From 2112f763ee86b424e2a2067a1d0e4ba164284fe8 Mon Sep 17 00:00:00 2001
From: Elliot Graebert
Date: Fri, 1 Jan 2016 15:47:36 -0800
Subject: [PATCH 1/2] Added support for the encryption flag on ebs_block_devices in launch configurations
---
 .../aws/resource_aws_launch_configuration.go | 11 +++++++++++
 .../aws/r/launch_configuration.html.markdown | 1 +
 2 files changed, 12 insertions(+)
diff --git a/builtin/providers/aws/resource_aws_launch_configuration.go b/builtin/providers/aws/resource_aws_launch_configuration.go
index a257a10b44f1..f115169f00f3 100644
--- a/builtin/providers/aws/resource_aws_launch_configuration.go
+++ b/builtin/providers/aws/resource_aws_launch_configuration.go
@@ -185,6 +185,13 @@ func resourceAwsLaunchConfiguration() *schema.Resource {
 Computed: true,
 ForceNew: true,
 },
+
+ "encrypted": &schema.Schema{
+ Type: schema.TypeBool,
+ Optional: true,
+ Computed: true,
+ ForceNew: true,
+ },
 },
 },
 Set: func(v interface{}) int {
@@ -326,6 +333,7 @@ func resourceAwsLaunchConfigurationCreate(d *schema.ResourceData, meta interface
 bd := v.(map[string]interface{})
 ebs := &autoscaling.Ebs{
 DeleteOnTermination: aws.Bool(bd["delete_on_termination"].(bool)),
+ Encrypted: aws.Bool(bd["encrypted"].(bool)),
 }
 if v, ok := bd["snapshot_id"].(string); ok && v != "" {
@@ -570,6 +578,9 @@ func readBlockDevicesFromLaunchConfiguration(d *schema.ResourceData, lc *autosca
 if bdm.Ebs != nil && bdm.Ebs.Iops != nil {
 bd["iops"] = *bdm.Ebs.Iops
 }
+ if bdm.Ebs != nil && bdm.Ebs.Encrypted != nil {
+ bd["encrypted"] = *bdm.Ebs.Encrypted
+ }
 if bdm.DeviceName != nil && *bdm.DeviceName == *rootDeviceName {
 blockDevices["root"] = bd
 } else {
diff --git a/website/source/docs/providers/aws/r/launch_configuration.html.markdown b/website/source/docs/providers/aws/r/launch_configuration.html.markdown
index dd7dd84fcb0d..9bb5501f4a8e 100644
--- a/website/source/docs/providers/aws/r/launch_configuration.html.markdown
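Review bot: The schema key added in the `@@ -185` hunk is `encrypted`, but the documentation bullet added in the same patch names the argument `encryption`, so a configuration written from the docs would not set this field. The docs also state `(Default: false)` while the entry is `Optional`/`Computed` with no `Default`, so an unset value appears to come from the read path rather than being pinned to `false`. Because this flag decides whether a volume is encrypted at rest, the doc bullet should be renamed to `encrypted`, and the entry deserves a comment such as `// Whether the EBS volume is encrypted at rest. Changing it forces a new launch configuration.`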
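Review bot: In the `@@ -326` hunk `Encrypted` is sent on every EBS mapping, including an explicit `false` when the attribute is unset and when `snapshot_id` is set a few lines later, which is the combination the docs added in this patch tell users to avoid. Setting the field only when encryption was requested avoids that: `if v, ok := bd["encrypted"].(bool); ok && v { ebs.Encrypted = aws.Bool(v) }`, placed after the struct literal. The checked form also replaces the bare `.(bool)` assertion, which panics if the map value is missing or not a bool. The enclosing function starts and ends outside the hunk.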
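Review bot: In the `@@ -570` hunk `bd["encrypted"]` is filled in before the root/non-root split, so a root mapping that reports `Encrypted` would carry the key into `blockDevices["root"]`. The `root_block_device` schema is not part of this patch; if it does not declare `encrypted`, storing that map may fail or show spurious drift for images whose root snapshot is encrypted. Moving the new `if bdm.Ebs != nil && bdm.Ebs.Encrypted != nil { bd["encrypted"] = *bdm.Ebs.Encrypted }` into the `else` branch would limit it to `ebs_block_device` entries. The `else` body and the rest of the function lie outside the hunk, so this needs checking against the full file.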
+++ b/website/source/docs/providers/aws/r/launch_configuration.html.markdown
@@ -144,6 +144,7 @@ Each `ebs_block_device` supports the following:
 This must be set with a `volume_type` of `"io1"`.
 * `delete_on_termination` - (Optional) Whether the volume should be destroyed on instance termination (Default: `true`).
+* `encryption` - (Optional) Whether the volume should be encrypted or not. Do not use this option if you are using `snapshot_id` as the encryption flag will be determined by the snapshot. (Default: `false`).
 Modifying any `ebs_block_device` currently requires resource replacement.
From 65567cfbdc49f58e26d9c6e0a91fda5ee22a3ded Mon Sep 17 00:00:00 2001
From: Elliot Graebert
Date: Tue, 5 Jan 2016 23:36:39 -0800
Subject: [PATCH 2/2] Added an acceptance test
---
 .../resource_aws_launch_configuration_test.go | 64 +++++++++++++++++++
 1 file changed, 64 insertions(+)
diff --git a/builtin/providers/aws/resource_aws_launch_configuration_test.go b/builtin/providers/aws/resource_aws_launch_configuration_test.go
index 1e914c86dffa..3cb5e50f4a3f 100644
--- a/builtin/providers/aws/resource_aws_launch_configuration_test.go
+++ b/builtin/providers/aws/resource_aws_launch_configuration_test.go
@@ -89,6 +89,52 @@ func TestAccAWSLaunchConfiguration_withSpotPrice(t *testing.T) {
 })
 }
+func testAccCheckAWSLaunchConfigurationWithEncryption(conf *autoscaling.LaunchConfiguration) resource.TestCheckFunc {
+ return func(s *terraform.State) error {
+ // Map out the block devices by name, which should be unique.
+ blockDevices := make(map[string]*autoscaling.BlockDeviceMapping)
+ for _, blockDevice := range conf.BlockDeviceMappings {
+ blockDevices[*blockDevice.DeviceName] = blockDevice
+ }
+
+ // Check if the root block device exists.
+ if _, ok := blockDevices["/dev/sda1"]; !ok {
+ return fmt.Errorf("block device doesn't exist: /dev/sda1")
+ } else if blockDevices["/dev/sda1"].Ebs.Encrypted != nil {
+ return fmt.Errorf("root device should not include value for Encrypted")
+ }
+
+ // Check if the secondary block device exists.
+ if _, ok := blockDevices["/dev/sdb"]; !ok {
+ return fmt.Errorf("block device doesn't exist: /dev/sdb")
+ } else if !*blockDevices["/dev/sdb"].Ebs.Encrypted {
+ return fmt.Errorf("block device isn't encrypted as expected: /dev/sdb")
+ }
+
+ return nil
+ }
+}
+
+func TestAccAWSLaunchConfiguration_withEncryption(t *testing.T) {
+ var conf autoscaling.LaunchConfiguration
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckAWSLaunchConfigurationDestroy,
+ Steps: []resource.TestStep{
+ resource.TestStep{
+ Config: testAccAWSLaunchConfigurationWithEncryption,
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAWSLaunchConfigurationExists("aws_launch_configuration.baz", &conf),
+
+ testAccCheckAWSLaunchConfigurationWithEncryption(&conf),
+ ),
+ },
+ },
+ })
+}
+
 func testAccCheckAWSLaunchConfigurationGeneratedNamePrefix(
 resource, prefix string) resource.TestCheckFunc {
 return func(s *terraform.State) error {
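Review bot: The `/dev/sdb` check in `testAccCheckAWSLaunchConfigurationWithEncryption` dereferences `Ebs.Encrypted` without a nil check, so if the API omits the field the test panics instead of reporting that the volume is not encrypted. The `/dev/sda1` branch likewise assumes `Ebs` is non-nil. A guarded form keeps the failure readable: `} else if ebs := blockDevices["/dev/sdb"].Ebs; ebs == nil || ebs.Encrypted == nil || !*ebs.Encrypted {`. The hard-coded root name `/dev/sda1` depends on the AMI used in the test config, and a short comment saying so would help whoever changes the image.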
@@ -273,3 +319,21 @@ resource "aws_launch_configuration" "baz" {
 associate_public_ip_address = false
 }
 `
+
+const testAccAWSLaunchConfigurationWithEncryption = `
+resource "aws_launch_configuration" "baz" {
+ image_id = "ami-5189a661"
+ instance_type = "t2.micro"
+ associate_public_ip_address = false
+
+ root_block_device {
+ volume_type = "gp2"
+ volume_size = 11
+ }
+ ebs_block_device {
+ device_name = "/dev/sdb"
+ volume_size = 9
+ encrypted = true
+ }
+}
+`