EBS Encryption Multi Region Module
This module wraps the ebs-encryption core module to configure AWS EBS encryption in all enabled regions for the AWS Account.
Features
- Enable or disable Elastic Block Storage (EBS) volume encryption by default in every enabled region. This is a per-region account setting that applies to volumes created after it is turned on; existing unencrypted volumes are not re-encrypted.
- Designate a default KMS Customer Managed Key (CMK) for EBS volume encryption in each region. KMS keys are regional, so each region needs the ARN of a key that lives in that region; if no CMK is designated, the AWS-managed aws/ebs key is used.
Learn
Note
This repo is a part of the Gruntwork Infrastructure as Code Library, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Infrastructure as Code Library before, make sure to read How to use the Gruntwork Infrastructure as Code Library!
Core concepts
- EBS encryption, including how default keys and the encryption-by-default setting work.
Repo organization
- modules: the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules.
- codegen: code generation utilities that help generate modules in this repo.
- examples: working examples of how to use the submodules.
- test: automated tests for the modules and examples.
Deploy
Sample Usage
Terraform
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EBS-ENCRYPTION-MULTI-REGION MODULE
# ------------------------------------------------------------------------------------------------------
module "ebs_encryption_multi_region" {
source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/ebs-encryption-multi-region?ref=v1.1.0"
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# The AWS Account ID the template should be operated on. This avoids
# misconfiguration errors caused by environment variables.
aws_account_id = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# If set to true, all new EBS volumes will have encryption enabled by default
enable_encryption = true
# Optional map of region names to KMS key ARNs to use for EBS volume encryption
# when var.use_existing_kms_keys is enabled. KMS keys are regional, so each ARN
# must belong to a key in the region it is mapped to.
kms_key_arns = {}
# Whether to use the existing keys specified in var.kms_key_arns. If false (the
# default), the AWS-managed aws/ebs key is used. This is a separate flag, rather
# than being inferred from var.kms_key_arns, because `count` must be a known
# value at plan time; the key ARNs themselves may still be unknown until apply.
use_existing_kms_keys = false
}
Terragrunt
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EBS-ENCRYPTION-MULTI-REGION MODULE
# ------------------------------------------------------------------------------------------------------
terraform {
source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/ebs-encryption-multi-region?ref=v1.1.0"
}
inputs = {
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# The AWS Account ID the template should be operated on. This avoids
# misconfiguration errors caused by environment variables.
aws_account_id = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# If set to true, all new EBS volumes will have encryption enabled by default
enable_encryption = true
# Optional map of region names to KMS key ARNs to use for EBS volume encryption
# when var.use_existing_kms_keys is enabled. KMS keys are regional, so each ARN
# must belong to a key in the region it is mapped to.
kms_key_arns = {}
# Whether to use the existing keys specified in var.kms_key_arns. If false (the
# default), the AWS-managed aws/ebs key is used. This is a separate flag, rather
# than being inferred from var.kms_key_arns, because `count` must be a known
# value at plan time; the key ARNs themselves may still be unknown until apply.
use_existing_kms_keys = false
}
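The samples above leave kms_key_arns empty, which means the AWS-managed aws/ebs key ends up as the default. The following root configuration is an added example, not code from the Gruntwork module or repo: it creates one CMK per region, wires the module to those keys, and reads the account settings back through the AWS provider's data sources to confirm the change took effect. The regions (us-east-1, eu-west-1), provider alias names, resource names and the aws_account_id validation are my own choices; the module call follows the sample above (if your version of the module also requires a providers map, add it as the module's own documentation directs). The check blocks need Terraform 1.5 or later.

```hcl
# Added example (not the module's own code): per-region CMKs for default EBS
# encryption plus post-apply verification. Region and resource names are assumed.

terraform {
  required_version = ">= 1.5" # check blocks were introduced in Terraform 1.5
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

variable "aws_account_id" {
  description = "Expected account ID; the module refuses to run against any other account."
  type        = string
  validation {
    condition     = can(regex("^[0-9]{12}$", var.aws_account_id))
    error_message = "aws_account_id must be a 12-digit AWS account ID."
  }
}

# One provider alias per region the keys live in (assumed region choice).
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

provider "aws" {
  alias  = "eu_west_1"
  region = "eu-west-1"
}

# KMS keys are regional, so each region gets its own CMK. The default key policy
# is kept (account root has full access and IAM policies delegate use), so any
# principal that creates volumes still needs IAM permission to use the key.
resource "aws_kms_key" "ebs_us_east_1" {
  provider                = aws.us_east_1
  description             = "Default EBS encryption key (us-east-1)"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_kms_key" "ebs_eu_west_1" {
  provider                = aws.eu_west_1
  description             = "Default EBS encryption key (eu-west-1)"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

module "ebs_encryption_multi_region" {
  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/ebs-encryption-multi-region?ref=v1.1.0"

  aws_account_id        = var.aws_account_id
  enable_encryption     = true
  use_existing_kms_keys = true # a literal, so `count` is known at plan time

  # Map region name -> ARN of a key *in that region*. The ARNs are unknown until
  # the keys are created, which is fine: only the flag above must be known.
  kms_key_arns = {
    "us-east-1" = aws_kms_key.ebs_us_east_1.arn
    "eu-west-1" = aws_kms_key.ebs_eu_west_1.arn
  }
}

# Verification: read the account's EBS settings back from the API instead of
# trusting the plan. Terraform evaluates check blocks at the end of plan and
# apply; a failed assert is reported as a warning, not an error.
check "ebs_defaults_us_east_1" {
  data "aws_ebs_encryption_by_default" "this" {
    provider = aws.us_east_1
  }
  data "aws_ebs_default_kms_key" "this" {
    provider = aws.us_east_1
  }
  assert {
    condition     = data.aws_ebs_encryption_by_default.this.enabled
    error_message = "EBS encryption by default is disabled in us-east-1."
  }
  assert {
    condition     = data.aws_ebs_default_kms_key.this.key_arn == aws_kms_key.ebs_us_east_1.arn
    error_message = "us-east-1 default EBS key is not the expected CMK (still aws/ebs or another key)."
  }
}
```

Repeat the check block once per region you configure. Because the second assert compares against the CMK's ARN, it also catches the case where encryption by default is on but the region silently fell back to the AWS-managed aws/ebs key, which cannot be shared across accounts and so would break cross-account snapshot sharing later.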
Reference
Inputs
Required
- aws_account_id (string): The AWS Account ID the template should be operated on. This avoids misconfiguration errors caused by environment variables.
Optional
- enable_encryption (bool, default true): If set to true, all new EBS volumes will have encryption enabled by default.
- kms_key_arns (map(string), default {}): Optional map of region names to KMS key ARNs to use for EBS volume encryption when use_existing_kms_keys is enabled. KMS keys are regional, so each ARN must belong to a key in the region it is mapped to.
- use_existing_kms_keys (bool, default false): Whether to use the existing keys specified in kms_key_arns. If false (the default), the AWS-managed aws/ebs key is used. This is a separate flag, rather than being inferred from kms_key_arns, because count must be a known value at plan time.
Outputs
- A map from region to a boolean indicating whether EBS encryption is enabled by default in that region.
- A map from region to the ARN of the KMS key used for default EBS encryption in that region.