feat: (IAC-1386) EncryptAtHost changes for NIST

[riragh]

Changes:

This PR adds EncryptAtHost requirements in the VMs and AKS nodes.

• Virtual machines and virtual machine scale sets should have encryption at host enabled.
• Temp disks and cache for agent node pools in AKS clusters should be encrypted at host.

Note: You must enable the feature for your subscription before you use the EncryptionAtHost property for your VM/VMSS. Use the following steps to enable the feature for your subscription:

Execute the following command to register the feature for your subscription
  az feature register --namespace Microsoft.Compute --name EncryptionAtHost

Check that the registration state is Registered (takes a few minutes) using the command below before trying out the feature.
  az feature show --namespace Microsoft.Compute --name EncryptionAtHost

This is an optional features, to enable encryption at host for nodes and VMs you would set the following variables:

Name	Description	Type	Default
enable_vm_host_encryption	Setting this variable enables all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host. This setting applies to both Jump and NFS VM.	bool	false
vm_disk_encryption_set_id	The ID of the Disk Encryption Set which should be used to Encrypt this OS Disk. This setting applies to both Jump and NFS VM.	string	null
aks_cluster_enable_host_encryption	Enables host encryption on all the nodes in the Node Pool.	bool	false
aks_node_disk_encryption_set_id	The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. Changing this forces a new resource to be created.	string	null

By default, when using AKS, OS and data disks use server-side encryption with platform-managed keys. The caches for these disks are encrypted at rest with platform-managed keys. You can specify your own managed keys following Bring your own keys (BYOK) with Azure disks in Azure Kubernetes Service. The caches for these disks are also encrypted using the key you specify.

When using customer-managed-keys, ensure you have the proper AKS credentials. The managed identity needs to have contributor access to the resource group where the diskencryptionset is deployed. Otherwise, you'll get an error suggesting that the managed identity does not have permissions.
Also, make sure the VNet of your deployment has access to the Key Vault which has the diskencryptionset.
Note: Adding the subnet service endpoints makes the process smooth.

Tests:

Scenario	Description	Order Cadence	Verification
1	Defaults, no changes	Fast 2020	Transparent to user, no changes
2	Set enable_vm_host_encryption = true, aks_cluster_enable_host_encryption = true	fast:2020	Encryption at host enabled with platform-managed keys on VM and nodes in nodepools
3	Set enable_vm_host_encryption = true, vm_disk_encryption_set_id = "<disk_encryption_set_id>", aks_cluster_enable_host_encryption = true, aks_node_disk_encryption_set_id = "<disk_encryption_set_id>"	fast:2020	Encryption at host enabled with customer-managed keys on VM and nodes in nodepools

[thpang]

Are these breaking changes? I see where we are adding items into the node pool definitions and how the vms are being created as well.

[riragh]

Are these breaking changes? I see where we are adding items into the node pool definitions and how the vms are being created as well.

No not a breaking change. The default values are set for the variables as false and null, which guards this. So it doesn't affect the existing user.

[thpang]

LGTM