Merge branch 'f-aws_instance-root_block_device-encryption'

hashicorp · Aug 2, 2019 · 7d0ca42 · 7d0ca42
2 parents 851304e + 80cb0f2
commit 7d0ca42
Show file tree

Hide file tree

Showing 6 changed files with 266 additions and 27 deletions.
diff --git a/aws/data_source_aws_instance.go b/aws/data_source_aws_instance.go
@@ -187,6 +187,11 @@ func dataSourceAwsInstance() *schema.Resource {
 							Computed: true,
 						},
 
+						"kms_key_id": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+
 						"snapshot_id": {
 							Type:     schema.TypeString,
 							Computed: true,
@@ -219,11 +224,21 @@ func dataSourceAwsInstance() *schema.Resource {
 							Computed: true,
 						},
 
+						"encrypted": {
+							Type:     schema.TypeBool,
+							Computed: true,
+						},
+
 						"iops": {
 							Type:     schema.TypeInt,
 							Computed: true,
 						},
 
+						"kms_key_id": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+
 						"volume_size": {
 							Type:     schema.TypeInt,
 							Computed: true,

diff --git a/aws/data_source_aws_instance_test.go b/aws/data_source_aws_instance_test.go
@@ -1,10 +1,9 @@
 package aws
 
 import (
-	"testing"
-
 	"fmt"
 	"regexp"
+	"testing"
 
 	"github.com/hashicorp/terraform/helper/acctest"
 	"github.com/hashicorp/terraform/helper/resource"
@@ -107,6 +106,32 @@ func TestAccAWSInstanceDataSource_blockDevices(t *testing.T) {
 	})
 }
 
+// Test to verify that ebs_block_device kms_key_id does not elicit a panic
+func TestAccAWSInstanceDataSource_EbsBlockDevice_KmsKeyId(t *testing.T) {
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccInstanceDataSourceConfig_EbsBlockDevice_KmsKeyId,
+			},
+		},
+	})
+}
+
+// Test to verify that root_block_device kms_key_id does not elicit a panic
+func TestAccAWSInstanceDataSource_RootBlockDevice_KmsKeyId(t *testing.T) {
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccInstanceDataSourceConfig_RootBlockDevice_KmsKeyId,
+			},
+		},
+	})
+}
+
 func TestAccAWSInstanceDataSource_rootInstanceStore(t *testing.T) {
 	resource.ParallelTest(t, resource.TestCase{
 		PreCheck:  func() { testAccPreCheck(t) },
@@ -486,6 +511,56 @@ data "aws_instance" "foo" {
 }
 `
 
+const testAccInstanceDataSourceConfig_EbsBlockDevice_KmsKeyId = `
+resource "aws_kms_key" "foo" {
+  deletion_window_in_days = 7
+}
+
+resource "aws_instance" "foo" {
+  # us-west-2
+  ami = "ami-55a7ea65"
+  instance_type = "m3.medium"
+
+  root_block_device {
+    volume_type = "gp2"
+    volume_size = 11
+  }
+  ebs_block_device {
+    device_name = "/dev/sdb"
+    encrypted   = true
+    kms_key_id = "${aws_kms_key.foo.arn}"
+    volume_size = 9
+  }
+}
+
+data "aws_instance" "foo" {
+  instance_id = "${aws_instance.foo.id}"
+}
+`
+
+const testAccInstanceDataSourceConfig_RootBlockDevice_KmsKeyId = `
+resource "aws_kms_key" "foo" {
+  deletion_window_in_days = 7
+}
+
+resource "aws_instance" "foo" {
+  # us-west-2
+  ami = "ami-55a7ea65"
+  instance_type = "m3.medium"
+
+  root_block_device {
+    encrypted   = true
+    kms_key_id = "${aws_kms_key.foo.arn}"
+    volume_type = "gp2"
+    volume_size = 11
+  }
+}
+
+data "aws_instance" "foo" {
+  instance_id = "${aws_instance.foo.id}"
+}
+`
+
 const testAccInstanceDataSourceConfig_rootInstanceStore = `
 resource "aws_instance" "foo" {
   ami = "ami-44c36524"

diff --git a/aws/resource_aws_instance.go b/aws/resource_aws_instance.go
@@ -336,6 +336,13 @@ func resourceAwsInstance() *schema.Resource {
 							ForceNew: true,
 						},
 
+						"kms_key_id": {
+							Type:     schema.TypeString,
+							Optional: true,
+							Computed: true,
+							ForceNew: true,
+						},
+
 						"iops": {
 							Type:             schema.TypeInt,
 							Optional:         true,
@@ -432,6 +439,20 @@ func resourceAwsInstance() *schema.Resource {
 							ForceNew: true,
 						},
 
+						"encrypted": {
+							Type:     schema.TypeBool,
+							Optional: true,
+							Computed: true,
+							ForceNew: true,
+						},
+
+						"kms_key_id": {
+							Type:     schema.TypeString,
+							Optional: true,
+							Computed: true,
+							ForceNew: true,
+						},
+
 						"iops": {
 							Type:             schema.TypeInt,
 							Optional:         true,
@@ -1328,16 +1349,19 @@ func readBlockDevicesFromInstance(instance *ec2.Instance, conn *ec2.EC2) (map[st
 		if vol.Iops != nil {
 			bd["iops"] = *vol.Iops
 		}
+		if vol.Encrypted != nil {
+			bd["encrypted"] = *vol.Encrypted
+		}
+		if vol.KmsKeyId != nil {
+			bd["kms_key_id"] = *vol.KmsKeyId
+		}
 
 		if blockDeviceIsRoot(instanceBd, instance) {
 			blockDevices["root"] = bd
 		} else {
 			if instanceBd.DeviceName != nil {
 				bd["device_name"] = *instanceBd.DeviceName
 			}
-			if vol.Encrypted != nil {
-				bd["encrypted"] = *vol.Encrypted
-			}
 			if vol.SnapshotId != nil {
 				bd["snapshot_id"] = *vol.SnapshotId
 			}
@@ -1370,15 +1394,15 @@ func fetchRootDeviceName(ami string, conn *ec2.EC2) (*string, error) {
 
 	// For a bad image, we just return nil so we don't block a refresh
 	if len(res.Images) == 0 {
-		return nil, nil
+		return nil, fmt.Errorf("No images found for AMI %s", ami)
 	}
 
 	image := res.Images[0]
 	rootDeviceName := image.RootDeviceName
 
 	// Instance store backed AMIs do not provide a root device name.
 	if *image.RootDeviceType == ec2.DeviceTypeInstanceStore {
-		return nil, nil
+		return nil, fmt.Errorf("Instance store backed AMIs do not provide a root device name - Use an EBS AMI")
 	}
 
 	// Some AMIs have a RootDeviceName like "/dev/sda1" that does not appear as a
@@ -1498,6 +1522,10 @@ func readBlockDeviceMappingsFromConfig(
 				ebs.Encrypted = aws.Bool(v)
 			}
 
+			if v, ok := bd["kms_key_id"].(string); ok && v != "" {
+				ebs.KmsKeyId = aws.String(v)
+			}
+
 			if v, ok := bd["volume_size"].(int); ok && v != 0 {
 				ebs.VolumeSize = aws.Int64(int64(v))
 			}
@@ -1555,6 +1583,14 @@ func readBlockDeviceMappingsFromConfig(
 				DeleteOnTermination: aws.Bool(bd["delete_on_termination"].(bool)),
 			}
 
+			if v, ok := bd["encrypted"].(bool); ok && v {
+				ebs.Encrypted = aws.Bool(v)
+			}
+
+			if v, ok := bd["kms_key_id"].(string); ok && v != "" {
+				ebs.KmsKeyId = aws.String(bd["kms_key_id"].(string))
+			}
+
 			if v, ok := bd["volume_size"].(int); ok && v != 0 {
 				ebs.VolumeSize = aws.Int64(int64(v))
 			}
@@ -1575,20 +1611,15 @@ func readBlockDeviceMappingsFromConfig(
 				log.Print("[WARN] IOPs is only valid for storate type io1 for EBS Volumes")
 			}
 
-			if dn, err := fetchRootDeviceName(d.Get("ami").(string), conn); err == nil {
-				if dn == nil {
-					return nil, fmt.Errorf(
-						"Expected 1 AMI for ID: %s, got none",
-						d.Get("ami").(string))
-				}
-
-				blockDevices = append(blockDevices, &ec2.BlockDeviceMapping{
-					DeviceName: dn,
-					Ebs:        ebs,
-				})
-			} else {
-				return nil, err
+			dn, err := fetchRootDeviceName(d.Get("ami").(string), conn)
+			if err != nil {
+				return nil, fmt.Errorf("Expected 1 AMI for ID: %s (%s)", d.Get("ami").(string), err)
 			}
+
+			blockDevices = append(blockDevices, &ec2.BlockDeviceMapping{
+				DeviceName: dn,
+				Ebs:        ebs,
+			})
 		}
 	}