
AWS Feature Release: Encrypt Root Volumes at Launch #8624

Closed
dannyleesmith opened this issue May 14, 2019 · 23 comments · Fixed by #9599
Assignees
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/ec2 Issues and PRs that pertain to the ec2 service.
Milestone

Comments

@dannyleesmith

dannyleesmith commented May 14, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

AWS have released functionality to launch instances with encrypted root volumes in a single step, and some AWS resources will need to be updated to take advantage of this useful feature. According to the release post the SDKs have been updated with these changes, so hopefully updates can be made. Some of the AWS documentation, at the time of writing, still refers to encrypting unencrypted snapshots at the point of use as impossible.

New or Affected Resource(s)

This may not be an exhaustive list:

  • aws_instance (root_block_device map change)
  • aws_launch_configuration (root_block_device map change)
  • aws_launch_template (add option to encrypt AMI volumes and potentially ebs.encrypted can be used with snapshots)
  • aws_spot_fleet_request (perhaps launch_specification, documentation for spot fleet hasn't been updated)
  • aws_ebs_volume (may already work as it doesn't state encrypted won't work with snapshot_id)

Potential Terraform Configuration

```hcl
# aws_instance

resource "aws_instance" "example" {
  ami = "ami-00000000000000000"

  root_block_device {
    [..]
    encrypted = true
  }

  ebs_block_device {
    [..]
    snapshot_id = "snap-00000000000000000"
    encrypted   = true
  }
}

# aws_launch_configuration

resource "aws_launch_configuration" "example" {
  [..]
  encrypted = true
  image_id  = "ami-00000000000000000"
}

# aws_launch_template

resource "aws_launch_template" "example" {
  [..]
  encrypted = true
  image_id  = "ami-00000000000000000"
}

# aws_spot_fleet_request

resource "aws_spot_fleet_request" "example" {
  [..]
  launch_specification {
    ami       = "ami-d06a90b0"
    encrypted = true
  }
}

# aws_ebs_volume

resource "aws_ebs_volume" "example" {
  encrypted   = true
  snapshot_id = "snap-00000000000000000"
}
```

References

@dannyleesmith dannyleesmith added the enhancement Requests to existing resources that expand the functionality or scope. label May 14, 2019
@bflad bflad added the service/ec2 Issues and PRs that pertain to the ec2 service. label May 14, 2019
@bfleming-ciena

Is there any work-around till support is added in TF?

@dannyleesmith
Author

> Is there any work-around till support is added in TF?

I guess business-as-usual, @stonefury, so still having to create encrypted root AMIs rather than specifying the encryption at launch. Unless anyone else has any hacky alternatives?

@michaelahern
Contributor

Related: I would also add that this should include specifying a different kms_key_id.

```hcl
resource "aws_instance" "example" {
  ami = "ami-00000000000000000"

  root_block_device {
    [..]
    encrypted  = true
    kms_key_id = "00000000-0000-0000-0000-000000000000"
  }

  ebs_block_device {
    [..]
    snapshot_id = "snap-00000000000000000"
    encrypted   = true
    kms_key_id  = "00000000-0000-0000-0000-000000000000"
  }
}
```

More details at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html

@dayglojesus

This is a duplicate of #6246, but 👍 .

@dannyleesmith
Author

Hi @dayglojesus, thanks for pointing out that one. Didn't see it and didn't think it would exist given this is a new feature and wasn't possible before now. I'll let the mods decide whether to work from this or the other.

Cheers,

-- Danny

@trj922

trj922 commented May 23, 2019

Our server engineer recreated our corporate Linux AMI without encrypting the root volume after this feature came out. We really need this!

@dannyleesmith
Author

@trj922 in the meantime this release from yesterday may be of interest to you to solve for that problem: https://aws.amazon.com/about-aws/whats-new/2019/05/with-a-single-setting-you-can-encrypt-all-new-amazon-ebs-volumes/

@rmarable

Unfortunately that encrypts all EBS volumes within the account which in turn limits the instance types that can be launched:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#EBSEncryption_supported_instances

It would be super helpful if this feature could be made available in the root EBS volume template.

@FernandoMiguel
Contributor

@rmarable limits to almost every single instance ehe

@thanura1988

Need this very badly, folks.

@FernandoMiguel
Contributor

@thanura1988 this is out already.
I've already deployed this yesterday in our accounts

@Nklya

Nklya commented Jun 27, 2019

@FernandoMiguel what do you mean?
This issue is still open, and the linked PRs too. Where is it out?

@FernandoMiguel
Contributor

@thanura1988

Thanks @FernandoMiguel,
this did what I wanted.
Even though it's not doing it with "root_block_device", this solves my issue:
https://www.terraform.io/docs/providers/aws/r/ebs_encryption_by_default.html

@atiftw

atiftw commented Jul 6, 2019

More details here:

https://aws.amazon.com/blogs/security/how-to-quickly-launch-encrypted-ebs-backed-ec2-instances-from-unencrypted-amis/

I've started working on this and modified resource_aws_instance; I will continue with the other changes once I get an AWS account where I can try out acceptance tests for the other scenarios.

@jeroen-nijssen

👍 Would like to see this.

@bflad bflad added this to the v2.23.0 milestone Aug 2, 2019
@bflad bflad self-assigned this Aug 2, 2019
bflad added a commit that referenced this issue Aug 2, 2019
…device kms_key_id argument (support encryption on launch)

Reference: #8624

NOTE: No documentation updates because the `launch_specification` argument documentation points to the `aws_instance` resource documentation.

Output from acceptance testing:

```
--- PASS: TestAccAWSSpotFleetRequest_associatePublicIpAddress (270.69s)
--- PASS: TestAccAWSSpotFleetRequest_basic (405.39s)
--- PASS: TestAccAWSSpotFleetRequest_changePriceForcesNewRequest (529.67s)
--- PASS: TestAccAWSSpotFleetRequest_diversifiedAllocation (327.08s)
--- PASS: TestAccAWSSpotFleetRequest_fleetType (261.37s)
--- PASS: TestAccAWSSpotFleetRequest_iamInstanceProfileArn (324.47s)
--- PASS: TestAccAWSSpotFleetRequest_instanceInterruptionBehavior (195.94s)
--- PASS: TestAccAWSSpotFleetRequest_LaunchSpecification_EbsBlockDevice_KmsKeyId (142.16s)
--- PASS: TestAccAWSSpotFleetRequest_LaunchSpecification_RootBlockDevice_KmsKeyId (141.99s)
--- PASS: TestAccAWSSpotFleetRequest_lowestPriceAzInGivenList (334.76s)
--- PASS: TestAccAWSSpotFleetRequest_lowestPriceAzOrSubnetInRegion (260.11s)
--- PASS: TestAccAWSSpotFleetRequest_lowestPriceSubnetInGivenList (262.82s)
--- PASS: TestAccAWSSpotFleetRequest_multipleInstancePools (327.36s)
--- PASS: TestAccAWSSpotFleetRequest_multipleInstanceTypesInSameAz (263.10s)
--- PASS: TestAccAWSSpotFleetRequest_multipleInstanceTypesInSameSubnet (260.47s)
--- PASS: TestAccAWSSpotFleetRequest_overriddingSpotPrice (263.28s)
--- PASS: TestAccAWSSpotFleetRequest_placementTenancy (68.47s)
--- PASS: TestAccAWSSpotFleetRequest_updateExcessCapacityTerminationPolicy (517.31s)
--- PASS: TestAccAWSSpotFleetRequest_updateTargetCapacity (797.62s)
--- PASS: TestAccAWSSpotFleetRequest_withEBSDisk (404.38s)
--- PASS: TestAccAWSSpotFleetRequest_WithELBs (313.70s)
--- PASS: TestAccAWSSpotFleetRequest_withoutSpotPrice (263.82s)
--- PASS: TestAccAWSSpotFleetRequest_withTags (261.37s)
--- PASS: TestAccAWSSpotFleetRequest_WithTargetGroups (429.61s)
--- PASS: TestAccAWSSpotFleetRequest_withWeightedCapacity (334.88s)
```
@bflad
Contributor

bflad commented Aug 2, 2019

Hi everyone 👋

The following were previously supported:

  • aws_ebs_default_kms_key resource to set the region KMS key for encryption of all newly launched volumes
  • aws_ebs_encryption_by_default resource to enable KMS encryption by default for all newly launched volumes
  • aws_ebs_volume resource already supported the encrypted and kms_key_id arguments
  • aws_launch_template resource block_device_mappings ebs configuration block already supported the encrypted and kms_key_id arguments

The following were just merged and will be releasing in version 2.23.0 of the Terraform AWS Provider, next week:

  • aws_instance resource ebs_block_device and root_block_device configuration block encryption and kms_key_id arguments
  • aws_launch_configuration resource root_block_device configuration block encrypted argument

The following were just submitted and likely to also release in version 2.23.0 of the Terraform AWS Provider, next week:

  • aws_spot_fleet_request resource ebs_block_device and root_block_device kms_key_id arguments

Cheers 🎉
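
As an added example (not the issue author's configuration and not the provider's own docs), here is the post-2.23.0 syntax summarised above, encrypting the root volume of an instance launched from an unencrypted AMI with a customer managed KMS key, alongside the account-wide default-encryption fallback discussed earlier in the thread. It assumes Terraform AWS provider >= 2.23.0; the AMI and snapshot ids are placeholders taken from the issue and the region is an assumption.

```hcl
# Added example, not from the issue or the provider documentation.
# Assumes provider >= 2.23.0, where root_block_device / ebs_block_device
# gained the encrypted and kms_key_id arguments.
terraform {
  required_providers {
    aws = ">= 2.23.0"
  }
}

provider "aws" {
  region = "us-east-1" # assumption: any region where the key below lives
}

# Customer managed key, so encryption is not tied to the account's default EBS key.
resource "aws_kms_key" "ebs" {
  description         = "EBS root volume encryption"
  enable_key_rotation = true
}

# Launched from an *unencrypted* AMI: the root volume is encrypted at launch,
# so no copy-and-encrypt of the AMI is needed beforehand.
resource "aws_instance" "example" {
  ami           = "ami-00000000000000000" # placeholder from the issue, not a real AMI
  instance_type = "t3.micro"

  root_block_device {
    volume_type = "gp2"
    volume_size = 20
    encrypted   = true
    kms_key_id  = aws_kms_key.ebs.arn
  }

  # Extra volume restored from an unencrypted snapshot, encrypted on the fly.
  ebs_block_device {
    device_name = "/dev/sdf"
    snapshot_id = "snap-00000000000000000" # placeholder from the issue
    encrypted   = true
    kms_key_id  = aws_kms_key.ebs.arn
  }
}

# Region-wide fallback from the thread: every new volume is encrypted with the
# chosen default key regardless of what the resource asks for. As noted above,
# this restricts launches to instance types that support EBS encryption.
resource "aws_ebs_encryption_by_default" "all" {
  enabled = true
}

resource "aws_ebs_default_kms_key" "all" {
  key_arn = aws_kms_key.ebs.arn
}
```

After `terraform apply`, the `aws_instance` root volume shows as encrypted under the chosen key even though the source AMI is not.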

wking added a commit to wking/openshift-installer that referenced this issue Aug 5, 2019
Partially reverts 0c370dd (data/aws: Encrypt the AMI used by the
bootstrap and master machines, 2019-02-22, openshift#1296).  This isn't a clean
revert; for example, I left the ability to destroy images which are
tagged as owned by the cluster.  And we're still copy-and-encrypting
for the bootstrap machine until the AWS Terraform provider supports
requesting encrypted root volumes [1].  But with this commit, we no
longer use the copied AMI for control-plane nodes, which gets us one
step closer to having the cluster API provision them without installer
intervention.

[1]: hashicorp/terraform-provider-aws#8624
wking added a commit to wking/openshift-installer that referenced this issue Aug 5, 2019
Partially reverts 0c370dd (data/aws: Encrypt the AMI used by the
bootstrap and master machines, 2019-02-22, openshift#1296).  This isn't a clean
revert; for example, I left the ability to destroy images which are
tagged as owned by the cluster.  And we're still copy-and-encrypting
for the bootstrap machine and control-plane machines until the AWS
Terraform provider supports requesting encrypted root volumes [1].
But with this commit, we're now documenting the encryption in a way
that covers both the previous AMI-based encryption used for
bootstrap/control-plane and the new root-volume-based encryption used
for the compute machines, because they come down to encrypted root
volumes regardless of their approach.

[1]: hashicorp/terraform-provider-aws#8624
@bflad
Contributor

bflad commented Aug 7, 2019

Hi again 👋

This functionality was also just merged:

  • aws_spot_fleet_request resource ebs_block_device and root_block_device kms_key_id arguments

We should be releasing version 2.23.0 of the Terraform AWS Provider in the next day or two. 👍

@dannyleesmith
Author

@bflad are we sure everything this issue requested has been resolved? As one example, looking at aws_instance I see no option to set encryption on a root volume that may not be encrypted at the AMI level.

@bflad
Contributor

bflad commented Aug 7, 2019

@dannyleesmith #8624 (comment)

The following were just merged and will be releasing in version 2.23.0 of the Terraform AWS Provider, next week:

aws_instance resource ebs_block_device and root_block_device configuration block encryption and kms_key_id arguments

@dannyleesmith
Author

@bflad ah, the phrasing confused me; I read it as those might be properties of the aws_spot_fleet_request resource as they were all on the same bullet point.

I look forward to seeing the changes, thank you very much

@ghost

ghost commented Aug 7, 2019

This has been released in version 2.23.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Nov 1, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 1, 2019