Comments (35)

nunofernandes avatar nunofernandes commented on May 27, 2024 8

This new feature could (untested so far) also help: https://aws.amazon.com/about-aws/whats-new/2019/05/with-a-single-setting-you-can-encrypt-all-new-amazon-ebs-volumes/

It defines a policy (by region) that all new EBS volumes are encrypted by default.

from terraform-aws-ec2-instance.

wenwolf avatar wenwolf commented on May 27, 2024 5

Same need here, we'd like to have root device encrypted, which is supported in AWS, but terraform doesn't let us handle it.

Thanks

hatched-DavidMichon avatar hatched-DavidMichon commented on May 27, 2024 3

Also need it on terraform side

robglarsen avatar robglarsen commented on May 27, 2024 2

The way I have done this before is to use aws_ami_copy. Sample below

resource "aws_ami_copy" "ubuntu-xenial-encrypted-ami" {
  name              = "ubuntu-xenial-encrypted-ami"
  description       = "An encrypted root ami based off ${data.aws_ami.ubuntu-xenial.id}"
  source_ami_id     = "${data.aws_ami.ubuntu-xenial.id}"
  source_ami_region = "eu-west-2"
  # Copy the root snapshot encrypted; without kms_key_id the default aws/ebs key is used.
  encrypted         = true

  tags = {
    Name = "ubuntu-xenial-encrypted-ami"
  }
}

# Look up the copy by the exact name given above. (A filter value of
# "ubuntu-xenial-encrypted" would not match "ubuntu-xenial-encrypted-ami".)
# Note this lookup only succeeds once the copy exists, i.e. after a first apply.
data "aws_ami" "encrypted-ami" {
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu-xenial-encrypted-ami"]
  }

  owners = ["self"]
}

# Canonical's public Xenial AMI, used as the copy source.
data "aws_ami" "ubuntu-xenial" {
  most_recent = true
  owners      = ["099720109477"]

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]
  }
}

Could this be added to the module?

robglarsen avatar robglarsen commented on May 27, 2024 2

Of course, PR #34

antonbabenko avatar antonbabenko commented on May 27, 2024 2

Thanks to @walbalooshi and the rest!

v2.7.0 has been released with support for root and EBS volumes encryption.

Note that this will only work in Terraform 0.12 and Terraform AWS provider starting from version 2.23.0 (see relevant changelog).

antonbabenko avatar antonbabenko commented on May 27, 2024 1

@robglarsen what exactly do you want to have in the module? Your solution is good, but to my mind, it should not be a part of this module.

2solt avatar 2solt commented on May 27, 2024

@tehmaspc The following works for me:

  # module input (Terraform 0.11 style list of maps)
  ebs_block_device = [{
    device_name = "/dev/sdf"
    volume_type = "gp2"
    volume_size = 100
    encrypted   = true
  }]

tehmaspc avatar tehmaspc commented on May 27, 2024

@2solt - awesome! But I'm looking for the main root volume being encrypted as well. I'll update the issue to be more clear. Thanks man!

kwerey avatar kwerey commented on May 27, 2024

@tehmaspc , it looks like Terraform doesn't support encrypting the root volume at a resource level (https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_instance.go#L390).

ebs_block_device definitions do, but root_block_device definitions do not yet. If you've got a requirement for it, it's probably worth making an issue on the AWS provider repo.

robglarsen avatar robglarsen commented on May 27, 2024

Not sure. I guess you could have a setting to do this, or, if you didn't want it in the module, then just something in the docs on how to achieve an encrypted AMI?

antonbabenko avatar antonbabenko commented on May 27, 2024

I like the idea to document it in a readme file very much. Could you send a PR?

Stephan1984 avatar Stephan1984 commented on May 27, 2024

Need this too. But (yet) Amazon does not support launching new Instances from unencrypted AMIs encrypted with a CMK :(
Will try to use @robglarsen's aws_ami_copy workaround.

Update: Images with EC2 BillingProduct codes cannot be copied to another AWS account, so this workaround does not work for Windows AMIs :(

smaslennikov avatar smaslennikov commented on May 27, 2024

Definitely important.

o6uoq avatar o6uoq commented on May 27, 2024

+1

Frearexis avatar Frearexis commented on May 27, 2024

Important one. +1

mgruesen avatar mgruesen commented on May 27, 2024

+1

magnusthorne avatar magnusthorne commented on May 27, 2024

+1

JoshuaEdwards1991 avatar JoshuaEdwards1991 commented on May 27, 2024

+1

kosmoit avatar kosmoit commented on May 27, 2024

The way I have done this before is to use aws_ami_copy. Sample below

resource "aws_ami_copy" "ubuntu-xenial-encrypted-ami" {
  name              = "ubuntu-xenial-encrypted-ami"
  description       = "An encrypted root ami based off ${data.aws_ami.ubuntu-xenial.id}"
  source_ami_id     = "${data.aws_ami.ubuntu-xenial.id}"
  source_ami_region = "eu-west-2"
  # Copy the root snapshot encrypted; without kms_key_id the default aws/ebs key is used.
  encrypted         = true

  tags = {
    Name = "ubuntu-xenial-encrypted-ami"
  }
}

# Look up the copy by the exact name given above. (A filter value of
# "ubuntu-xenial-encrypted" would not match "ubuntu-xenial-encrypted-ami".)
# Note this lookup only succeeds once the copy exists, i.e. after a first apply.
data "aws_ami" "encrypted-ami" {
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu-xenial-encrypted-ami"]
  }

  owners = ["self"]
}

# Canonical's public Xenial AMI, used as the copy source.
data "aws_ami" "ubuntu-xenial" {
  most_recent = true
  owners      = ["099720109477"]

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]
  }
}

Could this be added to the module?

@robglarsen, could you provide an example of how to use the above to launch an EC2 instance and set the subnet/etc./tags?

Here is how I was currently launching EC2s (fails when the root is encrypted):

resource "aws_instance" "example" {
  ami                    = "ami-example"
  instance_type          = "t2.xlarge"
  subnet_id              = "subnet-example"
  vpc_security_group_ids = ["sg-example"]
  key_name               = "example-key"

  user_data = <<-EOF
    #cloud-config
    hostname: example
    fqdn: example.example.com
    manage_etc_hosts: true
  EOF
}

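One way to wire the aws_ami_copy workaround into an instance launch (added example, not code from the thread or the module; Terraform 0.11 syntax to match the snippets above). It assumes the aws_ami_copy resource and data.aws_ami.ubuntu-xenial from robglarsen's comment are in the same configuration; the subnet, security group and key values are placeholders.

```hcl
# Added example. Assumes aws_ami_copy.ubuntu-xenial-encrypted-ami from the
# comment above is declared in this configuration.
resource "aws_instance" "example" {
  # Reference the copy resource directly rather than a data "aws_ami" lookup
  # filtered on the copied image's name: on the first apply the data source is
  # evaluated before the copy exists and fails with no matching AMI, while a
  # direct reference makes Terraform create the copy first.
  ami                    = "${aws_ami_copy.ubuntu-xenial-encrypted-ami.id}"
  instance_type          = "t2.xlarge"
  subnet_id              = "subnet-example"          # placeholder
  vpc_security_group_ids = ["sg-example"]            # placeholder
  key_name               = "example-key"             # placeholder

  # The copied AMI's root snapshot is encrypted, so the root volume created
  # from it is encrypted with the same key; no flag is needed here on
  # pre-2.23.0 providers (which accept none on root_block_device).
  root_block_device {
    volume_type           = "gp2"
    volume_size           = 20
    delete_on_termination = true
  }

  user_data = <<-EOF
    #cloud-config
    hostname: example
    fqdn: example.example.com
    manage_etc_hosts: true
  EOF

  tags = {
    Name = "example"
  }
}
```

After apply, the instance's root volume shows Encrypted = true in the EC2 console or in `aws ec2 describe-volumes`; that is the check that the copy actually took effect.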
kmishra9 avatar kmishra9 commented on May 27, 2024

+1 for me as well

awgraf avatar awgraf commented on May 27, 2024

+1 for me too!

slayer201 avatar slayer201 commented on May 27, 2024

+1 for me

nunofernandes avatar nunofernandes commented on May 27, 2024

The problem with aws_ami_copy scenario is the fact that you can't copy images from the marketplace. It errors out with:

  • InvalidRequest: Images from AWS Marketplace cannot be copied to another AWS account.

I was trying to use the Centos Image from the marketplace and even though the ami from marketplace doesn't cost anything, you can't copy it to your account and make it encrypted.

FernandoMiguel avatar FernandoMiguel commented on May 27, 2024

@nunofernandes I copy images from marketplace just fine.
Amazon Linux 1 and 2 and Ubuntu

I assume CentOS requires an agreement before hand?
Is there a marketplace code for that image?

nunofernandes avatar nunofernandes commented on May 27, 2024

@FernandoMiguel Yes, CentOS requires an agreement and it was "signed" :). I'm able to launch instances from that image (without boot volume encryption).

It's this (in eu-west-1):

data "aws_ami" "centos7" {
  most_recent = true

  filter {
    name   = "name"
    values = ["CentOS Linux 7 x86_64 HVM*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  owners = ["679593333241"] # aws-marketplace
}

FernandoMiguel avatar FernandoMiguel commented on May 27, 2024

I'll try to create a snapshot of it to see if it works.

FernandoMiguel avatar FernandoMiguel commented on May 27, 2024

@nunofernandes
* aws_ami_copy.ami_encrypted: InvalidRequest: Images from AWS Marketplace cannot be copied to another AWS account.

FernandoMiguel avatar FernandoMiguel commented on May 27, 2024

Yep, sounds like not all images can be copied.
Shrug.

jamespatetz avatar jamespatetz commented on May 27, 2024

+1 for this as well, with the ability to do so from marketplace images

k7faq avatar k7faq commented on May 27, 2024

+1 for ability to specify key to encrypt volumes. Various security policies require unique (non-shared) keys (not owned / created automagically by AWS).

  ebs_block_device = {
    device_name           = "/dev/sda1"
    volume_size           = "20"
    volume_type           = "gp2"
    encrypted             = true
    key                   = "my-custom-key"
    delete_on_termination = true
  }

guillermo-menjivar avatar guillermo-menjivar commented on May 27, 2024

+1

bjornrog avatar bjornrog commented on May 27, 2024

https://aws.amazon.com/about-aws/whats-new/2019/05/enable-hibernation-on-ec2-instances-when-launching-with-an-ami-without-an-encrypted-ebs-snapshot/

walbalooshi avatar walbalooshi commented on May 27, 2024

As of version 2.23.0 of the aws provider, the aws_instance resource now supports encrypted and kms_key_id as arguments to the root_block_device configuration block. Additionally, kms_key_id has been added as an argument to the ebs_block_device configuration block, which already supported encrypted previously.

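What the native approach looks like once the provider supports it (added example, not code from the thread or the module). It is Terraform 0.12 syntax and needs AWS provider 2.23.0 or later; the resource names, the t3.micro size and the AMI filter are assumptions, and the customer-managed key addresses the "unique, non-shared key" requirement raised earlier in the thread.

```hcl
# Added example. Requires AWS provider >= 2.23.0 (root_block_device.encrypted
# and kms_key_id). Resource names and sizes are assumptions.
provider "aws" {
  region = "eu-west-1"
}

# Customer-managed key so volumes are not tied to the AWS-managed aws/ebs key.
resource "aws_kms_key" "ebs" {
  description             = "EBS volume encryption for web instances"
  deletion_window_in_days = 30
  enable_key_rotation     = true
}

# Canonical's public Xenial AMI; it stays unencrypted, no aws_ami_copy needed.
data "aws_ami" "ubuntu" {
  most_recent = true
  owners      = ["099720109477"]

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]
  }
}

resource "aws_instance" "web" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = "t3.micro"

  # Root volume encrypted at launch with the CMK (kms_key_id takes the key ARN).
  root_block_device {
    volume_type = "gp2"
    volume_size = 20
    encrypted   = true
    kms_key_id  = aws_kms_key.ebs.arn
  }

  # Additional data volume, same key.
  ebs_block_device {
    device_name = "/dev/sdf"
    volume_type = "gp2"
    volume_size = 100
    encrypted   = true
    kms_key_id  = aws_kms_key.ebs.arn
  }
}
```

Changing encrypted or kms_key_id on an existing root_block_device forces a new instance, so plan for replacement when retrofitting existing hosts.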
github-actions avatar github-actions commented on May 27, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
