Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

EBS default encryption #8771

Merged
merged 8 commits into from
Jun 20, 2019
Merged

EBS default encryption #8771

merged 8 commits into from
Jun 20, 2019

Conversation

ewbankkit
Copy link
Contributor

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Fixes #8760.

Release note for CHANGELOG:

FEATURES:

* New Resource: `aws_ebs_encryption_by_default`
* New Resource: `aws_ebs_default_kms_key`

Output from acceptance testing:

$ make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSEBSEncryptionByDefault_'==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -parallel 20 -run=TestAccAWSEBSEncryptionByDefault_ -timeout 120m
=== RUN   TestAccAWSEBSEncryptionByDefault_basic
=== PAUSE TestAccAWSEBSEncryptionByDefault_basic
=== CONT  TestAccAWSEBSEncryptionByDefault_basic
--- PASS: TestAccAWSEBSEncryptionByDefault_basic (24.04s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	24.079s
$ make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSEBSDefaultKmsKey_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -parallel 20 -run=TestAccAWSEBSDefaultKmsKey_ -timeout 120m
=== RUN   TestAccAWSEBSDefaultKmsKey_basic
=== PAUSE TestAccAWSEBSDefaultKmsKey_basic
=== CONT  TestAccAWSEBSDefaultKmsKey_basic
--- PASS: TestAccAWSEBSDefaultKmsKey_basic (56.43s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	56.464s

@ghost ghost added size/XL Managed by automation to categorize the size of a PR. documentation Introduces or discusses updates to documentation. provider Pertains to the provider itself, rather than any interaction with AWS. service/ec2 Issues and PRs that pertain to the ec2 service. service/kms Issues and PRs that pertain to the kms service. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. labels May 24, 2019
@bflad bflad added the new-resource Introduces a new resource. label Jun 6, 2019
@bflad bflad added this to the v2.15.0 milestone Jun 6, 2019
Copy link
Contributor

@bflad bflad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this @ewbankkit! Overall nice work. Please reach out if you have any questions or do not have time for the items. 😄

Delete: resourceAwsEbsDefaultKmsKeyDelete,

Schema: map[string]*schema.Schema{
"key_id": {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since the API requires the ARN instead of just the ID, it seems like we should prefer to naming this more clearly (even though its slightly off from the API itself 👍 )

Suggested change
"key_id": {
"key_arn": {

return fmt.Errorf("error creating EBS default KMS key: %s", err)
}

d.SetId(resource.UniqueId())
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we set this to the key ARN/ID instead of a random identifier so its usable in downstream resources? 😄

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Currently we are allowing the ARN to change and doing a resource update - If we go with using the ARN as the ID then we need to add ForceNew: true to the key_arn attribute and remove resourceAwsEbsDefaultKmsKeyUpdate(). IMHO this is actually a better way of modeling the resource.

)

func resourceAwsEbsDefaultKmsKey() *schema.Resource {
return &schema.Resource{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should add import support from the get-go, e.g. via the key ARN as the ID 🚀

Importer: &schema.ResourceImporter{
	State: schema.ImportStatePassthrough,
},

In the testing:

{
	ResourceName:      resourceName,
	ImportState:       true,
	ImportStateVerify: true,
},

And the documentation:

## Import

EBS Default KMS Key can be imported with the KMS Key ARN, e.g.

```console
$ terraform import aws_ebs_default_kms_key.example arn:aws:kms:us-east-1:123456789012:key/abcd-1234
```

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since resourceAwsEbsDefaultKmsKeyRead() doesn't actually use the resource's ID for the AWS API call (there's a single default EBS CMK per region per account) do we want to check that the KMS key ARN passed to terraform import is really the current default EBS CMK?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the Terraform code corresponding to the imported resource has the same key_arn value as the ARN passed to terraform import then I think that having ForceNew on the key_arn attribute will cause the resource to be recreated.

ec2conn := testAccProvider.Meta().(*AWSClient).ec2conn
kmsconn := testAccProvider.Meta().(*AWSClient).kmsconn

alias, err := findKmsAliasByName(kmsconn, "alias/aws/ebs", nil)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

return nil
}

func testAccCheckEbsDefaultKmsKey(name string) resource.TestCheckFunc {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it worth having this function do the inverse of the destroy check?

Create: resourceAwsEbsEncryptionByDefaultCreate,
Read: resourceAwsEbsEncryptionByDefaultRead,
Update: resourceAwsEbsEncryptionByDefaultUpdate,
Delete: resourceAwsEbsEncryptionByDefaultDelete,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we are going to do nothing in the Delete function, this can use schema.Noop instead of a custom function.

Suggested change
Delete: resourceAwsEbsEncryptionByDefaultDelete,
Delete: schema.Noop,

The documentation in that case should also explicitly state that it is only removing Terraform's management of the setting.

Instead of an empty Delete function though, I think a better user experience would be do disable encryption when this resource is removed. 👍

func TestAccAWSEBSEncryptionByDefault_basic(t *testing.T) {
resourceName := "aws_ebs_encryption_by_default.test"

resource.ParallelTest(t, resource.TestCase{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the Delete function is to remain empty, can you please add an explicit CheckDestroy: nil, to this TestCase?

Ideally though, this resource seems like it should enable encryption by default when its added and disable encryption when its removed. The CheckDestroy in that case would verify that encryption is disabled. 😄


~> **NOTE:** Creating an `aws_ebs_default_kms_key` resource does not enable default EBS encryption. Use the [`aws_ebs_encryption_by_default`](ebs_encryption_by_default.html) to enable default EBS encryption.

~> **NOTE:** Destroying this resource will reset the default CMK to the account's AWS-managed default CMK for EBS.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💯

aws/resource_aws_ebs_encryption_by_default.go Outdated Show resolved Hide resolved
website/docs/r/ebs_encryption_by_default.html.markdown Outdated Show resolved Hide resolved
@ewbankkit
Copy link
Contributor Author

Review comments addressed.
Re-ran acceptance tests:

$ make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSEBSEncryptionByDefault_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -parallel 20 -run=TestAccAWSEBSEncryptionByDefault_ -timeout 120m
=== RUN   TestAccAWSEBSEncryptionByDefault_basic
=== PAUSE TestAccAWSEBSEncryptionByDefault_basic
=== CONT  TestAccAWSEBSEncryptionByDefault_basic
--- PASS: TestAccAWSEBSEncryptionByDefault_basic (25.52s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	25.542s
$ make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSEBSDefaultKmsKey_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -parallel 20 -run=TestAccAWSEBSDefaultKmsKey_ -timeout 120m
=== RUN   TestAccAWSEBSDefaultKmsKey_basic
=== PAUSE TestAccAWSEBSDefaultKmsKey_basic
=== CONT  TestAccAWSEBSDefaultKmsKey_basic
--- PASS: TestAccAWSEBSDefaultKmsKey_basic (46.26s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	46.284s

@bflad bflad self-assigned this Jun 11, 2019
@bflad bflad modified the milestones: v2.15.0, v2.16.0 Jun 13, 2019
Copy link
Contributor

@bflad bflad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, thanks so much, @ewbankkit 🚀

--- PASS: TestAccAWSEBSEncryptionByDefault_basic (15.29s)
--- PASS: TestAccAWSEBSDefaultKmsKey_basic (40.03s)

@bflad bflad merged commit 3b751f1 into hashicorp:master Jun 20, 2019
bflad added a commit that referenced this pull request Jun 20, 2019
@ewbankkit ewbankkit deleted the issue-8760 branch June 20, 2019 11:32
@bflad
Copy link
Contributor

bflad commented Jun 20, 2019

This has been released in version 2.16.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@ghost
Copy link

ghost commented Nov 3, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 3, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
documentation Introduces or discusses updates to documentation. new-resource Introduces a new resource. provider Pertains to the provider itself, rather than any interaction with AWS. service/ec2 Issues and PRs that pertain to the ec2 service. service/kms Issues and PRs that pertain to the kms service. size/XL Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add support for managing ebs default encryption
2 participants