Root EBS volume encryption

[jrouly]

Is your request related to a problem? Please describe.

Up until the release of v18.0.0 (i.e., this feature was present up until v17.24.0 and removed in #1680), it was possible to specify EBS root volume encryption by passing in root_kms_key_id.

I can't find it documented anywhere that this feature was intentionally dropped. As far as I can tell, the only way to achieve encrypted root EBS volumes is to explicitly configure block_device_mappings, e.g.:

block_device_mappings = {
  xvda = {
    device_name = "/dev/xvda"
    ebs = {
      encrypted   = true
      kms_key_id  = ...
    }
  }
}

Describe the solution you'd like.

A high level variable like root_kms_key_id to be passed into the node group modules (at least EKS-managed and self-managed) would be very nice, especially compared to the relatively low level block_device_mappings.

[bryantbiggs]

The functionality is available but as you have identified, its available through the block_device_mappings

[jrouly]

Aha, alright. It's a little disappointing that using a low level block like block_device_mappings is necessary - seems to reduce the scope of the value added by this module. But I understand the desire to shed scope.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.