Promote Redis Auth to GA #4314
Promote Redis Auth to GA #4314
Conversation
Fork Update
Co-authored-by: upodroid <[email protected]>
|
Hello! I am a robot who works on Magic Modules PRs. I have detected that you are a community contributor, so your PR will be assigned to someone with a commit-bit on this repo for initial review. Thanks for your contribution! A human will be with you soon. @ScottSuarez, please review this PR or find an appropriate assignee. |
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 3 files changed, 166 insertions(+), 1 deletion(-)) |
|
/gcbrun |
|
I have triggered VCR tests based on this PR's diffs. See the results here: "https://ci-oss.hashicorp.engineering/viewQueued.html?itemId=164686" |
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 3 files changed, 166 insertions(+), 1 deletion(-)) |
|
I have triggered VCR tests in RECORDING mode for the following tests that failed during VCR: TestAccDataSourceStorageBucketObjectContent_Basic|TestAccActiveDirectoryDomainTrust_activeDirectoryDomainTrustBasicExample|TestAccContainerCluster_withConfidentialNodes|TestAccContainerCluster_withPrivateClusterConfigMissingCidrBlock|TestAccContainerCluster_withIPv4Error|TestAccDataprocJob_Spark|TestAccRedisInstance_redisInstanceAuthEnabled You can view the result here: "https://ci-oss.hashicorp.engineering/viewQueued.html?itemId=164689" |
There was a problem hiding this comment.
How do you feel about exposing the auth string through a datasource instead of through this resource? Users have been hesitant about including secrets of this type in state the past, and that could be a happy compromise.
Also affects hashicorp/terraform-provider-google#7601 (assuming we keep auth string in-resource, fixes it)
| @@ -94,7 +91,7 @@ func TestAccRedisInstance_redisInstanceAuthEnabled(t *testing.T) { | |||
| ResourceName: "google_redis_instance.cache", | |||
| ImportState: true, | |||
| ImportStateVerify: true, | |||
| ImportStateVerifyIgnore: []string{"region"}, | |||
| ImportStateVerifyIgnore: []string{"region", "auth_string"}, | |||
There was a problem hiding this comment.
Why do we ignore auth_string? Does the value change each GET? That's another case for using a datasource imo (since the volatile value won't impact the resource, and afaik the primary usecase of the auth string will be exporting it as an output)
If we don't expect the string to expire we could also use a resource to get the value and store it in state, keeping a stable value around.
There was a problem hiding this comment.
I didn't see that other issue.
I excluded the field from import because the import step was failing.
That value is fixed on each call.
There was a problem hiding this comment.
Why was the import step failing? Do you have an error message? That's often an indicator of an actual issue.
There was a problem hiding this comment.
I'll repro it now. Also I don't like the idea of having to use a separate ds to pull the auth string.
Also it is sent unencrypted. I know there is a new preview feature which enables TLS connections to redis.
https://cloud.google.com/memorystore/docs/redis/auth-overview#security_and_privacy
There was a problem hiding this comment.
Also 7601 will be fixed by this PR.
Good security for Redis is achieved by using TLS + network isolation. https://redis.io/topics/security
There was a problem hiding this comment.
I figured it out. The decoder logic was broken. Pushed a fix now.
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 3 files changed, 166 insertions(+), 1 deletion(-)) |
Fixes: hashicorp/terraform-provider-google#8005
Fixes: hashicorp/terraform-provider-google#7601
If this PR is for Terraform, I acknowledge that I have:
make testandmake lintto ensure it passes unit and linter tests.Release Note Template for Downstream PRs (will be copied)