Add support for managing ebs default encryption

[devonbleak]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

AWS has released the ability to encrypt all new EBS volumes by default, however it is opt-in. It would be great to be able to manage the related settings in TF.

New or Affected Resource(s)

Proposed new resource: aws_ebs_encryption_by_default

Potential Terraform Configuration

resource "aws_ebs_encryption_by_default" "ebs" {
  enabled    = true
  kms_key_id = "${aws_kms_key.default_ebs_key.arn}"
}

Both arguments are optional.

Default value for enabled is true. Setting it false or destroying the resource will disable EBS encryption by default.

Removing the kms_key_id or destroying the resource will reset the KMS key ID to the default EBS key.

References

https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/

[ewbankkit]

Requires:

• Update module aws/aws-sdk-go to v1.19.37 #8758

[ewbankkit]

Maybe cleaner to have 2 new resources, one for managing the EBS encryption-by-default value and one for managing the default EBS encryption key as there are two distinct sets of EC2 APIs for these?
e.g.

resource "aws_ebs_encryption_by_default" "ebs" {
  enabled = true
}

resource "aws_ebs_default_kms_key" "ebs" {
  key_id = "${aws_kms_key.default_ebs_key.arn}"
}

[ewbankkit]

We need this one so I'll take it on if nobody else has started.

[devonbleak]

@ewbankkit I haven't started on it.

Regarding splitting into 2 resources I would just make it clear in the docs that setting the default key does not actually enable the default encryption.

[ewbankkit]

It will probably be useful to have data sources for these two as well. I'll open another issue.

[jukie]

What value would a data source for aws_ebs_encryption_by_default add and what would the potential parameters be?

Adding a data source for the kms key seems very useful and I'd like to work on that at least but could you clarify your thoughts behind adding one for aws_ebs_encryption_by_default @ewbankkit ?

[ewbankkit]

@jukie The value would be that subsequent resources could be conditionally created based on the value of "${data.aws_ebs_encryption_by_default.ebs.enabled}".

[bflad]

Two new resources for managing EBS encryption defaults (aws_ebs_default_kms_key and
aws_ebs_encryption_by_default) have been merged and will release with version 2.16.0 of the Terraform AWS Provider, likely tomorrow. 👍 Thanks to @ewbankkit!

[bflad]

This has been released in version 2.16.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!