Support Nitro Enclaves in aws_instance and aws_launch_template (#16361)

Output from acceptance testing in AWS Commercial (failure known and unrelated): ``` --- FAIL: TestAccAWSInstance_instanceProfileChange (131.45s) --- PASS: TestAccAWSInstance_addSecondaryInterface (168.25s) --- PASS: TestAccAWSInstance_addSecurityGroupNetworkInterface (145.34s) --- PASS: TestAccAWSInstance_associatePublic_defaultPrivate (93.37s) --- PASS: TestAccAWSInstance_associatePublic_defaultPublic (193.44s) --- PASS: TestAccAWSInstance_associatePublic_explicitPrivate (90.86s) --- PASS: TestAccAWSInstance_associatePublic_explicitPublic (89.46s) --- PASS: TestAccAWSInstance_associatePublic_overridePrivate (91.19s) --- PASS: TestAccAWSInstance_associatePublic_overridePublic (81.27s) --- PASS: TestAccAWSInstance_associatePublicIPAndPrivateIP (80.40s) --- PASS: TestAccAWSInstance_atLeastOneOtherEbsVolume (192.83s) --- PASS: TestAccAWSInstance_basic (89.76s) --- PASS: TestAccAWSInstance_blockDevices (78.09s) --- PASS: TestAccAWSInstance_changeInstanceType (149.50s) --- PASS: TestAccAWSInstance_CreditSpecification_Empty_NonBurstable (322.48s) --- PASS: TestAccAWSInstance_creditSpecification_isNotAppliedToNonBurstable (95.59s) --- PASS: TestAccAWSInstance_creditSpecification_standardCpuCredits (119.17s) --- PASS: TestAccAWSInstance_creditSpecification_standardCpuCredits_t2Tot3Taint (404.66s) --- PASS: TestAccAWSInstance_creditSpecification_unknownCpuCredits_t2 (91.53s) --- PASS: TestAccAWSInstance_creditSpecification_unknownCpuCredits_t3 (313.08s) --- PASS: TestAccAWSInstance_creditSpecification_unlimitedCpuCredits (118.40s) --- PASS: TestAccAWSInstance_creditSpecification_unlimitedCpuCredits_t2Tot3Taint (395.94s) --- PASS: TestAccAWSInstance_creditSpecification_unspecifiedDefaultsToStandard (78.13s) --- PASS: TestAccAWSInstance_CreditSpecification_UnspecifiedToEmpty_NonBurstable (108.23s) --- PASS: TestAccAWSInstance_creditSpecification_updateCpuCredits (134.94s) --- PASS: TestAccAWSInstance_creditSpecificationT3_standardCpuCredits (131.22s) --- PASS: TestAccAWSInstance_creditSpecificationT3_unlimitedCpuCredits (117.74s) --- PASS: TestAccAWSInstance_creditSpecificationT3_unspecifiedDefaultsToUnlimited (309.62s) --- PASS: TestAccAWSInstance_creditSpecificationT3_updateCpuCredits (146.03s) --- PASS: TestAccAWSInstance_dedicatedInstance (106.61s) --- PASS: TestAccAWSInstance_disableApiTermination (118.10s) --- PASS: TestAccAWSInstance_disappears (92.80s) --- PASS: TestAccAWSInstance_EbsBlockDevice_InvalidIopsForVolumeType (17.27s) --- PASS: TestAccAWSInstance_EbsBlockDevice_KmsKeyArn (142.27s) --- PASS: TestAccAWSInstance_EbsRootDevice_basic (132.83s) --- PASS: TestAccAWSInstance_EbsRootDevice_ModifyAll (164.65s) --- PASS: TestAccAWSInstance_EbsRootDevice_ModifyDeleteOnTermination (97.23s) --- PASS: TestAccAWSInstance_EbsRootDevice_ModifyIOPS_Io1 (121.82s) --- PASS: TestAccAWSInstance_EbsRootDevice_ModifyIOPS_Io2 (147.63s) --- PASS: TestAccAWSInstance_EbsRootDevice_ModifySize (236.63s) --- PASS: TestAccAWSInstance_EbsRootDevice_ModifyType (123.66s) --- PASS: TestAccAWSInstance_EbsRootDevice_MultipleBlockDevices_ModifyDeleteOnTermination (199.08s) --- PASS: TestAccAWSInstance_EbsRootDevice_MultipleBlockDevices_ModifySize (123.52s) --- PASS: TestAccAWSInstance_EbsRootDevice_MultipleDynamicEBSBlockDevices (207.68s) --- PASS: TestAccAWSInstance_Empty_PrivateIP (78.02s) --- PASS: TestAccAWSInstance_enclaveOptions (430.58s) --- PASS: TestAccAWSInstance_forceNewAndTagsDrift (270.39s) --- PASS: TestAccAWSInstance_getPasswordData_falseToTrue (208.61s) --- PASS: TestAccAWSInstance_getPasswordData_trueToFalse (269.53s) --- PASS: TestAccAWSInstance_GP2IopsDevice (80.89s) --- PASS: TestAccAWSInstance_GP2WithIopsValue (11.19s) --- PASS: TestAccAWSInstance_hibernation (204.56s) --- PASS: TestAccAWSInstance_inDefaultVpcBySgId (100.86s) --- PASS: TestAccAWSInstance_inDefaultVpcBySgName (99.23s) --- PASS: TestAccAWSInstance_ipv6_supportAddressCount (99.03s) --- PASS: TestAccAWSInstance_ipv6_supportAddressCountWithIpv4 (189.48s) --- PASS: TestAccAWSInstance_ipv6AddressCountAndSingleAddressCausesError (16.71s) --- PASS: TestAccAWSInstance_keyPairCheck (86.95s) --- PASS: TestAccAWSInstance_metadataOptions (154.98s) --- PASS: TestAccAWSInstance_NetworkInstanceRemovingAllSecurityGroups (112.12s) --- PASS: TestAccAWSInstance_NetworkInstanceSecurityGroups (103.81s) --- PASS: TestAccAWSInstance_NetworkInstanceVPCSecurityGroupIDs (136.45s) --- PASS: TestAccAWSInstance_NewNetworkInterface_EmptyPrivateIPAndSecondaryPrivateIPs (341.20s) --- PASS: TestAccAWSInstance_NewNetworkInterface_EmptyPrivateIPAndSecondaryPrivateIPsUpdate (161.33s) --- PASS: TestAccAWSInstance_NewNetworkInterface_PrivateIPAndSecondaryPrivateIPs (134.73s) --- PASS: TestAccAWSInstance_NewNetworkInterface_PrivateIPAndSecondaryPrivateIPsUpdate (121.24s) --- PASS: TestAccAWSInstance_NewNetworkInterface_PublicIPAndSecondaryPrivateIPs (410.27s) --- PASS: TestAccAWSInstance_noAMIEphemeralDevices (59.54s) --- PASS: TestAccAWSInstance_placementGroup (304.38s) --- PASS: TestAccAWSInstance_primaryNetworkInterface (112.14s) --- PASS: TestAccAWSInstance_primaryNetworkInterfaceSourceDestCheck (112.05s) --- PASS: TestAccAWSInstance_privateIP (75.33s) --- PASS: TestAccAWSInstance_RootBlockDevice_KmsKeyArn (99.55s) --- PASS: TestAccAWSInstance_rootBlockDeviceMismatch (121.64s) --- PASS: TestAccAWSInstance_rootInstanceStore (149.85s) --- PASS: TestAccAWSInstance_sourceDestCheck (159.49s) --- PASS: TestAccAWSInstance_tags (104.40s) --- PASS: TestAccAWSInstance_UserData_EmptyStringToUnspecified (113.94s) --- PASS: TestAccAWSInstance_UserData_UnspecifiedToEmptyString (105.43s) --- PASS: TestAccAWSInstance_userDataBase64 (105.42s) --- PASS: TestAccAWSInstance_volumeTags (166.33s) --- PASS: TestAccAWSInstance_volumeTagsComputed (118.47s) --- PASS: TestAccAWSInstance_withIamInstanceProfile (99.55s) --- SKIP: TestAccAWSInstance_inEc2Classic (2.60s) --- SKIP: TestAccAWSInstance_outpost (1.99s) --- PASS: TestAccAWSInstanceDataSource_AzUserData (109.31s) --- PASS: TestAccAWSInstanceDataSource_basic (125.30s) --- PASS: TestAccAWSInstanceDataSource_blockDevices (97.25s) --- PASS: TestAccAWSInstanceDataSource_creditSpecification (84.91s) --- PASS: TestAccAWSInstanceDataSource_EbsBlockDevice_KmsKeyId (110.17s) --- PASS: TestAccAWSInstanceDataSource_enclaveOptions (68.12s) --- PASS: TestAccAWSInstanceDataSource_getPasswordData_falseToTrue (247.32s) --- PASS: TestAccAWSInstanceDataSource_getPasswordData_trueToFalse (255.13s) --- PASS: TestAccAWSInstanceDataSource_GetUserData (152.33s) --- PASS: TestAccAWSInstanceDataSource_GetUserData_NoUserData (182.10s) --- PASS: TestAccAWSInstanceDataSource_gp2IopsDevice (108.60s) --- PASS: TestAccAWSInstanceDataSource_keyPair (122.63s) --- PASS: TestAccAWSInstanceDataSource_metadataOptions (305.70s) --- PASS: TestAccAWSInstanceDataSource_PlacementGroup (335.92s) --- PASS: TestAccAWSInstanceDataSource_privateIP (106.49s) --- PASS: TestAccAWSInstanceDataSource_RootBlockDevice_KmsKeyId (141.35s) --- PASS: TestAccAWSInstanceDataSource_rootInstanceStore (107.10s) --- PASS: TestAccAWSInstanceDataSource_secondaryPrivateIPs (101.78s) --- PASS: TestAccAWSInstanceDataSource_SecurityGroups (114.84s) --- PASS: TestAccAWSInstanceDataSource_tags (113.19s) --- PASS: TestAccAWSInstanceDataSource_VPC (118.35s) --- PASS: TestAccAWSInstanceDataSource_VPCSecurityGroups (128.09s) --- PASS: TestAccAWSInstancesDataSource_basic (345.58s) --- PASS: TestAccAWSInstancesDataSource_instanceStateNames (91.95s) --- PASS: TestAccAWSInstancesDataSource_tags (334.64s) --- PASS: TestAccAWSLaunchTemplate_associateCarrierIPAddress (95.60s) --- PASS: TestAccAWSLaunchTemplate_associatePublicIPAddress (96.67s) --- PASS: TestAccAWSLaunchTemplate_basic (15.00s) --- PASS: TestAccAWSLaunchTemplate_BlockDeviceMappings_EBS (66.34s) --- PASS: TestAccAWSLaunchTemplate_BlockDeviceMappings_EBS_DeleteOnTermination (86.09s) --- PASS: TestAccAWSLaunchTemplate_BlockDeviceMappings_EBS_Gp3 (65.39s) --- PASS: TestAccAWSLaunchTemplate_capacityReservation_preference (30.21s) --- PASS: TestAccAWSLaunchTemplate_capacityReservation_target (31.33s) --- PASS: TestAccAWSLaunchTemplate_cpuOptions (30.11s) --- PASS: TestAccAWSLaunchTemplate_creditSpecification_nonBurstable (34.89s) --- PASS: TestAccAWSLaunchTemplate_creditSpecification_t2 (35.68s) --- PASS: TestAccAWSLaunchTemplate_creditSpecification_t3 (32.18s) --- PASS: TestAccAWSLaunchTemplate_data (21.55s) --- PASS: TestAccAWSLaunchTemplate_defaultVersion (60.20s) --- PASS: TestAccAWSLaunchTemplate_description (53.26s) --- PASS: TestAccAWSLaunchTemplate_disappears (19.56s) --- PASS: TestAccAWSLaunchTemplate_EbsOptimized (106.63s) --- PASS: TestAccAWSLaunchTemplate_ElasticInferenceAccelerator (40.95s) --- PASS: TestAccAWSLaunchTemplate_enclaveOptions (64.33s) --- PASS: TestAccAWSLaunchTemplate_hibernation (63.36s) --- PASS: TestAccAWSLaunchTemplate_IamInstanceProfile_EmptyConfigurationBlock (28.60s) --- PASS: TestAccAWSLaunchTemplate_instanceMarketOptions (84.40s) --- PASS: TestAccAWSLaunchTemplate_licenseSpecification (30.35s) --- PASS: TestAccAWSLaunchTemplate_metadataOptions (30.84s) --- PASS: TestAccAWSLaunchTemplate_networkInterface (69.40s) --- PASS: TestAccAWSLaunchTemplate_networkInterface_ipv6AddressCount (25.96s) --- PASS: TestAccAWSLaunchTemplate_networkInterface_ipv6Addresses (27.09s) --- PASS: TestAccAWSLaunchTemplate_networkInterfaceAddresses (68.27s) --- PASS: TestAccAWSLaunchTemplate_NetworkInterfaces_DeleteOnTermination (85.02s) --- PASS: TestAccAWSLaunchTemplate_placement_partitionNum (51.60s) --- PASS: TestAccAWSLaunchTemplate_tags (52.39s) --- PASS: TestAccAWSLaunchTemplate_update (78.88s) --- PASS: TestAccAWSLaunchTemplate_updateDefaultVersion (69.42s) --- PASS: TestAccAWSLaunchTemplateDataSource_associateCarrierIPAddress (63.16s) --- PASS: TestAccAWSLaunchTemplateDataSource_associatePublicIPAddress (63.57s) --- PASS: TestAccAWSLaunchTemplateDataSource_basic (27.41s) --- PASS: TestAccAWSLaunchTemplateDataSource_enclaveOptions (33.37s) --- PASS: TestAccAWSLaunchTemplateDataSource_filter_basic (28.83s) --- PASS: TestAccAWSLaunchTemplateDataSource_filter_tags (33.26s) --- PASS: TestAccAWSLaunchTemplateDataSource_id_basic (26.74s) --- PASS: TestAccAWSLaunchTemplateDataSource_metadataOptions (32.68s) --- PASS: TestAccAWSLaunchTemplateDataSource_networkInterfaces_deleteOnTermination (62.31s) --- PASS: TestAccAWSLaunchTemplateDataSource_NonExistent (8.99s) ```
hashicorp · Dec 15, 2020 · ca78d53 · ca78d53
1 parent 66e0572
commit ca78d53
Show file tree

Hide file tree

Showing 12 changed files with 342 additions and 0 deletions.
diff --git a/aws/data_source_aws_instance.go b/aws/data_source_aws_instance.go
@@ -316,6 +316,18 @@ func dataSourceAwsInstance() *schema.Resource {
 				Type:     schema.TypeBool,
 				Computed: true,
 			},
+			"enclave_options": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"enabled": {
+							Type:     schema.TypeBool,
+							Computed: true,
+						},
+					},
+				},
+			},
 		},
 	}
 }
@@ -535,5 +547,9 @@ func instanceDescriptionAttributes(d *schema.ResourceData, instance *ec2.Instanc
 		return fmt.Errorf("error setting metadata_options: %s", err)
 	}
 
+	if err := d.Set("enclave_options", flattenEc2EnclaveOptions(instance.EnclaveOptions)); err != nil {
+		return fmt.Errorf("error setting enclave_options: %s", err)
+	}
+
 	return nil
 }
diff --git a/aws/data_source_aws_instance_test.go b/aws/data_source_aws_instance_test.go
@@ -489,6 +489,26 @@ func TestAccAWSInstanceDataSource_metadataOptions(t *testing.T) {
 	})
 }
 
+func TestAccAWSInstanceDataSource_enclaveOptions(t *testing.T) {
+	resourceName := "aws_instance.test"
+	datasourceName := "data.aws_instance.test"
+	rName := acctest.RandomWithPrefix("tf-acc-test")
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccInstanceDataSourceConfig_enclaveOptions(rName),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrPair(datasourceName, "enclave_options.#", resourceName, "enclave_options.#"),
+					resource.TestCheckResourceAttrPair(datasourceName, "enclave_options.0.enabled", resourceName, "enclave_options.0.enabled"),
+				),
+			},
+		},
+	})
+}
+
 // Lookup based on InstanceID
 var testAccInstanceDataSourceConfig = testAccLatestAmazonLinuxHvmEbsAmiConfig() + `
 resource "aws_instance" "test" {
@@ -920,3 +940,29 @@ data "aws_instance" "test" {
 }
 `, rName))
 }
+
+func testAccInstanceDataSourceConfig_enclaveOptions(rName string) string {
+	return composeConfig(
+		testAccLatestAmazonLinuxHvmEbsAmiConfig(),
+		testAccAwsInstanceVpcConfig(rName, false),
+		testAccAvailableEc2InstanceTypeForRegion("c5a.xlarge", "c5.xlarge"),
+		fmt.Sprintf(`
+resource "aws_instance" "test" {
+  ami           = data.aws_ami.amzn-ami-minimal-hvm-ebs.id
+  instance_type = data.aws_ec2_instance_type_offering.available.instance_type
+  subnet_id     = aws_subnet.test.id
+
+  tags = {
+    Name = %[1]q
+  }
+
+  enclave_options {
+    enabled = true
+  }
+}
+
+data "aws_instance" "test" {
+  instance_id = aws_instance.test.id
+}
+`, rName))
+}
diff --git a/aws/data_source_aws_launch_template.go b/aws/data_source_aws_launch_template.go
@@ -231,6 +231,18 @@ func dataSourceAwsLaunchTemplate() *schema.Resource {
 					},
 				},
 			},
+			"enclave_options": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"enabled": {
+							Type:     schema.TypeBool,
+							Computed: true,
+						},
+					},
+				},
+			},
 			"monitoring": {
 				Type:     schema.TypeList,
 				Computed: true,
@@ -515,6 +527,10 @@ func dataSourceAwsLaunchTemplateRead(d *schema.ResourceData, meta interface{}) e
 		return fmt.Errorf("error setting metadata_options: %w", err)
 	}
 
+	if err := d.Set("enclave_options", getEnclaveOptions(ltData.EnclaveOptions)); err != nil {
+		return fmt.Errorf("error setting enclave_options: %w", err)
+	}
+
 	if err := d.Set("monitoring", getMonitoring(ltData.Monitoring)); err != nil {
 		return fmt.Errorf("error setting monitoring: %w", err)
 	}

diff --git a/aws/data_source_aws_launch_template_test.go b/aws/data_source_aws_launch_template_test.go
@@ -149,6 +149,27 @@ func TestAccAWSLaunchTemplateDataSource_metadataOptions(t *testing.T) {
 	})
 }
 
+func TestAccAWSLaunchTemplateDataSource_enclaveOptions(t *testing.T) {
+	rName := acctest.RandomWithPrefix("tf-acc-test")
+	dataSourceName := "data.aws_launch_template.test"
+	resourceName := "aws_launch_template.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSLaunchTemplateDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSLaunchTemplateDataSourceConfig_enclaveOptions(rName),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrPair(dataSourceName, "enclave_options.#", resourceName, "enclave_options.#"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "enclave_options.0.enabled", resourceName, "enclave_options.0.enabled"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccAWSLaunchTemplateDataSource_associatePublicIPAddress(t *testing.T) {
 	rName := acctest.RandomWithPrefix("tf-acc-test")
 	dataSourceName := "data.aws_launch_template.test"
@@ -345,6 +366,22 @@ data "aws_launch_template" "test" {
 `, rName)
 }
 
+func testAccAWSLaunchTemplateDataSourceConfig_enclaveOptions(rName string) string {
+	return fmt.Sprintf(`
+resource "aws_launch_template" "test" {
+  name = %[1]q
+
+  enclave_options {
+    enabled = true
+  }
+}
+
+data "aws_launch_template" "test" {
+  name = aws_launch_template.test.name
+}
+`, rName)
+}
+
 func testAccAWSLaunchTemplateDataSourceConfig_associatePublicIpAddress(rName, associatePublicIPAddress string) string {
 	return fmt.Sprintf(`
 resource "aws_launch_template" "test" {

diff --git a/aws/resource_aws_instance.go b/aws/resource_aws_instance.go
@@ -580,6 +580,23 @@ func resourceAwsInstance() *schema.Resource {
 					},
 				},
 			},
+
+			"enclave_options": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Computed: true,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"enabled": {
+							Type:     schema.TypeBool,
+							Optional: true,
+							Computed: true,
+							ForceNew: true,
+						},
+					},
+				},
+			},
 		},
 	}
 }
@@ -629,6 +646,7 @@ func resourceAwsInstanceCreate(d *schema.ResourceData, meta interface{}) error {
 		CpuOptions:                        instanceOpts.CpuOptions,
 		HibernationOptions:                instanceOpts.HibernationOptions,
 		MetadataOptions:                   instanceOpts.MetadataOptions,
+		EnclaveOptions:                    instanceOpts.EnclaveOptions,
 		TagSpecifications:                 tagSpecifications,
 	}
 
@@ -784,6 +802,10 @@ func resourceAwsInstanceRead(d *schema.ResourceData, meta interface{}) error {
 		return fmt.Errorf("error setting metadata_options: %s", err)
 	}
 
+	if err := d.Set("enclave_options", flattenEc2EnclaveOptions(instance.EnclaveOptions)); err != nil {
+		return fmt.Errorf("error setting enclave_options: %s", err)
+	}
+
 	d.Set("ami", instance.ImageId)
 	d.Set("instance_type", instance.InstanceType)
 	d.Set("key_name", instance.KeyName)
@@ -2175,6 +2197,7 @@ type awsInstanceOpts struct {
 	CpuOptions                        *ec2.CpuOptionsRequest
 	HibernationOptions                *ec2.HibernationOptionsRequest
 	MetadataOptions                   *ec2.InstanceMetadataOptionsRequest
+	EnclaveOptions                    *ec2.EnclaveOptionsRequest
 }
 
 func buildAwsInstanceOpts(d *schema.ResourceData, meta interface{}) (*awsInstanceOpts, error) {
@@ -2187,6 +2210,7 @@ func buildAwsInstanceOpts(d *schema.ResourceData, meta interface{}) (*awsInstanc
 		ImageID:               aws.String(d.Get("ami").(string)),
 		InstanceType:          aws.String(instanceType),
 		MetadataOptions:       expandEc2InstanceMetadataOptions(d.Get("metadata_options").([]interface{})),
+		EnclaveOptions:        expandEc2EnclaveOptions(d.Get("enclave_options").([]interface{})),
 	}
 
 	// Set default cpu_credits as Unlimited for T3 instance type
@@ -2490,6 +2514,20 @@ func expandEc2InstanceMetadataOptions(l []interface{}) *ec2.InstanceMetadataOpti
 	return opts
 }
 
+func expandEc2EnclaveOptions(l []interface{}) *ec2.EnclaveOptionsRequest {
+	if len(l) == 0 || l[0] == nil {
+		return nil
+	}
+
+	m := l[0].(map[string]interface{})
+
+	opts := &ec2.EnclaveOptionsRequest{
+		Enabled: aws.Bool(m["enabled"].(bool)),
+	}
+
+	return opts
+}
+
 //Expands an array of secondary Private IPs into a ec2 Private IP Address Spec
 func expandSecondaryPrivateIPAddresses(ips []interface{}) []*ec2.PrivateIpAddressSpecification {
 	specs := make([]*ec2.PrivateIpAddressSpecification, 0, len(ips))
@@ -2517,6 +2555,18 @@ func flattenEc2InstanceMetadataOptions(opts *ec2.InstanceMetadataOptionsResponse
 	return []interface{}{m}
 }
 
+func flattenEc2EnclaveOptions(opts *ec2.EnclaveOptions) []interface{} {
+	if opts == nil {
+		return nil
+	}
+
+	m := map[string]interface{}{
+		"enabled": aws.BoolValue(opts.Enabled),
+	}
+
+	return []interface{}{m}
+}
+
 // resourceAwsInstanceFindByID returns the EC2 instance by ID
 // * If the instance is found, returns the instance and nil
 // * If no instance is found, returns nil and nil

diff --git a/aws/resource_aws_instance_test.go b/aws/resource_aws_instance_test.go
@@ -3109,6 +3109,41 @@ func TestAccAWSInstance_metadataOptions(t *testing.T) {
 	})
 }
 
+func TestAccAWSInstance_enclaveOptions(t *testing.T) {
+	var instance1, instance2 ec2.Instance
+	resourceName := "aws_instance.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckInstanceDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccInstanceConfigEnclaveOptions(true),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckInstanceExists(resourceName, &instance1),
+					resource.TestCheckResourceAttr(resourceName, "enclave_options.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "enclave_options.0.enabled", "true"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccInstanceConfigEnclaveOptions(false),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckInstanceExists(resourceName, &instance2),
+					testAccCheckInstanceRecreated(&instance1, &instance2),
+					resource.TestCheckResourceAttr(resourceName, "enclave_options.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "enclave_options.0.enabled", "false"),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckInstanceNotRecreated(t *testing.T,
 	before, after *ec2.Instance) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
@@ -5125,6 +5160,29 @@ resource "aws_instance" "test" {
 `, rName))
 }
 
+func testAccInstanceConfigEnclaveOptions(enabled bool) string {
+	name := "tf-acc-instance-enclaves"
+	return composeConfig(
+		testAccLatestAmazonLinuxHvmEbsAmiConfig(),
+		testAccAwsInstanceVpcConfig(name, false),
+		testAccAvailableEc2InstanceTypeForRegion("c5a.xlarge", "c5.xlarge"),
+		fmt.Sprintf(`
+resource "aws_instance" "test" {
+  ami           = data.aws_ami.amzn-ami-minimal-hvm-ebs.id
+  instance_type = data.aws_ec2_instance_type_offering.available.instance_type
+  subnet_id     = aws_subnet.test.id
+
+  enclave_options {
+    enabled = %[2]t
+  }
+
+  tags = {
+    Name = %[1]q
+  }
+}
+`, name, enabled))
+}
+
 func testAccAwsEc2InstanceConfigDynamicEBSBlockDevices() string {
 	return composeConfig(testAccLatestAmazonLinuxPvEbsAmiConfig(), `
 resource "aws_instance" "test" {