Merge pull request #19986 from hashicorp/b-aws_eks_cluster-version-up…

…date-encryption_config r/aws_eks_cluster: Don't associate an `encryption_config` if there's already one
hashicorp · Jul 7, 2021 · e858d1f · e858d1f
2 parents 567527e + 38971b4
commit e858d1f
Show file tree

Hide file tree

Showing 3 changed files with 98 additions and 17 deletions.
diff --git a/.changelog/19986.txt b/.changelog/19986.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_eks_cluster: Don't associate an `encryption_config` if there's already one
+```
diff --git a/aws/resource_aws_eks_cluster.go b/aws/resource_aws_eks_cluster.go
@@ -97,7 +97,6 @@ func resourceAwsEksCluster() *schema.Resource {
 						},
 						"resources": {
 							Type:     schema.TypeSet,
-							MinItems: 1,
 							Required: true,
 							Elem: &schema.Schema{
 								Type:         schema.TypeString,
@@ -409,24 +408,28 @@ func resourceAwsEksClusterUpdate(d *schema.ResourceData, meta interface{}) error
 	}
 
 	if d.HasChange("encryption_config") {
-		input := &eks.AssociateEncryptionConfigInput{
-			ClusterName:      aws.String(d.Id()),
-			EncryptionConfig: expandEksEncryptionConfig(d.Get("encryption_config").([]interface{})),
-		}
+		o, n := d.GetChange("encryption_config")
 
-		log.Printf("[DEBUG] Associating EKS Cluster (%s) encryption config: %s", d.Id(), input)
-		output, err := conn.AssociateEncryptionConfig(input)
+		if len(o.([]interface{})) == 0 && len(n.([]interface{})) == 1 {
+			input := &eks.AssociateEncryptionConfigInput{
+				ClusterName:      aws.String(d.Id()),
+				EncryptionConfig: expandEksEncryptionConfig(d.Get("encryption_config").([]interface{})),
+			}
 
-		if err != nil {
-			return fmt.Errorf("error associating EKS Cluster (%s) encryption config: %w", d.Id(), err)
-		}
+			log.Printf("[DEBUG] Associating EKS Cluster (%s) encryption config: %s", d.Id(), input)
+			output, err := conn.AssociateEncryptionConfig(input)
 
-		updateID := aws.StringValue(output.Update.Id)
+			if err != nil {
+				return fmt.Errorf("error associating EKS Cluster (%s) encryption config: %w", d.Id(), err)
+			}
 
-		_, err = waiter.ClusterUpdateSuccessful(conn, d.Id(), updateID, d.Timeout(schema.TimeoutUpdate))
+			updateID := aws.StringValue(output.Update.Id)
 
-		if err != nil {
-			return fmt.Errorf("error waiting for EKS Cluster (%s) encryption config association (%s): %w", d.Id(), updateID, err)
+			_, err = waiter.ClusterUpdateSuccessful(conn, d.Id(), updateID, d.Timeout(schema.TimeoutUpdate))
+
+			if err != nil {
+				return fmt.Errorf("error waiting for EKS Cluster (%s) encryption config association (%s): %w", d.Id(), updateID, err)
+			}
 		}
 	}
 

diff --git a/aws/resource_aws_eks_cluster_test.go b/aws/resource_aws_eks_cluster_test.go
@@ -174,7 +174,7 @@ func TestAccAWSEksCluster_EncryptionConfig_Create(t *testing.T) {
 }
 
 func TestAccAWSEksCluster_EncryptionConfig_Update(t *testing.T) {
-	var cluster eks.Cluster
+	var cluster1, cluster2 eks.Cluster
 	rName := acctest.RandomWithPrefix("tf-acc-test")
 	resourceName := "aws_eks_cluster.test"
 	kmsKeyResourceName := "aws_kms_key.test"
@@ -188,14 +188,15 @@ func TestAccAWSEksCluster_EncryptionConfig_Update(t *testing.T) {
 			{
 				Config: testAccAWSEksClusterConfig_Required(rName),
 				Check: resource.ComposeTestCheckFunc(
-					testAccCheckAWSEksClusterExists(resourceName, &cluster),
+					testAccCheckAWSEksClusterExists(resourceName, &cluster1),
 					resource.TestCheckResourceAttr(resourceName, "encryption_config.#", "0"),
 				),
 			},
 			{
 				Config: testAccAWSEksClusterConfig_EncryptionConfig(rName),
 				Check: resource.ComposeTestCheckFunc(
-					testAccCheckAWSEksClusterExists(resourceName, &cluster),
+					testAccCheckAWSEksClusterExists(resourceName, &cluster2),
+					testAccCheckAWSEksClusterNotRecreated(&cluster1, &cluster2),
 					resource.TestCheckResourceAttr(resourceName, "encryption_config.#", "1"),
 					resource.TestCheckResourceAttr(resourceName, "encryption_config.0.provider.#", "1"),
 					resource.TestCheckResourceAttrPair(resourceName, "encryption_config.0.provider.0.key_arn", kmsKeyResourceName, "arn"),
@@ -211,6 +212,51 @@ func TestAccAWSEksCluster_EncryptionConfig_Update(t *testing.T) {
 	})
 }
 
+// https://github.com/hashicorp/terraform-provider-aws/issues/19968.
+func TestAccAWSEksCluster_EncryptionConfig_VersionUpdate(t *testing.T) {
+	var cluster1, cluster2 eks.Cluster
+	rName := acctest.RandomWithPrefix("tf-acc-test")
+	resourceName := "aws_eks_cluster.test"
+	kmsKeyResourceName := "aws_kms_key.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t); testAccPreCheckAWSEks(t) },
+		ErrorCheck:   testAccErrorCheck(t, eks.EndpointsID),
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSEksClusterDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSEksClusterConfig_EncryptionConfig_Version(rName, "1.19"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSEksClusterExists(resourceName, &cluster1),
+					resource.TestCheckResourceAttr(resourceName, "encryption_config.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "encryption_config.0.provider.#", "1"),
+					resource.TestCheckResourceAttrPair(resourceName, "encryption_config.0.provider.0.key_arn", kmsKeyResourceName, "arn"),
+					resource.TestCheckResourceAttr(resourceName, "encryption_config.0.resources.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "version", "1.19"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccAWSEksClusterConfig_EncryptionConfig_Version(rName, "1.20"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSEksClusterExists(resourceName, &cluster2),
+					testAccCheckAWSEksClusterNotRecreated(&cluster1, &cluster2),
+					resource.TestCheckResourceAttr(resourceName, "encryption_config.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "encryption_config.0.provider.#", "1"),
+					resource.TestCheckResourceAttrPair(resourceName, "encryption_config.0.provider.0.key_arn", kmsKeyResourceName, "arn"),
+					resource.TestCheckResourceAttr(resourceName, "encryption_config.0.resources.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "version", "1.20"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccAWSEksCluster_Version(t *testing.T) {
 	var cluster1, cluster2 eks.Cluster
 	rName := acctest.RandomWithPrefix("tf-acc-test")
@@ -816,6 +862,35 @@ resource "aws_eks_cluster" "test" {
 `, rName))
 }
 
+func testAccAWSEksClusterConfig_EncryptionConfig_Version(rName, version string) string {
+	return composeConfig(testAccAWSEksClusterConfig_Base(rName), fmt.Sprintf(`
+resource "aws_kms_key" "test" {
+  description             = %[1]q
+  deletion_window_in_days = 7
+}
+
+resource "aws_eks_cluster" "test" {
+  name     = %[1]q
+  role_arn = aws_iam_role.test.arn
+  version  = %[2]q
+
+  encryption_config {
+    resources = ["secrets"]
+
+    provider {
+      key_arn = aws_kms_key.test.arn
+    }
+  }
+
+  vpc_config {
+    subnet_ids = aws_subnet.test[*].id
+  }
+
+  depends_on = [aws_iam_role_policy_attachment.test-AmazonEKSClusterPolicy]
+}
+`, rName, version))
+}
+
 func testAccAWSEksClusterConfig_VpcConfig_SecurityGroupIds(rName string) string {
 	return composeConfig(testAccAWSEksClusterConfig_Base(rName), fmt.Sprintf(`
 resource "aws_security_group" "test" {