EBS volume encryption fleet/spot exclusive?

[tibuntu]

Describe the bug

EBS volume encryption only supported for fleet/spot instances.

In the recent 8.0.0 release support for encrypted EBS volumes was announced.

After finally updating to 8.1.0 today, we were quite confused because we only saw that partially for our Runners.
Turned out that the condition in template/runner-docker-machine-config.tftpl is based on the use_fleet parameter.

Is there a specific reason why this only supported for fleet/spot instances? We also use On-Demand instances for a few runners/special jobs.

To Reproduce

Steps to reproduce the behavior:

1. Call the module with

  runner_worker_docker_machine_fleet = {
    enable = true
  }

2. Start a job with the configured runner tag
3. Check the EBS volume of the instance to see that it is unencrypted

Expected behavior

As the 8.0.0 clearly states "[...] encrypt all EBS" we would have expected EBS encryption for all instance types.

[kayman-mk]

Docs: https://gitlab.com/gitlab-org/ci-cd/docker-machine/-/blob/main/docs/drivers/aws.md
PR: #1204

[kayman-mk]

I do not find any comments that it's related to the fleeting plugin. It's a bug.

[tibuntu]

Amazing! As always big thank you for the quick response!