resource/aws_elasticsearch_domain: Add support for encrypt_at_rest #2632
Conversation
For now just adds encrypt at rest when creating an ES domain, doesn't yet handle reading encrypt at rest options so will likely cause Terraform to rebuild the domain on the next operation. The AWS console handily creates a service KMS key for ES when you are creating an encrypted ES domain via the console. This resource doesn't currently do that but that functionality could be added.
|
As mentioned, I think a second operation will show it wanting to rebuild the ES domain because it hasn't read the encrypt at rest options back from the API right now but the test is passing: and I can see the domain is encrypted before it's deleted by the test: I'll sort the read part tomorrow and see if I can add a test for it too. As briefly mentioned in #2548 (comment) should I be checking the attributes of the ES domain are what I expect? This is what I've done elsewhere but this resource doesn't seem to do that and I'm unsure why. |
| Computed: true, | ||
| Elem: &schema.Resource{ | ||
| Schema: map[string]*schema.Schema{ | ||
| "enabled": { |
There was a problem hiding this comment.
What purpose does this bool serve here? I think the behavior should be:
- If
kms_key_idis given, create the ES with thekms_key_id - If
kms_key_idis not given, create the ES without thekms_key_id - When things change, delete and create the es domain
IMHO makes the implementation way simpler
There was a problem hiding this comment.
I was mirroring the API which takes those as options. I did consider setting it automatically when kms_key_id is set but it would prevent you from having Terraform encrypt it with the service KMS key that you get by default when using the console to create an encrypted domain.
The aws_db_instance resource has them as separate parameters to the resource (rather than an options block) and defaults to using the service KMS key if kms_key_id isn't specified but that's largely because the API looks that way.
There was a problem hiding this comment.
Yea true. Does AWS API create a default key if only enable is passed? If so, then having enable makes sense. If not, I am not sure whether kms key creation is within the scope of this resource.
For example, when adding triggers to lambda functions via aws console, aws does a lot of stuff in the background like creating IAM roles and adding policies and stuff. However in Terraform we don't do it and all the resources required to trigger a lambda function must be created.
There was a problem hiding this comment.
Yeah looks like it does, added a test that runs without specifying the key id and that works nicely without needing to do anything extra which is neat.
radeksimko
added
the
enhancement
| options := v.([]interface{}) | ||
|
|
||
| if len(options) > 1 { | ||
| return fmt.Errorf("Only a single encrypt_at_rest block is expected") |
There was a problem hiding this comment.
I think we should also validate the instance types here since, like you mentioned, not all instance types support encryption at rest. I saw a similar approach in t2.unlimited PR. I thought it was 🆒 :)
There was a problem hiding this comment.
I don't think that will run at plan time though so it's just returning a different error to what you'll get from the AWS API on apply time. You already get the following error on apply (and immediately):
Error: Error applying plan:
1 error(s) occurred:
* aws_elasticsearch_domain.elasticsearch: 1 error(s) occurred:
* aws_elasticsearch_domain.elasticsearch: InvalidTypeException: Encryption at rest is not supported with t2.small.elasticsearch instances
status code: 409, request id: 085a21b5-df33-11e7-babb-3f32bfcf1d9b
Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.
From memory the validatefuncs in the schema can't validate different parameters to a resource (so you can't put a validatefunc on the encrypted parameter that checks what the instance_type is set to) so we can't put it there unfortunately to give us a plan time failure.
There was a problem hiding this comment.
(Also, hardcoding what instance types support encryption in the provider means that the list has to be re-synchronized if it changes, and people need to wait for a new release of the provider, or you have to give them an override command-line flag... Too much complexity for little benefit, IMO!)
There was a problem hiding this comment.
I agree with @Puneeth-n here that we should move validation to the schema here.
@tomelliff you're also right that ValidateFunc can't help in this context, but we can use MaxItems: 1 which should do the job. 😉
There was a problem hiding this comment.
That's nice, means I can remove some logic there. Is it worth doing the same to some of the other blocks that are using that other style? Or (if you do want it changing) would you prefer that in a separate PR?
tomelliff
changed the title
|
Updated docs. Building the provider locally it seems to work as is although I'm wary that there's nothing to read the encryption config from the API right now and trying to work out if we actually need to cover this considering changing this forces a recreation. Right now when you build an encrypted or unencrypted ES domain the state has the encrypt_at_rest config already so it's enough to know if you change this that it needs to recreate the domain. The only thing I can think of is someone could Terraform an unencrypted ES domain, someone could then delete the existing domain and recreate it as encrypted outside of Terraform and then update Terraform to want an encrypted domain and Terraform would rebuild the ES domain needlessly. This seems like an odd thing to do but maybe it's worth reading the config from the API just to cover it anyway? Are there any other things that could cause the lack of reading the encrypted config to do bad things? |
If you don't specify a KMS key then AWS will use the account's service KMS key (which is created for you automatically if you don't already have it).
tomelliff
force-pushed
the
es-encrypt-at-rest
branch
from
703daea to
5d1b545
Compare
|
Okay, think this is done now. Added code to read the KMS key from the AWS API. I noticed that the API takes a KMS key id in short form but reading the ES domain config on the API always returns the full ARN of the KMS key so I suppress the diff in that case. |
|
Tests passing locally: |
|
+1 Thanks a bunch. |
|
Hey guys, when do you think it's going to be merged? |
|
Can this be merged now? Would love to make use of this to rebuild my ElasticSearch with encryption |
|
+1 for merge - would use it asap in our terraform |
ditto |
|
+1 |
1 similar comment
|
+1 |
|
Can't wait to use it |
Me either. No, literally - we manually created the cluster until this is ready. Please please please let's get this in! |
|
merge plz |
|
+1 merge please |
|
Just seen the merge conflicts but I'll hang off on fixing them until there's been a review on this if that's okay? Also, for those not aware but wanting to add their 👍 to this pull request, Github allows you to add a reaction to any specific post by clicking the +(smiley face) in the top right of the post which shows everyone that you want this feature (or disagree with a 👎 or equivalent) without spamming everyone subscribed to the pull request with emails. |
radeksimko
added
the
service/elasticsearch
|
+1 Can the feature be merged soon? |
There was a problem hiding this comment.
Hi @tomelliff
sorry for the delay in reviewing this. It's looking pretty good! I just left you 2 comments.
Also do you mind resolving the conflicts in docs?
I'd like to merge this early next week and ship by the end of that week, so I'm willing to take it to the finish line myself if you don't have any time left, just let me know 😉
aws/structure.go
Outdated
| @@ -1045,6 +1045,32 @@ func expandESEBSOptions(m map[string]interface{}) *elasticsearch.EBSOptions { | |||
| return &options | |||
| } | |||
|
|
|||
| func flattenESEncryptAtRestOptions(o *elasticsearch.EncryptionAtRestOptions) []map[string]interface{} { | |||
| m := map[string]interface{}{} | |||
There was a problem hiding this comment.
Can you also add a nil check here, just to avoid potential crashes? 😉
We can just return empty []map[string]interface{}{} in such case.
There was a problem hiding this comment.
Not sure I follow that, what would cause the crash? If o is nil doesn't it already return an empty []map[string]interface{}{} due to the nil checks on o.Enabled and o.KmsKeyId?
There was a problem hiding this comment.
If o is nil doesn't it already return an empty []map[string]interface{}{} due to the nil checks on o.Enabled and o.KmsKeyId?
No, it will crash on line 1052 in such case because that condition is trying to access a field of a struct which isn't struct, but nil. In other words that condition is one step ahead.
There was a problem hiding this comment.
Right, sorry, completely missed that for some reason. Fixed now, thanks for the review.
There was a problem hiding this comment.
No worries 😸 That's why we do reviews.
| @@ -13,6 +13,7 @@ import ( | |||
| "github.com/hashicorp/errwrap" | |||
| "github.com/hashicorp/terraform/helper/resource" | |||
| "github.com/hashicorp/terraform/helper/schema" | |||
| "strings" | |||
There was a problem hiding this comment.
Nitpick: Do you mind moving this import above? We tend to follow the convention of grouping stdlib imports and keeping them at the top per https://github.com/golang/go/wiki/CodeReviewComments#imports
There was a problem hiding this comment.
Aha, didn't spot that gofmt and/or Goland's import optimiser doesn't do this for you. Seems odd that goimports seems to add newlines between stdlib stuff when adding it and then gofmt won't rectify that either which is annoying considering gofmt is so good otherwise.
radeksimko
added
the
waiting-response
Fixed merge conflict Conflicts: aws/resource_aws_elasticsearch_domain.go
|
Are you planning on squashing this PR or would you prefer me to rebase things to clean up the commit history and the merge? |
radeksimko
changed the title
I'm going to do that as part of merging this PR, so no worries. |
radeksimko
removed
the
waiting-response
|
Thanks for the reviews and the merge :) |
|
This has been released in terraform-provider-aws version 1.8.0. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. |
|
danke! |
|
@tomelliff above pasted AWS cloud formation is not working. Highlighted field KMS encryption is also not in AWS documentation .
Do we have other option to solve this cloud formation issue ? |
|
What Cloudformation issue? This added support for it to Terraform, not Cloudformation. |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked and limited conversation to collaborators
Adds encrypt at rest on ES domains.
Will close #2591