
Add support for DynamoDB customer managed CMKs for server-side encryption #11081

Merged (1 commit) Jan 29, 2020

Conversation

ewbankkit
Contributor

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Closes #8137.

Release note for CHANGELOG:

resource/aws_dynamodb_table: Support for customer managed CMKs for server-side encryption. Add `kms_key_arn` attribute. Updating `server_side_encryption` attribute no longer recreates the DynamoDB table.
data-source/aws_dynamodb_table: Add `kms_key_arn` attribute.

Output from acceptance testing:

$ make testacc TEST=./aws TESTARGS='-run=TestAccDataSourceAwsDynamoDbTable_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccDataSourceAwsDynamoDbTable_ -timeout 120m
=== RUN   TestAccDataSourceAwsDynamoDbTable_basic
=== PAUSE TestAccDataSourceAwsDynamoDbTable_basic
=== CONT  TestAccDataSourceAwsDynamoDbTable_basic
--- PASS: TestAccDataSourceAwsDynamoDbTable_basic (49.51s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	49.551s
$ make testacc TEST=./aws TESTARGS='-run=TestAccAWSDynamoDbTable_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSDynamoDbTable_ -timeout 120m
=== RUN   TestAccAWSDynamoDbTable_basic
=== PAUSE TestAccAWSDynamoDbTable_basic
=== RUN   TestAccAWSDynamoDbTable_disappears
=== PAUSE TestAccAWSDynamoDbTable_disappears
=== RUN   TestAccAWSDynamoDbTable_disappears_PayPerRequestWithGSI
=== PAUSE TestAccAWSDynamoDbTable_disappears_PayPerRequestWithGSI
=== RUN   TestAccAWSDynamoDbTable_extended
=== PAUSE TestAccAWSDynamoDbTable_extended
=== RUN   TestAccAWSDynamoDbTable_enablePitr
=== PAUSE TestAccAWSDynamoDbTable_enablePitr
=== RUN   TestAccAWSDynamoDbTable_BillingMode_PayPerRequestToProvisioned
=== PAUSE TestAccAWSDynamoDbTable_BillingMode_PayPerRequestToProvisioned
=== RUN   TestAccAWSDynamoDbTable_BillingMode_ProvisionedToPayPerRequest
=== PAUSE TestAccAWSDynamoDbTable_BillingMode_ProvisionedToPayPerRequest
=== RUN   TestAccAWSDynamoDbTable_BillingMode_GSI_PayPerRequestToProvisioned
=== PAUSE TestAccAWSDynamoDbTable_BillingMode_GSI_PayPerRequestToProvisioned
=== RUN   TestAccAWSDynamoDbTable_BillingMode_GSI_ProvisionedToPayPerRequest
=== PAUSE TestAccAWSDynamoDbTable_BillingMode_GSI_ProvisionedToPayPerRequest
=== RUN   TestAccAWSDynamoDbTable_streamSpecification
=== PAUSE TestAccAWSDynamoDbTable_streamSpecification
=== RUN   TestAccAWSDynamoDbTable_streamSpecificationValidation
=== PAUSE TestAccAWSDynamoDbTable_streamSpecificationValidation
=== RUN   TestAccAWSDynamoDbTable_tags
=== PAUSE TestAccAWSDynamoDbTable_tags
=== RUN   TestAccAWSDynamoDbTable_gsiUpdateCapacity
=== PAUSE TestAccAWSDynamoDbTable_gsiUpdateCapacity
=== RUN   TestAccAWSDynamoDbTable_gsiUpdateOtherAttributes
=== PAUSE TestAccAWSDynamoDbTable_gsiUpdateOtherAttributes
=== RUN   TestAccAWSDynamoDbTable_gsiUpdateNonKeyAttributes
=== PAUSE TestAccAWSDynamoDbTable_gsiUpdateNonKeyAttributes
=== RUN   TestAccAWSDynamoDbTable_Ttl_Enabled
=== PAUSE TestAccAWSDynamoDbTable_Ttl_Enabled
=== RUN   TestAccAWSDynamoDbTable_Ttl_Disabled
=== PAUSE TestAccAWSDynamoDbTable_Ttl_Disabled
=== RUN   TestAccAWSDynamoDbTable_attributeUpdate
=== PAUSE TestAccAWSDynamoDbTable_attributeUpdate
=== RUN   TestAccAWSDynamoDbTable_attributeUpdateValidation
=== PAUSE TestAccAWSDynamoDbTable_attributeUpdateValidation
=== RUN   TestAccAWSDynamoDbTable_encryption
=== PAUSE TestAccAWSDynamoDbTable_encryption
=== CONT  TestAccAWSDynamoDbTable_basic
=== CONT  TestAccAWSDynamoDbTable_encryption
=== CONT  TestAccAWSDynamoDbTable_attributeUpdateValidation
=== CONT  TestAccAWSDynamoDbTable_attributeUpdate
=== CONT  TestAccAWSDynamoDbTable_Ttl_Disabled
=== CONT  TestAccAWSDynamoDbTable_Ttl_Enabled
=== CONT  TestAccAWSDynamoDbTable_gsiUpdateNonKeyAttributes
=== CONT  TestAccAWSDynamoDbTable_gsiUpdateOtherAttributes
=== CONT  TestAccAWSDynamoDbTable_gsiUpdateCapacity
=== CONT  TestAccAWSDynamoDbTable_tags
=== CONT  TestAccAWSDynamoDbTable_streamSpecificationValidation
=== CONT  TestAccAWSDynamoDbTable_streamSpecification
=== CONT  TestAccAWSDynamoDbTable_BillingMode_GSI_ProvisionedToPayPerRequest
=== CONT  TestAccAWSDynamoDbTable_BillingMode_GSI_PayPerRequestToProvisioned
=== CONT  TestAccAWSDynamoDbTable_BillingMode_ProvisionedToPayPerRequest
=== CONT  TestAccAWSDynamoDbTable_BillingMode_PayPerRequestToProvisioned
=== CONT  TestAccAWSDynamoDbTable_enablePitr
=== CONT  TestAccAWSDynamoDbTable_extended
=== CONT  TestAccAWSDynamoDbTable_disappears_PayPerRequestWithGSI
=== CONT  TestAccAWSDynamoDbTable_disappears
--- PASS: TestAccAWSDynamoDbTable_streamSpecificationValidation (10.27s)
--- PASS: TestAccAWSDynamoDbTable_attributeUpdateValidation (12.52s)
--- PASS: TestAccAWSDynamoDbTable_disappears (31.36s)
--- PASS: TestAccAWSDynamoDbTable_Ttl_Enabled (38.19s)
--- PASS: TestAccAWSDynamoDbTable_basic (39.48s)
--- PASS: TestAccAWSDynamoDbTable_Ttl_Disabled (59.29s)
--- PASS: TestAccAWSDynamoDbTable_BillingMode_PayPerRequestToProvisioned (60.45s)
--- PASS: TestAccAWSDynamoDbTable_BillingMode_GSI_PayPerRequestToProvisioned (74.05s)
--- PASS: TestAccAWSDynamoDbTable_streamSpecification (76.44s)
--- PASS: TestAccAWSDynamoDbTable_disappears_PayPerRequestWithGSI (82.10s)
--- PASS: TestAccAWSDynamoDbTable_tags (83.56s)
--- PASS: TestAccAWSDynamoDbTable_gsiUpdateCapacity (109.24s)
--- PASS: TestAccAWSDynamoDbTable_enablePitr (110.97s)
--- PASS: TestAccAWSDynamoDbTable_encryption (179.90s)
--- PASS: TestAccAWSDynamoDbTable_extended (190.07s)
--- PASS: TestAccAWSDynamoDbTable_gsiUpdateNonKeyAttributes (192.59s)
--- PASS: TestAccAWSDynamoDbTable_attributeUpdate (472.80s)
--- PASS: TestAccAWSDynamoDbTable_gsiUpdateOtherAttributes (507.40s)
--- PASS: TestAccAWSDynamoDbTable_BillingMode_GSI_ProvisionedToPayPerRequest (616.38s)
--- PASS: TestAccAWSDynamoDbTable_BillingMode_ProvisionedToPayPerRequest (740.41s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	740.482s

@ewbankkit ewbankkit requested a review from a team December 1, 2019 22:47
@ghost ghost added size/XL Managed by automation to categorize the size of a PR. needs-triage Waiting for first response or review from a maintainer. documentation Introduces or discusses updates to documentation. service/dynamodb Issues and PRs that pertain to the dynamodb service. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. labels Dec 1, 2019
@ghost ghost added size/L Managed by automation to categorize the size of a PR. and removed size/XL Managed by automation to categorize the size of a PR. labels Dec 12, 2019
@ewbankkit
Contributor Author

Rebased to remove merge conflicts.
Re-ran acceptance tests:

$ make testacc TEST=./aws TESTARGS='-run=TestAccDataSourceAwsDynamoDbTable_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccDataSourceAwsDynamoDbTable_ -timeout 120m
=== RUN   TestAccDataSourceAwsDynamoDbTable_basic
=== PAUSE TestAccDataSourceAwsDynamoDbTable_basic
=== CONT  TestAccDataSourceAwsDynamoDbTable_basic
--- PASS: TestAccDataSourceAwsDynamoDbTable_basic (98.30s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	98.336s
$ make testacc TEST=./aws TESTARGS='-run=TestAccAWSDynamoDbTable_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSDynamoDbTable_ -timeout 120m
=== RUN   TestAccAWSDynamoDbTable_basic
=== PAUSE TestAccAWSDynamoDbTable_basic
=== RUN   TestAccAWSDynamoDbTable_disappears
=== PAUSE TestAccAWSDynamoDbTable_disappears
=== RUN   TestAccAWSDynamoDbTable_disappears_PayPerRequestWithGSI
=== PAUSE TestAccAWSDynamoDbTable_disappears_PayPerRequestWithGSI
=== RUN   TestAccAWSDynamoDbTable_extended
=== PAUSE TestAccAWSDynamoDbTable_extended
=== RUN   TestAccAWSDynamoDbTable_enablePitr
=== PAUSE TestAccAWSDynamoDbTable_enablePitr
=== RUN   TestAccAWSDynamoDbTable_BillingMode_PayPerRequestToProvisioned
=== PAUSE TestAccAWSDynamoDbTable_BillingMode_PayPerRequestToProvisioned
=== RUN   TestAccAWSDynamoDbTable_BillingMode_ProvisionedToPayPerRequest
=== PAUSE TestAccAWSDynamoDbTable_BillingMode_ProvisionedToPayPerRequest
=== RUN   TestAccAWSDynamoDbTable_BillingMode_GSI_PayPerRequestToProvisioned
=== PAUSE TestAccAWSDynamoDbTable_BillingMode_GSI_PayPerRequestToProvisioned
=== RUN   TestAccAWSDynamoDbTable_BillingMode_GSI_ProvisionedToPayPerRequest
=== PAUSE TestAccAWSDynamoDbTable_BillingMode_GSI_ProvisionedToPayPerRequest
=== RUN   TestAccAWSDynamoDbTable_streamSpecification
=== PAUSE TestAccAWSDynamoDbTable_streamSpecification
=== RUN   TestAccAWSDynamoDbTable_streamSpecificationValidation
=== PAUSE TestAccAWSDynamoDbTable_streamSpecificationValidation
=== RUN   TestAccAWSDynamoDbTable_tags
=== PAUSE TestAccAWSDynamoDbTable_tags
=== RUN   TestAccAWSDynamoDbTable_gsiUpdateCapacity
=== PAUSE TestAccAWSDynamoDbTable_gsiUpdateCapacity
=== RUN   TestAccAWSDynamoDbTable_gsiUpdateOtherAttributes
=== PAUSE TestAccAWSDynamoDbTable_gsiUpdateOtherAttributes
=== RUN   TestAccAWSDynamoDbTable_gsiUpdateNonKeyAttributes
=== PAUSE TestAccAWSDynamoDbTable_gsiUpdateNonKeyAttributes
=== RUN   TestAccAWSDynamoDbTable_Ttl_Enabled
=== PAUSE TestAccAWSDynamoDbTable_Ttl_Enabled
=== RUN   TestAccAWSDynamoDbTable_Ttl_Disabled
=== PAUSE TestAccAWSDynamoDbTable_Ttl_Disabled
=== RUN   TestAccAWSDynamoDbTable_attributeUpdate
=== PAUSE TestAccAWSDynamoDbTable_attributeUpdate
=== RUN   TestAccAWSDynamoDbTable_attributeUpdateValidation
=== PAUSE TestAccAWSDynamoDbTable_attributeUpdateValidation
=== RUN   TestAccAWSDynamoDbTable_encryption
=== PAUSE TestAccAWSDynamoDbTable_encryption
=== CONT  TestAccAWSDynamoDbTable_basic
=== CONT  TestAccAWSDynamoDbTable_tags
=== CONT  TestAccAWSDynamoDbTable_encryption
=== CONT  TestAccAWSDynamoDbTable_attributeUpdateValidation
=== CONT  TestAccAWSDynamoDbTable_attributeUpdate
=== CONT  TestAccAWSDynamoDbTable_Ttl_Disabled
=== CONT  TestAccAWSDynamoDbTable_Ttl_Enabled
=== CONT  TestAccAWSDynamoDbTable_gsiUpdateNonKeyAttributes
=== CONT  TestAccAWSDynamoDbTable_gsiUpdateOtherAttributes
=== CONT  TestAccAWSDynamoDbTable_gsiUpdateCapacity
=== CONT  TestAccAWSDynamoDbTable_BillingMode_ProvisionedToPayPerRequest
=== CONT  TestAccAWSDynamoDbTable_streamSpecificationValidation
=== CONT  TestAccAWSDynamoDbTable_streamSpecification
=== CONT  TestAccAWSDynamoDbTable_BillingMode_GSI_ProvisionedToPayPerRequest
=== CONT  TestAccAWSDynamoDbTable_BillingMode_GSI_PayPerRequestToProvisioned
=== CONT  TestAccAWSDynamoDbTable_extended
=== CONT  TestAccAWSDynamoDbTable_BillingMode_PayPerRequestToProvisioned
=== CONT  TestAccAWSDynamoDbTable_enablePitr
=== CONT  TestAccAWSDynamoDbTable_disappears_PayPerRequestWithGSI
=== CONT  TestAccAWSDynamoDbTable_disappears
--- PASS: TestAccAWSDynamoDbTable_streamSpecificationValidation (10.65s)
--- PASS: TestAccAWSDynamoDbTable_attributeUpdateValidation (12.44s)
--- PASS: TestAccAWSDynamoDbTable_disappears (31.05s)
--- PASS: TestAccAWSDynamoDbTable_Ttl_Enabled (41.52s)
--- PASS: TestAccAWSDynamoDbTable_basic (43.46s)
--- PASS: TestAccAWSDynamoDbTable_Ttl_Disabled (64.91s)
--- PASS: TestAccAWSDynamoDbTable_BillingMode_PayPerRequestToProvisioned (66.11s)
--- PASS: TestAccAWSDynamoDbTable_streamSpecification (75.45s)
--- PASS: TestAccAWSDynamoDbTable_tags (82.78s)
--- PASS: TestAccAWSDynamoDbTable_disappears_PayPerRequestWithGSI (86.43s)
--- PASS: TestAccAWSDynamoDbTable_enablePitr (87.88s)
--- PASS: TestAccAWSDynamoDbTable_BillingMode_GSI_PayPerRequestToProvisioned (105.49s)
--- PASS: TestAccAWSDynamoDbTable_gsiUpdateCapacity (109.71s)
--- PASS: TestAccAWSDynamoDbTable_encryption (183.55s)
--- PASS: TestAccAWSDynamoDbTable_gsiUpdateNonKeyAttributes (317.50s)
--- PASS: TestAccAWSDynamoDbTable_extended (354.22s)
--- PASS: TestAccAWSDynamoDbTable_attributeUpdate (630.76s)
--- PASS: TestAccAWSDynamoDbTable_BillingMode_GSI_ProvisionedToPayPerRequest (657.29s)
--- PASS: TestAccAWSDynamoDbTable_gsiUpdateOtherAttributes (661.25s)
--- PASS: TestAccAWSDynamoDbTable_BillingMode_ProvisionedToPayPerRequest (828.34s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	828.435s

@franzwong

@ewbankkit Any update on this? Thanks.

@bflad bflad added enhancement Requests to existing resources that expand the functionality or scope. and removed needs-triage Waiting for first response or review from a maintainer. labels Jan 29, 2020
@bflad bflad self-assigned this Jan 29, 2020

@bflad bflad left a comment


Looks great, thanks @ewbankkit 🚀

Output from acceptance testing:

--- PASS: TestAccAWSDynamoDbTable_attributeUpdate (588.89s)
--- PASS: TestAccAWSDynamoDbTable_attributeUpdateValidation (6.82s)
--- PASS: TestAccAWSDynamoDbTable_basic (23.68s)
--- PASS: TestAccAWSDynamoDbTable_BillingMode_GSI_PayPerRequestToProvisioned (50.86s)
--- PASS: TestAccAWSDynamoDbTable_BillingMode_GSI_ProvisionedToPayPerRequest (1201.68s)
--- PASS: TestAccAWSDynamoDbTable_BillingMode_PayPerRequestToProvisioned (33.78s)
--- PASS: TestAccAWSDynamoDbTable_BillingMode_ProvisionedToPayPerRequest (902.91s)
--- PASS: TestAccAWSDynamoDbTable_disappears (21.19s)
--- PASS: TestAccAWSDynamoDbTable_disappears_PayPerRequestWithGSI (149.36s)
--- PASS: TestAccAWSDynamoDbTable_enablePitr (89.95s)
--- PASS: TestAccAWSDynamoDbTable_encryption (116.10s)
--- PASS: TestAccAWSDynamoDbTable_extended (304.28s)
--- PASS: TestAccAWSDynamoDbTable_gsiUpdateCapacity (45.19s)
--- PASS: TestAccAWSDynamoDbTable_gsiUpdateNonKeyAttributes (261.13s)
--- PASS: TestAccAWSDynamoDbTable_gsiUpdateOtherAttributes (576.35s)
--- PASS: TestAccAWSDynamoDbTable_streamSpecification (40.92s)
--- PASS: TestAccAWSDynamoDbTable_streamSpecificationValidation (7.75s)
--- PASS: TestAccAWSDynamoDbTable_tags (29.38s)
--- PASS: TestAccAWSDynamoDbTable_Ttl_Disabled (25.63s)
--- PASS: TestAccAWSDynamoDbTable_Ttl_Enabled (19.69s)

--- PASS: TestAccDataSourceAwsDynamoDbTable_basic (73.99s)

If `enabled` is `false` then server-side encryption is set to AWS owned CMK (shown as `DEFAULT` in the AWS console).
If `enabled` is `true` then server-side encryption is set to AWS managed CMK (shown as `KMS` in the AWS console).
If `enabled` is `true` and no `kms_master_key_id` is specified then server-side encryption is set to AWS managed CMK (shown as `KMS` in the AWS console).
Contributor
😎 Understandable how this snuck in since the API is inconsistent.

Suggested change
If `enabled` is `true` and no `kms_master_key_id` is specified then server-side encryption is set to AWS managed CMK (shown as `KMS` in the AWS console).
If `enabled` is `true` and no `kms_key_arn` is specified then server-side encryption is set to AWS managed CMK (shown as `KMS` in the AWS console).
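The three states described in the documentation lines above (disabled: AWS owned key, shown as DEFAULT; enabled without a key: AWS managed key, shown as KMS; enabled with `kms_key_arn`: that customer managed key) and the release note's in-place update of `server_side_encryption` both come down to one request shape, `SSESpecification`, and one response shape, `SSEDescription`. The Go below is an added example written for this page, not code from this PR or from the provider: it builds the request the way the block semantics dictate and then checks a `DescribeTable` response against the configured block, flagging drift (wrong key, key in a foreign account, encryption still transitioning, AWS owned key where KMS was expected). The struct types are hand-written mirrors of the API field names rather than the aws-sdk-go types, and the `DescribeTable` responses, table names, account ID and key ID are constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Hand-written mirrors of the DynamoDB API shapes used below (field names
// follow the API; these are not the aws-sdk-go types).
type SSESpecification struct {
	Enabled        bool   `json:"Enabled"`
	SSEType        string `json:"SSEType,omitempty"`
	KMSMasterKeyId string `json:"KMSMasterKeyId,omitempty"`
}

type SSEDescription struct {
	Status          string `json:"Status"`  // ENABLED, DISABLED, ENABLING, DISABLING, UPDATING
	SSEType         string `json:"SSEType"` // KMS for both AWS managed and customer managed keys
	KMSMasterKeyArn string `json:"KMSMasterKeyArn"`
}

type describeTableOutput struct {
	Table struct {
		TableName      string          `json:"TableName"`
		SSEDescription *SSEDescription `json:"SSEDescription"` // absent when the AWS owned key is in use
	} `json:"Table"`
}

// BuildSSESpecification maps the server_side_encryption block (enabled,
// kms_key_arn) onto the request: disabled selects the AWS owned key, enabled
// without a key selects the AWS managed key, enabled with a key selects that
// customer managed key.
func BuildSSESpecification(enabled bool, kmsKeyArn string) SSESpecification {
	if !enabled {
		return SSESpecification{Enabled: false}
	}
	return SSESpecification{Enabled: true, SSEType: "KMS", KMSMasterKeyId: kmsKeyArn}
}

// KMSKeyARN is the decomposed form of arn:<partition>:kms:<region>:<account>:key/<id>.
type KMSKeyARN struct {
	Partition, Region, Account, Resource string
}

// ParseKMSKeyARN rejects anything that is not a well-formed KMS key or alias
// ARN, so a mangled or foreign ARN cannot slip past the account check below.
func ParseKMSKeyARN(arn string) (KMSKeyARN, error) {
	p := strings.SplitN(arn, ":", 6)
	if len(p) != 6 || p[0] != "arn" || p[2] != "kms" || p[3] == "" || p[4] == "" {
		return KMSKeyARN{}, fmt.Errorf("not a KMS ARN: %q", arn)
	}
	if !strings.HasPrefix(p[5], "key/") && !strings.HasPrefix(p[5], "alias/") {
		return KMSKeyARN{}, fmt.Errorf("unexpected KMS resource in %q", arn)
	}
	return KMSKeyARN{Partition: p[1], Region: p[3], Account: p[4], Resource: p[5]}, nil
}

// CheckEncryption compares the configured block with what DescribeTable
// reports and returns one finding per discrepancy; an empty result means the
// table matches the configuration.
func CheckEncryption(enabled bool, kmsKeyArn, expectedAccount string, describeTableJSON []byte) ([]string, error) {
	var out describeTableOutput
	if err := json.Unmarshal(describeTableJSON, &out); err != nil {
		return nil, err
	}
	name, desc := out.Table.TableName, out.Table.SSEDescription
	var findings []string
	if !enabled {
		if desc != nil && desc.Status != "DISABLED" {
			findings = append(findings, fmt.Sprintf("%s: expected AWS owned key, found %s %s", name, desc.SSEType, desc.KMSMasterKeyArn))
		}
		return findings, nil
	}
	if desc == nil || desc.Status == "DISABLED" {
		return append(findings, fmt.Sprintf("%s: expected KMS encryption, table uses the AWS owned key", name)), nil
	}
	if desc.Status != "ENABLED" {
		findings = append(findings, fmt.Sprintf("%s: encryption status is %s, not ENABLED", name, desc.Status))
	}
	if desc.SSEType != "KMS" {
		findings = append(findings, fmt.Sprintf("%s: SSEType is %s, not KMS", name, desc.SSEType))
	}
	if kmsKeyArn != "" && desc.KMSMasterKeyArn != kmsKeyArn {
		findings = append(findings, fmt.Sprintf("%s: key is %s, configured %s", name, desc.KMSMasterKeyArn, kmsKeyArn))
	}
	// DescribeTable does not say whether the key is AWS managed or customer
	// managed (both report SSEType KMS); without a configured key, the most we
	// can verify offline is that the key lives in the table's own account.
	key, err := ParseKMSKeyARN(desc.KMSMasterKeyArn)
	if err != nil {
		return append(findings, fmt.Sprintf("%s: %v", name, err)), nil
	}
	if key.Account != expectedAccount {
		findings = append(findings, fmt.Sprintf("%s: key belongs to account %s, expected %s", name, key.Account, expectedAccount))
	}
	return findings, nil
}

// Constructed DescribeTable responses for a stand-alone run (not real output).
const sampleCMK = `{"Table":{"TableName":"orders","SSEDescription":{"Status":"ENABLED","SSEType":"KMS","KMSMasterKeyArn":"arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}}}`
const sampleOwned = `{"Table":{"TableName":"sessions"}}`
const cmkArn = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

func main() {
	for _, c := range []struct {
		enabled  bool
		key, raw string
	}{{true, cmkArn, sampleCMK}, {false, "", sampleCMK}, {true, cmkArn, sampleOwned}} {
		f, err := CheckEncryption(c.enabled, c.key, "111122223333", []byte(c.raw))
		fmt.Println(f, err)
	}
}
```

When no `kms_key_arn` is configured the check deliberately stops at the account test: telling the AWS managed `aws/dynamodb` key apart from a customer managed key in the same account needs a `kms:DescribeKey` call and a look at `KeyManager` (`AWS` or `CUSTOMER`), which is also the call a reviewer would make before trusting the `KMS` label in the console.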

@bflad bflad added this to the v2.47.0 milestone Jan 29, 2020
@bflad bflad merged commit 456f0fb into hashicorp:master Jan 29, 2020
bflad added a commit that referenced this pull request Jan 29, 2020
@ewbankkit ewbankkit deleted the issue-8137 branch January 30, 2020 12:35
@ghost

ghost commented Jan 30, 2020

This has been released in version 2.47.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Mar 27, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 27, 2020
Successfully merging this pull request may close these issues.

Support customer-managed keys for server_side_encryption in DynamoDB