From 16a36f6fb0ae436d55e89faaaf45a369e7af9cea Mon Sep 17 00:00:00 2001
From: Noel Georgi <18496730+frezbo@users.noreply.github.com>
Date: Sun, 17 Jun 2018 19:44:10 +0530
Subject: [PATCH 1/3] Adding KMS support for ebs_block_devices
Signed-off-by: Noel Georgi <18496730+frezbo@users.noreply.github.com>
---
aws/data_source_aws_instance.go | 5 +++++
aws/resource_aws_instance.go | 13 +++++++++++++
2 files changed, 18 insertions(+)
diff --git a/aws/data_source_aws_instance.go b/aws/data_source_aws_instance.go
index d2ff51ab7720..b8c23bda6aef 100644
--- a/aws/data_source_aws_instance.go
+++ b/aws/data_source_aws_instance.go
@@ -163,6 +163,11 @@ func dataSourceAwsInstance() *schema.Resource { Computed: true, }, + "kms_key_id": { Type: schema.TypeString, Computed: true, }, + "iops": { Type: schema.TypeInt, Computed: true,
diff --git a/aws/resource_aws_instance.go b/aws/resource_aws_instance.go
index 609baf3b830f..0984f42dbb8c 100644
--- a/aws/resource_aws_instance.go
+++ b/aws/resource_aws_instance.go
@@ -308,6 +308,12 @@ func resourceAwsInstance() *schema.Resource { ForceNew: true, }, + "kms_key_id": { Type: schema.TypeString, Optional: true, ForceNew: true, }, + "iops": { Type: schema.TypeInt, Optional: true,
@@ -1279,6 +1285,9 @@ func readBlockDevicesFromInstance(instance *ec2.Instance, conn *ec2.EC2) (map[st if vol.Encrypted != nil { bd["encrypted"] = *vol.Encrypted } + if vol.KmsKeyId != nil { bd["kms_key_id"] = *vol.KmsKeyId } if vol.SnapshotId != nil { bd["snapshot_id"] = *vol.SnapshotId }
@@ -1439,6 +1448,10 @@ func readBlockDeviceMappingsFromConfig( ebs.Encrypted = aws.Bool(v) } + if v, ok := bd["kms_key_id"].(string); ok && v != "" { ebs.KmsKeyId = aws.String(v) } + if v, ok := bd["volume_size"].(int); ok && v != 0 { ebs.VolumeSize = aws.Int64(int64(v)) }
From 51034a7f6311e98e819a1dfecea3d712ba04b6ef Mon Sep 17 00:00:00 2001
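Review bot: The `kms_key_id` attribute added to the ebs_block_device schema in resource_aws_instance.go is ForceNew with no DiffSuppressFunc or StateFunc, while the readBlockDevicesFromInstance hunk below stores whatever DescribeVolumes reports, which the acceptance tests in patch 2 expect to be a full key ARN. A configuration that supplies an alias, as the new testAccCheckInstanceConfigWithVolumeTags config in patch 2 does, or a bare key id will therefore read back a different string; if the set element is compared attribute by attribute that is a perpetual diff that forces instance replacement on every plan. Either document that only the ARN form is stable, e.g. `Description: "ARN of the KMS key used to encrypt the volume; aliases and bare key IDs are reported back as the ARN and will show as a change"`, or normalize in the provider by resolving the configured value to its ARN before comparing. I cannot see the ebs_block_device set hash function from this hunk, so whether the mismatch surfaces as an in-place diff or as a replaced set element is unconfirmed.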
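Review bot: The new branch in readBlockDeviceMappingsFromConfig sets `ebs.KmsKeyId` without checking `encrypted`, so a block device that names a key but leaves `encrypted` false or unset is rejected, if at all, only by EC2 at apply time. As far as I recall the RunInstances API requires Encrypted to be true whenever KmsKeyId is supplied, so a guard at config-read time such as `if ebs.KmsKeyId != nil && !aws.BoolValue(ebs.Encrypted) { return nil, fmt.Errorf("ebs_block_device %v: kms_key_id requires encrypted = true", bd["device_name"]) }` would surface the mistake before any API call is made. The function's signature and the rest of its body lie outside the hunk, so I have not verified that it returns an error value or that `bd["device_name"]` is always populated; adjust the quoted lines to match.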
From: Noel Georgi <18496730+frezbo@users.noreply.github.com>
Date: Mon, 18 Jun 2018 17:04:37 +0530
Subject: [PATCH 2/3] Adding Accetance tests
Signed-off-by: Noel Georgi <18496730+frezbo@users.noreply.github.com>
---
aws/resource_aws_instance_test.go | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/aws/resource_aws_instance_test.go b/aws/resource_aws_instance_test.go
index 151483fcb302..32a0c7551968 100644
--- a/aws/resource_aws_instance_test.go
+++ b/aws/resource_aws_instance_test.go
@@ -339,8 +339,12 @@ func TestAccAWSInstance_blockDevices(t *testing.T) { "aws_instance.foo", "ebs_block_device.2554893574.iops", "100"), resource.TestCheckResourceAttr( "aws_instance.foo", "ebs_block_device.2634515331.device_name", "/dev/sdd"), + resource.TestMatchResourceAttr( "aws_instance.foo", "ebs_block_device.2634515331.volume_id", regexp.MustCompile("vol-[a-z0-9]+")), resource.TestCheckResourceAttr( "aws_instance.foo", "ebs_block_device.2634515331.encrypted", "true"), + resource.TestMatchResourceAttr( "aws_instance.foo", "ebs_block_device.2634515331.kms_key_id", regexp.MustCompile("^arn:aws[\\w-]*:kms:us-west-2:[0-9]{12}:key/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")), resource.TestCheckResourceAttr( "aws_instance.foo", "ebs_block_device.2634515331.volume_size", "12"), resource.TestCheckResourceAttr(
@@ -860,6 +864,8 @@ func TestAccAWSInstance_volumeTags(t *testing.T) { "aws_instance.foo", "volume_tags.%", "1"), resource.TestCheckResourceAttr( "aws_instance.foo", "volume_tags.Name", "acceptance-test-volume-tag"), + resource.TestMatchResourceAttr( "aws_instance.foo", "ebs_block_device.2634515331.kms_key_id", regexp.MustCompile("^arn:aws[\\w-]*:kms:us-west-2:[0-9]{12}:key/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")), ), }, {
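Review bot: The KMS key ARN pattern is compiled inline in this TestAccAWSInstance_blockDevices step, again in the TestAccAWSInstance_volumeTags step in the next hunk, and a third time in data_source_aws_instance_test.go in patch 3, so any correction to it has to be made in three places. A single package-level `var testAccKmsKeyArnRegexp = regexp.MustCompile("^arn:aws[\\w-]*:kms:us-west-2:[0-9]{12}:key/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")` keeps it in one place and the added `$` rejects trailing characters the current pattern accepts. The `volume_id` check added just above it is likewise unanchored; `^vol-[a-z0-9]+$` is stricter at no cost.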
@@ -1825,6 +1831,11 @@ resource "aws_instance" "foo" { ` const testAccInstanceConfigBlockDevices = ` +resource "aws_kms_key" "foo" { + description = "Dummy key for terraform test" + deletion_window_in_days = 7 +} + resource "aws_instance" "foo" { # us-west-2 ami = "ami-55a7ea65"
@@ -1854,6 +1865,7 @@ resource "aws_instance" "foo" { device_name = "/dev/sdd" volume_size = 12 encrypted = true + kms_key_id = "${aws_kms_key.foo.arn}" } ephemeral_block_device {
@@ -2231,6 +2243,16 @@ resource "aws_instance" "foo" { ` const testAccCheckInstanceConfigWithVolumeTags = ` +resource "aws_kms_key" "foo" { + description = "Dummy key for terraform test" + deletion_window_in_days = 7 +} + +resource "aws_kms_alias" "foo" { + name = "alias/acceptance-test-kms-alias" + target_key_id = "${aws_kms_key.foo.key_id}" +} + resource "aws_instance" "foo" { ami = "ami-55a7ea65"
@@ -2255,6 +2277,7 @@ resource "aws_instance" "foo" { device_name = "/dev/sdd" volume_size = 12 encrypted = true + kms_key_id = "alias/acceptance-test-kms-alias" } ephemeral_block_device {
From 2c3ed114f6528d67b63e9a244255fcc1a22edc4b Mon Sep 17 00:00:00 2001
From: Noel Georgi <18496730+frezbo@users.noreply.github.com>
Date: Mon, 18 Jun 2018 18:16:02 +0530
Subject: [PATCH 3/3] Updating docs and adding acceptance test for data resource
Signed-off-by: Noel Georgi <18496730+frezbo@users.noreply.github.com>
---
aws/data_source_aws_instance_test.go | 8 ++++++++
website/docs/d/instance.html.markdown | 1 +
website/docs/r/instance.html.markdown | 1 +
3 files changed, 10 insertions(+)
diff --git a/aws/data_source_aws_instance_test.go b/aws/data_source_aws_instance_test.go
index cd15e1aca2a8..ddb427088381 100644
--- a/aws/data_source_aws_instance_test.go
+++ b/aws/data_source_aws_instance_test.go
@@ -1,6 +1,7 @@ package aws import ( + "regexp" "testing" "fmt"
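Review bot: The `aws_kms_alias` added to testAccCheckInstanceConfigWithVolumeTags uses the fixed name `alias/acceptance-test-kms-alias`; KMS alias names are unique per account and region, so two concurrent runs, or a run after a previous one failed to destroy the alias, collide at create time and the test fails before the instance is exercised. If this test file already builds other configurations with `fmt.Sprintf` and a random suffix from `acctest.RandString`, the same treatment here would mean turning this `const` into a function that takes the suffix; the matching check in the `@@ -860` hunk reads the ARN back, so it does not depend on the alias name. The `aws_kms_key` resources in this hunk and in the `@@ -1825` hunk have no such naming constraint.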
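Review bot: The `"regexp"` import is inserted ahead of `"testing"` and `"fmt"` in data_source_aws_instance_test.go, leaving the group out of the order gofmt/goimports would produce, which is `"fmt"`, `"regexp"`, `"testing"`. The rest of the import block, including any third-party group, is outside the hunk, so I can only see that this stdlib group was already unsorted before the change; sorting it while it is being touched keeps a later goimports run from producing an unrelated diff.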
@@ -98,6 +99,7 @@ func TestAccAWSInstanceDataSource_blockDevices(t *testing.T) { resource.TestCheckResourceAttr("aws_instance.foo", "root_block_device.0.volume_type", "gp2"), resource.TestCheckResourceAttr("aws_instance.foo", "ebs_block_device.#", "3"), resource.TestCheckResourceAttr("aws_instance.foo", "ephemeral_block_device.#", "1"), + resource.TestMatchResourceAttr("aws_instance.foo", "ebs_block_device.2634515331.kms_key_id", regexp.MustCompile("^arn:aws[\\w-]*:kms:us-west-2:[0-9]{12}:key/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")), ), }, },
@@ -380,6 +382,11 @@ data "aws_instance" "foo" { // Block Device const testAccInstanceDataSourceConfig_blockDevices = ` +resource "aws_kms_key" "foo" { + description = "Dummy key for terraform test" + deletion_window_in_days = 7 +} + resource "aws_instance" "foo" { # us-west-2 ami = "ami-55a7ea65"
@@ -405,6 +412,7 @@ resource "aws_instance" "foo" { device_name = "/dev/sdd" volume_size = 12 encrypted = true + kms_key_id = "${aws_kms_key.foo.arn}" } ephemeral_block_device {
diff --git a/website/docs/d/instance.html.markdown b/website/docs/d/instance.html.markdown
index ed3cbd10fc7e..a38d56ebe981 100644
--- a/website/docs/d/instance.html.markdown
+++ b/website/docs/d/instance.html.markdown
@@ -63,6 +63,7 @@ interpolation. * `delete_on_termination` - If the EBS volume will be deleted on termination. * `device_name` - The physical name of the device. * `encrypted` - If the EBS volume is encrypted. + * `kms_key_id` - If the EBS volume is encrypted with a CMK KMS * `iops` - `0` If the EBS volume is not a provisioned IOPS image, otherwise the supported IOPS count. * `snapshot_id` - The ID of the snapshot. * `volume_size` - The size of the volume, in GiB.
diff --git a/website/docs/r/instance.html.markdown b/website/docs/r/instance.html.markdown
index ef9833c0c323..e2cbd051353d 100644
--- a/website/docs/r/instance.html.markdown
+++ b/website/docs/r/instance.html.markdown
@@ -137,6 +137,7 @@ Each `ebs_block_device` supports the following: * `encrypted` - (Optional) Enables [EBS encryption](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) on the volume (Default: `false`). Cannot be used with `snapshot_id`. +* `kms_key_id` - (Optional) Uses a CMK KMS key for encrypting the EBS block device. Either the KMS key arn or the alias name can be used. Modifying any `ebs_block_device` currently requires resource replacement.