feat: This module now includes a boolean variable, `use_boot_volume_k…

…ey_as_default`, which determines the default encryption key used for volumes. If `use_boot_volume_key_as_default` is set to true, the boot volume key (`boot_volume_encryption_key`) will be used as the default. Otherwise, if `kms_encryption_enabled` is true, the specified `volume.encryption_key` will be used.<br>**UPGRADE NOTES:**- In previous versions, there was a possibility that your volume was encrypted with the boot volume key instead of the provided volume.encryption_key.<br>To avoid any unintentional destruction of volumes during upgrade, it is recommended to set `use_boot_volume_key_as_default` to true. Alternatively set it to false if you don't mind infrastructure being recreated. (#721)

README.md

@@ -215,6 +215,7 @@ No modules.
 | <a name="input_ssh_key_ids"></a> [ssh\_key\_ids](#input\_ssh\_key\_ids) | ssh key ids to use in creating vsi | `list(string)` | n/a | yes |
 | <a name="input_subnets"></a> [subnets](#input\_subnets) | A list of subnet IDs where VSI will be deployed | <pre>list(<br>    object({<br>      name = string<br>      id   = string<br>      zone = string<br>      cidr = optional(string)<br>    })<br>  )</pre> | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | List of tags to apply to resources created by this module. | `list(string)` | `[]` | no |
+| <a name="input_use_boot_volume_key_as_default"></a> [use\_boot\_volume\_key\_as\_default](#input\_use\_boot\_volume\_key\_as\_default) | Set to true to use the key specified in the `boot_volume_encryption_key` input as default for all volumes, overriding any key value that may be specified in the `encryption_key` option of the `block_storage_volumes` input variable. If set to `false`,  the value passed for the `encryption_key` option of the `block_storage_volumes` will be used instead. | `bool` | `false` | no |
 | <a name="input_use_static_boot_volume_name"></a> [use\_static\_boot\_volume\_name](#input\_use\_static\_boot\_volume\_name) | Sets the boot volume name for each VSI to a static name in the format `{hostname}_boot`, instead of a random name. Set this to `true` to have a consistent boot volume name even when VSIs are recreated. | `bool` | `false` | no |
 | <a name="input_user_data"></a> [user\_data](#input\_user\_data) | User data to initialize VSI deployment | `string` | n/a | yes |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of VPC | `string` | n/a | yes |

modules/fscloud/README.md

@@ -46,6 +46,7 @@ No resources.
 | <a name="input_ssh_key_ids"></a> [ssh\_key\_ids](#input\_ssh\_key\_ids) | ssh key ids to use in creating vsi | `list(string)` | n/a | yes |
 | <a name="input_subnets"></a> [subnets](#input\_subnets) | A list of subnet IDs where VSI will be deployed | <pre>list(<br>    object({<br>      name = string<br>      id   = string<br>      zone = string<br>      cidr = string<br>    })<br>  )</pre> | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | List of tags to apply to resources created by this module. | `list(string)` | `[]` | no |
+| <a name="input_use_boot_volume_key_as_default"></a> [use\_boot\_volume\_key\_as\_default](#input\_use\_boot\_volume\_key\_as\_default) | Set to true to use the key specified in the `boot_volume_encryption_key` input as default for all volumes, overriding any key value that may be specified in the `encryption_key` option of the `block_storage_volumes` input variable. If set to `false`,  the value passed for the `encryption_key` option of the `block_storage_volumes` will be used instead. | `bool` | `false` | no |
 | <a name="input_use_static_boot_volume_name"></a> [use\_static\_boot\_volume\_name](#input\_use\_static\_boot\_volume\_name) | Sets the boot volume name for each VSI to a static name in the format `{hostname}_boot`, instead of a random name. Set this to `true` to have a consistent boot volume name even when VSIs are recreated. | `bool` | `false` | no |
 | <a name="input_user_data"></a> [user\_data](#input\_user\_data) | User data to initialize VSI deployment | `string` | n/a | yes |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of VPC | `string` | n/a | yes |

modules/fscloud/main.tf

@@ -1,29 +1,30 @@
 module "fscloud_vsi" {
-  source                        = "../../"
-  resource_group_id             = var.resource_group_id
-  prefix                        = var.prefix
-  tags                          = var.tags
-  vpc_id                        = var.vpc_id
-  subnets                       = var.subnets
-  image_id                      = var.image_id
-  ssh_key_ids                   = var.ssh_key_ids
-  machine_type                  = var.machine_type
-  vsi_per_subnet                = var.vsi_per_subnet
-  user_data                     = var.user_data
-  existing_kms_instance_guid    = var.existing_kms_instance_guid
-  skip_iam_authorization_policy = var.skip_iam_authorization_policy
-  boot_volume_encryption_key    = var.boot_volume_encryption_key
-  kms_encryption_enabled        = true
-  manage_reserved_ips           = var.manage_reserved_ips
-  use_static_boot_volume_name   = var.use_static_boot_volume_name
-  enable_floating_ip            = var.enable_floating_ip
-  allow_ip_spoofing             = var.allow_ip_spoofing
-  create_security_group         = var.create_security_group
-  security_group                = var.security_group
-  security_group_ids            = var.security_group_ids
-  block_storage_volumes         = var.block_storage_volumes
-  load_balancers                = var.load_balancers
-  access_tags                   = var.access_tags
-  snapshot_consistency_group_id = var.snapshot_consistency_group_id
-  boot_volume_snapshot_id       = var.boot_volume_snapshot_id
+  source                         = "../../"
+  resource_group_id              = var.resource_group_id
+  prefix                         = var.prefix
+  tags                           = var.tags
+  vpc_id                         = var.vpc_id
+  subnets                        = var.subnets
+  image_id                       = var.image_id
+  ssh_key_ids                    = var.ssh_key_ids
+  machine_type                   = var.machine_type
+  vsi_per_subnet                 = var.vsi_per_subnet
+  user_data                      = var.user_data
+  existing_kms_instance_guid     = var.existing_kms_instance_guid
+  skip_iam_authorization_policy  = var.skip_iam_authorization_policy
+  boot_volume_encryption_key     = var.boot_volume_encryption_key
+  use_boot_volume_key_as_default = var.use_boot_volume_key_as_default
+  kms_encryption_enabled         = true
+  manage_reserved_ips            = var.manage_reserved_ips
+  use_static_boot_volume_name    = var.use_static_boot_volume_name
+  enable_floating_ip             = var.enable_floating_ip
+  allow_ip_spoofing              = var.allow_ip_spoofing
+  create_security_group          = var.create_security_group
+  security_group                 = var.security_group
+  security_group_ids             = var.security_group_ids
+  block_storage_volumes          = var.block_storage_volumes
+  load_balancers                 = var.load_balancers
+  access_tags                    = var.access_tags
+  snapshot_consistency_group_id  = var.snapshot_consistency_group_id
+  boot_volume_snapshot_id        = var.boot_volume_snapshot_id
 }

modules/fscloud/variables.tf

@@ -79,6 +79,12 @@ variable "boot_volume_encryption_key" {
   type        = string
 }
 
+variable "use_boot_volume_key_as_default" {
+  description = "Set to true to use the key specified in the `boot_volume_encryption_key` input as default for all volumes, overriding any key value that may be specified in the `encryption_key` option of the `block_storage_volumes` input variable. If set to `false`,  the value passed for the `encryption_key` option of the `block_storage_volumes` will be used instead."
+  type        = bool
+  default     = false
+}
+
 variable "manage_reserved_ips" {
   description = "Set to `true` if you want this terraform module to manage the reserved IP addresses that are assigned to VSI instances. If this option is enabled, when any VSI is recreated it should retain its original IP."
   type        = bool

storage.tf

@@ -20,7 +20,7 @@ locals {
           capacity       = (volume.snapshot_id == null) ? volume.capacity : null
           vsi_name       = "${var.subnets[subnet].name}-${count}"
           iops           = (volume.snapshot_id == null) ? volume.iops : null
-          encryption_key = (volume.snapshot_id == null) ? (var.kms_encryption_enabled ? var.boot_volume_encryption_key : volume.encryption_key) : null
+          encryption_key = (volume.snapshot_id == null) ? (var.use_boot_volume_key_as_default ? var.boot_volume_encryption_key : (var.kms_encryption_enabled ? volume.encryption_key : null)) : null
           resource_group = volume.resource_group_id != null ? volume.resource_group_id : var.resource_group_id
           # check for snapshot in this order: supplied directly in variable -> part of consistency group -> null (no snapshot)
           snapshot_id = try(coalesce(volume.snapshot_id, lookup(local.consistency_group_snapshot_to_volume_map, volume.name, null)), null)

variables.tf

@@ -92,6 +92,12 @@ variable "user_data" {
   type        = string
 }
 
+variable "use_boot_volume_key_as_default" {
+  description = "Set to true to use the key specified in the `boot_volume_encryption_key` input as default for all volumes, overriding any key value that may be specified in the `encryption_key` option of the `block_storage_volumes` input variable. If set to `false`,  the value passed for the `encryption_key` option of the `block_storage_volumes` will be used instead."
+  type        = bool
+  default     = false
+}
+
 variable "boot_volume_encryption_key" {
   description = "CRN of boot volume encryption key"
   default     = null