Merge pull request #79 from sgielen/feature/aws-ebs-encryption-by-def…

…ault Enable AWS EBS encryption by default for all AWS accounts.
schubergphilis · Feb 1, 2021 · 31c272e · 31c272e
2 parents da4253f + 1b51a80
commit 31c272e
Show file tree

Hide file tree

Showing 7 changed files with 33 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,10 @@ BUG FIXES
 
 * Fix error when trying to read SNS topic policy from data source ([#78](https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/pull/78))
 
+ENHANCEMENTS
+
+* Enable AWS EBS encryption by default ([#79](https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/pull/79))
+
 ## 0.5.1 (2021-01-15)
 
 BUG FIXES

diff --git a/audit.tf b/audit.tf
@@ -225,3 +225,8 @@ resource "aws_iam_account_password_policy" "audit" {
   require_symbols                = var.aws_account_password_policy.require_symbols
   require_uppercase_characters   = var.aws_account_password_policy.require_uppercase_characters
 }
+
+resource "aws_ebs_encryption_by_default" "audit" {
+  provider = aws.audit
+  enabled  = var.aws_ebs_encryption_by_default
+}
diff --git a/logging.tf b/logging.tf
@@ -86,3 +86,8 @@ resource "aws_iam_account_password_policy" "logging" {
   require_symbols                = var.aws_account_password_policy.require_symbols
   require_uppercase_characters   = var.aws_account_password_policy.require_uppercase_characters
 }
+
+resource "aws_ebs_encryption_by_default" "logging" {
+  provider = aws.logging
+  enabled  = var.aws_ebs_encryption_by_default
+}
diff --git a/main.tf b/main.tf
@@ -144,3 +144,7 @@ resource "aws_iam_account_password_policy" "master" {
   require_symbols                = var.aws_account_password_policy.require_symbols
   require_uppercase_characters   = var.aws_account_password_policy.require_uppercase_characters
 }
+
+resource "aws_ebs_encryption_by_default" "master" {
+  enabled = var.aws_ebs_encryption_by_default
+}
diff --git a/modules/avm/main.tf b/modules/avm/main.tf
@@ -178,3 +178,6 @@ resource "aws_iam_account_password_policy" "default" {
   require_uppercase_characters   = var.account_password_policy.require_uppercase_characters
 }
 
+resource "aws_ebs_encryption_by_default" "default" {
+  enabled = var.aws_ebs_encryption_by_default
+}
diff --git a/modules/avm/variables.tf b/modules/avm/variables.tf
@@ -37,6 +37,12 @@ variable "aws_config" {
   description = "AWS Config settings"
 }
 
+variable "aws_ebs_encryption_by_default" {
+  type        = bool
+  default     = true
+  description = "Set to true to enable AWS Elastic Block Store encryption by default"
+}
+
 variable "create_account_password_policy" {
   type        = bool
   default     = true

diff --git a/variables.tf b/variables.tf
@@ -58,6 +58,12 @@ variable "aws_deny_root_user_ous" {
   description = "List of AWS Organisation OUs to apply the \"DenyRootUser\" SCP to"
 }
 
+variable "aws_ebs_encryption_by_default" {
+  type        = bool
+  default     = true
+  description = "Set to true to enable AWS Elastic Block Store encryption by default"
+}
+
 variable "aws_guardduty" {
   type        = bool
   default     = true