From 5d6355d3d9140854c13caf7d8d20a163ed542ded Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Fri, 24 May 2019 11:40:17 -0400 Subject: [PATCH 1/7] Add aws_ebs_encryption_by_default resource. --- aws/provider.go | 1 + aws/resource_aws_ebs_encryption_by_default.go | 80 +++++++++++++++++++ ...urce_aws_ebs_encryption_by_default_test.go | 70 ++++++++++++++++ website/aws.erb | 4 + .../r/ebs_encryption_by_default.html.markdown | 25 ++++++ 5 files changed, 180 insertions(+) create mode 100644 aws/resource_aws_ebs_encryption_by_default.go create mode 100644 aws/resource_aws_ebs_encryption_by_default_test.go create mode 100644 website/docs/r/ebs_encryption_by_default.html.markdown diff --git a/aws/provider.go b/aws/provider.go index 410b8844d15..4885b0f4a42 100644 --- a/aws/provider.go +++ b/aws/provider.go @@ -426,6 +426,7 @@ func Provider() terraform.ResourceProvider { "aws_dynamodb_table": resourceAwsDynamoDbTable(), "aws_dynamodb_table_item": resourceAwsDynamoDbTableItem(), "aws_dynamodb_global_table": resourceAwsDynamoDbGlobalTable(), + "aws_ebs_encryption_by_default": resourceAwsEbsEncryptionByDefault(), "aws_ebs_snapshot": resourceAwsEbsSnapshot(), "aws_ebs_snapshot_copy": resourceAwsEbsSnapshotCopy(), "aws_ebs_volume": resourceAwsEbsVolume(), diff --git a/aws/resource_aws_ebs_encryption_by_default.go b/aws/resource_aws_ebs_encryption_by_default.go new file mode 100644 index 00000000000..02a9cabf83b --- /dev/null +++ b/aws/resource_aws_ebs_encryption_by_default.go 
@@ -0,0 +1,80 @@ +package aws + +import ( + "fmt" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/service/ec2" + + "github.com/hashicorp/terraform/helper/resource" + "github.com/hashicorp/terraform/helper/schema" +) + +func resourceAwsEbsEncryptionByDefault() *schema.Resource { + return &schema.Resource{ + Create: resourceAwsEbsEncryptionByDefaultCreate, + Read: resourceAwsEbsEncryptionByDefaultRead, + Update: resourceAwsEbsEncryptionByDefaultUpdate, + Delete: resourceAwsEbsEncryptionByDefaultDelete, + + Schema: map[string]*schema.Schema{ + "enabled": { + Type: schema.TypeBool, + Required: true, + }, + }, + } +} + +func resourceAwsEbsEncryptionByDefaultCreate(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).ec2conn + + enabled := d.Get("enabled").(bool) + if err := setEbsEncryptionByDefault(conn, enabled); err != nil { + return fmt.Errorf("error creating EBS encryption by default (%t): %s", enabled, err) + } + + d.SetId(resource.UniqueId()) + + return resourceAwsEbsEncryptionByDefaultRead(d, meta) +} + +func resourceAwsEbsEncryptionByDefaultRead(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).ec2conn + + resp, err := conn.GetEbsEncryptionByDefault(&ec2.GetEbsEncryptionByDefaultInput{}) + if err != nil { + return fmt.Errorf("error reading EBS encryption by default: %s", err) + } + + d.Set("enabled", aws.BoolValue(resp.EbsEncryptionByDefault)) + + return nil +} + +func resourceAwsEbsEncryptionByDefaultUpdate(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).ec2conn + + enabled := d.Get("enabled").(bool) + if err := setEbsEncryptionByDefault(conn, enabled); err != nil { + return fmt.Errorf("error updating EBS encryption by default (%t): %s", enabled, err) + } + + return resourceAwsEbsEncryptionByDefaultRead(d, meta) +} + +func resourceAwsEbsEncryptionByDefaultDelete(d *schema.ResourceData, meta interface{}) error { + return nil +} + +func 
setEbsEncryptionByDefault(conn *ec2.EC2, enabled bool) error { + var err error + + if enabled { + _, err = conn.EnableEbsEncryptionByDefault(&ec2.EnableEbsEncryptionByDefaultInput{}) + } else { + _, err = conn.DisableEbsEncryptionByDefault(&ec2.DisableEbsEncryptionByDefaultInput{}) + } + + return err +} diff --git a/aws/resource_aws_ebs_encryption_by_default_test.go b/aws/resource_aws_ebs_encryption_by_default_test.go new file mode 100644 index 00000000000..606b4e68e72 --- /dev/null +++ b/aws/resource_aws_ebs_encryption_by_default_test.go 
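Review bot: `d.SetId(resource.UniqueId())` in resourceAwsEbsEncryptionByDefaultCreate gives a random ID to what is really a per-account, per-region singleton, so two declarations in one configuration (or two states applied against the same account) each believe they own the setting and silently undo each other on alternate applies, and the resource cannot be imported. A deterministic ID, for example the region the client is configured for, would make a duplicate visible and import possible without touching Read, which already ignores the ID and queries the live setting. Because the value being toggled is a security control for every volume created in the region, the ownership ambiguity is worth closing before the resource ships.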
@@ -0,0 +1,70 @@ +package aws + +import ( + "fmt" + "testing" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/service/ec2" + "github.com/hashicorp/terraform/helper/resource" + "github.com/hashicorp/terraform/terraform" +) + +func TestAccAWSEBSEncryptionByDefault_basic(t *testing.T) { + resourceName := "aws_ebs_encryption_by_default.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + Config: testAccAwsEbsEncryptionByDefaultConfig(false), + Check: resource.ComposeTestCheckFunc( + testAccCheckEbsEncryptionByDefault(resourceName, false), + resource.TestCheckResourceAttr(resourceName, "enabled", "false"), + ), + }, + { + Config: testAccAwsEbsEncryptionByDefaultConfig(true), + Check: resource.ComposeTestCheckFunc( + testAccCheckEbsEncryptionByDefault(resourceName, true), + resource.TestCheckResourceAttr(resourceName, "enabled", "true"), + ), + }, + }, + }) +} + +func testAccCheckEbsEncryptionByDefault(n string, enabled bool) resource.TestCheckFunc { + return func(s *terraform.State) error { + rs, ok := s.RootModule().Resources[n] + if !ok { + return fmt.Errorf("Not found: %s", n) + } + + if rs.Primary.ID == "" { + return fmt.Errorf("No ID is set") + } + + conn := testAccProvider.Meta().(*AWSClient).ec2conn + + response, err := conn.GetEbsEncryptionByDefault(&ec2.GetEbsEncryptionByDefaultInput{}) + if err != nil { + return err + } + + if aws.BoolValue(response.EbsEncryptionByDefault) != enabled { + return fmt.Errorf("EBS encryption by default is not in expected state (%t)", enabled) + } + + return nil + } +} + +func testAccAwsEbsEncryptionByDefaultConfig(enabled bool) string { + return fmt.Sprintf(` +resource "aws_ebs_encryption_by_default" "test" { + enabled = %[1]t +} +`, enabled) +} diff --git a/website/aws.erb b/website/aws.erb index fa74a7c5916..2db7138c7fd 100644 --- a/website/aws.erb +++ b/website/aws.erb 
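Review bot: `resource.ParallelTest` runs TestAccAWSEBSEncryptionByDefault_basic alongside other acceptance tests, but the setting it flips is account- and region-wide, so any concurrently running test that creates an EBS volume or snapshot sees default encryption switch on and off mid-run, and a failure part-way leaves the account in whichever state the last step reached. `resource.Test(t, resource.TestCase{` keeps account-level toggles serial. The same applies to TestAccAWSEBSDefaultKmsKey_basic in the second patch, which swaps the account's default CMK under any test that happens to be encrypting volumes at the time.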
@@ -1135,6 +1135,10 @@ aws_ami_launch_permission +
  • + aws_ebs_encryption_by_default +
  • +
  • aws_ebs_snapshot
  • diff --git a/website/docs/r/ebs_encryption_by_default.html.markdown b/website/docs/r/ebs_encryption_by_default.html.markdown new file mode 100644 index 00000000000..06ffbae8157 --- /dev/null +++ b/website/docs/r/ebs_encryption_by_default.html.markdown @@ -0,0 +1,25 @@ +--- +layout: "aws" +page_title: "AWS: aws_ebs_encryption_by_default" +sidebar_current: "docs-aws-ebs-encryption-by-default" +description: |- + Manages whether default EBS encryption is enabled for your AWS account in the current AWS region. +--- + +# Resource: aws_ebs_encryption_by_default + +Provides a resource to manage whether default EBS encryption is enabled for your AWS account in the current AWS region. + +## Example Usage + +```hcl +resource "aws_ebs_encryption_by_default" "example" { + enabled = true +} +``` + +## Argument Reference + +The following arguments are supported: + +* `enabled` - (Required) Whether or not default EBS encryption is enabled. Valid values are `true` or `false`. From 00f6a103f41170bc5474a3ca34b135d5f75a02c6 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Fri, 24 May 2019 15:33:03 -0400 Subject: [PATCH 2/7] Add aws_ebs_default_kms_key resource. --- aws/provider.go | 1 + aws/resource_aws_ebs_default_kms_key.go | 80 ++++++++++++++ aws/resource_aws_ebs_default_kms_key_test.go | 103 ++++++++++++++++++ website/aws.erb | 4 + .../r/aws_ebs_default_kms_key.html.markdown | 32 ++++++ 5 files changed, 220 insertions(+) create mode 100644 aws/resource_aws_ebs_default_kms_key.go create mode 100644 aws/resource_aws_ebs_default_kms_key_test.go create mode 100644 website/docs/r/aws_ebs_default_kms_key.html.markdown diff --git a/aws/provider.go b/aws/provider.go index 4885b0f4a42..ae65dda9aa4 100644 --- a/aws/provider.go +++ b/aws/provider.go 
@@ -426,6 +426,7 @@ func Provider() terraform.ResourceProvider { "aws_dynamodb_table": resourceAwsDynamoDbTable(), "aws_dynamodb_table_item": resourceAwsDynamoDbTableItem(), "aws_dynamodb_global_table": resourceAwsDynamoDbGlobalTable(), + "aws_ebs_default_kms_key": resourceAwsEbsDefaultKmsKey(), "aws_ebs_encryption_by_default": resourceAwsEbsEncryptionByDefault(), "aws_ebs_snapshot": resourceAwsEbsSnapshot(), "aws_ebs_snapshot_copy": resourceAwsEbsSnapshotCopy(), diff --git a/aws/resource_aws_ebs_default_kms_key.go b/aws/resource_aws_ebs_default_kms_key.go new file mode 100644 index 00000000000..9cec9881b7e --- /dev/null +++ b/aws/resource_aws_ebs_default_kms_key.go 
@@ -0,0 +1,80 @@ +package aws + +import ( + "fmt" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/service/ec2" + + "github.com/hashicorp/terraform/helper/resource" + "github.com/hashicorp/terraform/helper/schema" +) + +func resourceAwsEbsDefaultKmsKey() *schema.Resource { + return &schema.Resource{ + Create: resourceAwsEbsDefaultKmsKeyCreate, + Read: resourceAwsEbsDefaultKmsKeyRead, + Update: resourceAwsEbsDefaultKmsKeyUpdate, + Delete: resourceAwsEbsDefaultKmsKeyDelete, + + Schema: map[string]*schema.Schema{ + "key_id": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validateArn, + }, + }, + } +} + +func resourceAwsEbsDefaultKmsKeyCreate(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).ec2conn + + _, err := conn.ModifyEbsDefaultKmsKeyId(&ec2.ModifyEbsDefaultKmsKeyIdInput{ + KmsKeyId: aws.String(d.Get("key_id").(string)), + }) + if err != nil { + return fmt.Errorf("error creating EBS default KMS key: %s", err) + } + + d.SetId(resource.UniqueId()) + + return resourceAwsEbsDefaultKmsKeyRead(d, meta) +} + +func resourceAwsEbsDefaultKmsKeyRead(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).ec2conn + + resp, err := conn.GetEbsDefaultKmsKeyId(&ec2.GetEbsDefaultKmsKeyIdInput{}) + if err != nil { + return fmt.Errorf("error reading EBS default KMS key: %s", err) + } + + d.Set("key_id", aws.StringValue(resp.KmsKeyId)) + + return nil +} + +func resourceAwsEbsDefaultKmsKeyUpdate(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).ec2conn + + _, err := conn.ModifyEbsDefaultKmsKeyId(&ec2.ModifyEbsDefaultKmsKeyIdInput{ + KmsKeyId: aws.String(d.Get("key_id").(string)), + }) + if err != nil { + return fmt.Errorf("error updating EBS default KMS key: %s", err) + } + + return resourceAwsEbsDefaultKmsKeyRead(d, meta) +} + +func resourceAwsEbsDefaultKmsKeyDelete(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).ec2conn + + _, err := 
conn.ResetEbsDefaultKmsKeyId(&ec2.ResetEbsDefaultKmsKeyIdInput{}) + if err != nil { + return fmt.Errorf("error deleting EBS default KMS key: %s", err) + } + + return nil +} diff --git a/aws/resource_aws_ebs_default_kms_key_test.go b/aws/resource_aws_ebs_default_kms_key_test.go new file mode 100644 index 00000000000..158024b12e1 --- /dev/null +++ b/aws/resource_aws_ebs_default_kms_key_test.go 
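Review bot: `ValidateFunc: validateArn` on `key_id` accepts any well-formed ARN, including a KMS alias ARN or an ARN from another service; as far as I can tell the EC2 API accepts alias forms for KmsKeyId (worth confirming against the SDK docs), while GetEbsDefaultKmsKeyId, which Read relies on, hands back the key ARN, so an alias in the configuration yields a perpetual diff — and once the fourth patch makes the argument ForceNew, a reset-and-modify on every apply. A validator that additionally requires the `kms` service and a `key/` resource rejects that at plan time; it needs `strings` and `github.com/aws/aws-sdk-go/aws/arn` imported in this file (the latter is already used by the test file). The schema hunk of the fourth patch, which renames the argument to `key_arn`, has the same gap.
```go
// … in the "key_id" schema block, unchanged apart from this line …
ValidateFunc: validateEbsDefaultKmsKeyArn,

// validateEbsDefaultKmsKeyArn accepts only the ARN of a KMS key (service "kms",
// resource "key/…"), rejecting alias ARNs and ARNs of other services so that
// the configured value round-trips unchanged through GetEbsDefaultKmsKeyId.
func validateEbsDefaultKmsKeyArn(v interface{}, k string) (ws []string, errs []error) {
	ws, errs = validateArn(v, k)
	if len(errs) > 0 {
		return ws, errs
	}
	parsed, err := arn.Parse(v.(string))
	if err != nil {
		return ws, append(errs, fmt.Errorf("%q (%q) is not a valid ARN: %s", k, v.(string), err))
	}
	if parsed.Service != "kms" || !strings.HasPrefix(parsed.Resource, "key/") {
		errs = append(errs, fmt.Errorf("%q (%q) must be the ARN of a KMS key, not an alias or another service's resource", k, v.(string)))
	}
	return ws, errs
}
```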
@@ -0,0 +1,103 @@ +package aws + +import ( + "fmt" + "testing" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/arn" + "github.com/aws/aws-sdk-go/service/ec2" + "github.com/hashicorp/terraform/helper/resource" + "github.com/hashicorp/terraform/terraform" +) + +func TestAccAWSEBSDefaultKmsKey_basic(t *testing.T) { + resourceName := "aws_ebs_default_kms_key.test" + resourceNameKey1 := "aws_kms_key.test1" + resourceNameKey2 := "aws_kms_key.test2" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAwsEbsDefaultKmsKeyDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAwsEbsDefaultKmsKeyConfig_basic, + Check: resource.ComposeTestCheckFunc( + testAccCheckEbsDefaultKmsKey(resourceName), + resource.TestCheckResourceAttrPair(resourceName, "key_id", resourceNameKey1, "arn"), + ), + }, + { + Config: testAccAwsEbsDefaultKmsKeyConfig_updated, + Check: resource.ComposeTestCheckFunc( + testAccCheckEbsDefaultKmsKey(resourceName), + resource.TestCheckResourceAttrPair(resourceName, "key_id", resourceNameKey2, "arn"), + ), + }, + }, + }) +} + +func testAccCheckAwsEbsDefaultKmsKeyDestroy(s *terraform.State) error { + ec2conn := testAccProvider.Meta().(*AWSClient).ec2conn + kmsconn := testAccProvider.Meta().(*AWSClient).kmsconn + + alias, err := findKmsAliasByName(kmsconn, "alias/aws/ebs", nil) + if err != nil { + return err + } + + aliasARN, err := arn.Parse(aws.StringValue(alias.AliasArn)) + if err != nil { + return err + } + + arn := arn.ARN{ + Partition: aliasARN.Partition, + Service: aliasARN.Service, + Region: aliasARN.Region, + AccountID: aliasARN.AccountID, + Resource: fmt.Sprintf("key/%s", aws.StringValue(alias.TargetKeyId)), + } + + resp, err := ec2conn.GetEbsDefaultKmsKeyId(&ec2.GetEbsDefaultKmsKeyIdInput{}) + if err != nil { + return err + } + + if aws.StringValue(resp.KmsKeyId) != arn.String() { + return fmt.Errorf("Default CMK (%s) is not the 
account's AWS-managed default CMK (%s)", aws.StringValue(resp.KmsKeyId), arn.String()) + } + + return nil +} + +func testAccCheckEbsDefaultKmsKey(name string) resource.TestCheckFunc { + return func(s *terraform.State) error { + _, ok := s.RootModule().Resources[name] + if !ok { + return fmt.Errorf("Not found: %s", name) + } + + return nil + } +} + +const testAccAwsEbsDefaultKmsKeyConfigBase = ` +resource "aws_kms_key" "test1" {} + +resource "aws_kms_key" "test2" {} +` + +const testAccAwsEbsDefaultKmsKeyConfig_basic = testAccAwsEbsDefaultKmsKeyConfigBase + ` +resource "aws_ebs_default_kms_key" "test" { + key_id = "${aws_kms_key.test1.arn}" +} +` + +const testAccAwsEbsDefaultKmsKeyConfig_updated = testAccAwsEbsDefaultKmsKeyConfigBase + ` +resource "aws_ebs_default_kms_key" "test" { + key_id = "${aws_kms_key.test2.arn}" +} +` diff --git a/website/aws.erb b/website/aws.erb index 2db7138c7fd..4dd6e5ef635 100644 --- a/website/aws.erb +++ b/website/aws.erb @@ -1135,6 +1135,10 @@ aws_ami_launch_permission +
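Review bot: `arn := arn.ARN{` in testAccCheckAwsEbsDefaultKmsKeyDestroy shadows the imported `arn` package for the rest of the function; it compiles only because the right-hand side is resolved before the new name enters scope, and it trips shadow linters and blocks any later `arn.Parse` in that scope. Renaming the local, `keyARN := arn.ARN{` with `keyARN.String()` in the comparison and error below, fixes it; the fourth patch carries the same shadowing into testAccAwsEbsDefaultKmsKeyAwsManagedDefaultKey. Separately, `alias.AliasArn` is dereferenced without checking `alias` for nil: if findKmsAliasByName reports a missing `alias/aws/ebs` as a nil entry rather than an error, which can happen in a region where EBS encryption has never been used, this check panics instead of failing, so `if alias == nil { return fmt.Errorf("KMS alias alias/aws/ebs not found") }` belongs right after the call.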
  • + aws_ebs_default_kms_key +
  • +
  • aws_ebs_encryption_by_default
  • diff --git a/website/docs/r/aws_ebs_default_kms_key.html.markdown b/website/docs/r/aws_ebs_default_kms_key.html.markdown new file mode 100644 index 00000000000..befabca00a7 --- /dev/null +++ b/website/docs/r/aws_ebs_default_kms_key.html.markdown @@ -0,0 +1,32 @@ +--- +layout: "aws" +page_title: "AWS: aws_ebs_default_kms_key" +sidebar_current: "docs-aws-ebs-default-kms-key" +description: |- + Manages the default customer master key (CMK) that your AWS account uses to encrypt EBS volumes. +--- + +# Resource: aws_ebs_default_kms_key + +Provides a resource to manage the default customer master key (CMK) that your AWS account uses to encrypt EBS volumes. + +Your AWS account has an AWS-managed default CMK that is used for encrypting an EBS volume when no CMK is specified in the API call that creates the volume. +By using the `aws_ebs_default_kms_key` resource, you can specify a customer-managed CMK to use in place of the AWS-managed default CMK. + +~> **NOTE:** Creating an `aws_ebs_default_kms_key` resource does not enable default EBS encryption. Use the [`aws_ebs_encryption_by_default`](ebs_encryption_by_default.html) to enable default EBS encryption. + +~> **NOTE:** Destroying this resource will reset the default CMK to the account's AWS-managed default CMK for EBS. + +## Example Usage + +```hcl +resource "aws_ebs_default_kms_key" "example" { + key_id = "${aws_kms_key.example.arn}" +} +``` + +## Argument Reference + +The following arguments are supported: + +* `key_id` - (Required) The ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) to use to encrypt the EBS volume. From 6b028d19869bdbbaef3a21b5ddc14d796123a90d Mon Sep 17 00:00:00 2001 
From: Kit Ewbank Date: Fri, 24 May 2019 17:07:42 -0400 Subject: [PATCH 3/7] Correct documentation link. --- ...lt_kms_key.html.markdown => ebs_default_kms_key.html.markdown} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename website/docs/r/{aws_ebs_default_kms_key.html.markdown => ebs_default_kms_key.html.markdown} (100%) diff --git a/website/docs/r/aws_ebs_default_kms_key.html.markdown b/website/docs/r/ebs_default_kms_key.html.markdown similarity index 100% rename from website/docs/r/aws_ebs_default_kms_key.html.markdown rename to website/docs/r/ebs_default_kms_key.html.markdown From 0d6ce4ce403b2c54c4f13abad49074826f446fab Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Sun, 9 Jun 2019 17:53:24 -0400 Subject: [PATCH 4/7] r/aws_ebs_default_kms_key: Review changes. --- aws/resource_aws_ebs_default_kms_key.go | 29 ++---- aws/resource_aws_ebs_default_kms_key_test.go | 92 +++++++++++-------- .../docs/r/ebs_default_kms_key.html.markdown | 12 ++- 3 files changed, 75 insertions(+), 58 deletions(-) diff --git a/aws/resource_aws_ebs_default_kms_key.go b/aws/resource_aws_ebs_default_kms_key.go index 9cec9881b7e..10cc15ccd01 100644 --- a/aws/resource_aws_ebs_default_kms_key.go +++ b/aws/resource_aws_ebs_default_kms_key.go @@ -6,7 +6,6 @@ import ( "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/service/ec2" - "github.com/hashicorp/terraform/helper/resource" "github.com/hashicorp/terraform/helper/schema" ) @@ -14,13 +13,16 @@ func resourceAwsEbsDefaultKmsKey() *schema.Resource { return &schema.Resource{ Create: resourceAwsEbsDefaultKmsKeyCreate, Read: resourceAwsEbsDefaultKmsKeyRead, - Update: resourceAwsEbsDefaultKmsKeyUpdate, Delete: resourceAwsEbsDefaultKmsKeyDelete, + Importer: &schema.ResourceImporter{ + State: schema.ImportStatePassthrough, + }, Schema: map[string]*schema.Schema{ - "key_id": { + "key_arn": { Type: schema.TypeString, Required: true, + ForceNew: true, ValidateFunc: validateArn, }, }, 
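Review bot: Making `key_arn` ForceNew while Delete resets the account to the AWS-managed CMK turns a key change into reset-then-modify: any volume created between the two calls is encrypted with the AWS-managed key rather than either configured key, and with `create_before_destroy` the order inverts so the apply ends with the reset, leaving the account on the AWS-managed CMK until the next refresh reports drift. ModifyEbsDefaultKmsKeyId already replaces the key in place, so keeping an Update that does exactly what the removed resourceAwsEbsDefaultKmsKeyUpdate did (one `ModifyEbsDefaultKmsKeyId` call with `key_arn`) and dropping `ForceNew: true,` avoids both windows while the importer and the ARN-as-ID change stay as they are. resourceAwsEbsDefaultKmsKey continues past the end of this hunk.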
@@ -30,14 +32,14 @@ func resourceAwsEbsDefaultKmsKey() *schema.Resource { func resourceAwsEbsDefaultKmsKeyCreate(d *schema.ResourceData, meta interface{}) error { conn := meta.(*AWSClient).ec2conn - _, err := conn.ModifyEbsDefaultKmsKeyId(&ec2.ModifyEbsDefaultKmsKeyIdInput{ - KmsKeyId: aws.String(d.Get("key_id").(string)), + resp, err := conn.ModifyEbsDefaultKmsKeyId(&ec2.ModifyEbsDefaultKmsKeyIdInput{ + KmsKeyId: aws.String(d.Get("key_arn").(string)), }) if err != nil { return fmt.Errorf("error creating EBS default KMS key: %s", err) } - d.SetId(resource.UniqueId()) + d.SetId(aws.StringValue(resp.KmsKeyId)) return resourceAwsEbsDefaultKmsKeyRead(d, meta) } @@ -50,24 +52,11 @@ func resourceAwsEbsDefaultKmsKeyRead(d *schema.ResourceData, meta interface{}) e return fmt.Errorf("error reading EBS default KMS key: %s", err) } - d.Set("key_id", aws.StringValue(resp.KmsKeyId)) + d.Set("key_arn", resp.KmsKeyId) return nil } -func resourceAwsEbsDefaultKmsKeyUpdate(d *schema.ResourceData, meta interface{}) error { - conn := meta.(*AWSClient).ec2conn - - _, err := conn.ModifyEbsDefaultKmsKeyId(&ec2.ModifyEbsDefaultKmsKeyIdInput{ - KmsKeyId: aws.String(d.Get("key_id").(string)), - }) - if err != nil { - return fmt.Errorf("error updating EBS default KMS key: %s", err) - } - - return resourceAwsEbsDefaultKmsKeyRead(d, meta) -} - func resourceAwsEbsDefaultKmsKeyDelete(d *schema.ResourceData, meta interface{}) error { conn := meta.(*AWSClient).ec2conn diff --git a/aws/resource_aws_ebs_default_kms_key_test.go b/aws/resource_aws_ebs_default_kms_key_test.go index 158024b12e1..8eb3cf65ec0 100644 --- a/aws/resource_aws_ebs_default_kms_key_test.go +++ b/aws/resource_aws_ebs_default_kms_key_test.go 
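Review bot: resourceAwsEbsDefaultKmsKeyRead never looks at `d.Id()`, so combined with the new `ImportStatePassthrough` importer any string handed to `terraform import` is accepted and quietly replaced on the next refresh by whatever key the account currently uses; a mistyped ARN is never reported. Since the ID is now the key ARN, Read can reconcile it after the Get: `if d.Id() != aws.StringValue(resp.KmsKeyId) { log.Printf("[WARN] EBS default KMS key (%s) not found, removing from state", d.Id()); d.SetId(""); return nil }` (needs `log` imported), which also makes an out-of-band reset to the AWS-managed key show up as a planned re-create. The start of Read lies outside this hunk.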
@@ -13,8 +13,7 @@ import ( func TestAccAWSEBSDefaultKmsKey_basic(t *testing.T) { resourceName := "aws_ebs_default_kms_key.test" - resourceNameKey1 := "aws_kms_key.test1" - resourceNameKey2 := "aws_kms_key.test2" + resourceNameKey := "aws_kms_key.test" resource.ParallelTest(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, 
@@ -25,47 +24,32 @@ func TestAccAWSEBSDefaultKmsKey_basic(t *testing.T) { Config: testAccAwsEbsDefaultKmsKeyConfig_basic, Check: resource.ComposeTestCheckFunc( testAccCheckEbsDefaultKmsKey(resourceName), - resource.TestCheckResourceAttrPair(resourceName, "key_id", resourceNameKey1, "arn"), + resource.TestCheckResourceAttrPair(resourceName, "key_arn", resourceNameKey, "arn"), ), }, { - Config: testAccAwsEbsDefaultKmsKeyConfig_updated, - Check: resource.ComposeTestCheckFunc( - testAccCheckEbsDefaultKmsKey(resourceName), - resource.TestCheckResourceAttrPair(resourceName, "key_id", resourceNameKey2, "arn"), - ), + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, }, }, }) } func testAccCheckAwsEbsDefaultKmsKeyDestroy(s *terraform.State) error { - ec2conn := testAccProvider.Meta().(*AWSClient).ec2conn - kmsconn := testAccProvider.Meta().(*AWSClient).kmsconn - - alias, err := findKmsAliasByName(kmsconn, "alias/aws/ebs", nil) + arn, err := testAccAwsEbsDefaultKmsKeyAwsManagedDefaultKey() if err != nil { return err } - aliasARN, err := arn.Parse(aws.StringValue(alias.AliasArn)) - if err != nil { - return err - } - - arn := arn.ARN{ - Partition: aliasARN.Partition, - Service: aliasARN.Service, - Region: aliasARN.Region, - AccountID: aliasARN.AccountID, - Resource: fmt.Sprintf("key/%s", aws.StringValue(alias.TargetKeyId)), - } + conn := testAccProvider.Meta().(*AWSClient).ec2conn - resp, err := ec2conn.GetEbsDefaultKmsKeyId(&ec2.GetEbsDefaultKmsKeyIdInput{}) + resp, err := conn.GetEbsDefaultKmsKeyId(&ec2.GetEbsDefaultKmsKeyIdInput{}) if err != nil { return err } + // Verify that the default key is now the account's AWS-managed default CMK. if aws.StringValue(resp.KmsKeyId) != arn.String() { return fmt.Errorf("Default CMK (%s) is not the account's AWS-managed default CMK (%s)", aws.StringValue(resp.KmsKeyId), arn.String()) } 
@@ -75,29 +59,65 @@ func testAccCheckAwsEbsDefaultKmsKeyDestroy(s *terraform.State) error { func testAccCheckEbsDefaultKmsKey(name string) resource.TestCheckFunc { return func(s *terraform.State) error { - _, ok := s.RootModule().Resources[name] + rs, ok := s.RootModule().Resources[name] if !ok { return fmt.Errorf("Not found: %s", name) } + if rs.Primary.ID == "" { + return fmt.Errorf("No ID is set") + } + + arn, err := testAccAwsEbsDefaultKmsKeyAwsManagedDefaultKey() + if err != nil { + return err + } + + conn := testAccProvider.Meta().(*AWSClient).ec2conn + + resp, err := conn.GetEbsDefaultKmsKeyId(&ec2.GetEbsDefaultKmsKeyIdInput{}) + if err != nil { + return err + } + + // Verify that the default key is not the account's AWS-managed default CMK. + if aws.StringValue(resp.KmsKeyId) == arn.String() { + return fmt.Errorf("Default CMK (%s) is the account's AWS-managed default CMK (%s)", aws.StringValue(resp.KmsKeyId), arn.String()) + } + return nil } } -const testAccAwsEbsDefaultKmsKeyConfigBase = ` -resource "aws_kms_key" "test1" {} +// testAccAwsEbsDefaultKmsKeyAwsManagedDefaultKey returns' the account's AWS-managed default CMK. 
+func testAccAwsEbsDefaultKmsKeyAwsManagedDefaultKey() (*arn.ARN, error) { + conn := testAccProvider.Meta().(*AWSClient).kmsconn -resource "aws_kms_key" "test2" {} -` + alias, err := findKmsAliasByName(conn, "alias/aws/ebs", nil) + if err != nil { + return nil, err + } -const testAccAwsEbsDefaultKmsKeyConfig_basic = testAccAwsEbsDefaultKmsKeyConfigBase + ` -resource "aws_ebs_default_kms_key" "test" { - key_id = "${aws_kms_key.test1.arn}" + aliasARN, err := arn.Parse(aws.StringValue(alias.AliasArn)) + if err != nil { + return nil, err + } + + arn := arn.ARN{ + Partition: aliasARN.Partition, + Service: aliasARN.Service, + Region: aliasARN.Region, + AccountID: aliasARN.AccountID, + Resource: fmt.Sprintf("key/%s", aws.StringValue(alias.TargetKeyId)), + } + + return &arn, nil } -` -const testAccAwsEbsDefaultKmsKeyConfig_updated = testAccAwsEbsDefaultKmsKeyConfigBase + ` +const testAccAwsEbsDefaultKmsKeyConfig_basic = ` +resource "aws_kms_key" "test" {} + resource "aws_ebs_default_kms_key" "test" { - key_id = "${aws_kms_key.test2.arn}" + key_arn = "${aws_kms_key.test.arn}" } ` diff --git a/website/docs/r/ebs_default_kms_key.html.markdown b/website/docs/r/ebs_default_kms_key.html.markdown index befabca00a7..a02ef5c70aa 100644 --- a/website/docs/r/ebs_default_kms_key.html.markdown +++ b/website/docs/r/ebs_default_kms_key.html.markdown @@ -21,7 +21,7 @@ By using the `aws_ebs_default_kms_key` resource, you can specify a customer-mana ```hcl resource "aws_ebs_default_kms_key" "example" { - key_id = "${aws_kms_key.example.arn}" + key_arn = "${aws_kms_key.example.arn}" } ``` 
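Review bot: The doc comment `// testAccAwsEbsDefaultKmsKeyAwsManagedDefaultKey returns' the account's AWS-managed default CMK.` has a stray apostrophe and does not say what form the key comes back in; `// testAccAwsEbsDefaultKmsKeyAwsManagedDefaultKey returns the ARN of the account's AWS-managed default CMK for EBS (alias/aws/ebs).` reads correctly. Returning `*arn.ARN` makes both callers work with a pointer that is never nil on success; `(arn.ARN, error)` with `arn.ARN{}` on the error paths is simpler and lets `arn.String()` be called directly. The `arn := arn.ARN{` local here shadows the imported package in the same way as the destroy check it was extracted from.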
@@ -29,4 +29,12 @@ resource "aws_ebs_default_kms_key" "example" { The following arguments are supported: -* `key_id` - (Required) The ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) to use to encrypt the EBS volume. +* `key_arn` - (Required, ForceNew) The ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) to use to encrypt the EBS volume. + +## Import + +The EBS default KMS CMK can be imported with the KMS key ARN, e.g. + +```console +$ terraform import aws_ebs_default_kms_key.example arn:aws:kms:us-east-1:123456789012:key/abcd-1234 +``` From 54ddb3f4d87cd04b7e7c04e7eb20de1f0b909294 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Sun, 9 Jun 2019 17:57:05 -0400 Subject: [PATCH 5/7] Update website/docs/r/ebs_encryption_by_default.html.markdown Code review changes. Co-Authored-By: Brian Flad --- website/docs/r/ebs_encryption_by_default.html.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/r/ebs_encryption_by_default.html.markdown b/website/docs/r/ebs_encryption_by_default.html.markdown index 06ffbae8157..3de073dc3fd 100644 --- a/website/docs/r/ebs_encryption_by_default.html.markdown +++ b/website/docs/r/ebs_encryption_by_default.html.markdown @@ -8,7 +8,7 @@ description: |- # Resource: aws_ebs_encryption_by_default -Provides a resource to manage whether default EBS encryption is enabled for your AWS account in the current AWS region. +Provides a resource to manage whether default EBS encryption is enabled for your AWS account in the current AWS region. To manage the default KMS key for the region, see the [`aws_ebs_default_kms_key` resource](/docs/providers/aws/r/ebs_default_kms_key.html). ## Example Usage From 05b96339b9f5eb713d5c8b347f69226266316931 Mon Sep 17 00:00:00 2001 
From: Kit Ewbank Date: Sun, 9 Jun 2019 17:57:24 -0400 Subject: [PATCH 6/7] Update aws/resource_aws_ebs_encryption_by_default.go Code review changes. Co-Authored-By: Brian Flad --- aws/resource_aws_ebs_encryption_by_default.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/aws/resource_aws_ebs_encryption_by_default.go b/aws/resource_aws_ebs_encryption_by_default.go index 02a9cabf83b..08f90c5dacf 100644 --- a/aws/resource_aws_ebs_encryption_by_default.go +++ b/aws/resource_aws_ebs_encryption_by_default.go @@ -20,7 +20,8 @@ func resourceAwsEbsEncryptionByDefault() *schema.Resource { Schema: map[string]*schema.Schema{ "enabled": { Type: schema.TypeBool, - Required: true, + Optional: true, + Default: true, }, }, } From 84f451d88216243ee9bb7d9047b35ab1f97288c2 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Sun, 9 Jun 2019 18:13:45 -0400 Subject: [PATCH 7/7] r/aws_ebs_encryption_by_default: Review changes. --- aws/resource_aws_ebs_encryption_by_default.go | 7 +++++++ ...urce_aws_ebs_encryption_by_default_test.go | 20 +++++++++++++++++-- .../r/ebs_encryption_by_default.html.markdown | 4 +++- 3 files changed, 28 insertions(+), 3 deletions(-) diff --git a/aws/resource_aws_ebs_encryption_by_default.go b/aws/resource_aws_ebs_encryption_by_default.go index 08f90c5dacf..a34b10ccd9d 100644 --- a/aws/resource_aws_ebs_encryption_by_default.go +++ b/aws/resource_aws_ebs_encryption_by_default.go @@ -65,6 +65,13 @@ func resourceAwsEbsEncryptionByDefaultUpdate(d *schema.ResourceData, meta interf } func resourceAwsEbsEncryptionByDefaultDelete(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).ec2conn + + // Removing the resource disables default encryption. + if err := setEbsEncryptionByDefault(conn, false); err != nil { + return fmt.Errorf("error disabling EBS encryption by default: %s", err) + } + return nil } 
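Review bot: `setEbsEncryptionByDefault(conn, false)` in resourceAwsEbsEncryptionByDefaultDelete switches off an account- and region-wide security control whenever the resource leaves the configuration, including on a `terraform destroy` of a stack that only used this resource to assert encryption was on, and regardless of whether the setting was already enabled before Terraform managed it. The one-line comment should make that explicit so a later reader does not mistake the call for cleanup of Terraform-owned state: `// Removing the resource disables default encryption for the whole account/region, even if it was enabled before Terraform managed it; there is no prior state to restore.` For comparison, the Delete of aws_ebs_default_kms_key in this series only resets to the AWS-managed key, so the two resources behave differently on destroy and the difference deserves a sentence in each.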
diff --git a/aws/resource_aws_ebs_encryption_by_default_test.go b/aws/resource_aws_ebs_encryption_by_default_test.go index 606b4e68e72..bc72b737dae 100644 --- a/aws/resource_aws_ebs_encryption_by_default_test.go +++ b/aws/resource_aws_ebs_encryption_by_default_test.go @@ -14,8 +14,9 @@ func TestAccAWSEBSEncryptionByDefault_basic(t *testing.T) { resourceName := "aws_ebs_encryption_by_default.test" resource.ParallelTest(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAwsEncryptionByDefaultDestroy, Steps: []resource.TestStep{ { Config: testAccAwsEbsEncryptionByDefaultConfig(false), @@ -35,6 +36,21 @@ func TestAccAWSEBSEncryptionByDefault_basic(t *testing.T) { }) } +func testAccCheckAwsEncryptionByDefaultDestroy(s *terraform.State) error { + conn := testAccProvider.Meta().(*AWSClient).ec2conn + + response, err := conn.GetEbsEncryptionByDefault(&ec2.GetEbsEncryptionByDefaultInput{}) + if err != nil { + return err + } + + if aws.BoolValue(response.EbsEncryptionByDefault) != false { + return fmt.Errorf("EBS encryption by default not disabled on resource removal") + } + + return nil +} + func testAccCheckEbsEncryptionByDefault(n string, enabled bool) resource.TestCheckFunc { return func(s *terraform.State) error { rs, ok := s.RootModule().Resources[n] diff --git a/website/docs/r/ebs_encryption_by_default.html.markdown b/website/docs/r/ebs_encryption_by_default.html.markdown index 3de073dc3fd..73756f4ca28 100644 --- a/website/docs/r/ebs_encryption_by_default.html.markdown +++ b/website/docs/r/ebs_encryption_by_default.html.markdown 
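Review bot: `if aws.BoolValue(response.EbsEncryptionByDefault) != false {` in testAccCheckAwsEncryptionByDefaultDestroy compares a bool against a literal; `if aws.BoolValue(response.EbsEncryptionByDefault) {` says the same thing and is what staticcheck flags (S1002). The helper's name also drops the `Ebs` every sibling in this file carries (testAccCheckEbsEncryptionByDefault, testAccAwsEbsEncryptionByDefaultConfig); `testAccCheckAwsEbsEncryptionByDefaultDestroy` keeps the pattern and needs changing in the `CheckDestroy:` line of the first hunk as well. The error message `"EBS encryption by default not disabled on resource removal"` would be more useful if it also told the reader what the live setting was.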
@@ -10,6 +10,8 @@ description: |- Provides a resource to manage whether default EBS encryption is enabled for your AWS account in the current AWS region. To manage the default KMS key for the region, see the [`aws_ebs_default_kms_key` resource](/docs/providers/aws/r/ebs_default_kms_key.html). +~> **NOTE:** Removing this Terraform resource disables default EBS encryption. + ## Example Usage ```hcl @@ -22,4 +24,4 @@ resource "aws_ebs_encryption_by_default" "example" { The following arguments are supported: -* `enabled` - (Required) Whether or not default EBS encryption is enabled. Valid values are `true` or `false`. +* `enabled` - (Optional) Whether or not default EBS encryption is enabled. Valid values are `true` or `false`. Defaults to `true`.