provider/aws: Add KMS Key ID to aws_rds_cluster_instance

``` ```
hashicorp · Jul 20, 2016 · a3aa87c · a3aa87c
1 parent 9227532
commit a3aa87c
Show file tree

Hide file tree

Showing 5 changed files with 120 additions and 23 deletions.
diff --git a/builtin/providers/aws/resource_aws_rds_cluster_instance.go b/builtin/providers/aws/resource_aws_rds_cluster_instance.go
@@ -83,6 +83,20 @@ func resourceAwsRDSClusterInstance() *schema.Resource {
 				Computed: true,
 			},
 
+			"kms_key_id": &schema.Schema{
+				Type:     schema.TypeString,
+				Optional: true,
+				Computed: true,
+				ForceNew: true,
+			},
+
+			"storage_encrypted": &schema.Schema{
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+				ForceNew: true,
+			},
+
 			"tags": tagsSchema(),
 		},
 	}

diff --git a/builtin/providers/aws/resource_aws_rds_cluster_instance_test.go b/builtin/providers/aws/resource_aws_rds_cluster_instance_test.go
@@ -2,6 +2,7 @@ package aws
 
 import (
 	"fmt"
+	"regexp"
 	"strings"
 	"testing"
 	"time"
@@ -34,6 +35,27 @@ func TestAccAWSRDSClusterInstance_basic(t *testing.T) {
 	})
 }
 
+func TestAccAWSRDSClusterInstance_kmsKey(t *testing.T) {
+	var v rds.DBInstance
+	keyRegex := regexp.MustCompile("^arn:aws:kms:")
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSClusterDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSClusterInstanceConfigKmsKey(acctest.RandInt()),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSClusterInstanceExists("aws_rds_cluster_instance.cluster_instances", &v),
+					resource.TestMatchResourceAttr(
+						"aws_rds_cluster_instance.cluster_instances", "kms_key_id", keyRegex),
+				),
+			},
+		},
+	})
+}
+
 // https://github.com/hashicorp/terraform/issues/5350
 func TestAccAWSRDSClusterInstance_disappears(t *testing.T) {
 	var v rds.DBInstance
@@ -199,3 +221,63 @@ resource "aws_db_parameter_group" "bar" {
 }
 `, n, n, n)
 }
+
+func testAccAWSClusterInstanceConfigKmsKey(n int) string {
+	return fmt.Sprintf(`
+
+resource "aws_kms_key" "foo" {
+    description = "Terraform acc test %d"
+    policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Id": "kms-tf-1",
+  "Statement": [
+    {
+      "Sid": "Enable IAM User Permissions",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "*"
+      },
+      "Action": "kms:*",
+      "Resource": "*"
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_rds_cluster" "default" {
+  cluster_identifier = "tf-aurora-cluster-test-%d"
+  availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
+  database_name      = "mydb"
+  master_username    = "foo"
+  master_password    = "mustbeeightcharaters"
+  storage_encrypted = true
+  kms_key_id = "${aws_kms_key.foo.arn}"
+}
+
+resource "aws_rds_cluster_instance" "cluster_instances" {
+  identifier              = "tf-cluster-instance-%d"
+  cluster_identifier      = "${aws_rds_cluster.default.id}"
+  instance_class          = "db.r3.large"
+  db_parameter_group_name = "${aws_db_parameter_group.bar.name}"
+  storage_encrypted = true
+  kms_key_id = "${aws_kms_key.foo.arn}"
+}
+
+resource "aws_db_parameter_group" "bar" {
+  name   = "tfcluster-test-group-%d"
+  family = "aurora5.6"
+
+  parameter {
+    name         = "back_log"
+    value        = "32767"
+    apply_method = "pending-reboot"
+  }
+
+  tags {
+    foo = "bar"
+  }
+}
+`, n, n, n, n)
+}
diff --git a/builtin/providers/aws/resource_aws_rds_cluster_test.go b/builtin/providers/aws/resource_aws_rds_cluster_test.go
@@ -2,6 +2,7 @@ package aws
 
 import (
 	"fmt"
+	"regexp"
 	"testing"
 
 	"github.com/hashicorp/terraform/helper/acctest"
@@ -65,26 +66,25 @@ func TestAccAWSRDSCluster_updateTags(t *testing.T) {
 }
 
 func TestAccAWSRDSCluster_kmsKey(t *testing.T) {
- 	var v rds.DBCluster
- 	keyRegex := regexp.MustCompile("^arn:aws:kms:")
-
- 	resource.Test(t, resource.TestCase{
- 		PreCheck:     func() { testAccPreCheck(t) },
- 		Providers:    testAccProviders,
- 		CheckDestroy: testAccCheckAWSClusterDestroy,
- 		Steps: []resource.TestStep{
- 			resource.TestStep{
- 				Config: testAccAWSClusterConfig_kmsKey(acctest.RandInt()),
- 				Check: resource.ComposeTestCheckFunc(
- 					testAccCheckAWSClusterExists("aws_rds_cluster.default", &v),
- 					resource.TestMatchResourceAttr(
- 						"aws_rds_cluster.default", "kms_key_id", keyRegex),
- 				),
- 			},
- 		},
- 	})
- }
+	var v rds.DBCluster
+	keyRegex := regexp.MustCompile("^arn:aws:kms:")
 
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSClusterDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSClusterConfig_kmsKey(acctest.RandInt()),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSClusterExists("aws_rds_cluster.default", &v),
+					resource.TestMatchResourceAttr(
+						"aws_rds_cluster.default", "kms_key_id", keyRegex),
+				),
+			},
+		},
+	})
+}
 
 func TestAccAWSRDSCluster_encrypted(t *testing.T) {
 	var v rds.DBCluster
@@ -243,7 +243,7 @@ resource "aws_rds_cluster" "default" {
 }
 
 func testAccAWSClusterConfig_kmsKey(n int) string {
- 	return fmt.Sprintf(`
+	return fmt.Sprintf(`
 
  resource "aws_kms_key" "foo" {
      description = "Terraform acc test %d"
@@ -276,8 +276,7 @@ func testAccAWSClusterConfig_kmsKey(n int) string {
    storage_encrypted = true
    kms_key_id = "${aws_kms_key.foo.arn}"
  }`, n, n)
- }
-
+}
 
 func testAccAWSClusterConfig_encrypted(n int) string {
 	return fmt.Sprintf(`

diff --git a/website/source/docs/providers/aws/r/rds_cluster.html.markdown b/website/source/docs/providers/aws/r/rds_cluster.html.markdown
@@ -79,7 +79,7 @@ Default: A 30-minute window selected at random from an 8-hour block of time per
      `false`. See [Amazon RDS Documentation for more information.](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html)
 * `db_subnet_group_name` - (Optional) A DB subnet group to associate with this DB instance. **NOTE:** This must match the `db_subnet_group_name` specified on every [`aws_rds_cluster_instance`](/docs/providers/aws/r/rds_cluster_instance.html) in the cluster.
 * `db_cluster_parameter_group_name` - (Optional) A cluster parameter group to associate with the cluster.
-* `kms_key_id` - (Optional) The ARN for the KMS encryption key.
+* `kms_key_id` - (Optional) The ARN for the KMS encryption key. When specifying `kms_key_id`, `storage_encrypted` needs to be set to true
 
 ## Attributes Reference
 

diff --git a/website/source/docs/providers/aws/r/rds_cluster_instance.html.markdown b/website/source/docs/providers/aws/r/rds_cluster_instance.html.markdown
@@ -65,6 +65,8 @@ details on controlling this property.
 * `db_parameter_group_name` - (Optional) The name of the DB parameter group to associate with this instance.
 * `apply_immediately` - (Optional) Specifies whether any database modifications
      are applied immediately, or during the next maintenance window. Default is`false`.
+* `storage_encrypted` - (Optional) Specifies whether the DB cluster instance is encrypted. The default is `false` if not specified.
+* `kms_key_id` - (Optional) The ARN for the KMS encryption key. When specifying `kms_key_id`, `storage_encrypted` needs to be set to true
 * `tags` - (Optional) A mapping of tags to assign to the instance.
 
 ## Attributes Reference