Add the ability to encrypt root_block_device in aws_launch_configuration

[joestump]

Refs #6246
Refs #8624

Changes proposed in this pull request:

• Adds the encrypted attribute to the root_block_device on aws_launch_configuration.

NOTE: It appears KmsKeyId is not supported by this API.

Output from acceptance testing:

==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./... -v -parallel 20 -run=TestAccAWSLaunchConfiguration_encryptedRootBlockDevice -timeout 120m
?   	github.com/terraform-providers/terraform-provider-aws	[no test files]
=== RUN   TestAccAWSLaunchConfiguration_encryptedRootBlockDevice
=== PAUSE TestAccAWSLaunchConfiguration_encryptedRootBlockDevice
=== CONT  TestAccAWSLaunchConfiguration_encryptedRootBlockDevice
--- PASS: TestAccAWSLaunchConfiguration_encryptedRootBlockDevice (34.95s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	36.220s

[bflad]

The API documentation for this parameter is pretty confusing 😅

Specifies whether the volume should be encrypted. Encrypted EBS volumes must be attached to instances that support Amazon EBS encryption. Volumes that are created from encrypted snapshots are automatically encrypted. There is no way to create an encrypted volume from an unencrypted snapshot or an unencrypted volume from an encrypted snapshot. If your AMI uses encrypted volumes, you can only launch it on supported instance types. For more information, see Amazon EBS Encryption in the Amazon EC2 User Guide for Linux Instances.

Are we sure this actually does anything for unencrypted root block devices to encrypt them? It might be worth spinning this up in an autoscaling group and verifying. We've seen this a bunch with EC2 Launch Templates where the template will create but its actual usage will cause an error.

[joestump]

Are we sure this actually does anything for unencrypted root block devices to encrypt them?

It will definitely not do this. This only works if the instance type supports it. If you're using a snapshot, it must be encrypted. Also, like I said no KMS support so it'll be encrypted with your aws/ebs key. I suspect if you provide an unencrypted snapshot or an instance type that doesn't support encryption, you'd end up with ASG errors.

I'll run a more manual test and report back. I did verify in the console that aws_instance works as advertised. Presumably with the right instance type and no snapshot, you'd be good to go.

[jhmartin]

If you're using a snapshot, it must be encrypted.

https://aws.amazon.com/about-aws/whats-new/2019/05/launch-encrypted-ebs-backed-ec2-instances-from-unencrypted-amis-in-a-single-step/ may have changed that

[atiftw]

Yep - AWS now allows you to launch instances with encrypted root block devices from amis with unencrypted ones.Also supports adding a KMS key, i can add support for the latter once this is merged to master.We need this badly.

More documentation here-:
https://aws.amazon.com/blogs/security/how-to-quickly-launch-encrypted-ebs-backed-ec2-instances-from-unencrypted-amis/

Edit-:
Sadly, the AWS GO SDK does not support passing the kms key id yet.Opened a feature request.

[hankhan425]

Can we have this merged now and create a new PR for supporting KMS key ID once that feature is in?

[bflad]

Thanks so much for this, @joestump 🚀 Only change on merge was switching from Default: false to Computed: true just to prevent any oddities with existing Terraform configurations.

Output from acceptance testing:

--- PASS: TestAccAWSLaunchConfiguration_importBasic (15.77s)
--- PASS: TestAccAWSLaunchConfiguration_withSpotPrice (16.30s)
--- PASS: TestAccAWSLaunchConfiguration_withBlockDevices (18.98s)
--- PASS: TestAccAWSLaunchConfiguration_ebs_noDevice (19.10s)
--- PASS: TestAccAWSLaunchConfiguration_withEncryption (19.28s)
--- PASS: TestAccAWSLaunchConfiguration_withIAMProfile (30.49s)
--- PASS: TestAccAWSLaunchConfiguration_basic (31.32s)
--- PASS: TestAccAWSLaunchConfiguration_encryptedRootBlockDevice (31.67s)
--- PASS: TestAccAWSLaunchConfiguration_updateEbsBlockDevices (32.94s)
--- PASS: TestAccAWSLaunchConfiguration_updateRootBlockDevice (33.81s)
--- PASS: TestAccAWSLaunchConfiguration_userData (34.58s)
--- PASS: TestAccAWSLaunchConfiguration_withVpcClassicLink (42.25s)

[ghost]

This has been released in version 2.23.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[jc-asdf]

NOTE - this seems to have broken the instance store case.

When creating an instance-store launch template, it fails with:

Error: Error applying plan:

1 error occurred:
	* aws_launch_configuration.yes_i_used_an_instance_store_ami: 1 error occurred:
	* aws_launch_configuration.yes_i_used_an_instance_store_ami: Instance store backed AMIs do not provide a root device name - Use an EBS AMI

EDIT - full issue in #9775

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!