Unable to create an encrypted Aurora cluster from a non-encrypted snapshot #3503
Comments
I had the same behavior with: Terraform v0.11.5 Passing a non-encrypted snapshot to the resource aws_rds_cluster that has declared both |
Think it has to do with this: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Enabling
so you first need to "Copy Snapshot" https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CopySnapshot.html
|
This is definitely a bug specific to RDS Aurora engine. @Tazer documentation is confusing. If you look for fine print, the copy-to-encrypted step is not needed for Aurora. You actually can't do that for Aurora snapshots. Instead, for Aurora you can restore a non-encrypted snapshot to an encrypted cluster (this has been verified to work).
See: https://aws.amazon.com/premiumsupport/knowledge-center/encrypt-rds-snapshots/ |
I've verified via CloudTrail that it's terraform that sends Just want to be clear that this is NOT an RDS behavior that is forcing the cluster to be unencrypted because the snapshot is unencrypted. I've verified that RDS can do what is being asked here just fine. |
The bug is still in 1.52.0. This causes problems when a team wants to migrate from an un-encrypted database to an encrypted one. Setting storage_encrypted = 'true', the kms_key_id attribute (which by the way should have been called kms_key_arn to begin with) and snapshot_identifier creates an un-encrypted cluster. |
Just had this issue as well:
Trying to create an encrypted Aurora cluster from an unencrypted snapshot results in an unencrypted Aurora Cluster. EDIT: Actually to fix this for me, I just needed to add |
It happens with CloudFormation as well. How did you verify RDS can do what it's being asked? For CloudFormation I use the same set of parameters, storage encrypted: true both in cluster and in db, unencrypted snapshot, and it creates an unencrypted cluster in RDS. |
We are also facing issues with this. |
Any update on this one? Has this been fixed and I missed it in the change log? |
Hi @nakoa-mccullough-foundant 👋 We didn't have an explicit acceptance test for this functionality in our codebase yet, but adding one now, it does appear to work as expected. Please note that currently the |
@bflad - Wow, that was quick, thanks for jumping on this. |
…s_key_id and lack of storage_encrypted, add testing and documentation

Reference: #3503

Output from acceptance testing:

```
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_KmsKeyId (395.41s)
```
As mentioned above, this functionality worked previously, but it required |
This has been released in version 3.14.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
This issue was originally opened by @vr001 as hashicorp/terraform#17418. It was migrated here as a result of the provider split. The original body of the issue is below.
Hi there,
AWS suggests to create an encrypted Aurora cluster from a non encrypted cluster by taking a snapshot of it and restoring with KMS key id and storage encrypted parameter. I can do that on the console.
Terraform Version
Terraform Configuration Files
Debug Output
It's really huge. Let me know if there is anything specific that I can provide.
Outputs:
Crash Output
No crash, it goes through fine.
Expected Behavior
It should have created an encrypted Aurora cluster.
Actual Behavior
It created a non-encrypted Aurora cluster.
https://docs.aws.amazon.com/cli/latest/reference/rds/describe-db-clusters.html output
'StorageEncrypted': False,
Steps to Reproduce
Please list the full steps required to reproduce the issue, for example:
terraform init
terraform apply
Additional Context
I am using a wrapper around Terraform and also in Gitlab CI, but I don't think that's an issue.
References
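The issue body confirms the failure by reading `StorageEncrypted` from `describe-db-clusters` output after an apply that reported no error. The following is an added example, not code from the issue or the provider, of a post-apply check over that output; the cluster names, key ARN and function name are constructed placeholders.

```python
import json

# Placeholder key ARN and constructed sample shaped like
# `aws rds describe-db-clusters` JSON output (not taken from the issue).
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-A"
SAMPLE_RESPONSE = json.loads("""
{"DBClusters": [
  {"DBClusterIdentifier": "restored-plain", "StorageEncrypted": false},
  {"DBClusterIdentifier": "restored-ok", "StorageEncrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-A"},
  {"DBClusterIdentifier": "restored-wrong-key", "StorageEncrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-B"}
]}
""")
# Hypothetical intent: cluster identifier -> KMS key ARN the configuration asked for
# (None means "any key is acceptable, but storage must be encrypted").
EXPECTED = {"restored-plain": KEY_A, "restored-ok": KEY_A,
            "restored-wrong-key": KEY_A, "restored-missing": KEY_A}


def audit_cluster_encryption(response, expected_keys):
    """Return (cluster_id, problem) tuples for clusters not encrypted as intended."""
    findings, seen = [], set()
    for cluster in response.get("DBClusters", []):
        cid = cluster.get("DBClusterIdentifier", "<unknown>")
        seen.add(cid)
        if cid not in expected_keys:
            continue  # not a cluster we were asked to check
        # Fail closed: a missing or non-boolean field counts as unencrypted.
        if cluster.get("StorageEncrypted") is not True:
            findings.append((cid, "StorageEncrypted is not true"))
            continue
        want, got = expected_keys[cid], cluster.get("KmsKeyId")
        if want is not None and got != want:
            findings.append((cid, f"KmsKeyId is {got!r}, expected {want!r}"))
    # A cluster we expected but never saw is also a finding, not a pass.
    for cid in sorted(set(expected_keys) - seen):
        findings.append((cid, "cluster not present in response"))
    return findings


if __name__ == "__main__":
    for cid, problem in audit_cluster_encryption(SAMPLE_RESPONSE, EXPECTED):
        print(f"FAIL {cid}: {problem}")
```

Run as a pipeline step after `terraform apply`, a non-empty result is the signal to fail the job, since the apply itself goes through without error in the scenario reported here.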