Terraform-provider-aws: Add support for managing ebs default encryption
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
AWS has released the ability to encrypt all new EBS volumes by default, however it is opt-in. It would be great to be able to manage the related settings in TF.
New or Affected Resource(s)
Proposed new resource: aws_ebs_encryption_by_default
Potential Terraform Configuration
resource "aws_ebs_encryption_by_default" "ebs" {
enabled = true
kms_key_id = "${aws_kms_key.default_ebs_key.arn}"
}
Both arguments are optional.
Default value for enabled is true. Setting it false or destroying the resource will disable EBS encryption by default.
Removing the kms_key_id or destroying the resource will reset the KMS key ID to the default EBS key.
References
https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/
devonbleak
All 10 comments
ewbankkit
on 23 May 2019
Maybe cleaner to have 2 new resources, one for managing the EBS encryption-by-default value and one for managing the default EBS encryption key as there are two distinct sets of EC2 APIs for these?
e.g.
resource "aws_ebs_encryption_by_default" "ebs" {
enabled = true
}
resource "aws_ebs_default_kms_key" "ebs" {
key_id = "${aws_kms_key.default_ebs_key.arn}"
}
We need this one so I'll take it on if nobody else has started.
ewbankkit
on 24 May 2019
@ewbankkit I haven't started on it.
Regarding splitting into 2 resources I would just make it clear in the docs that setting the default key does not actually enable the default encryption.
devonbleak
on 24 May 2019
It will probably be useful to have data sources for these two as well. I'll open another issue.
ewbankkit
on 24 May 2019
What value would a data source for aws_ebs_encryption_by_default add and what would the potential parameters be?
Adding a data source for the kms key seems very useful and I'd like to work on that at least but could you clarify your thoughts behind adding one for aws_ebs_encryption_by_default @ewbankkit ?
Jukie
on 31 May 2019
@Jukie The value would be that subsequent resources could be conditionally created based on the value of "${data.aws_ebs_encryption_by_default.ebs.enabled}".
ewbankkit
on 31 May 2019
Two new resources for managing EBS encryption defaults (aws_ebs_default_kms_key and
aws_ebs_encryption_by_default) have been merged and will release with version 2.16.0 of the Terraform AWS Provider, likely tomorrow. 👍 Thanks to @ewbankkit!
bflad
on 20 Jun 2019
This has been released in version 2.16.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
bflad
on 21 Jun 2019
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
![hashibot[bot] picture](https://avatars2.githubusercontent.com/in/8332?v=4&s=40)
hashibot[bot]
on 3 Nov 2019
Related issues
hashibot
·
3Comments
dvishniakov
·
3Comments
carmas
·
3Comments
EmmN
·
3Comments
hashibot
·
3Comments
Most helpful comment
Maybe cleaner to have 2 new resources, one for managing the EBS encryption-by-default value and one for managing the default EBS encryption key as there are two distinct sets of EC2 APIs for these?
e.g.