feat: configurable EBS root volume encryption #14
Merged
leonardosul merged 2 commits into main on Mar 3, 2026
Add `encrypt_root_volume` variable (default: true) so users who prioritize boot speed over root volume encryption can opt out. Encrypted gp3 volumes add ~6s to EC2 pending state vs unencrypted. The NAT instance is a stateless packet forwarder with no sensitive data on the root volume.

- Wire variable into launch template and CONFIG_VERSION hash
- Test fixture defaults to false to benchmark unencrypted boot
- Timing summary now logs encryption state for comparison across runs
- Add performance docs section and "Faster Cold Start" example

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…aims

- Remove false DLQ claim from README (no SQS DLQ exists; Lambda retries via EventBridge with maximum_retry_attempts=2)
- Fix testing.md: phases 1-3 are EventBridge-driven, not direct Lambda invocations
- Remove unverified "Root Volume Encryption" performance section and "Faster Cold Start" example (benchmark showed no measurable difference)
- Update ConfigVersion hash descriptions to include encryption setting
- Strip performance claim from encrypt_root_volume variable description
- Reset test fixture default back to encrypted (true)
- Regenerate terraform-docs in README and reference.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary

- `encrypt_root_volume` variable (default `true`) so users can disable root EBS encryption for faster cold starts

Benchmark plan

The test fixture defaults to `encrypt_root_volume = false` in this PR so the integration test runs with encryption disabled. The timing summary now logs encryption state, making it easy to compare against previous runs (which all used encrypted volumes).

Key phases to compare:

- `Wait for NAT running with EIP`
- `Wait for NAT restarted with EIP`
- `Wait for workload egress IP`

Merge criteria: only merge if cold-start timing shows meaningful improvement (~5-6s faster) with no regression on restart or connectivity.

After merging, reset the fixture default back to `true` so future test runs use the secure default.

Test plan

- `encrypt_root_volume = false`
- `Wait for NAT running with EIP`) is ~5-6s faster than baseline (~60-70s → ~55-65s)
- `terraform validate` passes at root and fixture
- `go vet ./...` passes

🤖 Generated with Claude Code
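
A CI guard for the opt-out this PR introduces, as an added example (not code from the PR or the project): it reads `terraform show -json` plan output and lists launch templates whose EBS mappings are not explicitly encrypted. The resource addresses and the sample plan are constructed; the AWS provider reports `encrypted` as a string, so both the string and boolean forms are accepted.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output.
# Resource addresses are hypothetical, not taken from the project.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_launch_template.nat_encrypted", "type": "aws_launch_template",
     "change": {"actions": ["create"], "after": {"block_device_mappings": [
         {"device_name": "/dev/xvda", "ebs": [{"encrypted": "true"}]}]}}},
    {"address": "aws_launch_template.nat_opted_out", "type": "aws_launch_template",
     "change": {"actions": ["update"], "after": {"block_device_mappings": [
         {"device_name": "/dev/xvda", "ebs": [{"encrypted": "false"}]}]}}},
    {"address": "aws_launch_template.retired", "type": "aws_launch_template",
     "change": {"actions": ["delete"], "after": None}},
    {"address": "aws_instance.other", "type": "aws_instance",
     "change": {"actions": ["create"], "after": {}}},
]})


def is_encrypted(value):
    """True only for an explicit true; the provider uses the string "true"."""
    return value is True or str(value).lower() == "true"


def unencrypted_launch_templates(plan_json):
    """Return (address, device_name) for EBS mappings not explicitly encrypted."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")
        if rc.get("type") != "aws_launch_template" or not after:
            continue  # skip other resource types and deletions (after is null)
        # Templates with no mapping inherit the AMI's settings and are not judged here.
        for mapping in after.get("block_device_mappings") or []:
            for ebs in mapping.get("ebs") or []:
                if not is_encrypted(ebs.get("encrypted")):
                    findings.append((rc["address"], mapping.get("device_name")))
    return findings


if __name__ == "__main__":
    for address, device in unencrypted_launch_templates(SAMPLE_PLAN):
        print(f"unencrypted EBS mapping: {address} {device}")
```

A value that is unknown at plan time is absent from `after`, so it is reported as not explicitly encrypted rather than passed silently.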