-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for managing ebs default encryption #8760
Comments
Maybe cleaner to have 2 new resources, one for managing the EBS encryption-by-default value and one for managing the default EBS encryption key as there are two distinct sets of EC2 APIs for these? resource "aws_ebs_encryption_by_default" "ebs" {
enabled = true
}
resource "aws_ebs_default_kms_key" "ebs" {
key_id = "${aws_kms_key.default_ebs_key.arn}"
} |
We need this one so I'll take it on if nobody else has started. |
@ewbankkit I haven't started on it. Regarding splitting into 2 resources I would just make it clear in the docs that setting the default key does not actually enable the default encryption. |
It will probably be useful to have data sources for these two as well. I'll open another issue. |
What value would a data source for Adding a data source for the kms key seems very useful and I'd like to work on that at least but could you clarify your thoughts behind adding one for |
@jukie The value would be that subsequent resources could be conditionally created based on the value of |
Two new resources for managing EBS encryption defaults ( |
This has been released in version 2.16.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
Community Note
Description
AWS has released the ability to encrypt all new EBS volumes by default, however it is opt-in. It would be great to be able to manage the related settings in TF.
New or Affected Resource(s)
Proposed new resource:
aws_ebs_encryption_by_default
Potential Terraform Configuration
Both arguments are optional.
Default value for
enabled
is true. Setting it false or destroying the resource will disable EBS encryption by default.Removing the kms_key_id or destroying the resource will reset the KMS key ID to the default EBS key.
References
https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/
The text was updated successfully, but these errors were encountered: