
Feature request: specify KMS key for EBS encryption in aws_launch_configuration #657

Closed
hashibot opened this issue Jun 13, 2017 · 5 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/autoscaling Issues and PRs that pertain to the autoscaling service.

Comments

@hashibot

This issue was originally opened by @thirstycat as hashicorp/terraform#13299. It was migrated here as part of the provider split. The original body of the issue is below.


Currently within an aws_launch_configuration resource, I can specify:

```hcl
ebs_block_device {
  device_name = "/dev/xvdcz"
  volume_type = "gp2"
  volume_size = 300
  encrypted   = true
}
```

to encrypt an attached EBS volume, but there does not appear to be any way to specify a particular customer-managed key using the kms_key_id parameter as with RDS.

I would like to be able to specify a particular key for EBS volume encryption within a launch configuration.

@hashibot hashibot added the enhancement Requests to existing resources that expand the functionality or scope. label Jun 13, 2017
@anosulchik

It does not seem to be possible at the moment, since AWS CloudFormation doesn't support this either:

Encrypted
Indicates whether the volume is encrypted. Encrypted EBS volumes must be attached to instances that support Amazon EBS encryption. Volumes that you create from encrypted snapshots are automatically encrypted. You cannot create an encrypted volume from an unencrypted snapshot or an unencrypted volume from an encrypted snapshot.

Required: No

Type: Boolean

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-launchconfig-blockdev-template.html

It means that EBS disks created for EC2 instances in an ASG are encrypted with the default KMS key.

@radeksimko radeksimko added the service/autoscaling Issues and PRs that pertain to the autoscaling service. label Jan 27, 2018
@joseph-holland

joseph-holland commented Feb 27, 2018

Just hit this issue now myself and did a quick bit of investigation.

AWS does not allow a user to specify a KMS key when enabling encryption for additional EBS volumes in a launch config. This behavior is also seen when creating a standard EC2 instance and specifying an additional EBS volume: you cannot specify the key, and it will just use the "(default) aws/ebs" KMS key.

Creating a separate EBS volume and enabling encryption does, however, allow you to specify the KMS key (you then attach it to the instance later, which is obviously no good with a launch config).

Not sure exactly why this is, but I'm raising a support case to ask for more information.

@bperryvt

It still appears that AWS launch configurations don't allow a KMS key to be specified, but launch templates do provide this capability.

@bflad

bflad commented Aug 2, 2019

Hi folks 👋 As mentioned above, Autoscaling Launch Configurations do not allow the specification of a KMS Key. Here's the AWS Go SDK Reference, which only has the Encrypted parameter available for EBS volumes. Since this functionality is not available in the API, it's not possible to implement in Terraform and this issue is going to be closed. Please contact AWS Support if you would like this functionality added. 👍

It is worth noting that AWS recently made it possible to support setting a default encryption KMS Key for any EBS volume that is launched in a region. AWS Documentation. Terraform supports managing this functionality via the aws_ebs_default_kms_key resource.

@bflad bflad closed this as completed Aug 2, 2019
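The two workarounds named in this thread (a launch template carrying `kms_key_id` per EBS mapping, and the region-wide `aws_ebs_default_kms_key` fallback for anything still created through launch configurations), as an added Terraform example that is not code from the issue or from the provider's own docs. It assumes `var.ami_id` and `var.subnet_ids` as inputs; the resource and attribute names are those of the Terraform AWS provider.

```hcl
# Added example, not from the issue: a customer-managed KMS key, a launch
# template that pins attached EBS volumes to that key, and the region-wide
# default-key fallback. var.ami_id and var.subnet_ids are assumed inputs.
variable "ami_id" { type = string }
variable "subnet_ids" { type = list(string) }

resource "aws_kms_key" "ebs" {
  description             = "CMK for EBS volumes of the app ASG"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

# Launch templates expose kms_key_id per EBS mapping; launch configurations
# only expose `encrypted`, which silently falls back to the aws/ebs key.
resource "aws_launch_template" "app" {
  name_prefix   = "app-"
  image_id      = var.ami_id
  instance_type = "t3.micro"

  block_device_mappings {
    device_name = "/dev/xvdcz"
    ebs {
      volume_type           = "gp2"
      volume_size           = 300
      encrypted             = true
      kms_key_id            = aws_kms_key.ebs.arn # expects the key ARN
      delete_on_termination = true
    }
  }
}

resource "aws_autoscaling_group" "app" {
  name_prefix         = "app-"
  min_size            = 1
  max_size            = 3
  vpc_zone_identifier = var.subnet_ids
  launch_template {
    id      = aws_launch_template.app.id
    version = "$Latest"
  }
}

# Region-wide backstop for volumes still created via launch configurations:
# require encryption and point the default at the CMK instead of aws/ebs.
resource "aws_ebs_encryption_by_default" "this" {
  enabled = true
}
resource "aws_ebs_default_kms_key" "this" {
  key_arn = aws_kms_key.ebs.arn
}
```

The default-key resources are per region and per account, so they must be applied in every region where the ASG runs; the CMK's key policy must also grant the Auto Scaling service-linked role the ability to use it, or instance launches fail.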
@ghost

ghost commented Nov 2, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 2, 2019