EBS Volume Encryption

# Customer-managed KMS key used for every EBS volume in this configuration.
# Pulled from the private registry and pinned to an exact version so that a
# module upgrade is a deliberate, reviewed change rather than a silent drift.
# The module exposes the key's ARN as `key_arn` (consumed below).
# NOTE(review): the key policy and automatic rotation setting live inside the
# module — confirm rotation is enabled and that the policy grants the roles
# and service-linked roles that create volumes in this region.
module "ebs_encryption_key" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/kms-key/aws"
  version = "1.0.0"

  alias       = "alias/ebs-encryption"
  description = "Encryption key for EBS volumes"
}

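# Look up the instance the volume will be attached to. An EBS volume can only
# be attached to an instance in its own availability zone, and the instance
# ID arrives from outside this configuration, so the AZ is derived from the
# instance instead of being hard-coded.
data "aws_instance" "target" {
  instance_id = var.instance_id
}

# Encrypted gp3 data volume, protected by the customer-managed key above.
# Encryption cannot be changed after the volume exists; changing `encrypted`
# or `kms_key_id` later forces replacement (and data loss unless restored
# from a snapshot).
resource "aws_ebs_volume" "encrypted" {
  # Same AZ as the target instance so the attachment below cannot fail on
  # an AZ mismatch.
  availability_zone = data.aws_instance.target.availability_zone
  size              = 100
  type              = "gp3"

  # Explicit key rather than relying on the region's default-encryption
  # setting, so the volume stays protected by this key even if the account
  # defaults are changed.
  encrypted  = true
  kms_key_id = module.ebs_encryption_key.key_arn

  tags = {
    Name = "encrypted-volume"
  }
}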

# Attach the encrypted volume to the caller-supplied instance. The instance
# must be in the same availability zone as the volume or the attachment fails.
resource "aws_volume_attachment" "encrypted" {
  # NOTE(review): this is the attachment-time name only; on Nitro/NVMe
  # instances the guest OS exposes the disk under a different name
  # (/dev/nvme*) — confirm any mount or initialisation scripts allow for that.
  device_name = "/dev/sdf"
  volume_id   = aws_ebs_volume.encrypted.id
  instance_id = var.instance_id
}

# Enable EBS encryption by default. This is a per-region setting (scoped to
# the provider's region), not an account-wide one; it has to be declared in
# every region the account uses. It affects only volumes and snapshot copies
# created after it is enabled — existing unencrypted volumes are unchanged.
resource "aws_ebs_encryption_by_default" "enabled" {
  enabled = true
}

# Use the customer-managed key, instead of the AWS-managed aws/ebs key, for
# any volume in this region that is encrypted by default (i.e. created
# without an explicit kms_key_id). Per-region, like the setting above.
# Because every new default-encrypted volume now depends on this key,
# disabling or scheduling it for deletion breaks volume creation and
# instance launches region-wide; the key's lifecycle should be protected
# accordingly.
resource "aws_ebs_default_kms_key" "default" {
  key_arn = module.ebs_encryption_key.key_arn
}

# ID of the encrypted data volume, for callers that need to reference it
# (snapshot schedules, monitoring, further attachments).
output "volume_id" {
  value = aws_ebs_volume.encrypted.id
}

# ARN of the KMS key protecting the volume above and, through
# aws_ebs_default_kms_key, every default-encrypted volume in this region.
# Callers use it to reference the key in IAM/key-policy statements; the ARN
# is an identifier, not secret material, so it is not marked sensitive.
output "encryption_key_arn" {
  value = module.ebs_encryption_key.key_arn
}