-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
EBS default encryption #8771
EBS default encryption #8771
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this @ewbankkit! Overall nice work. Please reach out if you have any questions or do not have time for the items. 😄
Delete: resourceAwsEbsDefaultKmsKeyDelete, | ||
|
||
Schema: map[string]*schema.Schema{ | ||
"key_id": { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since the API requires the ARN instead of just the ID, it seems like we should prefer to naming this more clearly (even though its slightly off from the API itself 👍 )
"key_id": { | |
"key_arn": { |
return fmt.Errorf("error creating EBS default KMS key: %s", err) | ||
} | ||
|
||
d.SetId(resource.UniqueId()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we set this to the key ARN/ID instead of a random identifier so its usable in downstream resources? 😄
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently we are allowing the ARN to change and doing a resource update - If we go with using the ARN as the ID then we need to add ForceNew: true
to the key_arn
attribute and remove resourceAwsEbsDefaultKmsKeyUpdate()
. IMHO this is actually a better way of modeling the resource.
) | ||
|
||
func resourceAwsEbsDefaultKmsKey() *schema.Resource { | ||
return &schema.Resource{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should add import support from the get-go, e.g. via the key ARN as the ID 🚀
Importer: &schema.ResourceImporter{
State: schema.ImportStatePassthrough,
},
In the testing:
{
ResourceName: resourceName,
ImportState: true,
ImportStateVerify: true,
},
And the documentation:
## Import
EBS Default KMS Key can be imported with the KMS Key ARN, e.g.
```console
$ terraform import aws_ebs_default_kms_key.example arn:aws:kms:us-east-1:123456789012:key/abcd-1234
```
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since resourceAwsEbsDefaultKmsKeyRead()
doesn't actually use the resource's ID for the AWS API call (there's a single default EBS CMK per region per account) do we want to check that the KMS key ARN passed to terraform import
is really the current default EBS CMK?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the Terraform code corresponding to the imported resource has the same key_arn
value as the ARN passed to terraform import
then I think that having ForceNew
on the key_arn
attribute will cause the resource to be recreated.
ec2conn := testAccProvider.Meta().(*AWSClient).ec2conn | ||
kmsconn := testAccProvider.Meta().(*AWSClient).kmsconn | ||
|
||
alias, err := findKmsAliasByName(kmsconn, "alias/aws/ebs", nil) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice!
return nil | ||
} | ||
|
||
func testAccCheckEbsDefaultKmsKey(name string) resource.TestCheckFunc { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it worth having this function do the inverse of the destroy check?
Create: resourceAwsEbsEncryptionByDefaultCreate, | ||
Read: resourceAwsEbsEncryptionByDefaultRead, | ||
Update: resourceAwsEbsEncryptionByDefaultUpdate, | ||
Delete: resourceAwsEbsEncryptionByDefaultDelete, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we are going to do nothing in the Delete
function, this can use schema.Noop
instead of a custom function.
Delete: resourceAwsEbsEncryptionByDefaultDelete, | |
Delete: schema.Noop, |
The documentation in that case should also explicitly state that it is only removing Terraform's management of the setting.
Instead of an empty Delete
function though, I think a better user experience would be do disable encryption when this resource is removed. 👍
func TestAccAWSEBSEncryptionByDefault_basic(t *testing.T) { | ||
resourceName := "aws_ebs_encryption_by_default.test" | ||
|
||
resource.ParallelTest(t, resource.TestCase{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the Delete
function is to remain empty, can you please add an explicit CheckDestroy: nil,
to this TestCase
?
Ideally though, this resource seems like it should enable encryption by default when its added and disable encryption when its removed. The CheckDestroy
in that case would verify that encryption is disabled. 😄
|
||
~> **NOTE:** Creating an `aws_ebs_default_kms_key` resource does not enable default EBS encryption. Use the [`aws_ebs_encryption_by_default`](ebs_encryption_by_default.html) to enable default EBS encryption. | ||
|
||
~> **NOTE:** Destroying this resource will reset the default CMK to the account's AWS-managed default CMK for EBS. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
💯
Code review changes. Co-Authored-By: Brian Flad <bflad417@gmail.com>
Code review changes. Co-Authored-By: Brian Flad <bflad417@gmail.com>
Review comments addressed. $ make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSEBSEncryptionByDefault_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -parallel 20 -run=TestAccAWSEBSEncryptionByDefault_ -timeout 120m
=== RUN TestAccAWSEBSEncryptionByDefault_basic
=== PAUSE TestAccAWSEBSEncryptionByDefault_basic
=== CONT TestAccAWSEBSEncryptionByDefault_basic
--- PASS: TestAccAWSEBSEncryptionByDefault_basic (25.52s)
PASS
ok github.com/terraform-providers/terraform-provider-aws/aws 25.542s
$ make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSEBSDefaultKmsKey_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -parallel 20 -run=TestAccAWSEBSDefaultKmsKey_ -timeout 120m
=== RUN TestAccAWSEBSDefaultKmsKey_basic
=== PAUSE TestAccAWSEBSDefaultKmsKey_basic
=== CONT TestAccAWSEBSDefaultKmsKey_basic
--- PASS: TestAccAWSEBSDefaultKmsKey_basic (46.26s)
PASS
ok github.com/terraform-providers/terraform-provider-aws/aws 46.284s |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great, thanks so much, @ewbankkit 🚀
--- PASS: TestAccAWSEBSEncryptionByDefault_basic (15.29s)
--- PASS: TestAccAWSEBSDefaultKmsKey_basic (40.03s)
This has been released in version 2.16.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
Community Note
Fixes #8760.
Release note for CHANGELOG:
Output from acceptance testing: