If I launch an EC2, the root EBS will not be encrypted (not sure why, maybe because the EC2 is launched from a public AMI; but even if I create my own encrypted AMI, I cannot launch an EC2 from it....)
Anyway, I know that I can encrypt an EBS from an existing EC2 in this way: launch an EC2 first, then snapshot it, then copy the snapshot to a new snapshot and set the new snapshot as encrypted, then create a volume from the new snapshot, then detach the existing unencrypted volume from the EC2, then attach the new encrypted volume to the EC2 and set the device as /dev/sda1. Finally, the EC2's EBS will be encrypted. As you can see, the steps are complex.
In fact, I need to create an EC2 whose root EBS is encrypted, using Terraform. The above steps seem complex and I do not know how to implement them using Terraform.
My question is: how do I write Terraform code to encrypt the EBS after launching an EC2? Any solution is OK; I just want to do it with Terraform. If Terraform cannot do that, what other automation tool should I use?
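As an added example (not from the original post), the snapshot/copy/detach/attach procedure above is unnecessary when the root volume is requested encrypted at launch time; the `root_block_device` block of `aws_instance` and the account-level `aws_ebs_encryption_by_default` resource do this directly. The region, AMI id, instance type and sizes are placeholders, and the config assumes the AWS provider 3.x or newer.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # placeholder region
}

# Customer-managed key so the volume is not tied to the AWS-managed default EBS key.
resource "aws_kms_key" "ebs" {
  description         = "EBS root volume encryption"
  enable_key_rotation = true
}

# Region-wide default: every new EBS volume is encrypted, including ones
# created outside Terraform (console, CLI, autoscaling).
resource "aws_ebs_encryption_by_default" "this" {
  enabled = true
}

resource "aws_instance" "web" {
  ami           = "ami-0123456789abcdef0" # placeholder; an unencrypted public AMI is fine here
  instance_type = "t3.micro"

  # Encryption is set on the root device at launch; AWS copies the AMI's
  # unencrypted snapshot into an encrypted volume for you.
  root_block_device {
    volume_type = "gp3"
    volume_size = 20
    encrypted   = true
    kms_key_id  = aws_kms_key.ebs.arn
  }
}

output "root_volume_encrypted" {
  value = aws_instance.web.root_block_device[0].encrypted # expected: true
}
```

Note that `encrypted` on `root_block_device` forces instance replacement, so Terraform cannot encrypt the root volume of an already running instance in place; `terraform plan` will show the existing instance being destroyed and recreated.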