
r/resource_aws_rds_cluster: Honor kms_key_id when restoring from snapshot #6012

Conversation

flosell
Contributor

@flosell flosell commented Sep 27, 2018

Currently, kms_key_id is ignored when restoring a cluster by setting snapshot_identifier. AWS then creates the new cluster using the encryption setting from the snapshot (if the snapshot was encrypted, the same key is used for the cluster, otherwise the cluster is unencrypted).

On subsequent plan, kms_key_id would be honored, forcing a plan that would re-create the cluster (to change the encryption settings).

This PR adds the kms_key_id to the RestoreDBClusterFromSnapshotInput so that the cluster is created with the key specified in terraform instead of defaulting to the snapshot's encryption settings.

This is a slight change in behavior that in theory could impact existing users. However, the behavior that is changed isn't particularly useful right now so I wouldn't think too many people depend on it.
Let me know if you see a problem there. We could, for example, add a flag inherit_encryption_settings_from_snapshot that's true by default to keep the old behavior. This would probably make it more unintuitive for most users and harder to maintain for developers though.

Output from acceptance testing:

```
$ make testacc TEST=./aws TESTARGS='-run=TestAccAWSRDSCluster_SnapshotIdentifier'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -run=TestAccAWSRDSCluster_SnapshotIdentifier -timeout 120m
=== RUN   TestAccAWSRDSCluster_SnapshotIdentifier
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier (387.07s)
=== RUN   TestAccAWSRDSCluster_SnapshotIdentifier_EngineMode_ParallelQuery
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_EngineMode_ParallelQuery (399.09s)
=== RUN   TestAccAWSRDSCluster_SnapshotIdentifier_EngineMode_Provisioned
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_EngineMode_Provisioned (367.47s)
=== RUN   TestAccAWSRDSCluster_SnapshotIdentifier_EngineMode_Serverless
--- SKIP: TestAccAWSRDSCluster_SnapshotIdentifier_EngineMode_Serverless (0.00s)
	resource_aws_rds_cluster_test.go:733: serverless does not support snapshot restore on an empty volume
=== RUN   TestAccAWSRDSCluster_SnapshotIdentifier_Tags
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_Tags (449.96s)
=== RUN   TestAccAWSRDSCluster_SnapshotIdentifier_VpcSecurityGroupIds
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_VpcSecurityGroupIds (482.00s)
=== RUN   TestAccAWSRDSCluster_SnapshotIdentifier_VpcSecurityGroupIds_Tags
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_VpcSecurityGroupIds_Tags (422.29s)
=== RUN   TestAccAWSRDSCluster_SnapshotIdentifier_EncryptedRestore
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_EncryptedRestore (375.59s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	2883.521s
```
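The drift the PR description explains (restore inherits the snapshot's key, next plan sees a kms_key_id mismatch and forces re-creation) can be traced in a small model. The following is an added example, not code from this PR or from the provider: the `RestoreDBClusterFromSnapshotInput` struct is a constructed stand-in that only mirrors the aws-sdk-go field names, `ClusterConfig` and `Snapshot` are hypothetical stand-ins for the resource arguments and the AWS snapshot description, `restoreCluster` models the AWS inheritance rule as the description states it, and the key ARNs are placeholders. The `honorKmsKey` switch plays back the pre-fix behaviour (key dropped from the request) against the fixed one.

```go
package main

import "fmt"

// Constructed mirror of the aws-sdk-go rds.RestoreDBClusterFromSnapshotInput
// fields relevant here (a stand-in so the example runs without the SDK).
type RestoreDBClusterFromSnapshotInput struct {
	DBClusterIdentifier *string
	Engine              *string
	SnapshotIdentifier  *string
	KmsKeyId            *string
}

// ClusterConfig is a hypothetical stand-in for the aws_rds_cluster arguments involved.
type ClusterConfig struct {
	ClusterIdentifier  string
	Engine             string
	SnapshotIdentifier string
	KmsKeyId           string // "" means kms_key_id is not set in the Terraform config
}

// Snapshot is a hypothetical stand-in for what AWS reports about the source snapshot.
type Snapshot struct {
	Identifier string
	KmsKeyId   string // "" means the snapshot is unencrypted
}

// buildRestoreInput builds the restore request. honorKmsKey=false reproduces the
// pre-fix behaviour (kms_key_id silently dropped); true reproduces the PR's fix.
func buildRestoreInput(cfg ClusterConfig, honorKmsKey bool) *RestoreDBClusterFromSnapshotInput {
	in := &RestoreDBClusterFromSnapshotInput{
		DBClusterIdentifier: &cfg.ClusterIdentifier,
		Engine:              &cfg.Engine,
		SnapshotIdentifier:  &cfg.SnapshotIdentifier,
	}
	if honorKmsKey && cfg.KmsKeyId != "" {
		in.KmsKeyId = &cfg.KmsKeyId
	}
	return in
}

// restoreCluster models the AWS rule the PR description gives: an explicit KmsKeyId
// in the request is used; otherwise the new cluster inherits the snapshot's
// encryption setting. It returns the key id AWS would report ("" = unencrypted).
func restoreCluster(in *RestoreDBClusterFromSnapshotInput, snap Snapshot) string {
	if in.KmsKeyId != nil && *in.KmsKeyId != "" {
		return *in.KmsKeyId
	}
	return snap.KmsKeyId
}

// needsReplacement mirrors the ForceNew diff on kms_key_id: a configured key that
// differs from the key AWS reports forces the cluster to be re-created.
func needsReplacement(cfg ClusterConfig, reportedKmsKeyId string) bool {
	return cfg.KmsKeyId != "" && cfg.KmsKeyId != reportedKmsKeyId
}

// planAfterRestore runs the restore and the following plan, returning the key the
// cluster ended up with and whether that next plan would replace the cluster.
func planAfterRestore(cfg ClusterConfig, snap Snapshot, honorKmsKey bool) (string, bool) {
	key := restoreCluster(buildRestoreInput(cfg, honorKmsKey), snap)
	return key, needsReplacement(cfg, key)
}

func main() {
	// Constructed sample values; the key ARNs are placeholders, not real keys.
	snap := Snapshot{
		Identifier: "example-snapshot",
		KmsKeyId:   "arn:aws:kms:us-east-1:111122223333:key/SNAPSHOT-KEY-PLACEHOLDER",
	}
	cfg := ClusterConfig{
		ClusterIdentifier:  "example-cluster",
		Engine:             "aurora",
		SnapshotIdentifier: snap.Identifier,
		KmsKeyId:           "arn:aws:kms:us-east-1:111122223333:key/TERRAFORM-KEY-PLACEHOLDER",
	}
	for _, honor := range []bool{false, true} {
		key, replace := planAfterRestore(cfg, snap, honor)
		fmt.Printf("honor kms_key_id=%v -> cluster key %q, next plan re-creates cluster: %v\n",
			honor, key, replace)
	}
}
```

The second run shows why the change matters operationally: with the key carried in the request, the cluster comes up under the key the operator declared, so there is no surprise replacement (and no window in which data is sitting under a key other than the intended one) on the next apply. When kms_key_id is not configured at all, both paths behave identically and the snapshot's setting is inherited.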

@ghost ghost added size/M Managed by automation to categorize the size of a PR. service/rds Issues and PRs that pertain to the rds service. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. labels Sep 27, 2018
@bflad bflad added the bug Addresses a defect in current functionality. label Sep 27, 2018

@bflad bflad left a comment


Thanks for this fix, @flosell! 🚀

```
--- PASS: TestAccAWSRDSCluster_missingUserNameCausesError (2.95s)
--- PASS: TestAccAWSRDSCluster_generatedName (102.92s)
--- PASS: TestAccAWSRDSCluster_namePrefix (123.24s)
--- PASS: TestAccAWSRDSCluster_basic (127.52s)
--- PASS: TestAccAWSRDSCluster_encrypted (127.50s)
--- PASS: TestAccAWSRDSCluster_importBasic (127.89s)
--- PASS: TestAccAWSRDSCluster_EngineVersion (128.58s)
--- PASS: TestAccAWSRDSCluster_iamAuth (147.36s)
--- PASS: TestAccAWSRDSCluster_EngineMode_ParallelQuery (147.76s)
--- PASS: TestAccAWSRDSCluster_updateIamRoles (149.42s)
--- PASS: TestAccAWSRDSCluster_kmsKey (167.25s)
--- PASS: TestAccAWSRDSCluster_takeFinalSnapshot (168.09s)
--- PASS: TestAccAWSRDSCluster_backupsUpdate (170.42s)
--- PASS: TestAccAWSRDSCluster_updateTags (170.59s)
--- PASS: TestAccAWSRDSCluster_updateCloudwatchLogsExports (170.74s)
--- PASS: TestAccAWSRDSCluster_BacktrackWindow (170.90s)
--- PASS: TestAccAWSRDSCluster_ScalingConfiguration (234.13s)
--- PASS: TestAccAWSRDSCluster_Port (242.92s)
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_EngineMode_ParallelQuery (313.82s)
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_Tags (333.44s)
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_EncryptedRestore (324.04s)
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier (373.67s)
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_VpcSecurityGroupIds_Tags (355.42s)
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_VpcSecurityGroupIds (405.57s)
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_EngineMode_Provisioned (424.54s)
--- PASS: TestAccAWSRDSCluster_EngineMode (853.34s)
--- PASS: TestAccAWSRDSCluster_s3Restore (1495.50s)
--- PASS: TestAccAWSRDSCluster_EncryptedCrossRegionReplication (1644.28s)
```

@bflad bflad added this to the v1.39.0 milestone Sep 27, 2018
@bflad bflad merged commit 0285ccc into hashicorp:master Sep 27, 2018
bflad added a commit that referenced this pull request Sep 27, 2018
@ghost

ghost commented Oct 3, 2018

This has been released in version 1.39.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

```hcl
provider "aws" {
	version = "~> 1.39.0"
}
# ... other configuration ...
```

@nomeelnoj

Is this same behavior available for aws_db_instance?

@flosell
Contributor Author

flosell commented Oct 18, 2018

@nomeelnoj I'm not sure if the API supports setting the encryption key when restoring from snapshot for aws_db_instance. This post indicates that you need to copy the snapshot to re-encrypt it if you want to restore with a different KMS key.

@ghost

ghost commented Apr 2, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 2, 2020