Encrypted flag cannot be specified since device /dev/sda1 has a snapshot specified #4553

Closed
ghost opened this issue May 16, 2018 · 26 comments · Fixed by azavea/terraform-aws-ecs-cluster#34 or #5632
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service.

@ghost

ghost commented May 16, 2018

This issue was originally opened by @jayudhandha as hashicorp/terraform#18059. It was migrated here as a result of the provider split. The original body of the issue is below.


Hi,

I am migrating my Autoscaling groups to use launch_template instead of launch_configuration. (To support T2 Unlimited)

Below is my code snippet.

resource "aws_launch_template" "test_launch_template" {
  image_id               = "ami_id"
  name_prefix            = "test-pref"
  instance_type          = "t2.small"
  key_name               = "jayesh"
  vpc_security_group_ids = ["sg-23423432", "sg-23452115"]
  user_data              = "${base64encode(data.template_file.user_data.rendered)}"

  iam_instance_profile {
    name = "test"
  }
  disable_api_termination              = true
  instance_initiated_shutdown_behavior = "terminate"

  block_device_mappings {
    device_name = "/dev/sda1"
    ebs {
      delete_on_termination = true
      volume_size           = "${var.volume_size}"
    }
  }

  credit_specification {
    cpu_credits = "unlimited"
  }
  lifecycle {
    create_before_destroy = "true"
  }
}

While running terraform apply I am getting the error below.

1 error(s) occurred:

  • aws_autoscaling_group.test_asg: 1 error(s) occurred:
  • aws_autoscaling_group.test_asg: Error creating AutoScaling Group: ValidationError: You must use a valid fully-formed launch template. the encrypted flag cannot be specified since device /dev/sda1 has a snapshot specified.
    status code: 400, request id: 7902a390-58de-11e8-af77-87d327f8b121

Maybe a parameter is missing, but I am not sure which one.

As per the error, it looks like the encrypted parameter is specified, but I haven't passed it. So why is this error occurring?

Thanks in advance!

@djdevin

djdevin commented May 17, 2018

I'm getting the same thing along with #4570

@snemetz

snemetz commented May 17, 2018

Same thing. You guys are faster at submitting the bug report :)
I tried a number of settings to get around it. None worked.
It appears that terraform is always sending the encrypted parameter, but the api only accepts it under some conditions.

@djdevin

djdevin commented May 17, 2018

I have it unset in the console and I still got the error


Failed to create Auto Scaling group
You must use a valid fully-formed launch template. the encrypted flag cannot be specified since device /dev/sda1 has a snapshot specified.

Either an issue with AWS or something in the background I'm not seeing...

@ankurkgupta

The issue is, when creating a launch template from AWS there is an option "Do not include in template" for encrypted flag, but when creating launch template with terraform there is no way to set this option. It defaults to "false".

@cowdude

cowdude commented May 22, 2018

Facing the same issue. Removing the block_device_mappings argument fixed it (but I can no longer tweak the root volume size).

@zioalex

zioalex commented May 23, 2018

Same problem here. I tried:

block_device_mappings {
  device_name = "/dev/sda1"
  ebs {
    volume_size = 30
    encrypted   = false
  }
}

but I get the same results. No problem with non-root devices.
Any advice here? How to change the root device size?

jmcarp added a commit to jmcarp/terraform-provider-aws that referenced this issue May 23, 2018
AWS does not allow setting encryption values on ebs block devices
created from a snapshot. This patch lists block devices created from
snapshots from the image and skips the encryption flag on those devices.

[Fixes hashicorp#4553]
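
The approach that commit message describes, sketched as an added Go example (not the provider's code and not the referenced patch): the types `Ebs` and `Mapping` and the function `SanitizeMappings` are hypothetical stand-ins, and the snapshot ID is a constructed placeholder. `Encrypted` is a pointer so that "not set" (nil, omitted from the request) stays distinct from an explicit `false`.

```go
package main

import "fmt"

// Ebs holds the launch-template EBS fields relevant to this issue (hypothetical type).
// Encrypted is *bool: nil means "do not send the flag", which differs from false.
type Ebs struct {
	SnapshotID string
	VolumeSize int
	Encrypted  *bool
}

type Mapping struct {
	DeviceName string
	Ebs        Ebs
}

// SanitizeMappings returns a copy of tmpl with Encrypted cleared on every device
// backed by a snapshot (in the image or in the template), plus the changed device names.
func SanitizeMappings(image, tmpl []Mapping) ([]Mapping, []string) {
	fromSnapshot := map[string]bool{}
	for _, m := range image {
		if m.Ebs.SnapshotID != "" {
			fromSnapshot[m.DeviceName] = true
		}
	}
	out := make([]Mapping, len(tmpl))
	var changed []string
	for i, m := range tmpl { // m is a copy, so the caller's slice is not modified
		if m.Ebs.Encrypted != nil && (fromSnapshot[m.DeviceName] || m.Ebs.SnapshotID != "") {
			m.Ebs.Encrypted = nil // the snapshot decides the encryption state
			changed = append(changed, m.DeviceName)
		}
		out[i] = m
	}
	return out, changed
}

func main() {
	f := false
	// Constructed sample: the image backs /dev/sda1 with a snapshot; /dev/sdf is a new empty volume.
	image := []Mapping{{DeviceName: "/dev/sda1", Ebs: Ebs{SnapshotID: "snap-EXAMPLE"}}}
	tmpl := []Mapping{
		{DeviceName: "/dev/sda1", Ebs: Ebs{VolumeSize: 30, Encrypted: &f}},
		{DeviceName: "/dev/sdf", Ebs: Ebs{VolumeSize: 100, Encrypted: &f}},
	}
	_, changed := SanitizeMappings(image, tmpl)
	fmt.Println("encrypted flag dropped on:", changed)
}
```
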
@yardensachs
Contributor

Does anyone have a workaround until this is merged?

@cowdude

cowdude commented Jun 20, 2018

@yardensachs We kept using good old AWS launch configurations instead of launch templates for configuring our ASG instances.

https://www.terraform.io/docs/providers/aws/r/launch_configuration.html

@skroll

skroll commented Jun 20, 2018

I tried patching the provider myself to see what was happening. I attached the patch: dont_send_encrypted.txt

However, even when not setting the "encrypted" flag, it still is getting set. I wonder if it has to do with the aws golang SDK.

I should note that if I create the resource manually, import it into my state, terraform doesn't see any changes with the encrypted flag missing. If I then modify the volume_size, it detects that as the only change, but the new launch template version has "encrypted" set to "no".

@gnieutin

gnieutin commented Jun 20, 2018

I ran into the same issue and the following workaround process did the trick:

  • create the launch template via terraform without using it in other resources (so don't create resources that need it in the same "apply" command)
  • in the aws console manually unset the flag encryption and save the new version
  • back to terraform: create the other resources that depend on the launch template

You will see that terraform does not complain about the encryption flag difference on your already created template.

Please note that every time you update the launch template with terraform, the same manual trick will be needed in the aws console.

@shuqichen

shuqichen commented Jun 24, 2018

@bflad @terraformbot @tf-release-bot Facing the same issue. Removing the block_device_mappings argument fixed it (but I can no longer tweak the root volume size). Hope this issue can be fixed ASAP

@mylokin

mylokin commented Jun 29, 2018

I'm facing exactly the same issue. Generated LaunchTemplateData field contains Encrypted field in BlockDeviceMappings/EBS section even if encrypted param wasn't added and snapshot_id was. It makes launch templates provisioned by terraform unusable.

terraform 0.11.7
provider.aws 1.25.0

Please advise if there is an option to downgrade the provider.aws version. I wasn't able to find any notes on when the bug was introduced, but I suppose there should be a version w/o the bug, since the Terraform documentation clearly describes that the encrypted param cannot be used along with the snapshot_id param.

@chrisandchris

chrisandchris commented Jun 29, 2018

Same here.

Also same: Removing the block_device_mappings argument fixed it (but I can no longer tweak the root volume size).

@houseofback

Hit the same problem today with the workaround mentioned above; editing the launch template in AWS Console then continue with Terraform.

@schammah

schammah commented Aug 1, 2018

This must get fixed, in order to use aws_launch_template in a fully automated way.
I do want to tweak the root device volume size and not to remove it
and need to have this done automatically and not in a manual way

@AnthonyWC

AnthonyWC commented Aug 1, 2018

I ran into this issue and came across this when searching for the error code BUT I was using AWS CLI; not Terraform.

So this issue is really an issue with the AWS API itself; in AWS CLI I was able to resolve it by removing the encrypted field altogether. In Terraform it would probably require some code change so that it does not always set the encrypted field by default.

@squickone

I have had to go back to launch configurations, which is not desired but unfortunately necessary. This is a pretty big deal and is hampering our usage of launch templates. Any prioritization for fixing this would be greatly appreciated.

@derage

derage commented Aug 21, 2018

OK, so I found a way to complete this automatically, although it's very hacky.

I figured out the issue here is because terraform auto defaults the encryption if you don't pass an option in, which it shouldn't.

If you use the aws cli to create a new template version, and overwrite the ebs volume options with no encryption passed in, the correct option will be put into the template and will allow you to spin up an instance.

So to solve this automatically, I added a local-exec to my launch template that will run the aws command, update the ebs volume with the same name and not pass in the encryption method, and now it works.

resource "aws_launch_template" "launch_temp" {
  name     = "launch_Temp"
  image_id = "${var.ami_ubuntu}"
  key_name = "${var.key_name}"

  instance_type = "t2.2xlarge"

  block_device_mappings {
    device_name = "/dev/sda1"
    ebs {
      volume_size           = 200
      volume_type           = "gp2"
      delete_on_termination = "true"
    }
  }
  vpc_security_group_ids = [
    "${aws_security_group.test.id}",
  ]

  user_data = "${base64encode(data.template_file.userdata.rendered)}"

  # Adds a new template version whose EBS mapping omits the Encrypted key.
  provisioner "local-exec" {
    command = "sleep 10; aws ec2 create-launch-template-version --launch-template-id ${aws_launch_template.launch_temp.id} --version-description turnOffEncryption --source-version 1 --launch-template-data '{\"BlockDeviceMappings\": [{\"DeviceName\": \"/dev/sda1\", \"Ebs\": { \"VolumeSize\": 200, \"VolumeType\": \"gp2\" }}]}'"
  }
}

The sleep 10 was to fix an issue with the id interpolation that I think I found with this resource type. You could probably just remove the ebs block inside the terraform template and just use the aws cli to update the created template with the block if you wanted.

@bflad
Contributor

bflad commented Aug 21, 2018

Bug fix pull request submitted: #5632

jcejohnson pushed a commit to EFXCIA/terraform-aws-vault that referenced this issue Aug 24, 2018
jcejohnson pushed a commit to EFXCIA/terraform-aws-vault that referenced this issue Aug 28, 2018
…corp/terraform-provider-aws#4553 to be fixed & then do a cleaner implementation.

To make this work, I have to do:
terraform apply -target aws_iam_instance_profile.instance_profile -var-file inputs modules/vault-cluster/
terraform apply -var-file inputs modules/vault-cluster/
@bflad bflad added this to the v1.34.0 milestone Aug 30, 2018
@bflad
Contributor

bflad commented Aug 30, 2018

The fix for this has been merged into master and will release with version 1.34.0 of the AWS provider, likely later today.

@bflad
Contributor

bflad commented Aug 30, 2018

This has been released in version 1.34.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@jasonrojas

Terraform v0.11.8

  • provider.aws v1.37.0

Description: Launching a new EC2 instance. Status Reason: the encrypted flag cannot be specified since device /dev/sda1 has a snapshot specified. Launching EC2 instance failed.
--
Cause: At 2018-09-25T18:00:27Z an instance was started in response to a difference between desired and actual capacity, increasing the capacity from 1 to 2.


Still seeing this issue after setting encrypted=true in the launch template.

@jcejohnson

Terraform v0.11.8

  • provider.aws v1.37.0

Still seeing this issue after setting encrypted=true in the launch template.

provider.aws v1.38.0
I'm also seeing it after setting encrypted=true or encrypted=false in the launch template.
The only way I get success is to set encrypted="" which shows up in the AWS console as 'Default'.

@jcejohnson

PR submitted: hashicorp/terraform-aws-vault#97

@ozbillwang

Seems the above PR has been on hold for a while. When can we get it merged?

We are in terraform 0.12.x now. Hope the fix can work in 0.12 directly.

@ghost
Author

ghost commented Nov 1, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 1, 2019