AWS Amazon EC2 Snapshot Import
This page shows how to write Terraform for the Amazon EC2 Snapshot Import resource and how to configure it securely.
aws_ebs_snapshot_import (Terraform)
The Snapshot Import in Amazon EC2 can be configured in Terraform with the resource name aws_ebs_snapshot_import. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
The following arguments are supported:
client_data
- (Optional) The client-specific data. Detailed below.
description
- (Optional) The description string for the import snapshot task.
disk_container
- (Required) Information about the disk container. Detailed below.
encrypted
- (Optional) Specifies whether the destination snapshot of the imported image should be encrypted. The default KMS key for EBS is used unless you specify a non-default KMS key using kms_key_id.
kms_key_id
- (Optional) An identifier for the symmetric KMS key to use when creating the encrypted snapshot. This parameter is only required if you want to use a non-default KMS key; if it is not specified, the default KMS key for EBS is used. If kms_key_id is specified, encrypted must also be set.
role_name
- (Optional) The name of the IAM Role the VM Import/Export service will assume. This role needs certain permissions. See https://docs.aws.amazon.com/vm-import/latest/userguide/vmie_prereqs.html#vmimport-role. Default: vmimport
tags
- (Optional) A map of tags to assign to the snapshot.
client_data Configuration Block
comment
- (Optional) A user-defined comment about the disk upload.
upload_start
- (Optional) The time that the disk upload starts.
upload_end
- (Optional) The time that the disk upload ends.
upload_size
- (Optional) The size of the uploaded disk image, in GiB.
disk_container Configuration Block
description
- (Optional) The description of the disk image being imported.
format
- (Required) The format of the disk image being imported. One of VHD or VMDK.
url
- (Optional) The URL to the Amazon S3-based disk image being imported. It can be either an HTTPS URL (https://..) or an Amazon S3 URL (s3://..). One of url or user_bucket must be set.
user_bucket
- (Optional) The Amazon S3 bucket for the disk image. One of url or user_bucket must be set. Detailed below.
user_bucket Configuration Block
s3_bucket
- The name of the Amazon S3 bucket where the disk image is located.
s3_key
- The file name of the disk image.
Timeouts
aws_ebs_snapshot_import provides the following Timeouts configuration options:
create
- (Default 60 minutes) Used for importing the EBS snapshot
delete
- (Default 10 minutes) Used for deleting the EBS snapshot
In addition to all arguments above, the following attributes are exported:
arn
- Amazon Resource Name (ARN) of the EBS Snapshot.
id
- The snapshot ID (e.g., snap-59fcb34e).
owner_id
- The AWS account ID of the EBS snapshot owner.
owner_alias
- Value from an Amazon-maintained list (amazon, aws-marketplace, microsoft) of snapshot owners.
volume_size
- The size of the drive in GiBs.
data_encryption_key_id
- The data encryption key identifier for the snapshot.
tags
- A map of tags for the snapshot.
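The following is an added example of the resource with the arguments described above, not code from the original page or from the Terraform AWS provider documentation. The bucket name, object key and tag values are placeholders; the snapshot is encrypted with a customer-managed KMS key rather than the default EBS key.

```hcl
# Added example (placeholder bucket, key and tag values).

# Customer-managed KMS key so the imported snapshot is not encrypted with
# the account's default EBS key.
resource "aws_kms_key" "snapshot_import" {
  description             = "CMK for imported EBS snapshots"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_ebs_snapshot_import" "example" {
  description = "Imported VMDK disk image"
  encrypted   = true                             # must be set when kms_key_id is used
  kms_key_id  = aws_kms_key.snapshot_import.arn  # non-default KMS key
  role_name   = "vmimport"                       # IAM role assumed by VM Import/Export

  disk_container {
    description = "Disk image stored in S3"
    format      = "VMDK"                         # VHD or VMDK

    # Exactly one of url or user_bucket must be set; user_bucket is used here.
    user_bucket {
      s3_bucket = "example-vmimport-bucket"      # placeholder
      s3_key    = "images/disk.vmdk"             # placeholder
    }
  }

  client_data {
    comment = "Uploaded by the build pipeline"
  }

  tags = {
    Name = "imported-snapshot"
  }

  # Defaults are 60 minutes for create and 10 minutes for delete;
  # large images may need a longer create timeout.
  timeouts {
    create = "90m"
    delete = "10m"
  }
}

output "imported_snapshot_arn" {
  value = aws_ebs_snapshot_import.example.arn
}
```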
Explanation in Terraform Registry
Imports a disk image from S3 as a Snapshot.
Tips: Best Practices for The Other AWS Amazon EC2 Resources
In addition to the resource above, AWS Amazon EC2 has other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
aws_default_vpc
Ensure to avoid using default VPC
It is better to define the own VPC and use it.
aws_network_acl_rule
Ensure your network ACL rule blocks unwanted inbound traffic
It is better to block unwanted inbound traffic.
aws_ebs_volume
Ensure to use a customer-managed key for EBS volume encryption
It is better to use a customer-managed key for EBS volume encryption. Customer-managed keys (CMK) give more control over the encryption.
aws_instance
Ensure to avoid storing AWS access keys in user data
It is better to avoid storing AWS access keys in user data. `aws_iam_instance_profile` could be used instead.
aws_security_group
Ensure your security group blocks unwanted inbound traffic
It is better to block unwanted inbound traffic.
CloudFormation Example
CloudFormation does not have a corresponding resource.