Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

provider/aws: Add support for KMS #3928

Merged
merged 14 commits into from
Mar 10, 2016
Merged

Conversation

radeksimko
Copy link
Member

This is a polished version of #3209

@psytale would you mind giving a look at this? Just wanted to know whether you're happy with the modifications I made and whether all make sense to you.

Test plan

$ make testacc TEST=./builtin/providers/aws TESTARGS='-run=Kms' 2>~/tf.log

Eventual consistency

There's just one concern I have - KMS has apparently similar problem as IAM policies - that is eventual consistency. Creation/deletion doesn't seem to be a problem, but disabling/enabling and key rotation are fields that may take time to propagate.

The way we usually deal with such problem is that we call Describe/Get operations repeatedly until we have a confirmation that status has been changed. The problem with such approach is that KMS is literally inconsistent which means that a single confirmation often doesn't mean propagation:

KEY_ID=$(aws kms create-key --description "aws-eventually-consistent-kms-3" | jq -r .KeyMetadata.KeyId)
echo "Disabling $KEY_ID"
aws kms disable-key --key-id $KEY_ID
echo "$KEY_ID should be now disabled"
aws kms describe-key --key-id $KEY_ID | jq .KeyMetadata.Enabled
aws kms describe-key --key-id $KEY_ID | jq .KeyMetadata.Enabled
aws kms describe-key --key-id $KEY_ID | jq .KeyMetadata.Enabled
aws kms describe-key --key-id $KEY_ID | jq .KeyMetadata.Enabled
aws kms describe-key --key-id $KEY_ID | jq .KeyMetadata.Enabled
aws kms describe-key --key-id $KEY_ID | jq .KeyMetadata.Enabled
Disabling 128169fc-a5ac-481f-99f5-730c6980d924
128169fc-a5ac-481f-99f5-730c6980d924 should be now disabled
false
true
false
false
true
true

^ that is why I set the MinTimeout fairly high - 60 secs, but it's naive solution anyway. I'm thinking of creating a special version or modifying the WaitForState helper so that it's counting occurrences of target state in a given time frame and maybe wait for defined percentage (majority) of target status.

Are we silently ignoring this edge case for IAM policies too?

Reported to AWS

I have submitted two feature requests to AWS while I was working on this:

  1. ListAliases to support listing by KeyId, so we don't have to waste so much effort on listing through all
  2. Make KMS read-after-write consistent (which I believe was just an upvote for an existing feature request)


# aws\_kms\_alias

Provides a KMS customer master key. AWS Console enforces 1-to-1 mapping between aliases & keys,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should the start of this paragraph be "Provides an alias for a KMS customer master key"?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed & squashed into the original commit with docs, so I'm not cluttering the git log even more.

@philwitty
Copy link
Contributor

Looks great to me. Really appreciate the help

@boxrick
Copy link

boxrick commented Dec 7, 2015

So is KMS supported within Terraform now ? Or some elements?

@radeksimko
Copy link
Member Author

I wanted to merge this yesterday, so I reran the acceptance tests before doing so.

There are still issues with the eventual consistency - TestAccAWSKmsKey_isEnabled is intermittently failing due to that.

I'm not sure what the best solution is - read my first post above. Even though we wait 1 minute until checking the status, it does not guarantee consistency. Better solution may include waiting for x number of subsequent success statuses.

I will probably try to implement the mentioned solution.

cc @Felivel

@boxrick
Copy link

boxrick commented Dec 7, 2015

Interesting, I am currently playing around with your dev build. Would be particularly handy if IAM Administrators could be specified. Makes it a little difficult to use this without it.

@catsby
Copy link
Contributor

catsby commented Jan 12, 2016

Hey @radeksimko sorry for the delay – how do you feel about this PR right now?

@catsby catsby added the waiting-response An issue/pull request is waiting for a response from the community label Jan 12, 2016
@radeksimko
Copy link
Member Author

@catsby Feature-wise this is ready, but it would make me feel more confident if we first get thru #4447 and implement it here afterwards to prevent the intermittent test failures.

The other linked issue would help making the initial creation a lot faster, but that's not really something I'd consider to be a blocker for KMS generally.

@radeksimko radeksimko removed the waiting-response An issue/pull request is waiting for a response from the community label Jan 12, 2016
@radeksimko
Copy link
Member Author

Just vendor-ed KMS to make godep happy and make the tests green again.

@boxrick
Copy link

boxrick commented Feb 18, 2016

Do we have any updates with this getting merged back in? Waiting for this functionality!

@radeksimko radeksimko force-pushed the aws-kms branch 3 times, most recently from 033b18d to 34c6775 Compare February 26, 2016 20:11
@radeksimko
Copy link
Member Author

This is now ready for final review as I managed to implement the enhanced retry logic from #4447 that made enabling/disabling keys a lot more stable which made me much more confident that this resource will actually work well.

$ make testacc TEST=./builtin/providers/aws TESTARGS='-run=AWSKms'
TF_ACC=1 go test ./builtin/providers/aws -v -run=AWSKms -timeout 120m
=== RUN   TestAccAWSKmsAlias_basic
--- PASS: TestAccAWSKmsAlias_basic (368.99s)
=== RUN   TestAccAWSKmsAlias_multiple
--- PASS: TestAccAWSKmsAlias_multiple (83.41s)
=== RUN   TestAccAWSKmsKey_basic
--- PASS: TestAccAWSKmsKey_basic (230.95s)
=== RUN   TestAccAWSKmsKey_isEnabled
--- PASS: TestAccAWSKmsKey_isEnabled (657.69s)
PASS
ok      github.com/hashicorp/terraform/builtin/providers/aws    1341.056s

@bigkraig
Copy link
Contributor

bigkraig commented Mar 4, 2016

@psytale @catsby hey guys does this cut the mustard now? It looks like everything has been wrapped up. I just sent in pull request #5453 to implement KMS server side encryption on S3 objects and would really like to be able to get everything into the next release.

@phinze
Copy link
Contributor

phinze commented Mar 10, 2016

This LGTM!

phinze added a commit that referenced this pull request Mar 10, 2016
provider/aws: Add support for KMS
@phinze phinze merged commit d129447 into hashicorp:master Mar 10, 2016
@radeksimko radeksimko deleted the aws-kms branch March 10, 2016 07:02
omeid pushed a commit to omeid/terraform that referenced this pull request Mar 30, 2018
…cleanup

docs/resource/kinesis_firehose: fix example formatting in kinesis_firehose splunk destination documentation
@ghost
Copy link

ghost commented Apr 27, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 27, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants