Unable to create an encrypted Aurora cluster from a non-encrypted snapshot

[ghost]

This issue was originally opened by @vr001 as hashicorp/terraform#17418. It was migrated here as a result of the provider split. The original body of the issue is below.

---

Hi there,

AWS suggests to create an encrypted Aurora cluster from a non encrypted cluster by taking a snapshot of it and restoring with KMS key id and storage encrypted parameter. I can do that on the console.

Terraform Version

v0.11.3

Terraform Configuration Files

resource "aws_rds_cluster" "default" {
  cluster_identifier           = "${module.naming.aws_db_instance}${var.dr_rebuild_awsregion_date}"
  vpc_security_group_ids       = [
                           "${module.networks.security_groups[format("%s.%s.%s", var.aws_region, var.vpc, "db")]}",
                           "${module.networks.security_groups[format("%s.%s.%s", var.aws_region, var.vpc, "onprem")]}"

  ]

  db_subnet_group_name         = "${module.networks.rds_subnet_groups[format("%s.%s", var.aws_region, var.vpc)]}"
  port                         = "3306"
  database_name                = "${var.db_name}"
  master_username              = "${var.db_username}"
  master_password              = "${var.db_password}"
  apply_immediately            = "${var.db_apply_immediately}"
  db_cluster_parameter_group_name   = "${aws_rds_cluster_parameter_group.default.name}"
  snapshot_identifier          = "${var.db_snapshot_identifier}"
  replication_source_identifier = "${null_resource.aurora_cluster_arn.triggers.replication_source_arn_of_primary_region}"
  storage_encrypted            = "${var.db_storage_encrypted}"
  kms_key_id                   = "${var.db_kms_key_id}"
  
}

#terraform.tfvars file

# Aurora encryption
db_storage_encrypted        = true 
db_kms_key_id               = "arn:aws:kms:us-east-1:111111111:key/111111-1111-1111-1111-111111111"   

Debug Output

Its really huge. Let me know, if there is any thing specific that I can provide.
Outputs:

Cluster endpoint (region): = [
    adb.us-east-1.encryption-benchmark7.vigneshrdev7.nonprod-tmaws.io
]
RDS instance in Tier 2 (region):  = adb-t2-0.us-east-1.encryption-benchmark7.vigneshrdev7.nonprod-tmaws.io,  adb-t2-1.us-east-1.encryption-benchmark7.vigneshrdev7.nonprod-tmaws.io
2018-02-22T23:30:38.541Z [DEBUG] plugin: plugin process exited: path=/bin/terraform-provider-null_v1.0.0_x4
Job succeeded

Crash Output

No crash, it goes through fine.

Expected Behavior

It should have created an encrypted Aurora cluster.

Actual Behavior

It created a non-encrypted Aurora cluster.

https://docs.aws.amazon.com/cli/latest/reference/rds/describe-db-clusters.html output
'StorageEncrypted': False,

Steps to Reproduce

Please list the full steps required to reproduce the issue, for example:

1. terraform init
2. terraform apply

Additional Context

I am using a wrapper around Terraform and also in Gitlab CI, but i don't think thats an issue.

References

[lzecca78]

I had the same behavior with:

Terraform v0.11.5
provider.aws v1.13.0

Passing a non-encrypted snapshot to the resource aws_rds_cluster that has declared both storage_encrypted and kms_key_id, i still obtain an Aurora cluster with no storage encryption.

[Tazer]

Think it has todo with this: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Enabling

You can't restore an unencrypted backup or snapshot to an encrypted DB instance.

so you first need to "Copy Snapshot" https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CopySnapshot.html

You can also encrypt a copy of an unencrypted snapshot. This way, you can quickly add encryption to a previously unencrypted DB instance . That is, you can create a snapshot of your DB instance when you are ready to encrypt it, and then create a copy of that snapshot and specify a KMS encryption key to encrypt that snapshot copy. You can then restore an encrypted DB instance from the encrypted snapshot.

[vasili-zolotov]

This is definitely a bug specific to RDS Aurora engine.

@Tazer documentation is confusing. If you look for fine print, the copy-to-encrypted step is not needed for Aurora. You actually can't do that for Aurora snapshots. Instead, for Aurora you can restore non-encrypted snapshot to an encrypted cluster (this has been verified to work).

The following steps are applicable to Amazon RDS for MySQL, Oracle, SQL Server, PostgreSQL, or MariaDB. If you use Amazon Aurora, you can restore an unencrypted Aurora DB cluster snapshot to an encrypted Aurora DB cluster if you specify an AWS Key Management Service (AWS KMS) encryption key when you restore from the unencrypted DB cluster snapshot.

See: https://aws.amazon.com/premiumsupport/knowledge-center/encrypt-rds-snapshots/

[vasili-zolotov]

I've verified via CloudTrail that it's terraform that sends "storageEncrypted": false as part of the RDS API request when restoring the snapshot to a new cluster. This proves that the root cause is some incorrect logic in construction the RDS API request on terraform provider side.

Just want to be clear that this is NOT an RDS behavior that forcing the cluster to be unencrypted because the snapshot is unencrypted. I've verified that RDS can do what is being asked here just fine.

[glennbech]

The bug is still in 1.52.0

This causes problems when a team wants to migrate from an un-encrypted database to an encrypted one.

Setting storage_encrypted = 'true', the kms_key_id attribute (which by the way should have been called kms_key_arn from the begin with) and snapshot_identifier creates an un-encrypted cluster.

[tinyzimmer]

Just had this issue as well:

Terraform v0.11.11
+ provider.aws v1.54.0

Trying to create an encrypted Aurora cluster from an unencrypted snapshot results in an unencrypted Aurora Cluster

EDIT: Actually to fix this for me, I just needed to add kms_key_id to the before just storage_encrypted (thinking it would compute it). I saw from looking at the provider code for this, that nothing encryption-wise will happen on a restore operation without this parameter.

[giobt]

I've verified via CloudTrail that it's terraform that sends "storageEncrypted": false as part of the RDS API request when restoring the snapshot to a new cluster. This proves that the root cause is some incorrect logic in construction the RDS API request on terraform provider side.

Just want to be clear that this is NOT an RDS behavior that forcing the cluster to be unencrypted because the snapshot is unencrypted. I've verified that RDS can do what is being asked here just fine.

It happens with CloudFormation as well. How did you verify RDS can do what it's being asked? For CloudFormation I use same set of parameters, storage encrypted: true both in cluster and in db, unencrypted snapshot, and it creates an unencrypted cluster in RDS.

[FernandoMiguel]

We are also facing issues with this.
our TF code is expected to create an encrypted cluster/instance, and is restoring from a non encrypted snapshot.
AWS Web console does show the option to encrypt the destination (as do the docs) but terraform always creates a non-encrypted cluster, and on the second run, it tries to destroy the cluster

[nakoa-mccullough-foundant]

Any update on this one? Has this been fixed and I missed it in the change log?

[bflad]

Hi @nakoa-mccullough-foundant 👋 We didn't have an explicit acceptance test for this functionality in our codebase yet, but adding one now, it does appear to work as expected. Please note that currently the storage_encrypted = true argument must also be given in the resource configuration, or the resource will show it needs replacement after creation. I will also submit the change to remove that requirement as part of adding this testing.

[nakoa-mccullough-foundant]

@bflad - Wow, that was quick, thanks for jumping on this.

[bflad]

As mentioned above, this functionality worked previously, but it required storage_encrypted = true to also be configured to prevent plans showing recreation. Version 3.14.0 of the Terraform AWS Provider, releasing later tonight or tomorrow, the resource will accept that enabled configuration or it omitted. 👍

[ghost]

This has been released in version 3.14.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!