
EBS root block encryption not available in EC2 #6246

Closed
georgesvachulay opened this issue Oct 23, 2018 · 10 comments · Fixed by #7757
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/ec2 Issues and PRs that pertain to the ec2 service.

Comments

@georgesvachulay

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

I would like the following to work:

    root_block_device = {
      volume_type = "gp2"
      volume_size = "10"
      encrypted   = true
    }

Current state if used:

root_block_device.0: invalid or unknown key: encrypted

Works fine with the ebs_block_device resource (https://www.terraform.io/docs/providers/aws/r/instance.html#block-devices). This is a fairly general use case in AWS; without this, the most used volume of an instance won't be encrypted.

New or Affected Resource(s)

  • aws_instance
  • aws_ebs_volume (potentially)

Potential Terraform Configuration

resource "aws_instance" "xy" {
  root_block_device = {
    volume_type = "gp2"
    volume_size = "10"
    encrypted   = true
  }
}

References

@jcreyf

jcreyf commented Nov 13, 2018

Please also add support for kms_key_id

@a-h
Contributor

a-h commented Dec 19, 2018

aws_launch_configuration would also need updating to allow machines to have their root volumes encrypted.

Input

resource "aws_launch_configuration" "example_config" {
  image_id             = "ami-0274e11dced17bb5b"
  instance_type        = "t2.micro"
  root_block_device {
    encrypted = true
  }
}

Current Output

aws_launch_configuration.example_config: root_block_device.0: invalid or unknown key: encrypted

The current workaround for this is to use an encrypted AMI (see terraform-aws-modules/terraform-aws-ec2-instance#6 (comment)).

@johnjelinek

I hacked on this functionality and got it to read the root block encrypted state, but I could not get it to encrypt an AMI that was unencrypted.

--- FAIL: TestAccAWSInstance_blockDevices (7.80s)
    testing.go:538: Step 0 error: Error applying: 1 error occurred:
                * aws_instance.foo: 1 error occurred:
                * aws_instance.foo: Error launching source instance: InvalidBlockDeviceMapping: the encrypted flag cannot be specified since device /dev/sda1 has a snapshot specified.
                status code: 400, request id: eafc2b82-1ce1-47e4-9b4a-c5949696c7d4

@nywilken nywilken added enhancement Requests to existing resources that expand the functionality or scope. service/ec2 Issues and PRs that pertain to the ec2 service. labels Feb 5, 2019
@joestump
Contributor

@johnjelinek I got this working in #7757 with unencrypted AMIs. The acceptance tests use vanilla public Ubuntu AMIs. @jcreyf I also added kms_key_id to both ebs_block_device and root_block_device.

@a-h sadly, I didn't get to aws_launch_configuration. I'll try to get to that in another PR.
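A plan-time check for the attributes discussed in this thread, added here as an example (not the provider's code and not from anyone in the thread): it walks the JSON that `terraform show -json` prints and reports every aws_instance whose root_block_device is not explicitly encrypted, or is encrypted without a kms_key_id. The sample plan is constructed inline and the KMS key ARN is a placeholder.

```python
"""Flag aws_instance resources whose root volume is not explicitly encrypted.
Added example for this thread, not provider code; input is the JSON from
`terraform show -json <planfile>` using the post-#7757 root_block_device schema."""
import json
# Constructed sample plan: one instance encrypted with a customer-managed key
# (placeholder ARN), one leaving `encrypted` unset, one child-module instance
# setting it to false.
SAMPLE_PLAN = json.dumps({
    "format_version": "0.1",
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_instance.xy", "type": "aws_instance",
             "values": {"root_block_device": [{
                 "volume_type": "gp2", "volume_size": 10, "encrypted": True,
                 "kms_key_id": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"}]}},
            {"address": "aws_instance.foo", "type": "aws_instance",
             "values": {"root_block_device": [{"volume_type": "gp2"}]}},
        ],
        "child_modules": [{"address": "module.web", "resources": [
            {"address": "module.web.aws_instance.app", "type": "aws_instance",
             "values": {"root_block_device": [{"encrypted": False}]}}]}],
    }},
})

def iter_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def root_volume_findings(plan_json):
    """Return {instance address: reason} for each root volume that is not
    explicitly encrypted with a customer-managed KMS key."""
    findings = {}
    plan = json.loads(plan_json)
    for res in iter_resources(plan["planned_values"]["root_module"]):
        if res.get("type") != "aws_instance":
            continue
        root = ((res.get("values") or {}).get("root_block_device") or [{}])[0]
        encrypted = root.get("encrypted")
        if encrypted is None:
            # Unset: inherited from the AMI snapshot and unknown in the plan, so unproven.
            findings[res["address"]] = "root_block_device.encrypted not set"
        elif encrypted is False:
            findings[res["address"]] = "root volume explicitly unencrypted"
        elif not root.get("kms_key_id"):
            findings[res["address"]] = "encrypted, but with the AWS-managed key"
    return findings
```

Run it against a real plan with `root_volume_findings(open("plan.json").read())`; an empty dict means every instance in the plan pins encryption to a customer-managed key.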

@joestump
Contributor

joestump commented Feb 28, 2019

@a-h #7759 adds encrypted to root_block_device on aws_launch_configuration. 👍

@felixb
Contributor

felixb commented Apr 2, 2019

@joestump what about launch templates? Do you plan to add a third PR for that?

@joestump
Contributor

joestump commented Apr 2, 2019

@felixb I'll take a look.

@captn3m0

Relevant to this issue: AWS now supports sharing encrypted AMIs across accounts.

@nywilken
Contributor

Hi folks, thanks for pushing this request forward. To help consolidate this EBS encryption request, I am going to roll this issue into the new parent #8624, where we can continue to track progress and discuss implementation details.

@ghost

ghost commented Nov 3, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 3, 2019

8 participants