Skip to main content
Security Modules 0.71.0Last updated in version 0.70.0

EBS Encryption Multi Region Module

View SourceRelease Notes

This module wraps the ebs-encryption core module to configure AWS EBS encryption in all enabled regions for the AWS Account.

Features

  • Enable or disable Elastic Block Storage (EBS) volume encryption by default

  • Designate a default KMS Customer Managed Key (CMK) for EBS volume encryption

Learn

Note

This repo is a part of the Gruntwork Infrastructure as Code Library, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Infrastructure as Code Library before, make sure to read How to use the Gruntwork Infrastructure as Code Library!

Core concepts

Repo organization

  • modules: the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules.

  • codegen: Code generation utilities that help generate modules in this repo.

  • examples: This folder contains working examples of how to use the submodules.

  • test: Automated tests for the modules and examples.

Deploy

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EBS-ENCRYPTION-MULTI-REGION MODULE
# ------------------------------------------------------------------------------------------------------

module "ebs_encryption_multi_region" {

source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/ebs-encryption-multi-region?ref=v0.71.0"

# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------

# The AWS Account ID the template should be operated on. This avoids
# misconfiguration errors caused by environment variables.
aws_account_id = <string>

# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------

# If set to true, all new EBS volumes will have encryption enabled by default
enable_encryption = true

# Optional map of region names to KMS keys to use for EBS volume encryption
# when var.use_existing_kms_keys is enabled.
kms_key_arns = {}

# Whether or not to use the existing keys specified in var.kms_key_arns. If
# false (the default), will use the default aws/ebs key. We need this weird
# parameter because `count` must be a known value at plan time, so we cannot
# calculate whether or not to use the key dynamically.
use_existing_kms_keys = false

}


Reference

Required

aws_account_idstringrequired

The AWS Account ID the template should be operated on. This avoids misconfiguration errors caused by environment variables.

Optional

enable_encryptionbooloptional

If set to true, all new EBS volumes will have encryption enabled by default

true
kms_key_arnsmap(string)optional

Optional map of region names to KMS keys to use for EBS volume encryption when use_existing_kms_keys is enabled.

{}

Whether or not to use the existing keys specified in kms_key_arns. If false (the default), will use the default aws/ebs key. We need this weird parameter because count must be a known value at plan time, so we cannot calculate whether or not to use the key dynamically.

false