From 0b583728aa7ab9f3ad113ed0dd82e51c95419ac5 Mon Sep 17 00:00:00 2001
From: Nikhil Singh
Date: Fri, 23 Apr 2021 02:44:04 +0530
Subject: [PATCH] remove unnecessary variables and use roles instead of keys for AWS Encryption-AtRest (#441)
* remove unnecessary variables and use roles instead of keys for AWS Encryption-AtRest
* doc update for encryption at rest resource
* update the link to example
Co-authored-by: Nikhil Singh
---
 .../second_step/atlas-encryption.tf | 2 --
 .../second_step/variables.tf | 8 --------
 .../second_step/atlas-encryption.tf | 2 --
 .../second_step/variables.tf | 8 --------
 website/docs/r/encryption_at_rest.html.markdown | 8 +++-----
 5 files changed, 3 insertions(+), 25 deletions(-)
diff --git a/examples/atlas-encryptionAtRest-roles-one-step-workaround/second_step/atlas-encryption.tf b/examples/atlas-encryptionAtRest-roles-one-step-workaround/second_step/atlas-encryption.tf
index 84f55679c6..6ec6f82bae 100644
--- a/examples/atlas-encryptionAtRest-roles-one-step-workaround/second_step/atlas-encryption.tf
+++ b/examples/atlas-encryptionAtRest-roles-one-step-workaround/second_step/atlas-encryption.tf
@@ -2,8 +2,6 @@ resource "mongodbatlas_encryption_at_rest" "test" {
   project_id = var.project_id
   aws_kms = {
-    access_key_id = var.access_key
-    secret_access_key = var.secret_key
     enabled = true
     customer_master_key_id = var.customer_master_key
     region = var.atlas_region
diff --git a/examples/atlas-encryptionAtRest-roles-one-step-workaround/second_step/variables.tf b/examples/atlas-encryptionAtRest-roles-one-step-workaround/second_step/variables.tf
index 9451c23ef4..2acbb63a09 100644
--- a/examples/atlas-encryptionAtRest-roles-one-step-workaround/second_step/variables.tf
+++ b/examples/atlas-encryptionAtRest-roles-one-step-workaround/second_step/variables.tf
@@ -23,11 +23,3 @@ variable "cpa_role_id" {
   description = "AWS IAM ROLE ARN"
   default = ""
 }
-variable "access_key" {
-  description = "The access key for AWS Account"
-  default = ""
-}
-variable "secret_key" {
-  description = "The secret key for AWS Account"
-  default = ""
-}
diff --git a/examples/atlas-encryptionAtRest-roles-two-step/second_step/atlas-encryption.tf b/examples/atlas-encryptionAtRest-roles-two-step/second_step/atlas-encryption.tf
index 84f55679c6..6ec6f82bae 100644
--- a/examples/atlas-encryptionAtRest-roles-two-step/second_step/atlas-encryption.tf
+++ b/examples/atlas-encryptionAtRest-roles-two-step/second_step/atlas-encryption.tf
@@ -2,8 +2,6 @@ resource "mongodbatlas_encryption_at_rest" "test" {
   project_id = var.project_id
   aws_kms = {
-    access_key_id = var.access_key
-    secret_access_key = var.secret_key
     enabled = true
     customer_master_key_id = var.customer_master_key
     region = var.atlas_region
diff --git a/examples/atlas-encryptionAtRest-roles-two-step/second_step/variables.tf b/examples/atlas-encryptionAtRest-roles-two-step/second_step/variables.tf
index 9451c23ef4..2acbb63a09 100644
--- a/examples/atlas-encryptionAtRest-roles-two-step/second_step/variables.tf
+++ b/examples/atlas-encryptionAtRest-roles-two-step/second_step/variables.tf
@@ -23,11 +23,3 @@ variable "cpa_role_id" {
   description = "AWS IAM ROLE ARN"
   default = ""
 }
-variable "access_key" {
-  description = "The access key for AWS Account"
-  default = ""
-}
-variable "secret_key" {
-  description = "The secret key for AWS Account"
-  default = ""
-}
diff --git a/website/docs/r/encryption_at_rest.html.markdown b/website/docs/r/encryption_at_rest.html.markdown
index 6f34edc19a..6a7daf48b2 100644
--- a/website/docs/r/encryption_at_rest.html.markdown
+++ b/website/docs/r/encryption_at_rest.html.markdown
@@ -32,10 +32,9 @@ resource "mongodbatlas_encryption_at_rest" "test" {
   aws_kms = {
     enabled = true
-    access_key_id = "AKIAIOSFODNN7EXAMPLE"
-    secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
-    customer_master_key_id = "030gce02-586d-48d2-a966-05ea954fde0g"
+    customer_master_key_id = "5ce83906-6563-46b7-8045-11c20e3a5766"
     region = "US_EAST_1"
+    role_id = "60815e2fe01a49138a928ebb"
   }
   azure_key_vault = {
@@ -66,9 +65,8 @@ resource "mongodbatlas_encryption_at_rest" "test" {
 * `google_cloud_kms` - (Required) Specifies GCP KMS configuration details and whether Encryption at Rest is enabled for an Atlas project.
 ### aws_kms
+Refer to the example in the [official github repository](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/master/examples) to implement Encryption at Rest
 * `enabled` - Specifies whether Encryption at Rest is enabled for an Atlas project, To disable Encryption at Rest, pass only this parameter with a value of false, When you disable Encryption at Rest, Atlas also removes the configuration details.
-* `access_key_id` - The IAM access key ID with permissions to access the customer master key specified by customerMasterKeyID.
-* `secret_access_key` - The IAM secret access key with permissions to access the customer master key specified by customerMasterKeyID.
 * `customer_master_key_id` - The AWS customer master key used to encrypt and decrypt the MongoDB master keys.
 * `region` - The AWS region in which the AWS customer master key exists: CA_CENTRAL_1, US_EAST_1, US_EAST_2, US_WEST_1, US_WEST_2, SA_EAST_1
 * `role_id` - ID of an AWS IAM role authorized to manage an AWS customer master key. To find the ID for an existing IAM role check the `role_id` attribute of the `mongodbatlas_cloud_provider_access` resource.