RDS encrypted Snapshot restore uses snapshot's kms key #6063
Comments
Hi @nomeelnoj 👋 Sorry you ran into trouble here. Your timing is actually pretty good though as #6012 was recently merged to fix this exact issue and it was just released in version 1.39.0 of the AWS provider this afternoon. 👍
Looks like this was integrated for aws_db_cluster, but not aws_db_instance. Is the functionality for db_instance expected soon as well?
Ah, good catch, @nomeelnoj 😅 you are correct. Sorry about that - reopening. The API does not support As for the current situation, I'm not sure we would accept having the
Could it be configured to automatically create a copy of the snapshot, assign the new KMS key, then restore from that copy, then delete that copy? Or is that too much going on behind the scenes?
Hi again 👋 Sorry for the delayed response.
In general, yes, we strongly prefer that Terraform resources only manage one piece of infrastructure (even temporarily). Operators have expectations that no other infrastructure is being created outside of what is declared in their Terraform configuration. If any part of the temporary processing failed, Terraform would have no method for tracking or handling the temporary infrastructure left behind. The good news here is that it looks like a community member has contributed what we would expect the solution to look like here in a new Since that issue and pull request follow our recommended path forward here, I'm going to opt to close this issue so we can consolidate discussions and efforts in those. Thanks again for submitting this.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
This issue was originally opened by @nomeelnoj as hashicorp/terraform#18984. It was migrated here as a result of the provider split. The original body of the issue is below.
Terraform Version
Terraform Configuration Files
Expected Behavior
When running the TF above, the new database should be encrypted with the KMS key provided, not the key from the snapshot.
Actual Behavior
The new RDS instance is created using the snapshot's KMS key for encryption
Steps to Reproduce
Additional Context
To update an RDS encryption key, you can create a copy of the snapshot and change the key for the copy. Couldn't you update TF to first copy the snapshot and apply the new key to the snapshot and then restore from the snapshot if both kms_key_id and snapshot_identifier are provided?
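The copy-then-restore approach described in the issue body, written as explicitly declared Terraform resources so the re-encrypted copy is tracked in state (an added example, not part of the original issue or the provider's own code). It assumes a current AWS provider release that includes the aws_db_snapshot_copy resource and Terraform 1.2 or later for the postcondition; every name and identifier is a placeholder.

```hcl
# Constructed example: all names and identifiers below are placeholders.
variable "source_snapshot_id" {
  type        = string
  description = "Identifier (or ARN) of the existing encrypted snapshot"
}

# The key the restored instance is meant to be encrypted with.
resource "aws_kms_key" "target" {
  description         = "RDS key for the restored instance"
  enable_key_rotation = true
}

# Re-encrypt by copying the snapshot under the new key. The copy is a
# declared resource, so a failed apply leaves it in state rather than
# orphaned outside of Terraform's view.
resource "aws_db_snapshot_copy" "rekeyed" {
  source_db_snapshot_identifier = var.source_snapshot_id
  target_db_snapshot_identifier = "restored-db-rekeyed"
  kms_key_id                    = aws_kms_key.target.arn
}

# Restore from the copy. kms_key_id is deliberately not set here: as the
# issue reports, the restored instance takes the key of the snapshot it
# is created from, so the key is chosen on the copy instead.
resource "aws_db_instance" "restored" {
  identifier                = "restored-db"
  instance_class            = "db.t3.medium"
  snapshot_identifier       = aws_db_snapshot_copy.rekeyed.target_db_snapshot_identifier
  final_snapshot_identifier = "restored-db-final"

  lifecycle {
    # Fail the apply if the instance did not end up on the intended key.
    postcondition {
      condition     = self.storage_encrypted && self.kms_key_id == aws_kms_key.target.arn
      error_message = "Restored instance is not encrypted with the target KMS key."
    }
  }
}

output "restored_kms_key_id" {
  value = aws_db_instance.restored.kms_key_id
}
```

The postcondition turns the silent key mismatch reported in this issue into a failed apply, and the output gives a value to compare against the intended key ARN in review.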