Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AWS Feature Release: Encrypt Root Volumes at Launch #8624

Closed
dannyleesmith opened this issue May 14, 2019 · 23 comments · Fixed by #9599
Closed

AWS Feature Release: Encrypt Root Volumes at Launch #8624

dannyleesmith opened this issue May 14, 2019 · 23 comments · Fixed by #9599
Assignees
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/ec2 Issues and PRs that pertain to the ec2 service.
Milestone

Comments

@dannyleesmith
Copy link

dannyleesmith commented May 14, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

AWS have released functionality to launch instances with encrypted root volumes in a single step and some AWS resources will need to be updated to take advantage of this useful feature. According to the release post the SDK's have been updated with these changes so hopefully updates can be made. Some of the AWS documentation, at time of writing, still refer to encrypting unencrypted snapshots at point of use as impossible.

New or Affected Resource(s)

This may not be an exhaustive list:

  • aws_instance (root_block_device map change)
  • aws_launch_configuration (root_block_device map change)
  • aws_launch_template (add option to encrypt AMI volumes and potentially ebs.encrypted can be used with snapshots)
  • aws_spot_fleet_request (perhaps launch_specification, documentation for spot fleet hasn't been updated)
  • aws_ebs_volume (may already work as it doesn't state encrypted won't work with snapshot_id)

Potential Terraform Configuration

# aws_instance

resource "aws_instance" "example" {
  ami = "ami-00000000000000000"
  
  root_block_device {
    [..]
    encrypted = true
  }

  ebs_block_device {
    [..]
    snapshot_id = "snap-00000000000000000"
    encrypted   = true
  }
}

# aws_launch_configuration

resource "aws_launch_configuration" "example" {
  [..]
  encrypted = true
  image_id  = "ami-00000000000000000"
}

# aws_launch_template

resource "aws_launch_template" "example" {
  [..]
  encrypted = true
  image_id  = "ami-00000000000000000"
}

# aws_spot_fleet_request

resource "aws_spot_fleet_request" "example" {
  [..]
  launch_specification {
    ami       = "ami-d06a90b0"
    encrypted = true
  }
}

# aws_ebs_volume

resource "aws_ebs_volume" "example" {
  encrypted   = true
  snapshot_id = snap-00000000000000000
}

References

@dannyleesmith dannyleesmith added the enhancement Requests to existing resources that expand the functionality or scope. label May 14, 2019
@bflad bflad added the service/ec2 Issues and PRs that pertain to the ec2 service. label May 14, 2019
@bfleming-ciena
Copy link

Is there any work-around till support is added in TF?

@dannyleesmith
Copy link
Author

Is there any work-around till support is added in TF?

I guess business-as-usual, @stonefury, so still having to create encrypted root AMI's rather than specifying the encryption at launch. Unless anyone else has any hacky alternatives?

@michaelahern
Copy link
Contributor

Related, would also add this should also include specifying a different kms_key_id.

resource "aws_instance" "example" {
  ami = "ami-00000000000000000"
  
  root_block_device {
    [..]
    encrypted = true
    kms_key_id = "00000000-0000-0000-0000-000000000000"
  }

  ebs_block_device {
    [..]
    snapshot_id = "snap-00000000000000000"
    encrypted   = true
    kms_key_id = "00000000-0000-0000-0000-000000000000"
  }
}

More details at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html

@dayglojesus
Copy link

This is a duplicate of #6246, but 👍 .

@dannyleesmith
Copy link
Author

Hi @dayglojesus, thanks for pointing out that one. Didn't see it and didn't think it would exist given this is a new feature and wasn't possible before now. I'll let the mods decide whether to work from this or the other.

Cheers,

-- Danny

@trj922
Copy link

trj922 commented May 23, 2019

Our server engineer recreated our corporate linux AMI without encrypting the root volume after this feature came out. We really need this!

@dannyleesmith
Copy link
Author

@trj922 in the meantime this release from yesterday may be of interest to you to solve for that problem: https://aws.amazon.com/about-aws/whats-new/2019/05/with-a-single-setting-you-can-encrypt-all-new-amazon-ebs-volumes/

@rmarable
Copy link

Unfortunately that encrypts all EBS volumes within the account which in turn limits the instance types that can be launched:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#EBSEncryption_supported_instances

It would be super helpful if this feature could be made available in the root EBS volume template.

@FernandoMiguel
Copy link
Contributor

@rmarable limits to almost every single instance ehe

@thanura1988
Copy link

need this very badly folks

@FernandoMiguel
Copy link
Contributor

@thanura1988 this is out already.
I've already deployed this yesterday in our accounts

@Nklya
Copy link

Nklya commented Jun 27, 2019

@FernandoMiguel what do you mean?
This issue is still open, linked PRs too. Where it's out?

@FernandoMiguel
Copy link
Contributor

@thanura1988
Copy link

Thanks @FernandoMiguel
this did what i wanted
Eventho its not doing it with "root_block_device", this solves my issue
https://www.terraform.io/docs/providers/aws/r/ebs_encryption_by_default.html

@atiftw
Copy link

atiftw commented Jul 6, 2019

More details here-:

https://aws.amazon.com/blogs/security/how-to-quickly-launch-encrypted-ebs-backed-ec2-instances-from-unencrypted-amis/

I've started working on this,modified resource_aws_instance, will continue with other changes once i get an AWS account where i can try out acceptance tests for other scenarios

@jeroen-nijssen
Copy link

👍 Would like to see this.

@bflad bflad added this to the v2.23.0 milestone Aug 2, 2019
@bflad bflad self-assigned this Aug 2, 2019
bflad added a commit that referenced this issue Aug 2, 2019
…device kms_key_id argument (support encryption on launch)

Reference: #8624

NOTE: No documentation updates because the `launch_specification` argument documentation points to the `aws_instance` resource documentation.

Output from acceptance testing:

```
--- PASS: TestAccAWSSpotFleetRequest_associatePublicIpAddress (270.69s)
--- PASS: TestAccAWSSpotFleetRequest_basic (405.39s)
--- PASS: TestAccAWSSpotFleetRequest_changePriceForcesNewRequest (529.67s)
--- PASS: TestAccAWSSpotFleetRequest_diversifiedAllocation (327.08s)
--- PASS: TestAccAWSSpotFleetRequest_fleetType (261.37s)
--- PASS: TestAccAWSSpotFleetRequest_iamInstanceProfileArn (324.47s)
--- PASS: TestAccAWSSpotFleetRequest_instanceInterruptionBehavior (195.94s)
--- PASS: TestAccAWSSpotFleetRequest_LaunchSpecification_EbsBlockDevice_KmsKeyId (142.16s)
--- PASS: TestAccAWSSpotFleetRequest_LaunchSpecification_RootBlockDevice_KmsKeyId (141.99s)
--- PASS: TestAccAWSSpotFleetRequest_lowestPriceAzInGivenList (334.76s)
--- PASS: TestAccAWSSpotFleetRequest_lowestPriceAzOrSubnetInRegion (260.11s)
--- PASS: TestAccAWSSpotFleetRequest_lowestPriceSubnetInGivenList (262.82s)
--- PASS: TestAccAWSSpotFleetRequest_multipleInstancePools (327.36s)
--- PASS: TestAccAWSSpotFleetRequest_multipleInstanceTypesInSameAz (263.10s)
--- PASS: TestAccAWSSpotFleetRequest_multipleInstanceTypesInSameSubnet (260.47s)
--- PASS: TestAccAWSSpotFleetRequest_overriddingSpotPrice (263.28s)
--- PASS: TestAccAWSSpotFleetRequest_placementTenancy (68.47s)
--- PASS: TestAccAWSSpotFleetRequest_updateExcessCapacityTerminationPolicy (517.31s)
--- PASS: TestAccAWSSpotFleetRequest_updateTargetCapacity (797.62s)
--- PASS: TestAccAWSSpotFleetRequest_withEBSDisk (404.38s)
--- PASS: TestAccAWSSpotFleetRequest_WithELBs (313.70s)
--- PASS: TestAccAWSSpotFleetRequest_withoutSpotPrice (263.82s)
--- PASS: TestAccAWSSpotFleetRequest_withTags (261.37s)
--- PASS: TestAccAWSSpotFleetRequest_WithTargetGroups (429.61s)
--- PASS: TestAccAWSSpotFleetRequest_withWeightedCapacity (334.88s)
```
@bflad
Copy link
Contributor

bflad commented Aug 2, 2019

Hi everyone 👋

The following were previously supported:

  • aws_ebs_default_kms_key resource to set region KMS Key for encyrption for all newly launched volumes
  • aws_ebs_encryption_by_default resource to enable KMS encryption by default for all newly launched volumes
  • aws_ebs_volume resource already supported the encrypted and kms_key_id arguments
  • aws_launch_template resource block_device_mappings ebs configuration block already supported the encrypted and kms_key_id arguments

The following were just merged and will be releasing in version 2.23.0 of the Terraform AWS Provider, next week:

  • aws_instance resource ebs_block_device and root_block_device configuration block encryption and kms_key_id arguments
  • aws_launch_configuration resource root_block_device configuration block encrypted argument

The following were just submitted and likely to also release in version 2.23.0 of the Terraform AWS Provider, next week:

  • aws_spot_fleet_request resource ebs_block_device and root_block_device kms_key_id arguments

Cheers 🎉

wking added a commit to wking/openshift-installer that referenced this issue Aug 5, 2019
Partially reverts 0c370dd (data/aws: Encrypt the AMI used by the
bootstrap and master machines, 2019-02-22, openshift#1296).  This isn't a clean
revert; for example, I left the ability to destroy images which are
tagged as owned by the cluster.  And we're still copy-and-encrypting
for the bootstrap machine and control-plane machines until the AWS
Terraform provider supports requesting encrypted root volumes [1].
But with this commit, we're now documenting the encryption in a way
that covers both the previous AMI-based encryption used for
bootstrap/control-plane and the new root-volume-based encryption used
for the compute machines, because they come down to encrypted root
volumes regardless of their approach.

[1]: hashicorp/terraform-provider-aws#8624
@bflad
Copy link
Contributor

bflad commented Aug 7, 2019

Hi again 👋

This functionality was also just merged:

  • aws_spot_fleet_request resource ebs_block_device and root_block_device kms_key_id arguments

We should be releasing version 2.23.0 of the Terraform AWS Provider in the next day or two. 👍

@dannyleesmith
Copy link
Author

@bflad are we sure everything this issue requested has been resolved? As one example, looking at aws_instance I see no option to set encryption on a root volume that may not be encrypted at the AMI level.

@bflad
Copy link
Contributor

bflad commented Aug 7, 2019

@dannyleesmith #8624 (comment)

The following were just merged and will be releasing in version 2.23.0 of the Terraform AWS Provider, next week:

aws_instance resource ebs_block_device and root_block_device configuration block encryption and kms_key_id arguments

@dannyleesmith
Copy link
Author

@bflad ah the phrasing confused me, I read it as those might be properties of the aws_spot_fleet_request resource as they were all on the same bullet point

I look forward to seeing the changes, thank you very much

@ghost
Copy link

ghost commented Aug 7, 2019

This has been released in version 2.23.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost
Copy link

ghost commented Nov 1, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 1, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/ec2 Issues and PRs that pertain to the ec2 service.
Projects
None yet
13 participants