Elastic Block Storage Encryption
This module configures EC2 Elastic Block Storage encryption defaults, allowing encryption to be enabled for all new EBS volumes and selection of a KMS Customer Managed Key to use by default.
This module is not meant to be used directly. Instead, it's used under the hood in the account-baseline-* modules. Please see those modules for more information.
Background Information
- EBS encryption including how default keys and the encryption-by-default settings work.
- AWS blog: Opt-in to Default Encryption for New EBS Volumes
Sample Usage
- Terraform
- Terragrunt
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EBS-ENCRYPTION MODULE
# ------------------------------------------------------------------------------------------------------
module "ebs_encryption" {
source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/ebs-encryption?ref=v0.75.0"
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# Set to false to have this module skip creating resources. This weird
# parameter exists solely because Terraform does not support conditional
# modules. Therefore, this is a hack to allow you to conditionally decide if
# the resources in this module should be created or not.
create_resources = false
# If set to true, all new EBS volumes will have encryption enabled by default
enable_encryption = true
# Optional KMS key ARN used for EBS volume encryption when
# var.use_existing_kms_key is true.
kms_key_arn = null
# Whether or not to use the existing key specified in var.kms_key_arn. We need
# this weird parameter because `count` must be a known value at plan time, so
# we cannot calculate whether or not to use the key dynamically.
use_existing_kms_key = false
}
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EBS-ENCRYPTION MODULE
# ------------------------------------------------------------------------------------------------------
terraform {
source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/ebs-encryption?ref=v0.75.0"
}
inputs = {
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# Set to false to have this module skip creating resources. This weird
# parameter exists solely because Terraform does not support conditional
# modules. Therefore, this is a hack to allow you to conditionally decide if
# the resources in this module should be created or not.
create_resources = false
# If set to true, all new EBS volumes will have encryption enabled by default
enable_encryption = true
# Optional KMS key ARN used for EBS volume encryption when
# var.use_existing_kms_key is true.
kms_key_arn = null
# Whether or not to use the existing key specified in var.kms_key_arn. We need
# this weird parameter because `count` must be a known value at plan time, so
# we cannot calculate whether or not to use the key dynamically.
use_existing_kms_key = false
}
Reference
- Inputs
- Outputs
Optional
create_resources
boolSet to false to have this module skip creating resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if the resources in this module should be created or not.
false
If set to true, all new EBS volumes will have encryption enabled by default
true
kms_key_arn
stringOptional KMS key ARN used for EBS volume encryption when use_existing_kms_key
is true.
null
Whether or not to use the existing key specified in kms_key_arn
. We need this weird parameter because count
must be a known value at plan time, so we cannot calculate whether or not to use the key dynamically.
false
Whether or not EBS volume encryption is enabled by default.
The default KMS key used for EBS encryption.