From 97b1cb7c000f75b57542aaf72b1465b5fca3764a Mon Sep 17 00:00:00 2001
From: YoungJinJung
Date: Mon, 2 Feb 2026 19:39:26 +0900
Subject: [PATCH] feat: Add support for direct KMS key ID in volume encryption

---
 pkg/aws/ec2.go        | 16 +++++++++++++---
 pkg/schemas/config.go |  5 ++++-
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/pkg/aws/ec2.go b/pkg/aws/ec2.go
index b4612c7..ba60d80 100644
--- a/pkg/aws/ec2.go
+++ b/pkg/aws/ec2.go
@@ -622,10 +622,20 @@ func (e EC2Client) MakeLaunchTemplateBlockDeviceMappings(blocks []schemas.BlockD
 		var LaunchTemplateEbsBlockDevice *ec2.LaunchTemplateEbsBlockDeviceRequest
 		if enabledEBSEncrypted {
-			keyId, err := e.getKmsKeyIdByAlias(block.KmsAlias)
-			if err != nil {
-				Logger.Fatal(fmt.Sprintf("Error: %s", err.Error()))
+			var keyId string
+			var err error
+
+			// Priority: KmsKeyId > KmsAlias
+			if len(block.KmsKeyId) > 0 {
+				keyId = block.KmsKeyId
+				Logger.Infof("Using provided KMS Key ID: %s", keyId)
+			} else {
+				keyId, err = e.getKmsKeyIdByAlias(block.KmsAlias)
+				if err != nil {
+					Logger.Fatal(fmt.Sprintf("Error: %s", err.Error()))
+				}
 			}
+
 			LaunchTemplateEbsBlockDevice = &ec2.LaunchTemplateEbsBlockDeviceRequest{
 				VolumeSize: aws.Int64(block.VolumeSize),
 				VolumeType: aws.String(block.VolumeType),
diff --git a/pkg/schemas/config.go b/pkg/schemas/config.go
index 5d0ed45..31bbec7 100644
--- a/pkg/schemas/config.go
+++ b/pkg/schemas/config.go
@@ -249,9 +249,12 @@ type BlockDevice struct {
 	// Enable Encrypted
 	Encrypted bool `yaml:"encrypted"`
 
-	// KMS key
+	// KMS key alias
 	KmsAlias string `yaml:"kmsAlias"`
 
+	// KMS key ID (ARN or key ID)
+	KmsKeyId string `yaml:"kmsKeyId"`
+
 	// Whether to delete the volume on instance termination
 	DeleteOnTermination bool `yaml:"delete_on_termination"`
 }
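Review bot: The direct-ID branch in the `if len(block.KmsKeyId) > 0` arm copies the configured value into the launch template with no validation, whereas the alias path at least fails fast inside `getKmsKeyIdByAlias` when the key cannot be resolved; a mistyped or wrong-region key ID will now surface only when an instance fails to launch. If `e` already carries a KMS client (the alias lookup suggests it does), a `DescribeKey` round-trip on the supplied ID, or at minimum `strings.TrimSpace` plus a check that the value looks like a key ID or `arn:` ARN, would keep the failure mode of the two paths consistent. When both fields are set the alias is silently dropped; a one-liner before the assignment, `if len(block.KmsAlias) > 0 { Logger.Infof("kmsKeyId takes precedence over kmsAlias %q", block.KmsAlias) }`, makes the override visible in the deployment log. The Info line that echoes the key ID exposes the account ID embedded in an ARN, which is usually acceptable for deployment logs but worth a conscious decision. `MakeLaunchTemplateBlockDeviceMappings` begins before and continues past this hunk.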
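Review bot: The new field comment `// KMS key ID (ARN or key ID)` on `KmsKeyId` does not tell a config author what happens when it is set alongside `kmsAlias`, and that precedence is decided in `pkg/aws/ec2.go` rather than here, so the schema is the only place a user will look. Suggest `// KMS key ID or ARN used for volume encryption; takes precedence over KmsAlias when both are set`. It is also worth stating that the value is passed through unverified, since readers may assume the same alias-style resolution applies. The `BlockDevice` struct opens before this hunk; its closing brace is inside it.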