Here’s the Terraform script to encrypt an unencrypted volume. It creates a snapshot, encrypts a snapshot, and encrypts the volume.

<pre lang="bash">#
# Set Variables
#
variable "volume" {
  description = "The Volume to encrypt: vol-12345678901234567"
}
variable "region" {
  description = "The Region: us-east-2"
}
variable "az" {
  description = "The AZ: us-east-2a"
}

#
# Set Credentials
#
provider "aws" {
	access_key = "put-your-access-key-here"
	secret_key = "put-your-secret-key-here"
	region = "${var.region}"
}

/*
#
# Create Unencrypted Volume
#
resource "aws_ebs_volume" "unencrypted_volume" {
  availability_zone = "${var.az}"
  size              = 10
  tags = {
    Name = "Unencrypted_Volume"
  }
}
*/

#
# Create Unencrypted Snapshot
#
resource "aws_ebs_snapshot" "unencrypted_snapshot" {
  #volume_id = "${aws_ebs_volume.unencrypted_volume.id}"
  volume_id = "${var.volume}"
  tags = {
    Name = "Unencrypted_Snapshot"
  }
}

#
# Create Encrypted Snapshot
#
resource "aws_ebs_snapshot_copy" "encrypted_snapshot" {
  source_snapshot_id = "${aws_ebs_snapshot.unencrypted_snapshot.id}"
  source_region      = "${var.region}"
  encrypted = true
  tags = {
    Name = "Encrypted_Snapshot"
  }
}

#
# Created Encrypted Volume
#
resource "aws_ebs_volume" "encrypted_volume" {
  availability_zone = "${var.az}"
  snapshot_id = "${aws_ebs_snapshot_copy.encrypted_snapshot.id}"
  tags = {
    Name = "Encrypted_Volume"
  }
}