EBS default encryption

[ewbankkit]

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Fixes #8760.

Release note for CHANGELOG:

FEATURES:

* New Resource: `aws_ebs_encryption_by_default`
* New Resource: `aws_ebs_default_kms_key`

Output from acceptance testing:

$ make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSEBSEncryptionByDefault_'==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -parallel 20 -run=TestAccAWSEBSEncryptionByDefault_ -timeout 120m
=== RUN   TestAccAWSEBSEncryptionByDefault_basic
=== PAUSE TestAccAWSEBSEncryptionByDefault_basic
=== CONT  TestAccAWSEBSEncryptionByDefault_basic
--- PASS: TestAccAWSEBSEncryptionByDefault_basic (24.04s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	24.079s
$ make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSEBSDefaultKmsKey_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -parallel 20 -run=TestAccAWSEBSDefaultKmsKey_ -timeout 120m
=== RUN   TestAccAWSEBSDefaultKmsKey_basic
=== PAUSE TestAccAWSEBSDefaultKmsKey_basic
=== CONT  TestAccAWSEBSDefaultKmsKey_basic
--- PASS: TestAccAWSEBSDefaultKmsKey_basic (56.43s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	56.464s

[bflad]

Thanks for this @ewbankkit! Overall nice work. Please reach out if you have any questions or do not have time for the items. 😄

[bflad]

Since the API requires the ARN instead of just the ID, it seems like we should prefer to naming this more clearly (even though its slightly off from the API itself 👍 )

Suggested change

	"key_id": {
	"key_arn": {

[bflad]

Should we set this to the key ARN/ID instead of a random identifier so its usable in downstream resources? 😄

[ewbankkit]

Currently we are allowing the ARN to change and doing a resource update - If we go with using the ARN as the ID then we need to add ForceNew: true to the key_arn attribute and remove resourceAwsEbsDefaultKmsKeyUpdate(). IMHO this is actually a better way of modeling the resource.

[bflad]

We should add import support from the get-go, e.g. via the key ARN as the ID 🚀

Importer: &schema.ResourceImporter{
	State: schema.ImportStatePassthrough,
},

In the testing:

{
	ResourceName:      resourceName,
	ImportState:       true,
	ImportStateVerify: true,
},

And the documentation:

## Import

EBS Default KMS Key can be imported with the KMS Key ARN, e.g.

```console
$ terraform import aws_ebs_default_kms_key.example arn:aws:kms:us-east-1:123456789012:key/abcd-1234
```

[ewbankkit]

Since resourceAwsEbsDefaultKmsKeyRead() doesn't actually use the resource's ID for the AWS API call (there's a single default EBS CMK per region per account) do we want to check that the KMS key ARN passed to terraform import is really the current default EBS CMK?

[ewbankkit]

If the Terraform code corresponding to the imported resource has the same key_arn value as the ARN passed to terraform import then I think that having ForceNew on the key_arn attribute will cause the resource to be recreated.

[bflad]

Nice!

[bflad]

Is it worth having this function do the inverse of the destroy check?

[bflad]

If we are going to do nothing in the Delete function, this can use schema.Noop instead of a custom function.

Suggested change

	Delete: resourceAwsEbsEncryptionByDefaultDelete,
	Delete: schema.Noop,

The documentation in that case should also explicitly state that it is only removing Terraform's management of the setting.

Instead of an empty Delete function though, I think a better user experience would be do disable encryption when this resource is removed. 👍

[bflad]

If the Delete function is to remain empty, can you please add an explicit CheckDestroy: nil, to this TestCase?

Ideally though, this resource seems like it should enable encryption by default when its added and disable encryption when its removed. The CheckDestroy in that case would verify that encryption is disabled. 😄

[bflad]

💯

[ewbankkit]

Review comments addressed.
Re-ran acceptance tests:

$ make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSEBSEncryptionByDefault_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -parallel 20 -run=TestAccAWSEBSEncryptionByDefault_ -timeout 120m
=== RUN   TestAccAWSEBSEncryptionByDefault_basic
=== PAUSE TestAccAWSEBSEncryptionByDefault_basic
=== CONT  TestAccAWSEBSEncryptionByDefault_basic
--- PASS: TestAccAWSEBSEncryptionByDefault_basic (25.52s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	25.542s
$ make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSEBSDefaultKmsKey_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -parallel 20 -run=TestAccAWSEBSDefaultKmsKey_ -timeout 120m
=== RUN   TestAccAWSEBSDefaultKmsKey_basic
=== PAUSE TestAccAWSEBSDefaultKmsKey_basic
=== CONT  TestAccAWSEBSDefaultKmsKey_basic
--- PASS: TestAccAWSEBSDefaultKmsKey_basic (46.26s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	46.284s

[bflad]

Looks great, thanks so much, @ewbankkit 🚀

--- PASS: TestAccAWSEBSEncryptionByDefault_basic (15.29s)
--- PASS: TestAccAWSEBSDefaultKmsKey_basic (40.03s)

[bflad]

This has been released in version 2.16.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!