resource/aws_rds_global_cluster: Prevent recreation when using encryp…

…ted source_db_cluster_identifier without storage_encrypted (#15916) Reference: #15177 Output from acceptance testing: ``` --- PASS: TestAccAWSRdsGlobalCluster_basic (25.00s) --- PASS: TestAccAWSRdsGlobalCluster_DatabaseName (35.93s) --- PASS: TestAccAWSRdsGlobalCluster_DeletionProtection (35.59s) --- PASS: TestAccAWSRdsGlobalCluster_disappears (19.24s) --- PASS: TestAccAWSRdsGlobalCluster_Engine_Aurora (25.19s) --- PASS: TestAccAWSRdsGlobalCluster_EngineVersion_Aurora (25.11s) --- PASS: TestAccAWSRdsGlobalCluster_EngineVersion_AuroraMySQL (25.27s) --- PASS: TestAccAWSRdsGlobalCluster_EngineVersion_AuroraPostgresql (23.12s) --- PASS: TestAccAWSRdsGlobalCluster_SourceDbClusterIdentifier (129.42s) --- PASS: TestAccAWSRdsGlobalCluster_SourceDbClusterIdentifier_StorageEncrypted (128.96s) --- PASS: TestAccAWSRdsGlobalCluster_StorageEncrypted (37.43s) ```
hashicorp · Oct 29, 2020 · e65f867 · e65f867
1 parent 99ab914
commit e65f867
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 1 deletion.
diff --git a/aws/resource_aws_rds_global_cluster.go b/aws/resource_aws_rds_global_cluster.go
@@ -99,6 +99,7 @@ func resourceAwsRDSGlobalCluster() *schema.Resource {
 			"storage_encrypted": {
 				Type:     schema.TypeBool,
 				Optional: true,
+				Computed: true,
 				ForceNew: true,
 			},
 		},

diff --git a/aws/resource_aws_rds_global_cluster_test.go b/aws/resource_aws_rds_global_cluster_test.go
@@ -324,6 +324,34 @@ func TestAccAWSRdsGlobalCluster_SourceDbClusterIdentifier(t *testing.T) {
 	})
 }
 
+func TestAccAWSRdsGlobalCluster_SourceDbClusterIdentifier_StorageEncrypted(t *testing.T) {
+	var globalCluster1 rds.GlobalCluster
+	rName := acctest.RandomWithPrefix("tf-acc-test")
+	clusterResourceName := "aws_rds_cluster.test"
+	resourceName := "aws_rds_global_cluster.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t); testAccPreCheckAWSRdsGlobalCluster(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSRdsGlobalClusterDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSRdsGlobalClusterConfigSourceDbClusterIdentifierStorageEncrypted(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSRdsGlobalClusterExists(resourceName, &globalCluster1),
+					resource.TestCheckResourceAttrPair(resourceName, "source_db_cluster_identifier", clusterResourceName, "arn"),
+				),
+			},
+			{
+				ResourceName:            resourceName,
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"force_destroy", "source_db_cluster_identifier"},
+			},
+		},
+	})
+}
+
 func TestAccAWSRdsGlobalCluster_StorageEncrypted(t *testing.T) {
 	var globalCluster1, globalCluster2 rds.GlobalCluster
 	rName := acctest.RandomWithPrefix("tf-acc-test")
@@ -543,6 +571,32 @@ resource "aws_rds_global_cluster" "test" {
 `, rName)
 }
 
+func testAccAWSRdsGlobalClusterConfigSourceDbClusterIdentifierStorageEncrypted(rName string) string {
+	return fmt.Sprintf(`
+resource "aws_rds_cluster" "test" {
+  cluster_identifier  = %[1]q
+  engine              = "aurora-postgresql"
+  engine_version      = "10.11" # Minimum supported version for Global Clusters
+  master_password     = "mustbeeightcharacters"
+  master_username     = "test"
+  skip_final_snapshot = true
+  storage_encrypted   = true
+
+  # global_cluster_identifier cannot be Computed
+
+  lifecycle {
+    ignore_changes = [global_cluster_identifier]
+  }
+}
+
+resource "aws_rds_global_cluster" "test" {
+  force_destroy                = true
+  global_cluster_identifier    = %[1]q
+  source_db_cluster_identifier = aws_rds_cluster.test.arn
+}
+`, rName)
+}
+
 func testAccAWSRdsGlobalClusterConfigStorageEncrypted(rName string, storageEncrypted bool) string {
 	return fmt.Sprintf(`
 resource "aws_rds_global_cluster" "test" {

diff --git a/website/docs/r/rds_global_cluster.html.markdown b/website/docs/r/rds_global_cluster.html.markdown
@@ -100,7 +100,7 @@ The following arguments are supported:
     * **NOTE:** When the engine is set to `aurora-mysql`, an engine version compatible with global database is required. The earliest available version is `5.7.mysql_aurora.2.06.0`.
 * `force_destroy` - (Optional) Enable to remove DB Cluster members from Global Cluster on destroy. Required with `source_db_cluster_identifier`.
 * `source_db_cluster_identifier` - (Optional) Amazon Resource Name (ARN) to use as the primary DB Cluster of the Global Cluster on creation. Terraform cannot perform drift detection of this value.
-* `storage_encrypted` - (Optional, Forces new resources) Specifies whether the DB cluster is encrypted. The default is `false`.
+* `storage_encrypted` - (Optional, Forces new resources) Specifies whether the DB cluster is encrypted. The default is `false` unless `source_db_cluster_identifier` is specified and encrypted. Terraform will only perform drift detection if a configuration value is provided.
 
 ## Attribute Reference