From e926b928336bbb7e489bf5ffba0ddc69ddf741e0 Mon Sep 17 00:00:00 2001 From: Brian Flad Date: Thu, 9 Jul 2020 20:47:48 -0400 Subject: [PATCH] resource/aws_msk_cluster: Update encryption_info.encryption_in_transit.client_broker default to match API default Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/10673 Output from acceptance testing: ``` --- PASS: TestAccAWSMskCluster_basic (1595.73s) --- PASS: TestAccAWSMskCluster_BrokerNodeGroupInfo_EbsVolumeSize (1760.04s) --- PASS: TestAccAWSMskCluster_EncryptionInfo_EncryptionAtRestKmsKeyArn (1603.40s) --- PASS: TestAccAWSMskCluster_EncryptionInfo_EncryptionInTransit_ClientBroker (1603.85s) --- PASS: TestAccAWSMskCluster_EncryptionInfo_EncryptionInTransit_InCluster (1598.02s) --- PASS: TestAccAWSMskCluster_EnhancedMonitoring (1603.10s) --- PASS: TestAccAWSMskCluster_LoggingInfo (1806.72s) --- PASS: TestAccAWSMskCluster_NumberOfBrokerNodes (2036.98s) --- PASS: TestAccAWSMskCluster_OpenMonitoring (1722.68s) --- PASS: TestAccAWSMskCluster_Tags (1605.63s) --- PASS: TestAccAWSMskClusterDataSource_Name (1608.30s) ``` --- aws/data_source_aws_msk_cluster_test.go | 5 +- aws/resource_aws_msk_cluster.go | 2 +- aws/resource_aws_msk_cluster_test.go | 66 ++----------------- website/docs/guides/version-3-upgrade.html.md | 25 +++++++ website/docs/r/msk_cluster.html.markdown | 7 +- 5 files changed, 34 insertions(+), 71 deletions(-) diff --git a/aws/data_source_aws_msk_cluster_test.go b/aws/data_source_aws_msk_cluster_test.go index 738a495ab5a..47030bf6a5c 100644 --- a/aws/data_source_aws_msk_cluster_test.go +++ b/aws/data_source_aws_msk_cluster_test.go @@ -2,6 +2,7 @@ package aws import ( "fmt" + "regexp" "testing" "github.com/hashicorp/terraform-plugin-sdk/helper/acctest" 
@@ -22,8 +23,8 @@ func TestAccAWSMskClusterDataSource_Name(t *testing.T) {
 Config: testAccMskClusterDataSourceConfigName(rName),
 Check: resource.ComposeTestCheckFunc(
 resource.TestCheckResourceAttrPair(resourceName, "arn", dataSourceName, "arn"),
- resource.TestCheckResourceAttrSet(dataSourceName, "bootstrap_brokers"),
- resource.TestCheckResourceAttrSet(dataSourceName, "bootstrap_brokers_tls"),
+ resource.TestCheckResourceAttr(resourceName, "bootstrap_brokers", ""),
+ resource.TestMatchResourceAttr(resourceName, "bootstrap_brokers_tls", regexp.MustCompile(`^(([-\w]+\.){1,}[\w]+:\d+,){2,}([-\w]+\.){1,}[\w]+:\d+$`)), // Ordering not guaranteed
 resource.TestCheckResourceAttrPair(resourceName, "cluster_name", dataSourceName, "cluster_name"),
 resource.TestCheckResourceAttrPair(resourceName, "kafka_version", dataSourceName, "kafka_version"),
 resource.TestCheckResourceAttrPair(resourceName, "number_of_broker_nodes", dataSourceName, "number_of_broker_nodes"),
diff --git a/aws/resource_aws_msk_cluster.go b/aws/resource_aws_msk_cluster.go
index c4367a1b35b..7632d0bbaa3 100644
--- a/aws/resource_aws_msk_cluster.go
+++ b/aws/resource_aws_msk_cluster.go
@@ -166,7 +166,7 @@ func resourceAwsMskCluster() *schema.Resource {
 Type: schema.TypeString,
 Optional: true,
 ForceNew: true,
- Default: kafka.ClientBrokerTlsPlaintext,
+ Default: kafka.ClientBrokerTls,
 ValidateFunc: validation.StringInSlice([]string{
 kafka.ClientBrokerPlaintext,
 kafka.ClientBrokerTlsPlaintext,
diff --git a/aws/resource_aws_msk_cluster_test.go b/aws/resource_aws_msk_cluster_test.go
index 9ba563e2b35..d1e9b8a78b3 100644
--- a/aws/resource_aws_msk_cluster_test.go
+++ b/aws/resource_aws_msk_cluster_test.go
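Review bot: The two replacement checks on the `+` lines of the first hunk assert against `resourceName`, whereas the lines they replace asserted against `dataSourceName`, so this data source test no longer verifies the data source's own `bootstrap_brokers` and `bootstrap_brokers_tls` attributes at all; the resource's values are already covered in resource_aws_msk_cluster_test.go. Keeping the data source in the assertion would preserve that coverage and match the surrounding AttrPair style: `resource.TestCheckResourceAttrPair(resourceName, "bootstrap_brokers", dataSourceName, "bootstrap_brokers"),` and `resource.TestCheckResourceAttrPair(resourceName, "bootstrap_brokers_tls", dataSourceName, "bootstrap_brokers_tls"),`. If the trailing `// Ordering not guaranteed` comment means the resource read and the data source read can return the broker list in different orders, then a `TestMatchResourceAttr` with the same regexp applied to `dataSourceName` would keep the coverage instead. TestAccAWSMskClusterDataSource_Name begins before the hunk and continues after it.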
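Review bot: `Default: kafka.ClientBrokerTls` is set on an attribute that the same hunk shows as `ForceNew: true`, so an existing cluster whose state still holds the previous default `TLS_PLAINTEXT` while `client_broker` is unset in configuration will, if I read the SDK's default handling correctly, be planned for destroy-and-recreate rather than an in-place update; the upgrade guide text added by this patch says only that configurations "may show a difference", which understates that. A schema comment above the `Default` line would make the consequence visible to the next maintainer, e.g. `// Default follows the MSK API default (TLS); combined with ForceNew, a changed effective value replaces the cluster.`, and the guide wording should say replacement rather than difference. The resourceAwsMskCluster schema begins before the hunk and continues after it.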
@@ -71,7 +71,7 @@ func TestAccAWSMskCluster_basic(t *testing.T) {
 Check: resource.ComposeTestCheckFunc(
 testAccCheckMskClusterExists(resourceName, &cluster),
 testAccMatchResourceAttrRegionalARN(resourceName, "arn", "kafka", regexp.MustCompile(`cluster/.+`)),
- resource.TestMatchResourceAttr(resourceName, "bootstrap_brokers", regexp.MustCompile(`^(([-\w]+\.){1,}[\w]+:\d+,){2,}([-\w]+\.){1,}[\w]+:\d+$`)),
+ resource.TestCheckResourceAttr(resourceName, "bootstrap_brokers", ""),
 resource.TestMatchResourceAttr(resourceName, "bootstrap_brokers_tls", regexp.MustCompile(`^(([-\w]+\.){1,}[\w]+:\d+,){2,}([-\w]+\.){1,}[\w]+:\d+$`)),
 resource.TestCheckResourceAttr(resourceName, "broker_node_group_info.#", "1"),
 resource.TestCheckResourceAttr(resourceName, "broker_node_group_info.0.az_distribution", kafka.BrokerAZDistributionDefault),
@@ -89,7 +89,7 @@ func TestAccAWSMskCluster_basic(t *testing.T) {
 resource.TestCheckResourceAttr(resourceName, "encryption_info.#", "1"),
 testAccMatchResourceAttrRegionalARN(resourceName, "encryption_info.0.encryption_at_rest_kms_key_arn", "kms", regexp.MustCompile(`key/.+`)),
 resource.TestCheckResourceAttr(resourceName, "encryption_info.0.encryption_in_transit.#", "1"),
- resource.TestCheckResourceAttr(resourceName, "encryption_info.0.encryption_in_transit.0.client_broker", "TLS_PLAINTEXT"),
+ resource.TestCheckResourceAttr(resourceName, "encryption_info.0.encryption_in_transit.0.client_broker", "TLS"),
 resource.TestCheckResourceAttr(resourceName, "encryption_info.0.encryption_in_transit.0.in_cluster", "true"),
 resource.TestCheckResourceAttr(resourceName, "enhanced_monitoring", kafka.EnhancedMonitoringDefault),
 resource.TestCheckResourceAttr(resourceName, "kafka_version", "2.2.1"),
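Review bot: The new expected value on the `+` line of the second hunk (`@@ -89,7`) is the string literal `"TLS"`, while neighbouring checks in the same file section compare against SDK constants such as `kafka.EnhancedMonitoringDefault` and `kafka.BrokerAZDistributionDefault`; the schema change in this patch uses `kafka.ClientBrokerTls`, so the assertion should reference the same constant to keep the test and the default from drifting apart and to catch an SDK rename at compile time rather than after a long acceptance run. Proposed line: `resource.TestCheckResourceAttr(resourceName, "encryption_info.0.encryption_in_transit.0.client_broker", kafka.ClientBrokerTls),`. TestAccAWSMskCluster_basic starts before the first hunk and continues past the second.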
@@ -377,7 +377,7 @@ func TestAccAWSMskCluster_NumberOfBrokerNodes(t *testing.T) { Config: testAccMskClusterConfigNumberOfBrokerNodes(rName, 3), Check: resource.ComposeTestCheckFunc( testAccCheckMskClusterExists(resourceName, &cluster1), - resource.TestMatchResourceAttr(resourceName, "bootstrap_brokers", regexp.MustCompile(`^(([-\w]+\.){1,}[\w]+:\d+,){2,}([-\w]+\.){1,}[\w]+:\d+$`)), + resource.TestCheckResourceAttr(resourceName, "bootstrap_brokers", ""), resource.TestMatchResourceAttr(resourceName, "bootstrap_brokers_tls", regexp.MustCompile(`^(([-\w]+\.){1,}[\w]+:\d+,){2,}([-\w]+\.){1,}[\w]+:\d+$`)), resource.TestCheckResourceAttr(resourceName, "broker_node_group_info.#", "1"), resource.TestCheckResourceAttr(resourceName, "broker_node_group_info.0.client_subnets.#", "3"), @@ -401,7 +401,7 @@ func TestAccAWSMskCluster_NumberOfBrokerNodes(t *testing.T) { Check: resource.ComposeTestCheckFunc( testAccCheckMskClusterExists(resourceName, &cluster2), testAccCheckMskClusterNotRecreated(&cluster1, &cluster2), - resource.TestMatchResourceAttr(resourceName, "bootstrap_brokers", regexp.MustCompile(`^(([-\w]+\.){1,}[\w]+:\d+,){2,}([-\w]+\.){1,}[\w]+:\d+$`)), + resource.TestCheckResourceAttr(resourceName, "bootstrap_brokers", ""), resource.TestMatchResourceAttr(resourceName, "bootstrap_brokers_tls", regexp.MustCompile(`^(([-\w]+\.){1,}[\w]+:\d+,){2,}([-\w]+\.){1,}[\w]+:\d+$`)), resource.TestCheckResourceAttr(resourceName, "broker_node_group_info.#", "1"), resource.TestCheckResourceAttr(resourceName, "broker_node_group_info.0.client_subnets.#", "3"), @@ -727,12 +727,6 @@ resource "aws_msk_cluster" "test" { kafka_version = "2.2.1" number_of_broker_nodes = 3 - encryption_info { - encryption_in_transit { - client_broker = "TLS_PLAINTEXT" - } - } - broker_node_group_info { client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"] ebs_volume_size = 10 
@@ -750,12 +744,6 @@ resource "aws_msk_cluster" "test" { kafka_version = "2.2.1" number_of_broker_nodes = 3 - encryption_info { - encryption_in_transit { - client_broker = "TLS_PLAINTEXT" - } - } - broker_node_group_info { client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"] ebs_volume_size = %[2]d @@ -822,12 +810,6 @@ resource "aws_msk_cluster" "test" { kafka_version = "2.2.1" number_of_broker_nodes = 3 - encryption_info { - encryption_in_transit { - client_broker = "TLS_PLAINTEXT" - } - } - broker_node_group_info { client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"] ebs_volume_size = 10 @@ -904,9 +886,6 @@ resource "aws_msk_cluster" "test" { encryption_info { encryption_at_rest_kms_key_arn = "${aws_kms_key.example_key.arn}" - encryption_in_transit { - client_broker = "TLS_PLAINTEXT" - } } } `, rName) @@ -952,7 +931,6 @@ resource "aws_msk_cluster" "test" { encryption_info { encryption_in_transit { - client_broker = "TLS_PLAINTEXT" in_cluster = %[2]t } } @@ -968,12 +946,6 @@ resource "aws_msk_cluster" "test" { kafka_version = "2.2.1" number_of_broker_nodes = 3 - encryption_info { - encryption_in_transit { - client_broker = "TLS_PLAINTEXT" - } - } - broker_node_group_info { client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"] ebs_volume_size = 10 @@ -992,12 +964,6 @@ resource "aws_msk_cluster" "test" { kafka_version = "2.2.1" number_of_broker_nodes = %[2]d - encryption_info { - encryption_in_transit { - client_broker = "TLS_PLAINTEXT" - } - } - broker_node_group_info { client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"] ebs_volume_size = 10 
@@ -1016,12 +982,6 @@ resource "aws_msk_cluster" "test" { kafka_version = "2.2.1" number_of_broker_nodes = 3 - encryption_info { - encryption_in_transit { - client_broker = "TLS_PLAINTEXT" - } - } - broker_node_group_info { client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"] ebs_volume_size = 10 @@ -1114,12 +1074,6 @@ resource "aws_msk_cluster" "test" { kafka_version = "2.2.1" number_of_broker_nodes = 3 - encryption_info { - encryption_in_transit { - client_broker = "TLS_PLAINTEXT" - } - } - broker_node_group_info { client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"] ebs_volume_size = 10 @@ -1155,12 +1109,6 @@ resource "aws_msk_cluster" "test" { kafka_version = "2.2.1" number_of_broker_nodes = 3 - encryption_info { - encryption_in_transit { - client_broker = "TLS_PLAINTEXT" - } - } - broker_node_group_info { client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"] ebs_volume_size = 10 @@ -1182,12 +1130,6 @@ resource "aws_msk_cluster" "test" { kafka_version = "2.2.1" number_of_broker_nodes = 3 - encryption_info { - encryption_in_transit { - client_broker = "TLS_PLAINTEXT" - } - } - broker_node_group_info { client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"] ebs_volume_size = 10 diff --git a/website/docs/guides/version-3-upgrade.html.md b/website/docs/guides/version-3-upgrade.html.md index 6d3028f7b8b..cca2c2aedbf 100644 --- a/website/docs/guides/version-3-upgrade.html.md +++ b/website/docs/guides/version-3-upgrade.html.md 
@@ -25,6 +25,7 @@ Upgrade topics: - [Resource: aws_elastic_transcoder_preset](#resource-aws_elastic_transcoder_preset) - [Resource: aws_emr_cluster](#resource-aws_emr_cluster) - [Resource: aws_lb_listener_rule](#resource-aws_lb_listener_rule) +- [Resource: aws_msk_cluster](#resource-aws_msk_cluster) - [Resource: aws_s3_bucket](#resource-aws_s3_bucket) - [Resource: aws_sns_platform_application](#resource-aws_sns_platform_application) - [Resource: aws_spot_fleet_request](#resource-aws_spot_fleet_request) @@ -400,6 +401,30 @@ resource "aws_lb_listener_rule" "example" { } ``` +## Resource: aws_msk_cluster + +### encryption_info.encryption_in_transit.client_broker Default Updated to Match API + +A few weeks after general availability launch and initial release of the `aws_msk_cluster` resource, the MSK API default for client broker encryption switched from `TLS_PLAINTEXT` to `TLS`. The attribute default has now been updated to match the more secure API default, however existing Terraform configurations may show a difference if this setting is not configured. + +To continue using the old default when it was previously not configured, add or modify this configuration: + +```hcl +resource "aws_msk_cluster" "example" { + # ... other configuration ... + + encryption_info { + # ... potentially other configuration ... + + encryption_in_transit { + # ... potentially other configuration ... + + client_broker = "TLS_PLAINTEXT" + } + } +} +``` + ## Resource: aws_s3_bucket ### Removal of Automatic aws_s3_bucket_policy Import diff --git a/website/docs/r/msk_cluster.html.markdown b/website/docs/r/msk_cluster.html.markdown index 84e9f3840c3..9b0468ce7db 100644 --- a/website/docs/r/msk_cluster.html.markdown +++ b/website/docs/r/msk_cluster.html.markdown 
@@ -155,11 +155,6 @@ output "zookeeper_connect_string" { value = aws_msk_cluster.example.zookeeper_connect_string } -output "bootstrap_brokers" { - description = "Plaintext connection host:port pairs" - value = aws_msk_cluster.example.bootstrap_brokers -} - output "bootstrap_brokers_tls" { description = "TLS connection host:port pairs" value = aws_msk_cluster.example.bootstrap_brokers_tls @@ -210,7 +205,7 @@ The following arguments are supported: #### encryption_info encryption_in_transit Argument Reference -* `client_broker` - (Optional) Encryption setting for data in transit between clients and brokers. Valid values: `TLS`, `TLS_PLAINTEXT`, and `PLAINTEXT`. Default value is `TLS_PLAINTEXT` when `encryption_in_transit` block defined, but `TLS` when `encryption_in_transit` block omitted. +* `client_broker` - (Optional) Encryption setting for data in transit between clients and brokers. Valid values: `TLS`, `TLS_PLAINTEXT`, and `PLAINTEXT`. Default value is `TLS`. * `in_cluster` - (Optional) Whether data communication among broker nodes is encrypted. Default value: `true`. #### open_monitoring Argument Reference