From 80cb0f2a1b301e442ff33293cfe82a25c0b8e62b Mon Sep 17 00:00:00 2001 
From: Brian Flad
Date: Thu, 1 Aug 2019 21:50:21 -0400
Subject: [PATCH] service/ec2: Finish aws_instance implementation of ebs_block_device and root_block_device configuration block encryption and kms_key_arn arguments

Reference: https://github.com/terraform-providers/terraform-provider-aws/pull/4861
Reference: https://github.com/terraform-providers/terraform-provider-aws/pull/7757

Having combined and resolved conflicts between #4861 and #7757, performed the following changes:

* Ensured that existing acceptance testing was untouched and only new tests were added
* Ensured data source added new attributes to match resource to prevent panics
* Mark new arguments as Computed: true to only show operators differences when a value is configured

Output from acceptance testing:

```
--- PASS: TestAccAWSInstance_addSecondaryInterface (105.67s)
--- PASS: TestAccAWSInstance_addSecurityGroupNetworkInterface (217.17s)
--- PASS: TestAccAWSInstance_associatePublic_defaultPrivate (44.58s)
--- PASS: TestAccAWSInstance_associatePublic_defaultPublic (50.90s)
--- PASS: TestAccAWSInstance_associatePublic_explicitPrivate (71.19s)
--- PASS: TestAccAWSInstance_associatePublic_explicitPublic (71.06s)
--- PASS: TestAccAWSInstance_associatePublic_overridePrivate (50.87s)
--- PASS: TestAccAWSInstance_associatePublic_overridePublic (50.79s)
--- PASS: TestAccAWSInstance_associatePublicIPAndPrivateIP (70.96s)
--- PASS: TestAccAWSInstance_basic (115.07s)
--- PASS: TestAccAWSInstance_blockDevices (94.01s)
--- PASS: TestAccAWSInstance_changeInstanceType (339.11s)
--- PASS: TestAccAWSInstance_creditSpecification_isNotAppliedToNonBurstable (91.99s)
--- PASS: TestAccAWSInstance_creditSpecification_standardCpuCredits (77.48s)
--- PASS: TestAccAWSInstance_creditSpecification_standardCpuCredits_t2Tot3Taint (459.91s)
--- PASS: TestAccAWSInstance_creditSpecification_unknownCpuCredits_t2 (111.79s)
--- PASS: TestAccAWSInstance_creditSpecification_unknownCpuCredits_t3 (293.73s)
--- PASS: TestAccAWSInstance_creditSpecification_unlimitedCpuCredits (76.85s)
--- PASS: TestAccAWSInstance_creditSpecification_unlimitedCpuCredits_t2Tot3Taint (350.73s)
--- PASS: TestAccAWSInstance_creditSpecification_unspecifiedDefaultsToStandard (193.72s)
--- PASS: TestAccAWSInstance_creditSpecification_updateCpuCredits (92.51s)
--- PASS: TestAccAWSInstance_creditSpecificationT3_standardCpuCredits (279.61s)
--- PASS: TestAccAWSInstance_creditSpecificationT3_unlimitedCpuCredits (312.14s)
--- PASS: TestAccAWSInstance_creditSpecificationT3_unspecifiedDefaultsToUnlimited (305.64s)
--- PASS: TestAccAWSInstance_creditSpecificationT3_updateCpuCredits (129.74s)
--- PASS: TestAccAWSInstance_disableApiTermination (106.76s)
--- PASS: TestAccAWSInstance_disappears (208.33s)
--- PASS: TestAccAWSInstance_EbsBlockDevice_KmsKeyArn (96.43s)
--- PASS: TestAccAWSInstance_forceNewAndTagsDrift (91.27s)
--- PASS: TestAccAWSInstance_getPasswordData_falseToTrue (157.57s)
--- PASS: TestAccAWSInstance_getPasswordData_trueToFalse (187.90s)
--- PASS: TestAccAWSInstance_GP2IopsDevice (178.60s)
--- PASS: TestAccAWSInstance_GP2WithIopsValue (192.05s)
--- PASS: TestAccAWSInstance_importBasic (206.86s)
--- PASS: TestAccAWSInstance_importInDefaultVpcBySgId (196.44s)
--- PASS: TestAccAWSInstance_importInDefaultVpcBySgName (198.84s)
--- PASS: TestAccAWSInstance_instanceProfileChange (284.21s)
--- PASS: TestAccAWSInstance_ipv6_supportAddressCount (91.12s)
--- PASS: TestAccAWSInstance_ipv6_supportAddressCountWithIpv4 (61.07s)
--- PASS: TestAccAWSInstance_ipv6_supportAddressCountWithIpv4 (91.69s)
--- PASS: TestAccAWSInstance_ipv6AddressCountAndSingleAddressCausesError (6.80s)
--- PASS: TestAccAWSInstance_keyPairCheck (71.27s)
--- PASS: TestAccAWSInstance_multipleRegions (130.07s)
--- PASS: TestAccAWSInstance_NetworkInstanceRemovingAllSecurityGroups (75.58s)
--- PASS: TestAccAWSInstance_NetworkInstanceSecurityGroups (82.36s)
--- PASS: TestAccAWSInstance_NetworkInstanceVPCSecurityGroupIDs (72.07s)
--- PASS: TestAccAWSInstance_noAMIEphemeralDevices (172.12s)
--- PASS: TestAccAWSInstance_placementGroup (171.05s)
--- PASS: TestAccAWSInstance_primaryNetworkInterface (62.85s)
--- PASS: TestAccAWSInstance_primaryNetworkInterfaceSourceDestCheck (45.98s)
--- PASS: TestAccAWSInstance_privateIP (215.31s)
--- PASS: TestAccAWSInstance_RootBlockDevice_KmsKeyArn (294.73s)
--- PASS: TestAccAWSInstance_rootBlockDeviceMismatch (60.88s)
--- PASS: TestAccAWSInstance_rootInstanceStore (77.11s)
--- PASS: TestAccAWSInstance_sourceDestCheck (106.55s)
--- PASS: TestAccAWSInstance_tags (344.66s)
--- PASS: TestAccAWSInstance_UserData_EmptyStringToUnspecified (83.89s)
--- PASS: TestAccAWSInstance_UserData_UnspecifiedToEmptyString (84.78s)
--- PASS: TestAccAWSInstance_userDataBase64 (209.29s)
--- PASS: TestAccAWSInstance_volumeTags (106.31s)
--- PASS: TestAccAWSInstance_volumeTagsComputed (121.81s)
--- PASS: TestAccAWSInstance_vpc (109.39s)
--- PASS: TestAccAWSInstance_withIamInstanceProfile (118.89s)
--- PASS: TestAccAWSInstanceDataSource_AzUserData (229.07s)
--- PASS: TestAccAWSInstanceDataSource_basic (118.88s)
--- PASS: TestAccAWSInstanceDataSource_blockDevices (88.20s)
--- PASS: TestAccAWSInstanceDataSource_creditSpecification (86.16s)
--- PASS: TestAccAWSInstanceDataSource_EbsBlockDevice_KmsKeyArn (110.83s)
--- PASS: TestAccAWSInstanceDataSource_getPasswordData_falseToTrue (161.42s)
--- PASS: TestAccAWSInstanceDataSource_getPasswordData_trueToFalse (169.14s)
--- PASS: TestAccAWSInstanceDataSource_GetUserData (163.49s)
--- PASS: TestAccAWSInstanceDataSource_GetUserData_NoUserData (116.04s)
--- PASS: TestAccAWSInstanceDataSource_gp2IopsDevice (186.51s)
--- PASS: TestAccAWSInstanceDataSource_keyPair (84.88s)
--- PASS: TestAccAWSInstanceDataSource_PlacementGroup (71.30s)
--- PASS: TestAccAWSInstanceDataSource_privateIP (57.50s)
--- PASS: TestAccAWSInstanceDataSource_RootBlockDevice_KmsKeyArn (106.82s)
--- PASS: TestAccAWSInstanceDataSource_rootInstanceStore (86.51s)
--- PASS: 
TestAccAWSInstanceDataSource_tags (243.25s) --- PASS: TestAccAWSInstanceDataSource_VPC (105.44s) --- PASS: TestAccAWSInstanceDataSource_VPCSecurityGroups (131.62s) --- SKIP: TestAccAWSInstance_importInEc2Classic (1.10s) ``` --- aws/data_source_aws_instance.go | 18 +++- aws/data_source_aws_instance_test.go | 87 +++++++++++++++-- aws/resource_aws_instance.go | 9 +- aws/resource_aws_instance_test.go | 130 ++++++++++++++------------ website/docs/d/instance.html.markdown | 4 +- website/docs/r/instance.html.markdown | 8 +- 6 files changed, 177 insertions(+), 79 deletions(-) diff --git a/aws/data_source_aws_instance.go b/aws/data_source_aws_instance.go index 7a47d60236c..3516810b26c 100644 --- a/aws/data_source_aws_instance.go +++ b/aws/data_source_aws_instance.go @@ -182,13 +182,13 @@ func dataSourceAwsInstance() *schema.Resource { Computed: true, }, - "kms_key_id": { - Type: schema.TypeString, + "iops": { + Type: schema.TypeInt, Computed: true, }, - "iops": { - Type: schema.TypeInt, + "kms_key_id": { + Type: schema.TypeString, Computed: true, }, @@ -224,11 +224,21 @@ func dataSourceAwsInstance() *schema.Resource { Computed: true, }, + "encrypted": { + Type: schema.TypeBool, + Computed: true, + }, + "iops": { Type: schema.TypeInt, Computed: true, }, + "kms_key_id": { + Type: schema.TypeString, + Computed: true, + }, + "volume_size": { Type: schema.TypeInt, Computed: true, diff --git a/aws/data_source_aws_instance_test.go b/aws/data_source_aws_instance_test.go index 3881ad58ccb..9aec62f5a97 100644 --- a/aws/data_source_aws_instance_test.go +++ b/aws/data_source_aws_instance_test.go @@ -1,11 +1,9 @@ package aws import ( - "regexp" - "testing" - "fmt" "regexp" + "testing" "github.com/hashicorp/terraform/helper/acctest" "github.com/hashicorp/terraform/helper/resource" 
@@ -102,13 +100,38 @@ func TestAccAWSInstanceDataSource_blockDevices(t *testing.T) { resource.TestCheckResourceAttr("aws_instance.foo", "root_block_device.0.volume_type", "gp2"), resource.TestCheckResourceAttr("aws_instance.foo", "ebs_block_device.#", "3"), resource.TestCheckResourceAttr("aws_instance.foo", "ephemeral_block_device.#", "1"), - resource.TestMatchResourceAttr("aws_instance.foo", "ebs_block_device.2634515331.kms_key_id", regexp.MustCompile("^arn:aws[\\w-]*:kms:us-west-2:[0-9]{12}:key/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")), ), }, }, }) } +// Test to verify that ebs_block_device kms_key_id does not elicit a panic +func TestAccAWSInstanceDataSource_EbsBlockDevice_KmsKeyId(t *testing.T) { + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + Config: testAccInstanceDataSourceConfig_EbsBlockDevice_KmsKeyId, + }, + }, + }) +} + +// Test to verify that root_block_device kms_key_id does not elicit a panic +func TestAccAWSInstanceDataSource_RootBlockDevice_KmsKeyId(t *testing.T) { + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + Config: testAccInstanceDataSourceConfig_RootBlockDevice_KmsKeyId, + }, + }, + }) +} + func TestAccAWSInstanceDataSource_rootInstanceStore(t *testing.T) { resource.ParallelTest(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, @@ -450,11 +473,6 @@ data "aws_instance" "foo" { // Block Device const testAccInstanceDataSourceConfig_blockDevices = ` -resource "aws_kms_key" "foo" { - description = "Dummy key for terraform test" - deletion_window_in_days = 7 -} - resource "aws_instance" "foo" { # us-west-2 ami = "ami-55a7ea65" @@ -480,7 +498,6 @@ resource "aws_instance" "foo" { device_name = "/dev/sdd" volume_size = 12 encrypted = true - kms_key_id = "${aws_kms_key.foo.arn}" } ephemeral_block_device { 
@@ -494,6 +511,56 @@ data "aws_instance" "foo" { } ` +const testAccInstanceDataSourceConfig_EbsBlockDevice_KmsKeyId = ` +resource "aws_kms_key" "foo" { + deletion_window_in_days = 7 +} + +resource "aws_instance" "foo" { + # us-west-2 + ami = "ami-55a7ea65" + instance_type = "m3.medium" + + root_block_device { + volume_type = "gp2" + volume_size = 11 + } + ebs_block_device { + device_name = "/dev/sdb" + encrypted = true + kms_key_id = "${aws_kms_key.foo.arn}" + volume_size = 9 + } +} + +data "aws_instance" "foo" { + instance_id = "${aws_instance.foo.id}" +} +` + +const testAccInstanceDataSourceConfig_RootBlockDevice_KmsKeyId = ` +resource "aws_kms_key" "foo" { + deletion_window_in_days = 7 +} + +resource "aws_instance" "foo" { + # us-west-2 + ami = "ami-55a7ea65" + instance_type = "m3.medium" + + root_block_device { + encrypted = true + kms_key_id = "${aws_kms_key.foo.arn}" + volume_type = "gp2" + volume_size = 11 + } +} + +data "aws_instance" "foo" { + instance_id = "${aws_instance.foo.id}" +} +` + const testAccInstanceDataSourceConfig_rootInstanceStore = ` resource "aws_instance" "foo" { ami = "ami-44c36524" diff --git a/aws/resource_aws_instance.go b/aws/resource_aws_instance.go index 9e2fdf425bc..afda83246c6 100644 --- a/aws/resource_aws_instance.go +++ b/aws/resource_aws_instance.go @@ -339,6 +339,7 @@ func resourceAwsInstance() *schema.Resource { "kms_key_id": { Type: schema.TypeString, Optional: true, + Computed: true, ForceNew: true, }, @@ -448,6 +449,7 @@ func resourceAwsInstance() *schema.Resource { "kms_key_id": { Type: schema.TypeString, Optional: true, + Computed: true, ForceNew: true, }, 
@@ -1579,10 +1581,13 @@ func readBlockDeviceMappingsFromConfig( bd := v.(map[string]interface{}) ebs := &ec2.EbsBlockDevice{ DeleteOnTermination: aws.Bool(bd["delete_on_termination"].(bool)), - Encrypted: aws.Bool(bd["encrypted"].(bool)), } - if v, ok := bd["kms_key_id"].(int); ok && v != 0 { + if v, ok := bd["encrypted"].(bool); ok && v { + ebs.Encrypted = aws.Bool(v) + } + + if v, ok := bd["kms_key_id"].(string); ok && v != "" { ebs.KmsKeyId = aws.String(bd["kms_key_id"].(string)) } diff --git a/aws/resource_aws_instance_test.go b/aws/resource_aws_instance_test.go index 18b38040b02..260d67be5b3 100644 --- a/aws/resource_aws_instance_test.go +++ b/aws/resource_aws_instance_test.go 
@@ -317,26 +317,46 @@ func TestAccAWSInstance_basic(t *testing.T) { }) } -func TestAccAWSInstance_encryptedRootVolume(t *testing.T) { - var v ec2.Instance +func TestAccAWSInstance_EbsBlockDevice_KmsKeyArn(t *testing.T) { + var instance ec2.Instance + kmsKeyResourceName := "aws_kms_key.foo" + resourceName := "aws_instance.foo" resource.ParallelTest(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - IDRefreshName: "aws_instance.foo", - Providers: testAccProviders, - CheckDestroy: testAccCheckInstanceDestroy, + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckInstanceDestroy, Steps: []resource.TestStep{ { - Config: testAccCheckInstanceEncryptedRootVolume, + Config: testAccInstanceConfigEbsBlockDeviceKmsKeyArn, Check: resource.ComposeTestCheckFunc( - testAccCheckInstanceExists( - "aws_instance.foo", &v), - resource.TestCheckResourceAttr( - "aws_instance.foo", "root_block_device.#", "1"), - resource.TestCheckResourceAttr( - "aws_instance.foo", "root_block_device.0.encrypted", "true"), - resource.TestCheckResourceAttrSet( - "aws_instance.foo", "root_block_device.0.kms_key_id"), + testAccCheckInstanceExists(resourceName, &instance), + resource.TestCheckResourceAttr(resourceName, "ebs_block_device.#", "1"), + resource.TestCheckResourceAttr(resourceName, "ebs_block_device.2634515331.encrypted", "true"), + resource.TestCheckResourceAttrPair(resourceName, "ebs_block_device.2634515331.kms_key_id", kmsKeyResourceName, "arn"), + ), + }, + }, + }) +} + +func TestAccAWSInstance_RootBlockDevice_KmsKeyArn(t *testing.T) { + var instance ec2.Instance + kmsKeyResourceName := "aws_kms_key.foo" + resourceName := "aws_instance.foo" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckInstanceDestroy, + Steps: []resource.TestStep{ + { + Config: testAccInstanceConfigRootBlockDeviceKmsKeyArn, + Check: 
resource.ComposeTestCheckFunc( + testAccCheckInstanceExists(resourceName, &instance), + resource.TestCheckResourceAttr(resourceName, "root_block_device.#", "1"), + resource.TestCheckResourceAttr(resourceName, "root_block_device.0.encrypted", "true"), + resource.TestCheckResourceAttrPair(resourceName, "root_block_device.0.kms_key_id", kmsKeyResourceName, "arn"), ), }, }, @@ -505,7 +525,7 @@ func TestAccAWSInstance_blockDevices(t *testing.T) { resource.TestCheckResourceAttr( "aws_instance.foo", "ebs_block_device.2576023345.volume_size", "9"), resource.TestCheckResourceAttr( - "aws_instance.foo", "ebs_block_device.2576023345.volume_type", "standard"), + "aws_instance.foo", "ebs_block_device.2576023345.volume_type", "gp2"), resource.TestCheckResourceAttr( "aws_instance.foo", "ebs_block_device.2554893574.device_name", "/dev/sdc"), resource.TestMatchResourceAttr( @@ -522,8 +542,6 @@ func TestAccAWSInstance_blockDevices(t *testing.T) { "aws_instance.foo", "ebs_block_device.2634515331.volume_id", regexp.MustCompile("vol-[a-z0-9]+")), resource.TestCheckResourceAttr( "aws_instance.foo", "ebs_block_device.2634515331.encrypted", "true"), - resource.TestMatchResourceAttr( - "aws_instance.foo", "ebs_block_device.2634515331.kms_key_id", regexp.MustCompile("^arn:aws[\\w-]*:kms:us-west-2:[0-9]{12}:key/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")), resource.TestCheckResourceAttr( "aws_instance.foo", "ebs_block_device.2634515331.volume_size", "12"), resource.TestCheckResourceAttr( @@ -1043,8 +1061,6 @@ func TestAccAWSInstance_volumeTags(t *testing.T) { "aws_instance.foo", "volume_tags.%", "1"), resource.TestCheckResourceAttr( "aws_instance.foo", "volume_tags.Name", "acceptance-test-volume-tag"), - resource.TestMatchResourceAttr( - "aws_instance.foo", "ebs_block_device.2634515331.kms_key_id", regexp.MustCompile("^arn:aws[\\w-]*:kms:us-west-2:[0-9]{12}:key/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")), ), }, { 
@@ -2496,30 +2512,9 @@ resource "aws_instance" "foo" { ` const testAccInstanceConfigBlockDevices = ` -resource "aws_vpc" "foo" { - cidr_block = "10.1.0.0/16" - - tags { - Name = "terraform-testacc-instance-source-dest-enable" - } -} - -resource "aws_subnet" "foo" { - cidr_block = "10.1.1.0/24" - vpc_id = "${aws_vpc.foo.id}" - availability_zone = "us-west-2a" - - tags { - Name = "tf-acc-instance-source-dest-enable" - } -} - -resource "aws_kms_key" "foo" {} - resource "aws_instance" "foo" { # us-west-2 - ami = "ami-55a7ea65" - subnet_id = "${aws_subnet.foo.id}" + ami = "ami-55a7ea65" # In order to attach an encrypted volume to an instance you need to have an # m3.medium or larger. See "Supported Instance Types" in: @@ -2548,7 +2543,6 @@ resource "aws_instance" "foo" { device_name = "/dev/sdd" volume_size = 12 encrypted = true - kms_key_id = "${aws_kms_key.foo.arn}" } ephemeral_block_device { @@ -2833,11 +2827,40 @@ resource "aws_instance" "foo" { } ` -const testAccCheckInstanceEncryptedRootVolume = ` +const testAccInstanceConfigEbsBlockDeviceKmsKeyArn = ` +resource "aws_kms_key" "foo" { + deletion_window_in_days = 7 +} + +resource "aws_instance" "foo" { + # us-west-2 + ami = "ami-55a7ea65" + + # In order to attach an encrypted volume to an instance you need to have an + # m3.medium or larger. See "Supported Instance Types" in: + # http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html + instance_type = "m3.medium" + + root_block_device { + volume_type = "gp2" + volume_size = 11 + } + + # Encrypted ebs block device + ebs_block_device { + device_name = "/dev/sdd" + encrypted = true + kms_key_id = "${aws_kms_key.foo.arn}" + volume_size = 12 + } +} +` + +const testAccInstanceConfigRootBlockDeviceKmsKeyArn = ` resource "aws_vpc" "foo" { cidr_block = "10.1.0.0/16" - tags { + tags = { Name = "terraform-testacc-instance-source-dest-enable" } } 
@@ -2847,12 +2870,14 @@ resource "aws_subnet" "foo" { vpc_id = "${aws_vpc.foo.id}" availability_zone = "us-west-2a" - tags { + tags = { Name = "tf-acc-instance-source-dest-enable" } } -resource "aws_kms_key" "foo" {} +resource "aws_kms_key" "foo" { + deletion_window_in_days = 7 +} resource "aws_instance" "foo" { ami = "ami-08692d171e3cf02d6" @@ -2961,16 +2986,6 @@ resource "aws_instance" "foo" { ` const testAccCheckInstanceConfigWithVolumeTags = ` -resource "aws_kms_key" "foo" { - description = "Dummy key for terraform test" - deletion_window_in_days = 7 -} - -resource "aws_kms_alias" "foo" { - name = "alias/acceptance-test-kms-alias" - target_key_id = "${aws_kms_key.foo.key_id}" -} - resource "aws_instance" "foo" { ami = "ami-55a7ea65" @@ -2995,7 +3010,6 @@ resource "aws_instance" "foo" { device_name = "/dev/sdd" volume_size = 12 encrypted = true - kms_key_id = "alias/acceptance-test-kms-alias" } ephemeral_block_device { diff --git a/website/docs/d/instance.html.markdown b/website/docs/d/instance.html.markdown index 7610f34f0fc..9671cbc6e68 100644 --- a/website/docs/d/instance.html.markdown +++ b/website/docs/d/instance.html.markdown @@ -66,8 +66,8 @@ interpolation. * `delete_on_termination` - If the EBS volume will be deleted on termination. * `device_name` - The physical name of the device. * `encrypted` - If the EBS volume is encrypted. - * `kms_key_id` - If the EBS volume is encrypted with a CMK KMS * `iops` - `0` If the EBS volume is not a provisioned IOPS image, otherwise the supported IOPS count. + * `kms_key_arn` - Amazon Resource Name (ARN) of KMS Key, if EBS volume is encrypted. * `snapshot_id` - The ID of the snapshot. * `volume_size` - The size of the volume, in GiB. * `volume_type` - The volume type. 
@@ -97,7 +97,9 @@ interpolation. * `public_ip` - The public IP address assigned to the Instance, if applicable. **NOTE**: If you are using an [`aws_eip`](/docs/providers/aws/r/eip.html) with your instance, you should refer to the EIP's address directly and not use `public_ip`, as this field will change after the EIP is attached. * `root_block_device` - The root block device mappings of the Instance * `delete_on_termination` - If the root block device will be deleted on termination. + * `encrypted` - If the EBS volume is encrypted. * `iops` - `0` If the volume is not a provisioned IOPS image, otherwise the supported IOPS count. + * `kms_key_arn` - Amazon Resource Name (ARN) of KMS Key, if EBS volume is encrypted. * `volume_size` - The size of the volume, in GiB. * `volume_type` - The type of the volume. * `security_groups` - The associated security groups. diff --git a/website/docs/r/instance.html.markdown b/website/docs/r/instance.html.markdown index 7d6635a2515..7cb56a7905e 100644 --- a/website/docs/r/instance.html.markdown +++ b/website/docs/r/instance.html.markdown @@ -131,8 +131,8 @@ The `root_block_device` mapping supports the following: using that type * `delete_on_termination` - (Optional) Whether the volume should be destroyed on instance termination (Default: `true`). -* `encrypted` - (Optional) Enable volume encryption. (Default: `false`). -* `kms_key_id` - (Optional) The KMS key to use when encrypting the volume. +* `encrypted` - (Optional) Enable volume encryption. (Default: `false`). Must be configured to perform drift detection. +* `kms_key_id` - (Optional) Amazon Resource Name (ARN) of the KMS Key to use when encrypting the volume. Must be configured to perform drift detection. Modifying any of the `root_block_device` settings requires resource replacement. 
@@ -151,8 +151,8 @@ Each `ebs_block_device` supports the following: on instance termination (Default: `true`). * `encrypted` - (Optional) Enables [EBS encryption](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) - on the volume (Default: `false`). Cannot be used with `snapshot_id`. -* `kms_key_id` - (Optional) The KMS key to use when encrypting the volume. + on the volume (Default: `false`). Cannot be used with `snapshot_id`. Must be configured to perform drift detection. +* `kms_key_id` - (Optional) Amazon Resource Name (ARN) of the KMS Key to use when encrypting the volume. Must be configured to perform drift detection. ~> **NOTE:** Currently, changes to the `ebs_block_device` configuration of _existing_ resources cannot be automatically detected by Terraform. To manage changes and attachments of an EBS block to an instance, use the `aws_ebs_volume` and `aws_volume_attachment` resources instead. If you use `ebs_block_device` on an `aws_instance`, Terraform will assume management over the full set of non-root EBS block devices for the instance, treating additional block devices as drift. For this reason, `ebs_block_device` cannot be mixed with external `aws_ebs_volume` and `aws_volume_attachment` resources for a given instance.
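
Review bot: In aws/resource_aws_instance.go, readBlockDeviceMappingsFromConfig (hunk at -1579), `kms_key_id` is now sent whenever it is a non-empty string, independently of `encrypted`, so a block with a key but without `encrypted = true` builds an `ec2.EbsBlockDevice` that carries `KmsKeyId` and no `Encrypted` flag. Nothing in the visible lines rejects or normalises that combination; either set `ebs.Encrypted` when a key is configured or return a clear error, so the operator does not find out from the EC2 API response or, worse, from a volume that is not encrypted the way they expected. Smaller point in the same block: the body repeats the type assertion `bd["kms_key_id"].(string)` although `v` already holds the string, so `ebs.KmsKeyId = aws.String(v)` is enough.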
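
Review bot: The attribute name in website/docs/d/instance.html.markdown does not match the schema: the hunks at -66 and -97 document `kms_key_arn` for both `ebs_block_device` and `root_block_device`, while aws/data_source_aws_instance.go in this same patch defines the attribute as `kms_key_id` in both blocks. Anyone writing a policy check or output against the documented name will reference an attribute that does not exist. Rename the documentation entries to `kms_key_id` (keeping the "ARN of the KMS Key" description), or rename the schema attribute if `kms_key_arn` is what the subject line intends.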
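
Review bot: The two new data source tests in aws/data_source_aws_instance_test.go (hunk at -102) have a `Config` step and no `Check`, so they only prove the read does not panic and say nothing about whether `encrypted` and `kms_key_id` are populated correctly. Since the configs already create `aws_kms_key.foo`, a `resource.TestCheckResourceAttrPair` from the data source's `kms_key_id` to the key's `arn`, as the resource tests in this patch do, would cover the new attributes at almost no cost. Also, the functions are named `..._EbsBlockDevice_KmsKeyId` and `..._RootBlockDevice_KmsKeyId`, while the acceptance output in the commit message lists `TestAccAWSInstanceDataSource_EbsBlockDevice_KmsKeyArn` and `TestAccAWSInstanceDataSource_RootBlockDevice_KmsKeyArn`; one of the two should be brought in line so the recorded run matches the code.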
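
Review bot: In aws/resource_aws_instance_test.go, the hunk at -505 changes an existing assertion in TestAccAWSInstance_blockDevices, the expected `ebs_block_device.2576023345.volume_type`, from "standard" to "gp2", and neither the commit message nor the visible part of testAccInstanceConfigBlockDevices explains why. Please confirm this restores the assertion to what the test checked before the two pull requests were combined, and say so in the commit message next to the statement that existing acceptance testing was untouched. Separately, the `kms_key_id = "alias/acceptance-test-kms-alias"` line is removed from testAccCheckInstanceConfigWithVolumeTags (hunk at -2995) and no remaining test passes a non-ARN value, so the behaviour of an alias or bare key ID with a `ForceNew` argument is now untested.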
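
Review bot: In website/docs/r/instance.html.markdown (hunks at -131 and -151), "Must be configured to perform drift detection" is too terse for the consequence it carries: with `kms_key_id` now `Optional` and `Computed` in the schema, a configuration that omits `encrypted` or `kms_key_id` will show no difference in the plan whatever the volume's actual encryption state or key is. Spell that out in one sentence, so teams that rely on the plan to catch unencrypted or wrongly keyed volumes know they must set both arguments explicitly. The `kms_key_id` description now requires an ARN, but nothing visible in the schema hunks enforces that; a validation function on the argument would reject aliases and bare key IDs at plan time instead of leaving them to differ from the ARN the new tests expect to read back.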