Feature request: specify KMS key for EBS encryption in aws_launch_configuration #13299

Closed
thirstycat opened this issue Apr 3, 2017 · 4 comments

Comments

@thirstycat

thirstycat commented Apr 3, 2017

Currently within an aws_launch_configuration resource, I can specify:

```hcl
ebs_block_device {
  device_name = "/dev/xvdcz"
  volume_type = "gp2"
  volume_size = 300
  encrypted   = true
}
```

to encrypt an attached EBS volume, but there does not appear to be any way to specify a particular customer-managed key using the kms_key_id parameter as with RDS.

I would like to be able to specify a particular key for EBS volume encryption within a launch configuration.

@snicko

snicko commented Apr 8, 2017

Would be interested in that as well. We have a use case for having distinct KMS keys for different instance types. We can currently manage that with some trickery involving aws_ebs_volume and aws_volume_attachment. Having the ability to support a specific KMS key within ebs_block_device would be much preferred.

Would be even more awesome if we could do the same for root_block_device as well

@clintjedwards

Just wanted to add a little bit of color here for anyone curious about why the aws_ebs_volume resource has a function to encrypt with a certain kms key but the aws_instance resource does not.

After doing a little bit of research, it seems like the culprit is the AWS API.

The most straightforward way to create an instance (along with extra volumes attached) with the AWS API is to use the RunInstances action. This action takes a BlockDeviceMapping data type, and that takes an EbsBlockDevice. AWS doesn't seem to allow a way to specify a kms_key_id if you're using this data type. So in short, there is no real way to do it at the time of calling RunInstances.

I'm sure most people have figured out that you can just create the EBS volume separately (the CreateVolume endpoint accommodates kms_key_ids) and attach it to the created instance as a way around:

```hcl
resource "aws_ebs_volume" "example_volume" {
  availability_zone = "us-west-1a"
  size              = 250
  type              = "gp2"
  encrypted         = true
  kms_key_id        = "${var.kms_key_id}"

  tags {
    Name = "example machine"
  }
}

resource "aws_volume_attachment" "example_attach" {
  device_name = "/dev/sdf"
  volume_id   = "${aws_ebs_volume.example_volume.id}"
  instance_id = "${aws_instance.example_instance.id}"
}
```

But it's not exactly the most succinct code for a single instance.

I'm pretty new, so not sure what an acceptable workaround programmatically would be. Probably would be better to just wait on a possible AWS addition to the API (not sure what AWS thinks about this or if it's on their roadmap). Implementing from the Terraform side of things would probably mean a refactor to instead run a create volume action before the run instances action and then automagically attaching after the instance is available. Which, imo, would be an ugly one-off.
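A check worth running alongside the workaround above: confirm that the volumes on a running instance actually ended up under the intended customer-managed key. With `encrypted = true` and no `kms_key_id`, EBS falls back to the account's default `aws/ebs` key, so the volume is encrypted but not with the key the policy intended. The following Python is an added example, not code from this thread or from the Terraform AWS provider. It works on the shape of an EC2 `DescribeVolumes` response, so it runs on the constructed sample below without AWS access; `audit_instance` assumes a boto3 EC2 client is passed in. All instance, volume and key identifiers are made up for illustration.

```python
"""Audit the EBS volumes attached to an EC2 instance for use of a specific KMS key.

Added example for the issue above; not code from the thread or from the
Terraform AWS provider. Operates on the shape of an EC2 DescribeVolumes
response, so it can be exercised on the constructed sample below offline, or
pointed at a live boto3 EC2 client via audit_instance().
"""
from typing import Dict, List, Optional

# Hypothetical identifiers, for illustration only.
EXPECTED_KEY_ARN = (
    "arn:aws:kms:us-west-1:111122223333:key/"
    "1234abcd-12ab-34cd-56ef-1234567890ab"
)
DEFAULT_EBS_KEY_ARN = (
    "arn:aws:kms:us-west-1:111122223333:key/"
    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
)

# Constructed sample mimicking describe_volumes(...)["Volumes"] for one instance.
# vol-0bbbb is what `encrypted = true` without `kms_key_id` produces: encrypted,
# but under the account's default aws/ebs key rather than the intended CMK.
SAMPLE_VOLUMES: List[Dict] = [
    {"VolumeId": "vol-0aaaa", "Encrypted": True, "KmsKeyId": EXPECTED_KEY_ARN,
     "Attachments": [{"Device": "/dev/sdf", "InstanceId": "i-0123456789abcdef0"}]},
    {"VolumeId": "vol-0bbbb", "Encrypted": True, "KmsKeyId": DEFAULT_EBS_KEY_ARN,
     "Attachments": [{"Device": "/dev/xvda", "InstanceId": "i-0123456789abcdef0"}]},
    {"VolumeId": "vol-0cccc", "Encrypted": False,
     "Attachments": [{"Device": "/dev/xvdcz", "InstanceId": "i-0123456789abcdef0"}]},
]


def key_id_of(key_ref: Optional[str]) -> Optional[str]:
    """Reduce a KMS key ARN or bare key id to the key id.

    DescribeVolumes reports the full key ARN, while a Terraform config often
    holds a bare key id. Aliases (arn:...:alias/name) are NOT resolved here;
    look them up with kms describe_key before calling audit_volumes.
    """
    if not key_ref:
        return None
    return key_ref.rsplit("/", 1)[-1]


def audit_volumes(volumes: List[Dict], expected_key: str) -> List[Dict]:
    """Return one finding per volume that is unencrypted or uses a different key."""
    wanted = key_id_of(expected_key)
    findings = []
    for vol in volumes:
        attachments = vol.get("Attachments") or []
        device = attachments[0].get("Device") if attachments else None
        if not vol.get("Encrypted"):
            reason = "not encrypted"
        elif key_id_of(vol.get("KmsKeyId")) != wanted:
            reason = "encrypted with {} instead of expected key".format(vol.get("KmsKeyId"))
        else:
            continue
        findings.append({"volume_id": vol["VolumeId"], "device": device, "reason": reason})
    return findings


def audit_instance(ec2_client, instance_id: str, expected_key: str) -> List[Dict]:
    """Live variant: ec2_client is assumed to be a boto3 EC2 client (not imported here)."""
    volumes: List[Dict] = []
    paginator = ec2_client.get_paginator("describe_volumes")
    pages = paginator.paginate(
        Filters=[{"Name": "attachment.instance-id", "Values": [instance_id]}]
    )
    for page in pages:
        volumes.extend(page["Volumes"])
    return audit_volumes(volumes, expected_key)


if __name__ == "__main__":
    for finding in audit_volumes(SAMPLE_VOLUMES, EXPECTED_KEY_ARN):
        print("{volume_id} ({device}): {reason}".format(**finding))
```

On the sample data the root volume (`/dev/xvda`) is flagged for using the default key and `/dev/xvdcz` for being unencrypted, which is exactly the gap the issue describes: the launch configuration can ask for encryption, but not for which key, so the only place the key choice can be verified is on the resulting volumes.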

@ghost

ghost commented Mar 29, 2019

@ghost

ghost commented Aug 13, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Aug 13, 2019