volumeName: "vol-test-name",
+			diskOptions: &DiskOptions{
+				CapacityBytes:    util.GiBToBytes(1),
+				Tags:             map[string]string{VolumeNameTagKey: "vol-test"},
+				AvailabilityZone: "us-west-2",
+				Encrypted:        true,
+				KmsKeyID:         "arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef",
+			},
+			expDisk: &Disk{
+				VolumeID:    "vol-test",
+				CapacityGiB: 1,
+			},
+			expErr: nil,
+		},
 	}
 
 	for _, tc := range testCases {

pkg/driver/controller.go

@@ -86,12 +86,23 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		}
 	}
 
+	var (
+		isEncrypted bool
+		kmsKeyId    string
+	)
+	if volumeParams["encrypted"] == "true" {
+		isEncrypted = true
+		kmsKeyId = volumeParams["kmsKeyId"]
+	}
+
 	opts := &cloud.DiskOptions{
 		CapacityBytes:    volSizeBytes,
 		Tags:             map[string]string{cloud.VolumeNameTagKey: volName},
 		VolumeType:       volumeType,
 		IOPSPerGB:        iopsPerGB,
 		AvailabilityZone: zone,
+		Encrypted:        isEncrypted,
+		KmsKeyID:         kmsKeyId,
 	}
 	disk, err = d.cloud.CreateDisk(ctx, volName, opts)
 	if err != nil {

pkg/driver/controller_test.go

@@ -182,6 +182,39 @@ func TestCreateVolume(t *testing.T) {
 				Attributes:    map[string]string{"fsType": ""},
 			},
 		},
+		{
+			name: "success with volume encrpytion",
+			req: &csi.CreateVolumeRequest{
+				Name:               "vol-test",
+				CapacityRange:      stdCapRange,
+				VolumeCapabilities: stdVolCap,
+				Parameters: map[string]string{
+					"encrypted": "true",
+				},
+			},
+			expVol: &csi.Volume{
+				CapacityBytes: stdVolSize,
+				Id:            "vol-test",
+				Attributes:    map[string]string{"fsType": ""},
+			},
+		},
+		{
+			name: "success with volume encrpytion with KMS key",
+			req: &csi.CreateVolumeRequest{
+				Name:               "vol-test",
+				CapacityRange:      stdCapRange,
+				VolumeCapabilities: stdVolCap,
+				Parameters: map[string]string{
+					"encrypted": "true",
+					"kmsKeyId":  "arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef",
+				},
+			},
+			expVol: &csi.Volume{
+				CapacityBytes: stdVolSize,
+				Id:            "vol-test",
+				Attributes:    map[string]string{"fsType": ""},
+			},
+		},
 	}
 
 	for _, tc := range testCases {