-
Notifications
You must be signed in to change notification settings - Fork 9.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AWS Feature Release: Encrypt Root Volumes at Launch #8624
Comments
Is there any work-around till support is added in TF? |
I guess business-as-usual, @stonefury, so still having to create encrypted root AMI's rather than specifying the encryption at launch. Unless anyone else has any hacky alternatives? |
Related, would also add this should also include specifying a different kms_key_id.
More details at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html |
This is a duplicate of #6246, but 👍 . |
Hi @dayglojesus, thanks for pointing out that one. Didn't see it and didn't think it would exist given this is a new feature and wasn't possible before now. I'll let the mods decide whether to work from this or the other. Cheers, -- Danny |
Our server engineer recreated our corporate linux AMI without encrypting the root volume after this feature came out. We really need this! |
@trj922 in the meantime this release from yesterday may be of interest to you to solve for that problem: https://aws.amazon.com/about-aws/whats-new/2019/05/with-a-single-setting-you-can-encrypt-all-new-amazon-ebs-volumes/ |
Unfortunately that encrypts all EBS volumes within the account which in turn limits the instance types that can be launched: It would be super helpful if this feature could be made available in the root EBS volume template. |
@rmarable limits to almost every single instance ehe |
need this very badly folks |
@thanura1988 this is out already. |
@FernandoMiguel what do you mean? |
@Nklya https://github.com/terraform-providers/terraform-provider-aws/blob/master/CHANGELOG.md#2160-june-20-2019
|
Thanks @FernandoMiguel |
More details here-: I've started working on this,modified resource_aws_instance, will continue with other changes once i get an AWS account where i can try out acceptance tests for other scenarios |
👍 Would like to see this. |
…device kms_key_id argument (support encryption on launch) Reference: #8624 NOTE: No documentation updates because the `launch_specification` argument documentation points to the `aws_instance` resource documentation. Output from acceptance testing: ``` --- PASS: TestAccAWSSpotFleetRequest_associatePublicIpAddress (270.69s) --- PASS: TestAccAWSSpotFleetRequest_basic (405.39s) --- PASS: TestAccAWSSpotFleetRequest_changePriceForcesNewRequest (529.67s) --- PASS: TestAccAWSSpotFleetRequest_diversifiedAllocation (327.08s) --- PASS: TestAccAWSSpotFleetRequest_fleetType (261.37s) --- PASS: TestAccAWSSpotFleetRequest_iamInstanceProfileArn (324.47s) --- PASS: TestAccAWSSpotFleetRequest_instanceInterruptionBehavior (195.94s) --- PASS: TestAccAWSSpotFleetRequest_LaunchSpecification_EbsBlockDevice_KmsKeyId (142.16s) --- PASS: TestAccAWSSpotFleetRequest_LaunchSpecification_RootBlockDevice_KmsKeyId (141.99s) --- PASS: TestAccAWSSpotFleetRequest_lowestPriceAzInGivenList (334.76s) --- PASS: TestAccAWSSpotFleetRequest_lowestPriceAzOrSubnetInRegion (260.11s) --- PASS: TestAccAWSSpotFleetRequest_lowestPriceSubnetInGivenList (262.82s) --- PASS: TestAccAWSSpotFleetRequest_multipleInstancePools (327.36s) --- PASS: TestAccAWSSpotFleetRequest_multipleInstanceTypesInSameAz (263.10s) --- PASS: TestAccAWSSpotFleetRequest_multipleInstanceTypesInSameSubnet (260.47s) --- PASS: TestAccAWSSpotFleetRequest_overriddingSpotPrice (263.28s) --- PASS: TestAccAWSSpotFleetRequest_placementTenancy (68.47s) --- PASS: TestAccAWSSpotFleetRequest_updateExcessCapacityTerminationPolicy (517.31s) --- PASS: TestAccAWSSpotFleetRequest_updateTargetCapacity (797.62s) --- PASS: TestAccAWSSpotFleetRequest_withEBSDisk (404.38s) --- PASS: TestAccAWSSpotFleetRequest_WithELBs (313.70s) --- PASS: TestAccAWSSpotFleetRequest_withoutSpotPrice (263.82s) --- PASS: TestAccAWSSpotFleetRequest_withTags (261.37s) --- PASS: TestAccAWSSpotFleetRequest_WithTargetGroups (429.61s) --- PASS: TestAccAWSSpotFleetRequest_withWeightedCapacity (334.88s) ```
Hi everyone 👋 The following were previously supported:
The following were just merged and will be releasing in version 2.23.0 of the Terraform AWS Provider, next week:
The following were just submitted and likely to also release in version 2.23.0 of the Terraform AWS Provider, next week:
Cheers 🎉 |
Partially reverts 0c370dd (data/aws: Encrypt the AMI used by the bootstrap and master machines, 2019-02-22, openshift#1296). This isn't a clean revert; for example, I left the ability to destroy images which are tagged as owned by the cluster. And we're still copy-and-encrypting for the bootstrap machine and control-plane machines until the AWS Terraform provider supports requesting encrypted root volumes [1]. But with this commit, we're now documenting the encryption in a way that covers both the previous AMI-based encryption used for bootstrap/control-plane and the new root-volume-based encryption used for the compute machines, because they come down to encrypted root volumes regardless of their approach. [1]: hashicorp/terraform-provider-aws#8624
Hi again 👋 This functionality was also just merged:
We should be releasing version 2.23.0 of the Terraform AWS Provider in the next day or two. 👍 |
@bflad are we sure everything this issue requested has been resolved? As one example, looking at aws_instance I see no option to set encryption on a root volume that may not be encrypted at the AMI level. |
@dannyleesmith #8624 (comment)
|
@bflad ah the phrasing confused me, I read it as those might be properties of the I look forward to seeing the changes, thank you very much |
This has been released in version 2.23.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
Community Note
Description
AWS have released functionality to launch instances with encrypted root volumes in a single step and some AWS resources will need to be updated to take advantage of this useful feature. According to the release post the SDK's have been updated with these changes so hopefully updates can be made. Some of the AWS documentation, at time of writing, still refer to encrypting unencrypted snapshots at point of use as impossible.
New or Affected Resource(s)
This may not be an exhaustive list:
root_block_device
map change)root_block_device
map change)ebs.encrypted
can be used with snapshots)launch_specification
, documentation for spot fleet hasn't been updated)encrypted
won't work withsnapshot_id
)Potential Terraform Configuration
References
The text was updated successfully, but these errors were encountered: