Add managed storage encryption

Author: Ic3w0lf

README.md

@@ -47,6 +47,7 @@ performance and health.
 | <a name="input_enable_container_insights"></a> [enable\_container\_insights](#input\_enable\_container\_insights) | Enable CloudWatch Container Insights for the cluster. | `bool` | `true` | no |
 | <a name="input_encrypt_ephemeral_storage"></a> [encrypt\_ephemeral\_storage](#input\_encrypt\_ephemeral\_storage) | Encrypt the ECS ephemeral storage for the cluster. | `bool` | `false` | no |
 | <a name="input_encrypt_execute_command_session"></a> [encrypt\_execute\_command\_session](#input\_encrypt\_execute\_command\_session) | Encrypt execute command session for the cluster. | `bool` | `false` | no |
+| <a name="input_encrypt_managed_storage"></a> [encrypt\_managed\_storage](#input\_encrypt\_managed\_storage) | Encrypt the ECS managed storage for the cluster. | `bool` | `false` | no |
 | <a name="input_logging_execute_command_session"></a> [logging\_execute\_command\_session](#input\_logging\_execute\_command\_session) | Log execute command session for the cluster. | `string` | `"DEFAULT"` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name of the ECS cluster. | `string` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to add to the ECS cluster. | `map(any)` | `{}` | no |
@@ -68,11 +69,11 @@ performance and health.
 
 ## Resources
 
-- resource.aws_cloudwatch_log_group.container_insights (main.tf#75)
-- resource.aws_cloudwatch_log_group.main (main.tf#68)
+- resource.aws_cloudwatch_log_group.container_insights (main.tf#80)
+- resource.aws_cloudwatch_log_group.main (main.tf#73)
 - resource.aws_ecs_cluster.main (main.tf#10)
-- data source.aws_caller_identity.current (main.tf#95)
-- data source.aws_iam_policy_document.kms_ephemeral (main.tf#96)
+- data source.aws_caller_identity.current (main.tf#100)
+- data source.aws_iam_policy_document.kms_ephemeral (main.tf#101)
 
 # Examples
 ### Basic Example

main.tf

@@ -19,9 +19,13 @@ resource "aws_ecs_cluster" "main" {
     }
   }
 
-
   dynamic "configuration" {
-    for_each = var.encrypt_execute_command_session || var.logging_execute_command_session != "DEFAULT" ? [true] : []
+    for_each = (
+      var.encrypt_execute_command_session ||
+      var.logging_execute_command_session != "DEFAULT" ||
+      var.encrypt_ephemeral_storage ||
+      var.encrypt_managed_storage
+    ) ? [true] : []
 
     content {
       dynamic "execute_command_configuration" {
@@ -43,10 +47,11 @@ resource "aws_ecs_cluster" "main" {
       }
 
       dynamic "managed_storage_configuration" {
-        for_each = var.encrypt_ephemeral_storage ? [true] : []
+        for_each = var.encrypt_ephemeral_storage || var.encrypt_managed_storage ? [true] : []
 
         content {
-          fargate_ephemeral_storage_kms_key_id = module.kms_ephemeral[0].key_id
+          kms_key_id                           = var.encrypt_managed_storage ? module.kms[0].key_id : null
+          fargate_ephemeral_storage_kms_key_id = var.encrypt_ephemeral_storage ? module.kms_ephemeral[0].key_id : null
         }
       }
     }
@@ -82,19 +87,19 @@ resource "aws_cloudwatch_log_group" "container_insights" {
 }
 
 module "kms_ephemeral" {
-  count = var.encrypt_ephemeral_storage ? 1 : 0
+  count = var.encrypt_ephemeral_storage || var.encrypt_managed_storage ? 1 : 0
 
   source  = "geekcell/kms/aws"
   version = ">= 1.0.0, < 2.0.0"
   policy  = data.aws_iam_policy_document.kms_ephemeral[0].json
 
-  alias = "ecs/cluster/${var.name}/ephemeral-storage"
+  alias = "ecs/cluster/${var.name}/managed-storage"
   tags  = var.tags
 }
 
 data "aws_caller_identity" "current" {}
 data "aws_iam_policy_document" "kms_ephemeral" {
-  count = var.encrypt_ephemeral_storage ? 1 : 0
+  count = var.encrypt_ephemeral_storage || var.encrypt_managed_storage ? 1 : 0
 
   statement {
     sid       = "Enable IAM User Permissions."

variables.tf

@@ -29,6 +29,12 @@ variable "encrypt_ephemeral_storage" {
   type        = bool
 }
 
+variable "encrypt_managed_storage" {
+  description = "Encrypt the ECS managed storage for the cluster."
+  default     = false
+  type        = bool
+}
+
 variable "logging_execute_command_session" {
   description = "Log execute command session for the cluster."
   default     = "DEFAULT"