Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New Data Source: aws_kms_secrets and add DeprecationMessage to aws_kms_secret data source #5195

Merged
merged 6 commits into from
Jul 25, 2018

Conversation

bflad
Copy link
Contributor

@bflad bflad commented Jul 14, 2018

Fixes #5144

Changes proposed in this pull request:

  • New Data Source: aws_kms_secrets -- the code acts very similar to the existing data source but changes from dynamic attributes to a static TypeMap attribute
  • Add DeprecationMessage to existing aws_kms_secret data source and provide migration documentation in the new data source

Output from acceptance testing:

$ make testacc TEST=./aws TESTARGS='-run=TestAccAWSKmsSecretsDataSource_basic'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -run=TestAccAWSKmsSecretsDataSource_basic -timeout 120m
=== RUN   TestAccAWSKmsSecretsDataSource_basic
--- PASS: TestAccAWSKmsSecretsDataSource_basic (91.44s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	91.476s

@bflad bflad added new-data-source Introduces a new data source. service/kms Issues and PRs that pertain to the kms service. labels Jul 14, 2018
@bflad bflad requested review from apparentlymart and a team July 14, 2018 16:38
@ghost ghost added the size/L Managed by automation to categorize the size of a PR. label Jul 14, 2018
Copy link
Contributor

@apparentlymart apparentlymart left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me! I left some minor feedback inline about docs and warning output.

Since I'm pretty rusty on AWS provider development these days I suggest also having someone else look at the details here, since my review focused more on the user-facing schema, docs, etc than on the details of the AWS calls.

@@ -13,7 +13,8 @@ import (

func dataSourceAwsKmsSecret() *schema.Resource {
return &schema.Resource{
Read: dataSourceAwsKmsSecretRead,
DeprecationMessage: "This data source will change or be removed in Terraform AWS provider version 2.0. Please see migration information available in: https://www.terraform.io/docs/providers/aws/d/kms_secrets.html",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know if we have precedent for provider-specific "upgrade guides" on the website, but I feel like it'd be better to gather that information on a version-specific upgrade page like we do for Core, since that way that information is obviously attached to a particular version of the provider and we won't get into a confusing situation where in future this page might no longer contain the migration information this message refers to but older builds of the provider are still out there in the wild.

If there isn't already a precedent for this then I guess we'll need to come up with a convention. My first idea would be a doc URL like /docs/providers/aws/upgrade-guides/1-28.html, which mimics our core-oriented upgrade guide URL structure /upgrade-guides/0-12.html, but I'm not wedded to that.

description: |-
Provides secret data encrypted with the KMS service
---

# Data Source: aws_kms_secret

!> **WARNING:** The `aws_kms_secret` data source contains behavior that cannot be supported on Terraform 0.12+ and it will either introduce breaking changes or be removed completely in the next major version (2.0.0) of the AWS provider. You can migrate existing Terraform configurations to the `aws_kms_secrets` data source, which closely resembles this data source, following instructions available in the [`aws_kms_secrets` data source documentation](/docs/providers/aws/d/kms_secrets.html).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is subjective, but I feel like we should be more direct in what we are telling users to do here. Something like:

WARNING: This data source is deprecated and will be removed in a future version of the AWS provider. Use the replacement data source aws_kms_secrets instead for new configurations.

While indeed it's not necessarily true that it'll be removed entirely, I don't think the "may introduce changes or be removed" really adds anything to the main takeaway for this paragraph, which is "stop using this data source".

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with @apparentlymart here that he need a more direct way to say what is specifically happening when 0.12 drops

@RulerOf
Copy link
Contributor

RulerOf commented Jul 18, 2018

@bflad just want to confirm that, based on the documentation I read in your commits, this would definitely fix #5040

@apparentlymart
Copy link
Contributor

@RulerOf assuming I understood your use-case correctly, I believe this would get you what you were looking for in #5040, albeit with the attribute called plaintext rather than result:

aws_kms_secrets.example.plaintext["my-secret-name"]

Copy link
Member

@mbfrahry mbfrahry left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. There is the note about moving some of the migration documentation out into it's own pages but that'll take more thought to get right


* `plaintext` - Map containing each `secret` `name` as the key with its decrypted plaintext value

## Migrating From aws_kms_secret Data Source Prior to Terraform AWS Provider Version 2.0
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is going to far for this doc and needs to be moved to it's own Provider Version 2.0 migration page as @apparentlymart was suggesting. I think for right now this is fine but definitely a thing to think about as more resources require changes as this one does with major version bumps.

bflad added 2 commits July 24, 2018 15:04
Add DeprecationMessage to existing aws_kms_secret data source
@bflad bflad force-pushed the td-aws_kms_secrets branch from e006236 to a56d48d Compare July 24, 2018 19:31
@ghost ghost added the size/L Managed by automation to categorize the size of a PR. label Jul 24, 2018
@bflad
Copy link
Contributor Author

bflad commented Jul 24, 2018

@apparentlymart / @mbfrahry I created an initial version 2 upgrade guide (bare bones with just this information for now but will eventually need the other 29+ existing deprecations) -- can you please take another look?

@ghost ghost added the size/L Managed by automation to categorize the size of a PR. label Jul 24, 2018
@ghost ghost added size/XL Managed by automation to categorize the size of a PR. and removed size/L Managed by automation to categorize the size of a PR. labels Jul 24, 2018
@bflad
Copy link
Contributor Author

bflad commented Jul 24, 2018

I've added most of the current attribute deprecations into the version 2 upgrade guide. 👍

Copy link
Contributor

@apparentlymart apparentlymart left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some minor things inline. Feel free to ignore them or not; no need for another round of review from me, regardless.

Given the scope of the upgrade guide is similar to the changelog, it might work out logistically better to commit it separately like we do with changelog updates, but if you're able to turn around merging this quickly so that it doesn't end up becoming stale due to other changes then I guess it's a moot point.

description: |-
Provides secret data encrypted with the KMS service
---

# Data Source: aws_kms_secret

!> **WARNING:** This data source is deprecated and will be removed in the next major version (2.0.0) of the AWS provider. You can migrate existing Terraform configurations to the [`aws_kms_secrets` data source](/docs/providers/aws/d/kms_secrets.html) following instructions available in the [Terraform AWS Provider Version 2 Upgrade Guide](/docs/providers/aws/guides/version-2-upgrade.html).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a minor thing again, but since we're already in the context of the AWS provider I think it'd be fine to just say "the upgrade guide" here, to keep things concise. (Users are more likely to read this if it has fewer words in it.)

Given the length of that upgrade guide page, probably also best to link to the #data-sourceaws_kms_secret fragment so users don't get lost.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great suggestions! Shorted the verbiage of the warning header more and deep linked to the proper section here and in the resource DeprecationMessage 👍


<!-- /TOC -->

## data-source/aws_iam_role
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This "data-source/name" style is not something I've seen us use anywhere else. I'd probably instead just write out ## aws_iam_role data source to match how we usually talk about these things.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My brain was definitely in CHANGELOG mode here. 😅 Switched these to Data Source: X and Resource: X -- added bonus is that this made the anchor links prettier, e.g. #data-source-aws_kms_secret


### assume_role_policy Attribute Removal

Switch your attribute references to the `assume_role_policy` attribute instead.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems to be suggesting to replace the assume_role_policy name with itself. I assume one of these is supposed to say something else! 😀

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Phew! Thanks for catching that copypasta mistake. 🍝 Fixed!

* docs/guides/version-2-upgrade: Use friendlier headers
* data-source/aws_kms_secret: Link directly to migration section in deprecation notice
* docs/data-source/aws_kms_secret: Link directly to migration section in deprecation notice
* docs/guides/version-2-upgrade: Add guide introduction
* docs/guides/version-2-upgrade: Add Provider Version Configuration section
* docs/guides/version-2-upgrade: Fix assume_role_policy_document copy-paste typo
@ghost ghost added the size/XL Managed by automation to categorize the size of a PR. label Jul 25, 2018
…ection for availability_zones

Other minor changes:
* Clarify Terraform run output to Terraform plan/apply output
* Additional clarification that aws_redshift_cluster enable_logging became just enable under the logging argument
@bflad bflad added this to the v1.29.0 milestone Jul 25, 2018
@bflad bflad merged commit 4b43b33 into master Jul 25, 2018
@bflad bflad deleted the td-aws_kms_secrets branch July 25, 2018 01:31
bflad added a commit that referenced this pull request Jul 25, 2018
@bflad
Copy link
Contributor Author

bflad commented Jul 26, 2018

This has been released in version 1.29.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

bflad added a commit that referenced this pull request Feb 23, 2019
… message

References:
* #5144
* #5195

The `aws_kms_secret` data source uses dynamic attribute functionality which is not supported in Terraform 0.12 and later. Available since Terraform AWS Provider version 1.29.0, operators should migrate to the `aws_kms_secrets` data source, which uses a `plaintext` map attribute. Additional information can be found in the Version 2 Upgrade Guide: https://www.terraform.io/docs/providers/aws/guides/version-2-upgrade.html#data-source-aws_kms_secret

Output from Terraform 0.11 attempted usage:

```
terraform apply
data.aws_kms_secret.testing: Refreshing state...

Error: Error refreshing state: 1 error(s) occurred:

* data.aws_kms_secret.testing: 1 error(s) occurred:

* data.aws_kms_secret.testing: data.aws_kms_secret.testing: This data source has been replaced with the `aws_kms_secrets` data source. Upgrade information is available at: https://www.terraform.io/docs/providers/aws/guides/version-2-upgrade.html#data-source-aws_kms_secret
```

Output from Terraform 0.12 attempted usage (we cannot return the proper error message if there are references, however capturing the output here in case some one is searching for this in the future):

```
$ terraform apply

Error: Unsupported block type

  on main.tf line 10, in data "aws_kms_secret" "testing":
  10:     context {

Blocks of type "context" are not expected here. Did you mean to define
argument "context"? If so, use the equals sign to assign it a value.

$ terraform 0.12upgrade -yes
$ terraform apply

Error: Unsupported attribute

  on main.tf line 17, in output "testing":
  17:   value = data.aws_kms_secret.testing.secret_name

This object has no argument, nested block, or exported attribute named
"secret_name".
```

Output from Terraform 0.11 acceptance testing:

```
--- PASS: TestAccAWSKmsSecretDataSource_removed (2.05s)
```

Output from Terraform 0.12 acceptance testing:

```
--- PASS: TestAccAWSKmsSecretDataSource_removed (2.18s)
```
@ghost
Copy link

ghost commented Apr 4, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 4, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
new-data-source Introduces a new data source. service/kms Issues and PRs that pertain to the kms service. size/XL Managed by automation to categorize the size of a PR.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

aws_kms_secret is using private SDK feature that will no longer work after Core 0.12
4 participants