locals {
  # Account root principal. Used as a key user/attacher so that any IAM
  # principal in this account can use the default EBS key, subject to its
  # own identity-based IAM policy (KMS evaluates both the key policy and
  # the caller's IAM policy). Scope is therefore "whole account", not a
  # specific role; narrow the *_arns inputs if tighter scoping is wanted.
  root_arn = format("arn:%s:iam::%s:root", var.aws_partition, var.aws_account_id)
}

# Customer-managed KMS key that becomes the account/region default for
# EBS volume encryption. Callers can extend admin/user/attacher sets via
# the extra_* variables; the account root is always present in the user
# and attacher lists.
module "ebs_root_encrypt_decrypt" {
  source = "../../submodules/kms/ebs-key"

  name        = "ebs_root_encrypt_decrypt"
  alias       = "alias/ebs_root_encrypt_decrypt"
  description = "encrypt and decrypt root volume" # updated to match legacy

  # Key administrators come only from the caller; the account root is not
  # added here, so admin rights stay as narrow as the caller makes them.
  key_admin_arns    = var.extra_ebs_key_admins
  key_user_arns     = concat([local.root_arn], var.extra_ebs_key_users)
  key_attacher_arns = concat([local.root_arn], var.extra_ebs_key_attachers)

  aws_account_id = var.aws_account_id
  aws_partition  = var.aws_partition
  is_legacy      = var.is_legacy
  standard_tags  = var.standard_tags
  tags           = merge(var.standard_tags, var.tags)
}

# Note: The following wasn't configured in tf11.
# Both settings below are account-level EBS settings applied through the
# provider's region; they do not retroactively re-encrypt existing volumes
# or snapshots.
resource "aws_ebs_default_kms_key" "ebs_root_encrypt_decrypt" {
  key_arn = module.ebs_root_encrypt_decrypt.key_arn
}

# Ensure newly created EBS volumes are encrypted even when the caller
# omits encryption settings; the key used is the default set above.
resource "aws_ebs_encryption_by_default" "encryptbydefault" {
  enabled = true
}