
Support encrypted option #6

Closed
tehmaspc opened this issue Nov 13, 2017 · 35 comments

Comments

tehmaspc commented Nov 13, 2017

Need support for root EBS Encrypted devices: https://www.terraform.io/docs/providers/aws/r/instance.html#encrypted

2solt (Contributor) commented Jan 22, 2018

@tehmaspc The following works for me:

```hcl
ebs_block_device = [{
  device_name = "/dev/sdf"
  volume_type = "gp2"
  volume_size = 100
  encrypted   = true
}]
```

tehmaspc (Author) commented:

@2solt - awesome! But I'm looking for the main root volume being encrypted as well. I'll update the issue to be more clear. Thanks man!

kwerey commented Mar 23, 2018

@tehmaspc , it looks like Terraform doesn't support encrypting the root volume at a resource level (https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_instance.go#L390).

ebs_block_device definitions do, but root_block_device definitions do not yet. If you've got a requirement for it, it's probably worth making an issue on the AWS provider repo.

robglarsen (Contributor) commented May 7, 2018

The way I have done this before is to use aws_ami_copy. Sample below:

```hcl
resource "aws_ami_copy" "ubuntu-xenial-encrypted-ami" {
  name              = "ubuntu-xenial-encrypted-ami"
  description       = "An encrypted root ami based off ${data.aws_ami.ubuntu-xenial.id}"
  source_ami_id     = "${data.aws_ami.ubuntu-xenial.id}"
  source_ami_region = "eu-west-2"
  encrypted         = "true"

  tags {
    Name = "ubuntu-xenial-encrypted-ami"
  }
}

data "aws_ami" "encrypted-ami" {
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu-xenial-encrypted"]
  }

  owners = ["self"]
}

data "aws_ami" "ubuntu-xenial" {
  most_recent = true
  owners      = ["099720109477"]

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]
  }
}
```

Could this be added to the module?

antonbabenko (Member) commented:

@robglarsen what exactly do you want to have in the module? Your solution is good, but to my mind, it should not be a part of this module.

robglarsen (Contributor) commented:

Not sure. I guess you could have a setting to do this, or, if you didn't want it in the module, then just something in the docs on how to achieve an encrypted AMI?

antonbabenko (Member) commented:

I like the idea to document it in a readme file very much. Could you send a PR?

robglarsen (Contributor) commented May 8, 2018

Of course: PR #34

wenwolf commented Jul 17, 2018

Same need here: we'd like to have the root device encrypted, which is supported in AWS, but Terraform doesn't let us handle it.

Thanks

hatched-DavidMichon commented:

Also need it on the Terraform side.

Stephan1984 commented Jul 31, 2018

Need this too. But (yet) Amazon does not support launching new instances from unencrypted AMIs encrypted with a CMK :(
Will try to use @robglarsen's aws_ami_copy workaround.

Update: Images with EC2 BillingProduct codes cannot be copied to another AWS account, so this workaround does not work for Windows AMIs :(

smaslennikov commented:

Definitely important.

o6uoq commented Oct 3, 2018

+1

Frearexis commented:

Important one. +1

mgruesen commented:

+1

magnusthorne commented:

+1

JoshuaEdwards1991 commented:

+1

kosmoit commented Dec 11, 2018

> The way I have done this before is to use aws_ami_copy. Sample below:
>
> ```hcl
> resource "aws_ami_copy" "ubuntu-xenial-encrypted-ami" {
>   name              = "ubuntu-xenial-encrypted-ami"
>   description       = "An encrypted root ami based off ${data.aws_ami.ubuntu-xenial.id}"
>   source_ami_id     = "${data.aws_ami.ubuntu-xenial.id}"
>   source_ami_region = "eu-west-2"
>   encrypted         = "true"
>
>   tags {
>     Name = "ubuntu-xenial-encrypted-ami"
>   }
> }
>
> data "aws_ami" "encrypted-ami" {
>   most_recent = true
>
>   filter {
>     name   = "name"
>     values = ["ubuntu-xenial-encrypted"]
>   }
>
>   owners = ["self"]
> }
>
> data "aws_ami" "ubuntu-xenial" {
>   most_recent = true
>   owners      = ["099720109477"]
>
>   filter {
>     name   = "name"
>     values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]
>   }
> }
> ```
>
> Could this be added to the module?

@robglarsen, could you provide an example of how to use the above to launch an EC2 instance and set the subnet/etc./tags?

Here is how I was currently launching EC2 instances (fails when the root is encrypted):

```hcl
resource "aws_instance" "example" {
  ami                    = "ami-example"
  instance_type          = "t2.xlarge"
  subnet_id              = "subnet-example"
  vpc_security_group_ids = ["sg-example"]
  key_name               = "example-key"

  # cloud-init configuration passed to the instance at first boot
  user_data = <<-EOF
    #cloud-config
    hostname: example
    fqdn: example.example.com
    manage_etc_hosts: true
  EOF
}
```

kmishra9 commented Jan 2, 2019

+1 for me as well

awgraf commented Jan 10, 2019

+1 for me too!

slayer201 commented:

+1 for me

nunofernandes commented:

The problem with the aws_ami_copy scenario is the fact that you can't copy images from the marketplace. It errors out with:

```
InvalidRequest: Images from AWS Marketplace cannot be copied to another AWS account.
```

I was trying to use the Centos Image from the marketplace and even though the ami from marketplace doesn't cost anything, you can't copy it to your account and make it encrypted.

FernandoMiguel (Contributor) commented:

@nunofernandes I copy images from the marketplace just fine.
Amazon Linux 1 and 2 and Ubuntu.

I assume CentOS requires an agreement beforehand?
Is there a marketplace code for that image?

nunofernandes commented:

@FernandoMiguel Yes, CentOS requires an agreement and it was "signed" :). I'm able to launch instances from that image (without boot volume encryption).

It's this (in eu-west-1):

```hcl
data "aws_ami" "centos7" {
  most_recent = true

  filter {
    name   = "name"
    values = ["CentOS Linux 7 x86_64 HVM*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  owners = ["679593333241"] # aws-marketplace
}
```

FernandoMiguel (Contributor) commented:

I'll try to create a snapshot of it to see if it works.

FernandoMiguel (Contributor) commented:

@nunofernandes

```
* aws_ami_copy.ami_encrypted: InvalidRequest: Images from AWS Marketplace cannot be copied to another AWS account.
```

FernandoMiguel (Contributor) commented:

Yep, sounds like not all images can be copied.
Shrug.

jamespatetz commented:

+1 for this as well, with the ability to do so from marketplace images

k7faq commented Apr 4, 2019

+1 for ability to specify key to encrypt volumes. Various security policies require unique (non-shared) keys (not owned / created automagically by AWS).

```hcl
ebs_block_device = {
  device_name           = "/dev/sda1"
  volume_size           = "20"
  volume_type           = "gp2"
  encrypted             = true
  key                   = "my-custom-key" # proposed: a customer-managed key for the volume
  delete_on_termination = true
}
```

guillermo-menjivar commented:

+1

nunofernandes commented:

This new feature could (untested so far) also help: https://aws.amazon.com/about-aws/whats-new/2019/05/with-a-single-setting-you-can-encrypt-all-new-amazon-ebs-volumes/

It defines a policy (by region) that all new EBS volumes are encrypted by default.

walbalooshi commented:

As of version 2.23.0 of the aws provider the aws_instance resource now supports encrypted and kms_key_id as arguments to the root_block_device configuration block. Additionally, kms_key_id has been added as an argument to ebs_block_device configuration block as it already supported encrypted previously.

antonbabenko (Member) commented:

Thanks to @walbalooshi and the rest!

v2.7.0 has been released with support for root and EBS volumes encryption.

Note that this will only work in Terraform 0.12 and Terraform AWS provider starting from version 2.23.0 (see relevant changelog).
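The approach the two comments above describe, written out as an added example (not code from this thread or from the module): Terraform 0.12 syntax against the raw aws_instance resource with AWS provider 2.23.0 or later, where the root volume and an extra data volume are both encrypted with a customer-managed KMS key instead of going through an aws_ami_copy. The resource names (`ebs`, `encrypted`), the key alias and the instance size are assumptions; the AMI filter is the one used earlier in the thread.

```hcl
# Added example, not the module's own code. Assumes Terraform 0.12 and
# AWS provider >= 2.23.0 (root_block_device gained encrypted/kms_key_id there).

# Customer-managed key so the volumes are not tied to the AWS-managed default key.
resource "aws_kms_key" "ebs" {
  description         = "CMK for EBS root and data volumes"
  enable_key_rotation = true
}

resource "aws_kms_alias" "ebs" {
  name          = "alias/ebs-volumes" # assumed alias name
  target_key_id = aws_kms_key.ebs.key_id
}

# Same Canonical AMI filter used in the thread; no encrypted AMI copy is needed.
data "aws_ami" "ubuntu_xenial" {
  most_recent = true
  owners      = ["099720109477"]

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]
  }
}

resource "aws_instance" "encrypted" {
  ami           = data.aws_ami.ubuntu_xenial.id
  instance_type = "t3.micro" # assumed

  # Root volume: encrypted at launch with the CMK above.
  root_block_device {
    volume_type = "gp2"
    volume_size = 20
    encrypted   = true
    kms_key_id  = aws_kms_key.ebs.arn
  }

  # Additional data volume, encrypted with the same key.
  ebs_block_device {
    device_name = "/dev/sdf"
    volume_type = "gp2"
    volume_size = 100
    encrypted   = true
    kms_key_id  = aws_kms_key.ebs.arn
  }

  tags = {
    Name = "encrypted-root-example"
  }
}
```

After `terraform apply`, `aws ec2 describe-volumes --filters Name=encrypted,Values=false` is a quick check that none of the instance's volumes were created unencrypted.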

Sebor pushed a commit to Sebor/terraform-aws-ec2-instance that referenced this issue Aug 6, 2020:

> …erraform-aws-modules#124)
>
> * Add encrypted and kms_key_id arguments to the ebs_* and root_* block device configuration blocks
>
> This commit resolves terraform-aws-modules#6
>
> * Updated example to include volume encryption settings
github-actions bot commented Nov 9, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions bot locked as resolved and limited conversation to collaborators Nov 9, 2022