diff --git a/README.md b/README.md index 177b08244..373eb0096 100644 --- a/README.md +++ b/README.md @@ -642,6 +642,14 @@ The following table lists the _latest_ DSF Kit releases, their release date and
2. Added optional DNS CNAME support for AWS POC examples (dsf_deployment, sonar_basic_deployment, sonar_hadr_deployment). When configured, creates friendly DNS names for public-facing instances via Route53 cross-account. Set the 'dns_zone_domain' and optionally 'dns_route53_role_arn' and 'dns_route53_zone_id' variables to enable it. Disabled by default. + + TBD + + 1.7.36 + + AWS EBS volumes are now encrypted by default. To opt out, set 'encrypted = false' in the relevant '*_ebs_details' / 'ebs' variable. + + diff --git a/examples/aws/installation/dsf_single_account_deployment/variables.tf b/examples/aws/installation/dsf_single_account_deployment/variables.tf index 43d40bee2..22415695d 100644 --- a/examples/aws/installation/dsf_single_account_deployment/variables.tf +++ b/examples/aws/installation/dsf_single_account_deployment/variables.tf @@ -302,12 +302,14 @@ variable "hub_ebs_details" { disk_size = number provisioned_iops = number throughput = number + encrypted = optional(bool, true) }) description = "DSF Hub compute instance volume attributes. More info in sizing doc - https://docs.imperva.com/bundle/v4.10-sonar-installation-and-setup-guide/page/78729.htm" default = { disk_size = 250 provisioned_iops = 0 throughput = 125 + encrypted = true } } @@ -316,12 +318,14 @@ variable "agentless_gw_ebs_details" { disk_size = number provisioned_iops = number throughput = number + encrypted = optional(bool, true) }) description = "DSF Agentless Gateway compute instance volume attributes. More info in sizing doc - https://docs.imperva.com/bundle/v4.10-sonar-installation-and-setup-guide/page/78729.htm" default = { disk_size = 150 provisioned_iops = 0 throughput = 125 + encrypted = true } } @@ -492,11 +496,13 @@ variable "mx_ebs_details" { type = object({ volume_size = number volume_type = string + encrypted = optional(bool, true) }) description = "MX compute instance volume attributes" default = { volume_size = 160 volume_type = "gp2" + encrypted = true } } 
@@ -504,11 +510,13 @@ variable "agent_gw_ebs_details" { type = object({ volume_size = number volume_type = string + encrypted = optional(bool, true) }) description = "Agent Gateway compute instance volume attributes" default = { volume_size = 160 volume_type = "gp2" + encrypted = true } } @@ -584,11 +592,13 @@ variable "dra_admin_ebs_details" { type = object({ volume_size = number volume_type = string + encrypted = optional(bool, true) }) description = "DRA Admin compute instance volume attributes. More info in sizing doc - https://docs.imperva.com/bundle/v4.11-data-risk-analytics-installation-guide/page/69846.htm" default = { volume_size = 260 volume_type = "gp3" + encrypted = true } } @@ -596,11 +606,13 @@ variable "dra_analytics_ebs_details" { type = object({ volume_size = number volume_type = string + encrypted = optional(bool, true) }) description = "DRA Analytics compute instance volume attributes. More info in sizing doc - https://docs.imperva.com/bundle/v4.11-data-risk-analytics-installation-guide/page/69846.htm" default = { volume_size = 1010 volume_type = "gp3" + encrypted = true } } diff --git a/examples/aws/installation/sonar_multi_account_deployment/variables.tf b/examples/aws/installation/sonar_multi_account_deployment/variables.tf index a2491ce21..45ff2ba79 100644 --- a/examples/aws/installation/sonar_multi_account_deployment/variables.tf +++ b/examples/aws/installation/sonar_multi_account_deployment/variables.tf @@ -172,12 +172,14 @@ variable "hub_ebs_details" { disk_size = number provisioned_iops = number throughput = number + encrypted = optional(bool, true) }) description = "DSF Hub compute instance volume attributes. More info in sizing doc - https://docs.imperva.com/bundle/v4.10-sonar-installation-and-setup-guide/page/78729.htm" default = { disk_size = 500 provisioned_iops = 0 throughput = 125 + encrypted = true } } 
@@ -186,12 +188,14 @@ variable "agentless_gw_ebs_details" { disk_size = number provisioned_iops = number throughput = number + encrypted = optional(bool, true) }) description = "Agentless Gateway compute instance volume attributes. More info in sizing doc - https://docs.imperva.com/bundle/v4.10-sonar-installation-and-setup-guide/page/78729.htm" default = { disk_size = 150 provisioned_iops = 0 throughput = 125 + encrypted = true } } diff --git a/examples/aws/installation/sonar_single_account_deployment/variables.tf b/examples/aws/installation/sonar_single_account_deployment/variables.tf index 9826089b6..d60140ca1 100644 --- a/examples/aws/installation/sonar_single_account_deployment/variables.tf +++ b/examples/aws/installation/sonar_single_account_deployment/variables.tf @@ -119,12 +119,14 @@ variable "hub_ebs_details" { disk_size = number provisioned_iops = number throughput = number + encrypted = optional(bool, true) }) description = "DSF Hub compute instance volume attributes. More info in sizing doc - https://docs.imperva.com/bundle/v4.10-sonar-installation-and-setup-guide/page/78729.htm" default = { disk_size = 500 provisioned_iops = 0 throughput = 125 + encrypted = true } } @@ -133,12 +135,14 @@ variable "agentless_gw_ebs_details" { disk_size = number provisioned_iops = number throughput = number + encrypted = optional(bool, true) }) description = "Agentless Gateway compute instance volume attributes. More info in sizing doc - https://docs.imperva.com/bundle/v4.10-sonar-installation-and-setup-guide/page/78729.htm" default = { disk_size = 150 provisioned_iops = 0 throughput = 125 + encrypted = true } } diff --git a/examples/aws/poc/dsf_deployment/cm.tf b/examples/aws/poc/dsf_deployment/cm.tf index f0cf73d93..54a2b5ba2 100644 --- a/examples/aws/poc/dsf_deployment/cm.tf +++ b/examples/aws/poc/dsf_deployment/cm.tf 
@@ -5,8 +5,8 @@ locals { } module "ciphertrust_manager" { - source = "imperva/dsf-ciphertrust-manager/aws" - version = "1.7.35" # latest release tag + source = "imperva/dsf-ciphertrust-manager/aws" + version = "1.7.35" # latest release tag count = local.ciphertrust_manager_count ciphertrust_manager_version = var.ciphertrust_manager_version ami = var.ciphertrust_manager_ami_id == null ? null : { diff --git a/examples/aws/poc/dsf_deployment/variables.tf b/examples/aws/poc/dsf_deployment/variables.tf index 27eb96ffa..a20f0dc33 100644 --- a/examples/aws/poc/dsf_deployment/variables.tf +++ b/examples/aws/poc/dsf_deployment/variables.tf @@ -199,11 +199,13 @@ variable "mx_ebs_details" { type = object({ volume_size = number volume_type = string + encrypted = optional(bool, true) }) description = "MX compute instance volume attributes" default = { volume_size = 160 volume_type = "gp2" + encrypted = true } } @@ -211,11 +213,13 @@ variable "agent_gw_ebs_details" { type = object({ volume_size = number volume_type = string + encrypted = optional(bool, true) }) description = "Agent Gateway compute instance volume attributes" default = { volume_size = 160 volume_type = "gp2" + encrypted = true } } @@ -300,11 +304,13 @@ variable "hub_ebs_details" { disk_size = number provisioned_iops = number throughput = number + encrypted = optional(bool, true) }) default = { disk_size = 250 provisioned_iops = 0 throughput = 125 + encrypted = true } description = "DSF Hub compute instance volume attributes. More info in sizing doc - https://docs.imperva.com/bundle/v4.10-sonar-installation-and-setup-guide/page/78729.htm" } 
@@ -314,11 +320,13 @@ variable "agentless_gw_ebs_details" { disk_size = number provisioned_iops = number throughput = number + encrypted = optional(bool, true) }) default = { disk_size = 150 provisioned_iops = 0 throughput = 125 + encrypted = true } description = "DSF Agentless Gateway compute instance volume attributes. More info in sizing doc - https://docs.imperva.com/bundle/v4.10-sonar-installation-and-setup-guide/page/78729.htm" } @@ -358,11 +366,13 @@ variable "dra_admin_ebs_details" { type = object({ volume_size = number volume_type = string + encrypted = optional(bool, true) }) description = "DRA Admin compute instance volume attributes. More info in sizing doc - https://docs.imperva.com/bundle/v4.11-data-risk-analytics-installation-guide/page/69846.htm" default = { volume_size = 260 volume_type = "gp3" + encrypted = true } } @@ -370,11 +380,13 @@ variable "dra_analytics_ebs_details" { type = object({ volume_size = number volume_type = string + encrypted = optional(bool, true) }) description = "DRA Analytics compute instance volume attributes. More info in sizing doc - https://docs.imperva.com/bundle/v4.11-data-risk-analytics-installation-guide/page/69846.htm" default = { volume_size = 1010 volume_type = "gp3" + encrypted = true } } @@ -407,12 +419,14 @@ variable "ciphertrust_manager_ebs_details" { volume_size = number volume_type = string iops = number + encrypted = optional(bool, true) }) description = "CipherTrust Manager compute instance volume attributes" default = { volume_size = 300 volume_type = "gp3" iops = 3000 + encrypted = true } } @@ -421,12 +435,14 @@ variable "cte_ddc_agent_ebs_details" { volume_size = number volume_type = string iops = number + encrypted = optional(bool, true) }) description = "CTE and/or DDC agent compute instance volume attributes" default = { volume_size = 30 volume_type = "gp3" iops = 3000 + encrypted = true } } 
diff --git a/examples/aws/poc/sonar_basic_deployment/variables.tf b/examples/aws/poc/sonar_basic_deployment/variables.tf index 092101236..4399a4f44 100644 --- a/examples/aws/poc/sonar_basic_deployment/variables.tf +++ b/examples/aws/poc/sonar_basic_deployment/variables.tf @@ -109,12 +109,14 @@ variable "hub_ebs_details" { disk_size = number provisioned_iops = number throughput = number + encrypted = optional(bool, true) }) description = "DSF Hub compute instance volume attributes. More info in sizing doc - https://docs.imperva.com/bundle/v4.10-sonar-installation-and-setup-guide/page/78729.htm" default = { disk_size = 250 provisioned_iops = 0 throughput = 125 + encrypted = true } } @@ -123,12 +125,14 @@ variable "agentless_gw_ebs_details" { disk_size = number provisioned_iops = number throughput = number + encrypted = optional(bool, true) }) description = "DSF Agentless Gateway compute instance volume attributes. More info in sizing doc - https://docs.imperva.com/bundle/v4.10-sonar-installation-and-setup-guide/page/78729.htm" default = { disk_size = 150 provisioned_iops = 0 throughput = 125 + encrypted = true } } diff --git a/examples/aws/poc/sonar_hadr_deployment/variables.tf b/examples/aws/poc/sonar_hadr_deployment/variables.tf index ef85e59ac..2f6728f6e 100644 --- a/examples/aws/poc/sonar_hadr_deployment/variables.tf +++ b/examples/aws/poc/sonar_hadr_deployment/variables.tf @@ -147,12 +147,14 @@ variable "hub_ebs_details" { disk_size = number provisioned_iops = number throughput = number + encrypted = optional(bool, true) }) description = "DSF Hub compute instance volume attributes. More info in sizing doc - https://docs.imperva.com/bundle/v4.10-sonar-installation-and-setup-guide/page/78729.htm" default = { disk_size = 500 provisioned_iops = 0 throughput = 125 + encrypted = true } } 
@@ -161,12 +163,14 @@ variable "agentless_gw_ebs_details" { disk_size = number provisioned_iops = number throughput = number + encrypted = optional(bool, true) }) description = "DSF Agentless Gateway compute instance volume attributes. More info in sizing doc - https://docs.imperva.com/bundle/v4.10-sonar-installation-and-setup-guide/page/78729.htm" default = { disk_size = 150 provisioned_iops = 0 throughput = 125 + encrypted = true } } diff --git a/modules/aws/agent-gw/variables.tf b/modules/aws/agent-gw/variables.tf index a7d935cc1..8672baa7b 100644 --- a/modules/aws/agent-gw/variables.tf +++ b/modules/aws/agent-gw/variables.tf @@ -90,11 +90,13 @@ variable "ebs" { type = object({ volume_size = number volume_type = string + encrypted = optional(bool, true) }) - description = "Compute instance volume attributes for the Agentless Gateway" + description = "Compute instance volume attributes for the Agent Gateway. The root EBS volume is encrypted by default (using the account default EBS KMS key). Set 'encrypted' to false to opt out." default = { volume_size = 160 volume_type = "gp2" + encrypted = true } } diff --git a/modules/aws/agentless-gw/README.md b/modules/aws/agentless-gw/README.md index 76a23ee81..d5e8c94b1 100644 --- a/modules/aws/agentless-gw/README.md +++ b/modules/aws/agentless-gw/README.md 
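Review bot: The new description's "Set 'encrypted' to false to opt out" is not always honoured: when the AWS account has EBS encryption-by-default enabled, or the AMI's root snapshot is itself encrypted, the volume is created encrypted regardless of this flag, and Terraform is then likely to report drift on `encrypted`. The description should state the precondition, e.g. `Set 'encrypted' to false to opt out (no effect when the account enforces EBS encryption by default or the AMI snapshot is already encrypted).` The same sentence is repeated in every module `ebs` variable touched by this commit, so the wording should be corrected consistently. Minor style point: `encrypted = true` inside `default` duplicates the `optional(bool, true)` default and can be dropped.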
@@ -32,7 +32,7 @@ The following input variables are **required**: * `subnet_id`: The ID of the subnet in which to launch the Agentless Gateway instance * `ssh_key_pair`: AWS key pair name and path for ssh connectivity * `password`: Initial password for all users -* `ebs`: AWS EBS details +* `ebs`: AWS EBS details. Includes an optional `encrypted` field (defaults to `true`); the root and external EBS volumes are encrypted by default using the account default EBS KMS key. Set to `false` to opt out * `binaries_location`: S3 DSF installation location * `hub_sonarw_public_key`: Public key of the sonarw user taken from the main DSF Hub output * `allowed_hub_cidrs`: List of ingress CIDR patterns allowing other hubs to access the DSF hub instance @@ -78,6 +78,7 @@ module "dsf_agentless_gw" { disk_size = 150 provisioned_iops = 0 throughput = 125 + encrypted = true # set to false to opt out of encrypting root + external EBS volumes } binaries_location = { s3_bucket = "my_S3_bucket" diff --git a/modules/aws/agentless-gw/variables.tf b/modules/aws/agentless-gw/variables.tf index 570dd85b8..50f6b1006 100644 --- a/modules/aws/agentless-gw/variables.tf +++ b/modules/aws/agentless-gw/variables.tf @@ -116,8 +116,9 @@ variable "ebs" { disk_size = number provisioned_iops = number throughput = number + encrypted = optional(bool, true) }) - description = "Compute instance volume attributes" + description = "Compute instance volume attributes. Both the root and external EBS volumes are encrypted by default (using the account default EBS KMS key). Set 'encrypted' to false to opt out." } variable "ingress_communication_via_proxy" { diff --git a/modules/aws/ciphertrust-manager/README.md b/modules/aws/ciphertrust-manager/README.md index 2b2619ead..d6e7fe893 100644 --- a/modules/aws/ciphertrust-manager/README.md +++ b/modules/aws/ciphertrust-manager/README.md 
@@ -29,7 +29,7 @@ The following input variables are **required**: * `subnet_id`: The subnet ID to attach the CipherTrust instance to. * `key_pair`: Name of the AWS EC2 key pair used for SSH access. -* `ebs`: AWS EBS details. +* `ebs`: AWS EBS details. Includes an optional `encrypted` field (defaults to `true`); the root EBS volume is encrypted by default using the account default EBS KMS key. Set to `false` to opt out. Additionally, the following variables are often **required unless defaults suffice**: @@ -65,6 +65,7 @@ module "dsf_ciphertrust_manager" { volume_size = 300 volume_type = "gp3" iops = 3000 + encrypted = true # set to false to opt out of encrypting the root EBS volume } allowed_web_console_and_api_cidrs = ["10.0.0.0/24"] diff --git a/modules/aws/ciphertrust-manager/main.tf b/modules/aws/ciphertrust-manager/main.tf index b092a06ba..3a9fb744a 100644 --- a/modules/aws/ciphertrust-manager/main.tf +++ b/modules/aws/ciphertrust-manager/main.tf @@ -37,6 +37,7 @@ resource "aws_instance" "cipthertrust_manager_instance" { volume_size = var.ebs.volume_size volume_type = var.ebs.volume_type iops = var.ebs.iops + encrypted = var.ebs.encrypted delete_on_termination = true } network_interface { diff --git a/modules/aws/ciphertrust-manager/variables.tf b/modules/aws/ciphertrust-manager/variables.tf index b18a59568..203b175bb 100644 --- a/modules/aws/ciphertrust-manager/variables.tf +++ b/modules/aws/ciphertrust-manager/variables.tf @@ -148,8 +148,9 @@ variable "ebs" { volume_size = number volume_type = string iops = number + encrypted = optional(bool, true) }) - description = "Compute instance volume attributes for the CipherTrust Manager" + description = "Compute instance volume attributes for the CipherTrust Manager. The root EBS volume is encrypted by default (using the account default EBS KMS key). Set 'encrypted' to false to opt out." } variable "attach_persistent_public_ip" { 
diff --git a/modules/aws/cte-ddc-agent/main.tf b/modules/aws/cte-ddc-agent/main.tf index c35aa9918..ca4408c98 100644 --- a/modules/aws/cte-ddc-agent/main.tf +++ b/modules/aws/cte-ddc-agent/main.tf @@ -55,6 +55,7 @@ resource "aws_instance" "cte_ddc_agent" { volume_size = var.ebs.volume_size volume_type = var.ebs.volume_type iops = var.ebs.iops + encrypted = var.ebs.encrypted delete_on_termination = true } user_data = local.user_data diff --git a/modules/aws/cte-ddc-agent/variables.tf b/modules/aws/cte-ddc-agent/variables.tf index a76c6dab1..cd2644c7b 100644 --- a/modules/aws/cte-ddc-agent/variables.tf +++ b/modules/aws/cte-ddc-agent/variables.tf @@ -23,8 +23,9 @@ variable "ebs" { volume_size = number volume_type = string iops = number + encrypted = optional(bool, true) }) - description = "Compute instance volume attributes for the agent instance" + description = "Compute instance volume attributes for the agent instance. The root EBS volume is encrypted by default (using the account default EBS KMS key). Set 'encrypted' to false to opt out." } variable "subnet_id" { diff --git a/modules/aws/dam-base-instance/main.tf b/modules/aws/dam-base-instance/main.tf index 6ed7c8b86..d8e05c6bf 100644 --- a/modules/aws/dam-base-instance/main.tf +++ b/modules/aws/dam-base-instance/main.tf @@ -45,6 +45,7 @@ resource "aws_instance" "dsf_base_instance" { root_block_device { volume_size = var.ebs.volume_size volume_type = var.ebs.volume_type + encrypted = var.ebs.encrypted delete_on_termination = true } iam_instance_profile = local.instance_profile diff --git a/modules/aws/dam-base-instance/variables.tf b/modules/aws/dam-base-instance/variables.tf index 560a01d8f..1d7518051 100644 --- a/modules/aws/dam-base-instance/variables.tf +++ b/modules/aws/dam-base-instance/variables.tf 
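Review bot: `encrypted = var.ebs.encrypted` in `root_block_device` turns encryption on but gives callers no way to choose the key, so every volume falls back to the account's AWS-managed `aws/ebs` key, whose policy and rotation cannot be managed per workload and whose snapshots cannot be shared cross-account. Since the `ebs` object type is being extended anyway, add `kms_key_id = optional(string)` next to `encrypted` and pass `kms_key_id = var.ebs.kms_key_id` here; a null value preserves the default-key behaviour this commit introduces. The same gap exists in the cte-ddc-agent, ciphertrust-manager, dra-* and sonar-base-instance resources changed in this commit. The enclosing `aws_instance` resource starts before and ends after this hunk.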
@@ -51,8 +51,9 @@ variable "ebs" { type = object({ volume_size = number volume_type = string + encrypted = optional(bool, true) }) - description = "Compute instance volume attributes for the DAM base instance" + description = "Compute instance volume attributes for the DAM base instance. The root EBS volume is encrypted by default (using the account default EBS KMS key). Set 'encrypted' to false to opt out." } variable "instance_profile_name" { diff --git a/modules/aws/dra-admin/main.tf b/modules/aws/dra-admin/main.tf index 09e6a1e03..813ebc9aa 100644 --- a/modules/aws/dra-admin/main.tf +++ b/modules/aws/dra-admin/main.tf @@ -38,6 +38,7 @@ resource "aws_instance" "dsf_base_instance" { root_block_device { volume_size = var.ebs.volume_size volume_type = var.ebs.volume_type + encrypted = var.ebs.encrypted delete_on_termination = true } iam_instance_profile = local.instance_profile diff --git a/modules/aws/dra-admin/variables.tf b/modules/aws/dra-admin/variables.tf index cfae03e97..5833bd033 100644 --- a/modules/aws/dra-admin/variables.tf +++ b/modules/aws/dra-admin/variables.tf @@ -179,11 +179,13 @@ variable "ebs" { type = object({ volume_size = number volume_type = string + encrypted = optional(bool, true) }) - description = "Compute instance volume attributes for the DRA Admin" + description = "Compute instance volume attributes for the DRA Admin. The root EBS volume is encrypted by default (using the account default EBS KMS key). Set 'encrypted' to false to opt out." default = { volume_size = 260 volume_type = "gp3" + encrypted = true } } diff --git a/modules/aws/dra-analytics/main.tf b/modules/aws/dra-analytics/main.tf index 4ca215d99..a1e78c0d4 100644 --- a/modules/aws/dra-analytics/main.tf +++ b/modules/aws/dra-analytics/main.tf 
@@ -32,6 +32,7 @@ resource "aws_instance" "dsf_base_instance" { root_block_device { volume_size = var.ebs.volume_size volume_type = var.ebs.volume_type + encrypted = var.ebs.encrypted delete_on_termination = true } iam_instance_profile = local.instance_profile diff --git a/modules/aws/dra-analytics/variables.tf b/modules/aws/dra-analytics/variables.tf index 60b38e17f..66699c535 100644 --- a/modules/aws/dra-analytics/variables.tf +++ b/modules/aws/dra-analytics/variables.tf @@ -194,11 +194,13 @@ variable "ebs" { type = object({ volume_size = number volume_type = string + encrypted = optional(bool, true) }) - description = "Compute instance volume attributes for the DRA Analytics" + description = "Compute instance volume attributes for the DRA Analytics. The root EBS volume is encrypted by default (using the account default EBS KMS key). Set 'encrypted' to false to opt out." default = { volume_size = 1010 volume_type = "gp3" + encrypted = true } } diff --git a/modules/aws/hub/README.md b/modules/aws/hub/README.md index 2939efeda..323b64bd3 100644 --- a/modules/aws/hub/README.md +++ b/modules/aws/hub/README.md @@ -31,7 +31,7 @@ The following input variables are **required**: * `subnet_id`: The ID of the subnet in which to launch the DSF Hub instance * `ssh_key_pair`: AWS key pair name and path for ssh connectivity * `password`: Initial password for all users -* `ebs`: AWS EBS details +* `ebs`: AWS EBS details. Includes an optional `encrypted` field (defaults to `true`); the root and external EBS volumes are encrypted by default using the account default EBS KMS key. Set to `false` to opt out * `binaries_location`: S3 DSF installation location * `allowed_web_console_and_api_cidrs`: List of ingress CIDR patterns allowing web console access * `allowed_hub_cidrs`: List of ingress CIDR patterns allowing other hubs to access the DSF hub instance 
@@ -77,6 +77,7 @@ module "dsf_hub" { disk_size = 500 provisioned_iops = 0 throughput = 125 + encrypted = true # set to false to opt out of encrypting root + external EBS volumes } binaries_location = { s3_bucket = "my_S3_bucket" diff --git a/modules/aws/hub/variables.tf b/modules/aws/hub/variables.tf index 134ea844c..707481ee2 100644 --- a/modules/aws/hub/variables.tf +++ b/modules/aws/hub/variables.tf @@ -114,8 +114,9 @@ variable "ebs" { disk_size = number provisioned_iops = number throughput = number + encrypted = optional(bool, true) }) - description = "Compute instance volume attributes" + description = "Compute instance volume attributes. Both the root and external EBS volumes are encrypted by default (using the account default EBS KMS key). Set 'encrypted' to false to opt out." } variable "ingress_communication_via_proxy" { diff --git a/modules/aws/mx/variables.tf b/modules/aws/mx/variables.tf index 45fa8ebe3..97dfea5d8 100644 --- a/modules/aws/mx/variables.tf +++ b/modules/aws/mx/variables.tf @@ -25,11 +25,13 @@ variable "ebs" { type = object({ volume_size = number volume_type = string + encrypted = optional(bool, true) }) - description = "Compute instance volume attributes for the MX" + description = "Compute instance volume attributes for the MX. The root EBS volume is encrypted by default (using the account default EBS KMS key). Set 'encrypted' to false to opt out." default = { volume_size = 160 volume_type = "gp2" + encrypted = true } } diff --git a/modules/aws/sonar-base-instance/main.tf b/modules/aws/sonar-base-instance/main.tf index 5d19382fe..d66be7101 100644 --- a/modules/aws/sonar-base-instance/main.tf +++ b/modules/aws/sonar-base-instance/main.tf @@ -43,6 +43,7 @@ resource "aws_instance" "dsf_base_instance" { user_data = local.install_script root_block_device { volume_size = local.root_volume_size + encrypted = var.ebs_details.encrypted } iam_instance_profile = local.instance_profile network_interface { 
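Review bot: Adding `encrypted = var.ebs_details.encrypted` to `root_block_device` with a default of `true` changes the declared encryption state of the root volume on every Hub and Gateway instance deployed by earlier kit versions, and as I read the AWS provider schema `encrypted` on `root_block_device` forces replacement, so a routine upgrade to this release will plan a destroy-and-recreate of those instances. The 1.7.36 README release note should warn about this and give the upgrade path, e.g. set `encrypted = false` for existing deployments, or add `root_block_device[0].encrypted` to `lifecycle { ignore_changes }` until instances are re-provisioned. The `aws_instance` resource begins before this hunk and continues after it.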
@@ -72,6 +73,7 @@ resource "aws_ebs_volume" "ebs_external_data_vol" { type = local.ebs_state_disk_type iops = local.ebs_state_iops throughput = local.ebs_state_throughput + encrypted = var.ebs_details.encrypted availability_zone = data.aws_subnet.selected_subnet.availability_zone tags = merge(var.tags, { Name = join("-", [var.name, "data", "volume", "ebs"]) }) lifecycle { diff --git a/modules/aws/sonar-base-instance/variables.tf b/modules/aws/sonar-base-instance/variables.tf index b96da1ce2..80e9bf730 100644 --- a/modules/aws/sonar-base-instance/variables.tf +++ b/modules/aws/sonar-base-instance/variables.tf @@ -68,8 +68,9 @@ variable "ebs_details" { disk_size = number provisioned_iops = number throughput = number + encrypted = optional(bool, true) }) - description = "Compute instance external volume attributes" + description = "Compute instance external volume attributes. Both the root and external EBS volumes are encrypted by default (using the account default EBS KMS key). Set 'encrypted' to false to opt out." validation { condition = var.ebs_details.disk_size >= 150 error_message = "Disk size must be at least 150 GB"
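Review bot: `encrypted` on `aws_ebs_volume` can only be set at creation, so defaulting `ebs_external_data_vol` to `encrypted = true` on an already-deployed Hub or Gateway forces Terraform to destroy and recreate the data volume; depending on what the `lifecycle` block starting at the end of this hunk contains, that is either a blocked plan (`prevent_destroy`) or loss of the DSF data disk. Encrypting an existing volume requires an out-of-band snapshot, encrypted copy and new volume plus a state move, so this hunk needs either a documented migration procedure in the release note or `encrypted` added to `ignore_changes` for volumes that already exist. The `aws_ebs_volume` resource and its `lifecycle` block continue past the end of this hunk.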