Comments (35)
This new feature could (untested so far) also help: https://aws.amazon.com/about-aws/whats-new/2019/05/with-a-single-setting-you-can-encrypt-all-new-amazon-ebs-volumes/
It defines a policy (by region) that all new EBS volumes are encrypted by default.
from terraform-aws-ec2-instance.
Same need here, we'd like to have the root device encrypted, which is supported in AWS, but Terraform doesn't let us handle it.
Thanks
from terraform-aws-ec2-instance.
Also need it on the Terraform side.
from terraform-aws-ec2-instance.
The way I have done this before is to use aws_ami_copy. Sample below
# Copy the public Ubuntu AMI into this account with an encrypted root snapshot.
resource "aws_ami_copy" "ubuntu-xenial-encrypted-ami" {
  name              = "ubuntu-xenial-encrypted-ami"
  description       = "An encrypted root ami based off ${data.aws_ami.ubuntu-xenial.id}"
  source_ami_id     = "${data.aws_ami.ubuntu-xenial.id}"
  source_ami_region = "eu-west-2"
  encrypted         = "true"

  tags {
    Name = "ubuntu-xenial-encrypted-ami"
  }
}

# Look the copied AMI up by name. The "name" filter is a literal match (with * wildcards),
# so it has to be the full name given to the copy above, not a prefix of it.
data "aws_ami" "encrypted-ami" {
  most_recent = true
  owners      = ["self"]

  filter {
    name   = "name"
    values = ["ubuntu-xenial-encrypted-ami"]
  }
}

# Latest public Ubuntu Xenial AMI published by Canonical.
data "aws_ami" "ubuntu-xenial" {
  most_recent = true
  owners      = ["099720109477"]

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]
  }
}
Could this be added to the module?
from terraform-aws-ec2-instance.
Of course PR #34
from terraform-aws-ec2-instance.
Thanks to @walbalooshi and the rest!
v2.7.0 has been released with support for root and EBS volumes encryption.
Note that this will only work in Terraform 0.12 and Terraform AWS provider starting from version 2.23.0 (see relevant changelog).
from terraform-aws-ec2-instance.
@robglarsen what exactly do you want to have in the module? Your solution is good, but to my mind, it should not be a part of this module.
from terraform-aws-ec2-instance.
@tehmaspc The following works for me:
ebs_block_device = [{
  device_name = "/dev/sdf"
  volume_type = "gp2"
  volume_size = 100
  encrypted   = true
}]
from terraform-aws-ec2-instance.
@2solt - awesome! But I'm looking for the main root volume being encrypted as well. I'll update the issue to be more clear. Thanks man!
from terraform-aws-ec2-instance.
@tehmaspc, it looks like Terraform doesn't support encrypting the root volume at a resource level (https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_instance.go#L390). ebs_block_device definitions do, but root_block_device definitions do not yet. If you've got a requirement for it, it's probably worth making an issue on the AWS provider repo.
from terraform-aws-ec2-instance.
Not sure I guess you could have a setting to do this, or if you didn't want it in the module then just something in the docs on how to achieve an encrypted AMI ?
from terraform-aws-ec2-instance.
I like the idea to document it in a readme file very much. Could you send a PR?
from terraform-aws-ec2-instance.
Need this too. But (yet) Amazon does not support launching new instances from unencrypted AMIs encrypted with a CMK :(
Will try to use @robglarsen aws_ami_copy workaround.
Update: Images with EC2 BillingProduct codes cannot be copied to another AWS account, so this workaround does not work for Windows AMIs :(
from terraform-aws-ec2-instance.
Definitely important.
from terraform-aws-ec2-instance.
+1
from terraform-aws-ec2-instance.
Important one. +1
from terraform-aws-ec2-instance.
+1
from terraform-aws-ec2-instance.
+1
from terraform-aws-ec2-instance.
+1
from terraform-aws-ec2-instance.
@robglarsen, could you provide an example of how to use the above to launch an EC2 instance and set the subnet/etc/tags?
Here is how I was currently launching EC2 instances (fails when the root is encrypted):
# No root_block_device block here, so nothing about the root volume (including
# encryption) is controlled by this resource.
resource "aws_instance" "example" {
  ami                    = "ami-example"
  instance_type          = "t2.xlarge"
  subnet_id              = "subnet-example"
  vpc_security_group_ids = ["sg-example"]
  key_name               = "example-key"

  user_data = <<-EOF
    #cloud-config
    hostname: example
    fqdn: example.example.com
    manage_etc_hosts: true
  EOF
}
from terraform-aws-ec2-instance.
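The aws_ami_copy workaround from earlier in the thread, carried through to the aws_instance launch that was asked about above, as an added example in Terraform 0.12 syntax; this is not code from the thread or from the module. It assumes region eu-west-2, creates its own customer-managed KMS key (hypothetical alias "alias/ebs-root"), and uses placeholder subnet, security group and key pair ids. The instance references the copy resource directly instead of looking the AMI up by name, so there is no filter to mismatch and no first-apply ordering problem.

```hcl
# Added example (not from the thread or the module): aws_ami_copy with a CMK,
# then an aws_instance launched from the encrypted copy. Terraform 0.12 syntax.
# Assumptions: region eu-west-2; KMS alias "alias/ebs-root" is hypothetical;
# subnet/security-group/key-pair ids are placeholders.

provider "aws" {
  region = "eu-west-2"
}

# Customer-managed key, so the root snapshot is not under the AWS-managed aws/ebs key.
resource "aws_kms_key" "ebs_root" {
  description         = "CMK for encrypted root volumes"
  enable_key_rotation = true
}

resource "aws_kms_alias" "ebs_root" {
  name          = "alias/ebs-root" # hypothetical alias name
  target_key_id = aws_kms_key.ebs_root.key_id
}

# Latest public Ubuntu Xenial AMI (Canonical owner id, as used in the thread).
data "aws_ami" "ubuntu_xenial" {
  most_recent = true
  owners      = ["099720109477"]

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]
  }
}

# Copy the AMI into this account; the copied root snapshot is encrypted with the CMK.
resource "aws_ami_copy" "ubuntu_xenial_encrypted" {
  name              = "ubuntu-xenial-encrypted-ami"
  description       = "Encrypted copy of ${data.aws_ami.ubuntu_xenial.id}"
  source_ami_id     = data.aws_ami.ubuntu_xenial.id
  source_ami_region = "eu-west-2"
  encrypted         = true
  kms_key_id        = aws_kms_key.ebs_root.arn

  tags = {
    Name = "ubuntu-xenial-encrypted-ami"
  }
}

# Launch from the copy directly: no name lookup, and Terraform orders the copy first.
resource "aws_instance" "example" {
  ami                    = aws_ami_copy.ubuntu_xenial_encrypted.id
  instance_type          = "t2.xlarge"
  subnet_id              = "subnet-EXAMPLE" # placeholder
  vpc_security_group_ids = ["sg-EXAMPLE"]   # placeholder
  key_name               = "example-key"    # placeholder

  user_data = <<-EOF
    #cloud-config
    hostname: example
    fqdn: example.example.com
    manage_etc_hosts: true
  EOF

  tags = {
    Name = "example"
  }
}

# Post-apply check: the copied AMI's block device mapping reports encrypted = true.
output "copied_ami_block_devices" {
  value = aws_ami_copy.ubuntu_xenial_encrypted.ebs_block_device
}
```

As the later comments note, this only works for AMIs that can be copied into your account; Marketplace images and images carrying EC2 BillingProduct codes are rejected with InvalidRequest, so for those the native root_block_device route is the one to use.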
+1 for me as well
from terraform-aws-ec2-instance.
+1 for me too!
from terraform-aws-ec2-instance.
+1 for me
from terraform-aws-ec2-instance.
The problem with aws_ami_copy scenario is the fact that you can't copy images from the marketplace. It errors out with:
- InvalidRequest: Images from AWS Marketplace cannot be copied to another AWS account.
I was trying to use the Centos Image from the marketplace and even though the ami from marketplace doesn't cost anything, you can't copy it to your account and make it encrypted.
from terraform-aws-ec2-instance.
@nunofernandes I copy images from the marketplace just fine.
Amazon Linux 1 and 2 and Ubuntu
I assume CentOS requires an agreement beforehand?
Is there a marketplace code for that image?
from terraform-aws-ec2-instance.
@FernandoMiguel Yes, CentOS requires an agreement and it was "signed" :). I'm able to launch instances from that image (without boot volume encryption).
It's this (in eu-west-1):
data "aws_ami" "centos7" {
  most_recent = true

  filter {
    name   = "name"
    values = ["CentOS Linux 7 x86_64 HVM*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  owners = ["679593333241"] # aws-marketplace
}
from terraform-aws-ec2-instance.
I'll try to create a snapshot of it to see if it works.
from terraform-aws-ec2-instance.
@nunofernandes
* aws_ami_copy.ami_encrypted: InvalidRequest: Images from AWS Marketplace cannot be copied to another AWS account.
from terraform-aws-ec2-instance.
yep sounds like not all images can be copied
shrug
from terraform-aws-ec2-instance.
+1 for this as well, with the ability to do so from marketplace images
from terraform-aws-ec2-instance.
+1 for ability to specify key to encrypt volumes. Various security policies require unique (non-shared) keys (not owned / created automagically by AWS).
ebs_block_device = {
  device_name           = "/dev/sda1"
  volume_size           = "20"
  volume_type           = "gp2"
  encrypted             = true
  key                   = "my-custom-key"
  delete_on_termination = true
}
from terraform-aws-ec2-instance.
+1
from terraform-aws-ec2-instance.
As of version 2.23.0 of the aws provider the aws_instance resource now supports encrypted and kms_key_id as arguments to the root_block_device configuration block. Additionally, kms_key_id has been added as an argument to ebs_block_device configuration block as it already supported encrypted previously.
from terraform-aws-ec2-instance.
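The native route described in the comment above (root_block_device with encrypted and kms_key_id, AWS provider 2.23.0 or later), combined with the account-level "encrypt new EBS volumes by default" setting linked at the top of the thread, as an added example in Terraform 0.12 syntax; it is not code from the thread or the module. It creates its own customer-managed key (hypothetical alias "alias/ebs-default") and uses placeholder subnet and security group ids; the aws_ebs_encryption_by_default and aws_ebs_default_kms_key resources are real provider resources that set the per-region defaults.

```hcl
# Added example (not from the thread or the module): root and data volumes
# encrypted with a customer-managed key via root_block_device / ebs_block_device,
# plus the region-wide default-encryption guardrail. Provider >= 2.23.0, TF 0.12.
# Assumptions: region eu-west-1; KMS alias "alias/ebs-default" is hypothetical;
# subnet/security-group ids are placeholders.

provider "aws" {
  region = "eu-west-1"
}

resource "aws_kms_key" "ebs" {
  description         = "CMK for EBS volumes"
  enable_key_rotation = true
}

resource "aws_kms_alias" "ebs" {
  name          = "alias/ebs-default" # hypothetical alias name
  target_key_id = aws_kms_key.ebs.key_id
}

# Region-wide guardrail: any new volume that does not ask for encryption still
# gets it, and the default key is this CMK rather than the AWS-managed aws/ebs key.
resource "aws_ebs_encryption_by_default" "this" {
  enabled = true
}

resource "aws_ebs_default_kms_key" "this" {
  key_arn = aws_kms_key.ebs.arn
}

# Unencrypted public AMI; encryption is applied at launch, so no AMI copy is needed.
data "aws_ami" "amazon_linux_2" {
  most_recent = true
  owners      = ["amazon"]

  filter {
    name   = "name"
    values = ["amzn2-ami-hvm-*-x86_64-gp2"]
  }
}

resource "aws_instance" "example" {
  ami                    = data.aws_ami.amazon_linux_2.id
  instance_type          = "t3.micro"
  subnet_id              = "subnet-EXAMPLE" # placeholder
  vpc_security_group_ids = ["sg-EXAMPLE"]   # placeholder

  # Root volume encrypted with the CMK. Encryption is fixed at volume creation,
  # so turning this on for an existing instance forces replacement.
  root_block_device {
    volume_type = "gp2"
    volume_size = 20
    encrypted   = true
    kms_key_id  = aws_kms_key.ebs.arn
  }

  # Additional data volume under the same key (the "key" field wished for
  # earlier in the thread is spelled kms_key_id in the provider).
  ebs_block_device {
    device_name           = "/dev/sdf"
    volume_type           = "gp2"
    volume_size           = 100
    encrypted             = true
    kms_key_id            = aws_kms_key.ebs.arn
    delete_on_termination = true
  }

  tags = {
    Name = "encrypted-root-example"
  }
}

# Post-apply check: the root device reports encrypted = true and the CMK ARN.
output "root_block_device" {
  value = aws_instance.example.root_block_device
}
```

Expect `terraform plan` to show "forces replacement" on root_block_device.encrypted when applying this to an instance that already exists unencrypted; there is no in-place path, which is why the account-level default is worth setting before the first apply rather than after.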
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
from terraform-aws-ec2-instance.