Security Modules 0.74.5Last updated in version 0.74.0

EBS Encryption Multi Region Module

This module wraps the ebs-encryption core module to configure AWS EBS encryption in all enabled regions for the AWS Account.

Features

Enable or disable Elastic Block Storage (EBS) volume encryption by default
Designate a default KMS Customer Managed Key (CMK) for EBS volume encryption

Learn

Note

This repo is a part of the Gruntwork Infrastructure as Code Library, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Infrastructure as Code Library before, make sure to read How to use the Gruntwork Infrastructure as Code Library!

Core concepts

EBS encryption including how default keys and the encryption-by-default settings work.
AWS blog: Opt-in to Default Encryption for New EBS Volumes
How to use a multi-region module

Repo organization

modules: the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules.
codegen: Code generation utilities that help generate modules in this repo.
examples: This folder contains working examples of how to use the submodules.
test: Automated tests for the modules and examples.

Deploy

How to configure a production-grade AWS account structure

Sample Usage

Terraform
Terragrunt

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EBS-ENCRYPTION-MULTI-REGION MODULE
# ------------------------------------------------------------------------------------------------------

module "ebs_encryption_multi_region" {

  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/ebs-encryption-multi-region?ref=v0.74.5"

  # ----------------------------------------------------------------------------------------------------
  # REQUIRED VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # The AWS Account ID the template should be operated on. This avoids
  # misconfiguration errors caused by environment variables.
  aws_account_id = <string>

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # If set to true, all new EBS volumes will have encryption enabled by default
  enable_encryption = true

  # Optional map of region names to KMS keys to use for EBS volume encryption
  # when var.use_existing_kms_keys is enabled.
  kms_key_arns = {}

  # Whether or not to use the existing keys specified in var.kms_key_arns. If
  # false (the default), will use the default aws/ebs key. We need this weird
  # parameter because `count` must be a known value at plan time, so we cannot
  # calculate whether or not to use the key dynamically.
  use_existing_kms_keys = false

}

terragrunt.hcl

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EBS-ENCRYPTION-MULTI-REGION MODULE
# ------------------------------------------------------------------------------------------------------

terraform {
  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/ebs-encryption-multi-region?ref=v0.74.5"
}

inputs = {

  # ----------------------------------------------------------------------------------------------------
  # REQUIRED VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # The AWS Account ID the template should be operated on. This avoids
  # misconfiguration errors caused by environment variables.
  aws_account_id = <string>

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # If set to true, all new EBS volumes will have encryption enabled by default
  enable_encryption = true

  # Optional map of region names to KMS keys to use for EBS volume encryption
  # when var.use_existing_kms_keys is enabled.
  kms_key_arns = {}

  # Whether or not to use the existing keys specified in var.kms_key_arns. If
  # false (the default), will use the default aws/ebs key. We need this weird
  # parameter because `count` must be a known value at plan time, so we cannot
  # calculate whether or not to use the key dynamically.
  use_existing_kms_keys = false

}

Reference

Inputs
Outputs

Required

aws_account_idstringrequired

The AWS Account ID the template should be operated on. This avoids misconfiguration errors caused by environment variables.

Optional

enable_encryptionbooloptional

If set to true, all new EBS volumes will have encryption enabled by default

Default:true

kms_key_arnsmap(string)optional

Optional map of region names to KMS keys to use for EBS volume encryption when use_existing_kms_keys is enabled.

Default:{}

use_existing_kms_keysbooloptional

Whether or not to use the existing keys specified in kms_key_arns. If false (the default), will use the default aws/ebs key. We need this weird parameter because count must be a known value at plan time, so we cannot calculate whether or not to use the key dynamically.

Default:false

aws_ebs_encryption_by_default_enabled

A map from region to a boolean indicating whether or not EBS encryption is enabled by default for each region.

aws_ebs_encryption_default_kms_key

A map from region to the ARN of the KMS key used for default EBS encryption for each region.

Features​

Learn​

Core concepts​

Repo organization​

Deploy​

Sample Usage​

Reference​

Required​

Optional​