Adding KMS support for ebs_block_devices for aws_instance

aws/data_source_aws_instance.go

@@ -163,6 +163,11 @@ func dataSourceAwsInstance() *schema.Resource {
 							Computed: true,
 						},
 
+						"kms_key_id": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+
 						"iops": {
 							Type:     schema.TypeInt,
 							Computed: true,

aws/data_source_aws_instance_test.go

@@ -1,6 +1,7 @@
 package aws
 
 import (
+	"regexp"
 	"testing"
 
 	"fmt"
@@ -98,6 +99,7 @@ func TestAccAWSInstanceDataSource_blockDevices(t *testing.T) {
 					resource.TestCheckResourceAttr("aws_instance.foo", "root_block_device.0.volume_type", "gp2"),
 					resource.TestCheckResourceAttr("aws_instance.foo", "ebs_block_device.#", "3"),
 					resource.TestCheckResourceAttr("aws_instance.foo", "ephemeral_block_device.#", "1"),
+					resource.TestMatchResourceAttr("aws_instance.foo", "ebs_block_device.2634515331.kms_key_id", regexp.MustCompile("^arn:aws[\\w-]*:kms:us-west-2:[0-9]{12}:key/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")),
 				),
 			},
 		},
@@ -380,6 +382,11 @@ data "aws_instance" "foo" {
 
 // Block Device
 const testAccInstanceDataSourceConfig_blockDevices = `
+resource "aws_kms_key" "foo" {
+	description = "Dummy key for terraform test"
+	deletion_window_in_days = 7
+}
+
 resource "aws_instance" "foo" {
   # us-west-2
   ami = "ami-55a7ea65"
@@ -405,6 +412,7 @@ resource "aws_instance" "foo" {
     device_name = "/dev/sdd"
     volume_size = 12
     encrypted = true
+    kms_key_id = "${aws_kms_key.foo.arn}"
   }
 
   ephemeral_block_device {

aws/resource_aws_instance.go

@@ -308,6 +308,12 @@ func resourceAwsInstance() *schema.Resource {
 							ForceNew: true,
 						},
 
+						"kms_key_id": {
+							Type:     schema.TypeString,
+							Optional: true,
+							ForceNew: true,
+						},
+
 						"iops": {
 							Type:             schema.TypeInt,
 							Optional:         true,
@@ -1279,6 +1285,9 @@ func readBlockDevicesFromInstance(instance *ec2.Instance, conn *ec2.EC2) (map[st
 			if vol.Encrypted != nil {
 				bd["encrypted"] = *vol.Encrypted
 			}
+			if vol.KmsKeyId != nil {
+				bd["kms_key_id"] = *vol.KmsKeyId
+			}
 			if vol.SnapshotId != nil {
 				bd["snapshot_id"] = *vol.SnapshotId
 			}
@@ -1439,6 +1448,10 @@ func readBlockDeviceMappingsFromConfig(
 				ebs.Encrypted = aws.Bool(v)
 			}
 
+			if v, ok := bd["kms_key_id"].(string); ok && v != "" {
+				ebs.KmsKeyId = aws.String(v)
+			}
+
 			if v, ok := bd["volume_size"].(int); ok && v != 0 {
 				ebs.VolumeSize = aws.Int64(int64(v))
 			}

aws/resource_aws_instance_test.go

@@ -339,8 +339,12 @@ func TestAccAWSInstance_blockDevices(t *testing.T) {
 						"aws_instance.foo", "ebs_block_device.2554893574.iops", "100"),
 					resource.TestCheckResourceAttr(
 						"aws_instance.foo", "ebs_block_device.2634515331.device_name", "/dev/sdd"),
+					resource.TestMatchResourceAttr(
+						"aws_instance.foo", "ebs_block_device.2634515331.volume_id", regexp.MustCompile("vol-[a-z0-9]+")),
 					resource.TestCheckResourceAttr(
 						"aws_instance.foo", "ebs_block_device.2634515331.encrypted", "true"),
+					resource.TestMatchResourceAttr(
+						"aws_instance.foo", "ebs_block_device.2634515331.kms_key_id", regexp.MustCompile("^arn:aws[\\w-]*:kms:us-west-2:[0-9]{12}:key/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")),
 					resource.TestCheckResourceAttr(
 						"aws_instance.foo", "ebs_block_device.2634515331.volume_size", "12"),
 					resource.TestCheckResourceAttr(
@@ -860,6 +864,8 @@ func TestAccAWSInstance_volumeTags(t *testing.T) {
 						"aws_instance.foo", "volume_tags.%", "1"),
 					resource.TestCheckResourceAttr(
 						"aws_instance.foo", "volume_tags.Name", "acceptance-test-volume-tag"),
+					resource.TestMatchResourceAttr(
+						"aws_instance.foo", "ebs_block_device.2634515331.kms_key_id", regexp.MustCompile("^arn:aws[\\w-]*:kms:us-west-2:[0-9]{12}:key/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")),
 				),
 			},
 			{
@@ -1825,6 +1831,11 @@ resource "aws_instance" "foo" {
 `
 
 const testAccInstanceConfigBlockDevices = `
+resource "aws_kms_key" "foo" {
+	description = "Dummy key for terraform test"
+	deletion_window_in_days = 7
+}
+
 resource "aws_instance" "foo" {
 	# us-west-2
 	ami = "ami-55a7ea65"
@@ -1854,6 +1865,7 @@ resource "aws_instance" "foo" {
 		device_name = "/dev/sdd"
 		volume_size = 12
 		encrypted = true
+		kms_key_id = "${aws_kms_key.foo.arn}"
 	}
 
 	ephemeral_block_device {
@@ -2231,6 +2243,16 @@ resource "aws_instance" "foo" {
 `
 
 const testAccCheckInstanceConfigWithVolumeTags = `
+resource "aws_kms_key" "foo" {
+	description = "Dummy key for terraform test"
+	deletion_window_in_days = 7
+}
+
+resource "aws_kms_alias" "foo" {
+	name          = "alias/acceptance-test-kms-alias"
+	target_key_id = "${aws_kms_key.foo.key_id}"
+}
+
 resource "aws_instance" "foo" {
 	ami = "ami-55a7ea65"
 
@@ -2255,6 +2277,7 @@ resource "aws_instance" "foo" {
 		device_name = "/dev/sdd"
 		volume_size = 12
 		encrypted = true
+		kms_key_id = "alias/acceptance-test-kms-alias"
 	}
 
 	ephemeral_block_device {

website/docs/d/instance.html.markdown

@@ -63,6 +63,7 @@ interpolation.
   * `delete_on_termination` - If the EBS volume will be deleted on termination.
   * `device_name` - The physical name of the device.
   * `encrypted` - If the EBS volume is encrypted.
+  * `kms_key_id` - If the EBS volume is encrypted with a CMK KMS
   * `iops` - `0` If the EBS volume is not a provisioned IOPS image, otherwise the supported IOPS count.
   * `snapshot_id` - The ID of the snapshot.
   * `volume_size` - The size of the volume, in GiB.

website/docs/r/instance.html.markdown

@@ -137,6 +137,7 @@ Each `ebs_block_device` supports the following:
 * `encrypted` - (Optional) Enables [EBS
   encryption](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html)
   on the volume (Default: `false`). Cannot be used with `snapshot_id`.
+* `kms_key_id` - (Optional) Uses a CMK KMS key for encrypting the EBS block device. Either the      KMS key arn or the alias name can be used.
 
 Modifying any `ebs_block_device` currently requires resource replacement.