Skip to main content
Security Modules 0.75.0Last updated in version 0.74.0

Elastic Block Storage Encryption

View Source Release Notes

This module configures EC2 Elastic Block Storage encryption defaults, allowing encryption to be enabled for all new EBS volumes and selection of a KMS Customer Managed Key to use by default.

This module is not meant to be used directly. Instead, it's used under the hood in the account-baseline-* modules. Please see those modules for more information.

Background Information

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EBS-ENCRYPTION MODULE
# ------------------------------------------------------------------------------------------------------

module "ebs_encryption" {

source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/ebs-encryption?ref=v0.75.0"

# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------

# Set to false to have this module skip creating resources. This weird
# parameter exists solely because Terraform does not support conditional
# modules. Therefore, this is a hack to allow you to conditionally decide if
# the resources in this module should be created or not.
create_resources = false

# If set to true, all new EBS volumes will have encryption enabled by default
enable_encryption = true

# Optional KMS key ARN used for EBS volume encryption when
# var.use_existing_kms_key is true.
kms_key_arn = null

# Whether or not to use the existing key specified in var.kms_key_arn. We need
# this weird parameter because `count` must be a known value at plan time, so
# we cannot calculate whether or not to use the key dynamically.
use_existing_kms_key = false

}


Reference

Optional

create_resourcesbooloptional

Set to false to have this module skip creating resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if the resources in this module should be created or not.

false
enable_encryptionbooloptional

If set to true, all new EBS volumes will have encryption enabled by default

true
kms_key_arnstringoptional

Optional KMS key ARN used for EBS volume encryption when use_existing_kms_key is true.

null

Whether or not to use the existing key specified in kms_key_arn. We need this weird parameter because count must be a known value at plan time, so we cannot calculate whether or not to use the key dynamically.

false