Terraform-provider-aws: EBS root block encryption not available in EC2

Created on 23 Oct 2018  ·  10 Comments  ·  Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

I would like the following to work:

    root_block_device = {
      volume_type = "gp2"
      volume_size = "10"
      encrypted   = true
    }

Current state if used:

root_block_device.0: invalid or unknown key: encrypted

Works fine with the ebs_block_device resource (https://www.terraform.io/docs/providers/aws/r/instance.html#block-devices). This is a fairly general use case in AWS; without this, the most used volume of an instance won't be encrypted.

New or Affected Resource(s)

  • aws_instance
  • aws_ebs_volume (potentially)

Potential Terraform Configuration

resource "aws_instance" "xy" {
    root_block_device = {
      volume_type = "gp2"
      volume_size = "10"
      encrypted   = true
    }
}

References

enhancement service/ec2
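An added check, not code from this issue or from terraform-provider-aws, for the gap the request describes: while `root_block_device` cannot ask for encryption, an account can end up with encrypted `ebs_block_device` data volumes attached to instances whose root volume is still plaintext. The script below works on the plain dict shapes returned by EC2 DescribeInstances and DescribeVolumes, resolves each instance's RootDeviceName to its EBS volume ID, and reports whether that volume is encrypted and under which KMS key. The sample instances, volume IDs and KMS key ARN are constructed for the demo; `fetch_live` is an assumption that boto3 and AWS credentials are available and is not needed to run the offline part.

```python
"""Audit EC2 instances for unencrypted root EBS volumes.

Added example for this thread; not code from terraform-provider-aws.
Operates on the dict shapes returned by DescribeInstances and
DescribeVolumes, so it runs offline on the constructed sample data
below and on live boto3 output via fetch_live().
"""
from __future__ import annotations

from typing import Any, Iterable


def root_volume_id(instance: dict[str, Any]) -> str | None:
    """Return the EBS volume ID backing the instance's root device, or None.

    RootDeviceName (e.g. /dev/sda1 or /dev/xvda) is matched against the
    DeviceName of each BlockDeviceMapping. An instance-store root has no
    matching Ebs mapping, so None is returned for it.
    """
    root = instance.get("RootDeviceName")
    for mapping in instance.get("BlockDeviceMappings", []):
        if mapping.get("DeviceName") == root and "Ebs" in mapping:
            return mapping["Ebs"].get("VolumeId")
    return None


def audit_root_encryption(
    instances: Iterable[dict[str, Any]], volumes: Iterable[dict[str, Any]]
) -> list[dict[str, Any]]:
    """One finding per instance.

    Status is one of: encrypted, unencrypted, no-ebs-root, volume-not-found.
    KmsKeyId is copied from the volume when present (None for unencrypted
    volumes), so findings can also be grouped by key.
    """
    by_id = {v["VolumeId"]: v for v in volumes}
    findings: list[dict[str, Any]] = []
    for inst in instances:
        finding: dict[str, Any] = {
            "InstanceId": inst.get("InstanceId"),
            "RootDeviceName": inst.get("RootDeviceName"),
            "VolumeId": None,
            "KmsKeyId": None,
        }
        vid = root_volume_id(inst)
        if vid is None:
            finding["Status"] = "no-ebs-root"
        elif vid not in by_id:
            finding["Status"] = "volume-not-found"
        else:
            vol = by_id[vid]
            finding["VolumeId"] = vid
            finding["KmsKeyId"] = vol.get("KmsKeyId")
            finding["Status"] = "encrypted" if vol.get("Encrypted") else "unencrypted"
        findings.append(finding)
    return findings


def unencrypted_root_instances(findings: Iterable[dict[str, Any]]) -> list[str]:
    """Instance IDs whose root volume exists but is not encrypted."""
    return sorted(f["InstanceId"] for f in findings if f["Status"] == "unencrypted")


def fetch_live(region: str) -> tuple[list[dict[str, Any]], list[dict[str, Any]]]:
    """Pull real data with boto3 (assumption: boto3 installed, credentials configured).

    Imported lazily so the offline demo below has no AWS dependency.
    """
    import boto3

    ec2 = boto3.client("ec2", region_name=region)
    instances = [
        i
        for page in ec2.get_paginator("describe_instances").paginate()
        for r in page["Reservations"]
        for i in r["Instances"]
    ]
    volumes = [
        v for page in ec2.get_paginator("describe_volumes").paginate() for v in page["Volumes"]
    ]
    return instances, volumes


# Constructed sample data, not captured from a real account; IDs and the key ARN are made up.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "RootDeviceName": "/dev/sda1",
     "BlockDeviceMappings": [{"DeviceName": "/dev/sda1", "Ebs": {"VolumeId": "vol-0001"}}]},
    # The case from the thread: an encrypted ebs_block_device, but the root
    # volume came from an unencrypted public AMI and stays plaintext.
    {"InstanceId": "i-0bbb", "RootDeviceName": "/dev/xvda",
     "BlockDeviceMappings": [
         {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0002"}},
         {"DeviceName": "/dev/sdf", "Ebs": {"VolumeId": "vol-0003"}}]},
    # Instance-store root: no EBS mapping for the root device at all.
    {"InstanceId": "i-0ccc", "RootDeviceName": "/dev/sda1", "BlockDeviceMappings": []},
]
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0001", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"},
    {"VolumeId": "vol-0002", "Encrypted": False},
    {"VolumeId": "vol-0003", "Encrypted": True},
]

if __name__ == "__main__":
    for f in audit_root_encryption(SAMPLE_INSTANCES, SAMPLE_VOLUMES):
        print(f"{f['InstanceId']:8} {f['RootDeviceName'] or '-':10} {f['Status']}")
```

Run as-is for the offline demo, or replace the sample data with `fetch_live("us-east-1")` to audit a real region. Only the root volume is inspected, because that is the volume this issue says Terraform could not encrypt; a per-instance result rather than a per-volume one keeps "data volume encrypted, root not" visible instead of averaging it away.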

All 10 comments

Please also add support for kms_key_id

aws_launch_configuration would also need updating to allow machines to have their root volumes encrypted.

Input

resource "aws_launch_configuration" "example_config" {
  image_id             = "ami-0274e11dced17bb5b"
  instance_type        = "t2.micro"
  root_block_device {
    encrypted = true
  }
}

Current Output

aws_launch_configuration.example_config: root_block_device.0: invalid or unknown key: encrypted

The current workaround for this is to use an encrypted AMI (see https://github.com/terraform-aws-modules/terraform-aws-ec2-instance/issues/6#issuecomment-387003402).

I hacked on this functionality and got it to read the root block encrypted state, but I could not get it to encrypt an AMI that was unencrypted.

--- FAIL: TestAccAWSInstance_blockDevices (7.80s)
    testing.go:538: Step 0 error: Error applying: 1 error occurred:
                * aws_instance.foo: 1 error occurred:
                * aws_instance.foo: Error launching source instance: InvalidBlockDeviceMapping: the encrypted flag cannot be specified since device /dev/sda1 has a snapshot specified.
                status code: 400, request id: eafc2b82-1ce1-47e4-9b4a-c5949696c7d4

@johnjelinek I got this working in #7757 with unencrypted AMIs. The acceptance tests use vanilla public Ubuntu AMIs. @jcreyf I also added kms_key_id to both ebs_block_device and root_block_device.

@a-h sadly, I didn't get to aws_launch_configuration. I'll try to get to that in another PR.

@a-h #7759 adds encrypted to root_block_device on aws_launch_configuration. 👍

@joestump what about launch templates? do you plan to add a third PR for that?

@felixb I'll take a look.

Hi folks, thanks for pushing this request forward. To help consolidate this EBS encryption request, I am going to roll this issue into the new parent #8624, where we can continue to track progress and discuss implementation details.

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
