Elastic Block Storage Encryption
This module configures the EC2 Elastic Block Storage encryption defaults for an account, allowing you to enable encryption for all new EBS volumes and to select a KMS Customer Managed Key (CMK) as the default key used for that encryption.
This module is not meant to be used directly. Instead, it's used under the hood in the account-baseline-* modules. Please see those modules for more information.
Background Information
- EBS encryption, including how default keys and the encryption-by-default setting work.
- AWS blog: Opt-in to Default Encryption for New EBS Volumes
Sample Usage
Terraform:
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EBS-ENCRYPTION MODULE
# ------------------------------------------------------------------------------------------------------
module "ebs_encryption" {
source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/ebs-encryption?ref=v1.1.0"
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# Set to false to have this module skip creating resources. This weird
# parameter exists solely because Terraform does not support conditional
# modules. Therefore, this is a hack to allow you to conditionally decide if
# the resources in this module should be created or not.
create_resources = false
# If set to true, all new EBS volumes will have encryption enabled by default
enable_encryption = true
# Optional KMS key ARN used for EBS volume encryption when
# var.use_existing_kms_key is true.
kms_key_arn = null
# Whether or not to use the existing key specified in var.kms_key_arn. We need
# this weird parameter because `count` must be a known value at plan time, so
# we cannot calculate whether or not to use the key dynamically.
use_existing_kms_key = false
}
Terragrunt:
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EBS-ENCRYPTION MODULE
# ------------------------------------------------------------------------------------------------------
terraform {
source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/ebs-encryption?ref=v1.1.0"
}
inputs = {
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# Set to false to have this module skip creating resources. This weird
# parameter exists solely because Terraform does not support conditional
# modules. Therefore, this is a hack to allow you to conditionally decide if
# the resources in this module should be created or not.
create_resources = false
# If set to true, all new EBS volumes will have encryption enabled by default
enable_encryption = true
# Optional KMS key ARN used for EBS volume encryption when
# var.use_existing_kms_key is true.
kms_key_arn = null
# Whether or not to use the existing key specified in var.kms_key_arn. We need
# this weird parameter because `count` must be a known value at plan time, so
# we cannot calculate whether or not to use the key dynamically.
use_existing_kms_key = false
}
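Both settings this module manages (the encryption-by-default flag and the default EBS KMS key) are per-region account settings, so after applying the module it is worth confirming, region by region, that encryption is on and that the default key is the CMK you passed in rather than the AWS-managed `alias/aws/ebs` key. The following audit script is an added example and is not part of the module or its documentation. The two EC2 API calls it relies on, `get_ebs_encryption_by_default` and `get_ebs_default_kms_key_id`, are real boto3 EC2 client methods; the function names, the `FakeEc2` client, the sample regions and the placeholder key ARN are all constructed so the example runs offline.

```python
"""Audit the account-level EBS encryption defaults that the module manages.

Assumptions (not from the module's documentation): the two EC2 API calls,
get_ebs_encryption_by_default and get_ebs_default_kms_key_id, are real boto3
EC2 client methods. Everything else (function names, FakeEc2, the sample
regions and the key ARN) is constructed for this example.
"""
from __future__ import annotations

from typing import Any, Dict, List, Optional

# When no customer managed key has been set as the EBS default, the API
# reports the AWS-managed key under this alias.
AWS_MANAGED_EBS_ALIAS = "alias/aws/ebs"


def audit_region(ec2: Any, expected_key_arn: Optional[str] = None) -> Dict[str, Any]:
    """Return the EBS defaults for one region plus a compliance verdict.

    Both settings are regional, so the caller passes one EC2 client per region.
    expected_key_arn=None means "any key is acceptable as long as encryption
    by default is on"; otherwise the default key must be exactly that CMK ARN.
    """
    enabled = bool(ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"])
    default_key = ec2.get_ebs_default_kms_key_id()["KmsKeyId"]
    uses_cmk = default_key != AWS_MANAGED_EBS_ALIAS
    key_ok = expected_key_arn is None or default_key == expected_key_arn
    return {
        "encryption_by_default": enabled,
        "default_key": default_key,
        "uses_customer_managed_key": uses_cmk,
        "compliant": enabled and key_ok,
    }


def audit_account(clients: Dict[str, Any],
                  expected_key_arn: Optional[str] = None) -> Dict[str, Dict[str, Any]]:
    """Run audit_region over every region's client; returns region -> findings."""
    return {region: audit_region(ec2, expected_key_arn) for region, ec2 in clients.items()}


def noncompliant_regions(findings: Dict[str, Dict[str, Any]]) -> List[str]:
    """Sorted list of regions whose defaults do not meet the expectation."""
    return sorted(region for region, f in findings.items() if not f["compliant"])


class FakeEc2:
    """Constructed stand-in for boto3.client('ec2') so the example runs offline."""

    def __init__(self, enabled: bool, key_id: str) -> None:
        self._enabled = enabled
        self._key_id = key_id

    def get_ebs_encryption_by_default(self) -> Dict[str, bool]:
        return {"EbsEncryptionByDefault": self._enabled}

    def get_ebs_default_kms_key_id(self) -> Dict[str, str]:
        return {"KmsKeyId": self._key_id}


# Constructed sample account; the CMK ARN is a placeholder, not a real key.
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
SAMPLE_CLIENTS = {
    "us-east-1": FakeEc2(True, CMK_ARN),                 # module applied, use_existing_kms_key = true
    "us-west-2": FakeEc2(True, AWS_MANAGED_EBS_ALIAS),   # encryption on, but still the AWS-managed key
    "eu-west-1": FakeEc2(False, AWS_MANAGED_EBS_ALIAS),  # module never applied in this region
}

if __name__ == "__main__":
    findings = audit_account(SAMPLE_CLIENTS, expected_key_arn=CMK_ARN)
    for region, f in findings.items():
        print(region, f)
    print("non-compliant:", noncompliant_regions(findings))
```

Against a real account, replace `SAMPLE_CLIENTS` with a dictionary such as `{r: boto3.client("ec2", region_name=r) for r in regions}` (boto3 assumed installed and credentialed); the rest of the script is unchanged. Passing `expected_key_arn` catches the common gap where encryption by default is on but `use_existing_kms_key` was never set, so volumes are still protected only by the AWS-managed key.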
Reference

Inputs (all optional)
- create_resources (bool, default: false): Set to false to have this module skip creating resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if the resources in this module should be created or not.
- enable_encryption (bool, default: true): If set to true, all new EBS volumes will have encryption enabled by default.
- kms_key_arn (string, default: null): Optional KMS key ARN used for EBS volume encryption when use_existing_kms_key is true.
- use_existing_kms_key (bool, default: false): Whether or not to use the existing key specified in kms_key_arn. We need this weird parameter because count must be a known value at plan time, so we cannot calculate whether or not to use the key dynamically.

Outputs
- Whether or not EBS volume encryption is enabled by default.
- The default KMS key used for EBS encryption.