From 8b904064caf4b990e2a61c7fb94c876f6aa33997 Mon Sep 17 00:00:00 2001 From: Brian Flad Date: Thu, 29 Oct 2020 14:02:36 -0400 Subject: [PATCH] resource/aws_rds_cluster: Prevent restored cluster recreation with kms_key_id and lack of storage_encrypted, add testing and documentation Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/3503 Output from acceptance testing: ``` --- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_KmsKeyId (395.41s) ``` --- aws/resource_aws_rds_cluster.go | 12 +---- aws/resource_aws_rds_cluster_test.go | 67 ++++++++++++++++++++++++ website/docs/r/rds_cluster.html.markdown | 2 +- 3 files changed, 69 insertions(+), 12 deletions(-) diff --git a/aws/resource_aws_rds_cluster.go b/aws/resource_aws_rds_cluster.go index 79845c07f2a..eebd1ecb547 100644 --- a/aws/resource_aws_rds_cluster.go +++ b/aws/resource_aws_rds_cluster.go @@ -212,18 +212,8 @@ func resourceAwsRDSCluster() *schema.Resource { "storage_encrypted": { Type: schema.TypeBool, Optional: true, + Computed: true, ForceNew: true, - DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool { - // Allow configuration to be unset when using engine_mode serverless, as its required to be true - // InvalidParameterCombination: Aurora Serverless DB clusters are always encrypted at rest. Encryption can't be disabled. - if d.Get("engine_mode").(string) != "serverless" { - return false - } - if new != "false" { - return false - } - return true - }, }, "s3_import": { diff --git a/aws/resource_aws_rds_cluster_test.go b/aws/resource_aws_rds_cluster_test.go index a5b435ede8c..82550db5cbe 100644 --- a/aws/resource_aws_rds_cluster_test.go +++ b/aws/resource_aws_rds_cluster_test.go @@ -1817,6 +1817,46 @@ func TestAccAWSRDSCluster_SnapshotIdentifier_EngineVersion_Equal(t *testing.T) { }) } +func TestAccAWSRDSCluster_SnapshotIdentifier_KmsKeyId(t *testing.T) { + var dbCluster, sourceDbCluster rds.DBCluster + var dbClusterSnapshot rds.DBClusterSnapshot + + rName := acctest.RandomWithPrefix("tf-acc-test") + kmsKeyResourceName := "aws_kms_key.test" + sourceDbResourceName := "aws_rds_cluster.source" + snapshotResourceName := "aws_db_cluster_snapshot.test" + resourceName := "aws_rds_cluster.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSDBInstanceDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSRDSClusterConfig_SnapshotIdentifier_KmsKeyId(rName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSClusterExists(sourceDbResourceName, &sourceDbCluster), + testAccCheckDbClusterSnapshotExists(snapshotResourceName, &dbClusterSnapshot), + testAccCheckAWSClusterExists(resourceName, &dbCluster), + resource.TestCheckResourceAttrPair(resourceName, "kms_key_id", kmsKeyResourceName, "arn"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{ + "apply_immediately", + "cluster_identifier_prefix", + "master_password", + "skip_final_snapshot", + "snapshot_identifier", + }, + }, + }, + }) +} + func TestAccAWSRDSCluster_SnapshotIdentifier_MasterPassword(t *testing.T) { var dbCluster, sourceDbCluster rds.DBCluster var dbClusterSnapshot rds.DBClusterSnapshot @@ -3632,6 +3672,33 @@ resource "aws_rds_cluster" "test" { `, rName, engine, engineVersionSource, rName, rName, engine, engineVersion) } +func testAccAWSRDSClusterConfig_SnapshotIdentifier_KmsKeyId(rName string) string { + return fmt.Sprintf(` +resource "aws_kms_key" "test" { + deletion_window_in_days = 7 +} + +resource "aws_rds_cluster" "source" { + cluster_identifier = "%[1]s-source" + master_password = "barbarbarbar" + master_username = "foo" + skip_final_snapshot = true +} + +resource "aws_db_cluster_snapshot" "test" { + db_cluster_identifier = aws_rds_cluster.source.id + db_cluster_snapshot_identifier = %[1]q +} + +resource "aws_rds_cluster" "test" { + cluster_identifier = %[1]q + kms_key_id = aws_kms_key.test.arn + skip_final_snapshot = true + snapshot_identifier = aws_db_cluster_snapshot.test.id +} +`, rName) +} + func testAccAWSRDSClusterConfig_SnapshotIdentifier_MasterPassword(rName, masterPassword string) string { return fmt.Sprintf(` resource "aws_rds_cluster" "source" { diff --git a/website/docs/r/rds_cluster.html.markdown b/website/docs/r/rds_cluster.html.markdown index 0064ccf50f6..91da320cd74 100644 --- a/website/docs/r/rds_cluster.html.markdown +++ b/website/docs/r/rds_cluster.html.markdown @@ -129,7 +129,7 @@ The following arguments are supported: * `skip_final_snapshot` - (Optional) Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from `final_snapshot_identifier`. Default is `false`. * `snapshot_identifier` - (Optional) Specifies whether or not to create this cluster from a snapshot. You can use either the name or ARN when specifying a DB cluster snapshot, or the ARN when specifying a DB snapshot. * `source_region` - (Optional) The source region for an encrypted replica DB cluster. -* `storage_encrypted` - (Optional) Specifies whether the DB cluster is encrypted. The default is `false` for `provisioned` `engine_mode` and `true` for `serverless` `engine_mode`. +* `storage_encrypted` - (Optional) Specifies whether the DB cluster is encrypted. The default is `false` for `provisioned` `engine_mode` and `true` for `serverless` `engine_mode`. When restoring an unencrypted `snapshot_identifier`, the `kms_key_id` argument must be provided to encrypt the restored cluster. Terraform will only perform drift detection if a configuration value is provided. * `tags` - (Optional) A map of tags to assign to the DB cluster. * `vpc_security_group_ids` - (Optional) List of VPC security groups to associate with the Cluster