Add Redis AUTH, in-transit and at-rest encryption #2090
Conversation
nathanielks
changed the title
|
This is ready for review! Questions I have for reviewers are:
This is my first code contribution and it's been a great experience. Thank you for writing such good software! The testing helpers and clear patterns made contributing a breeze. I hadn't ever really looked at source till last night and I've got a PR put together today!! Thanks again! |
nathanielks
changed the title
radeksimko
added
the
enhancement
|
@nathanielks Thanks for tackling this and glad you found contributing so straightforward. You should also update the corresponding documentation page and since #2088 was merged, you can undo the changes you made in the For completeness I suggest updating the |
nathanielks
force-pushed
the
transit-encryption
branch
from
f18c925
to
5096a32
Compare
|
@ewbankkit hitting a bit of a blocker and not sure how to resolve! The AWS Go SDK has a few different structs it's using for Elasticache. Terraform uses the |
nathanielks
force-pushed
the
transit-encryption
branch
from
5096a32
to
092f58b
Compare
|
I've tested by adding just the auth token to the CreateCacheClusterInput and the API errors with the following: |
|
Eagerly awaiting this! |
|
Maybe @radeksimko or another core committer can recommend how to resolve this issue? |
|
@ewbankkit Can I get your eyes on #2090 (comment)? |
|
@nathanielks (not a Terraform committer, just a contributor with a vested interested in encryption support in AWS resources in Terraform...) What do you think about splitting the AUTH work to a separate PR, since the encryption-at-creation options are simpler and working, rather than delaying the entire package until whatever is going on with AUTH can be resolved? (Thanks very much for working on adding this support, BTW!) |
|
@nathanielks Also, as much as this sounds like "Why don't you go down to the DMV..." (apologies!) you may want to engage with AWS support on the error you're getting. That could be related to the AWS region or account you're using for testing, or it could be a bug with AWS... I wouldn't necessarily expect the Terraform folks to have any knowledge past what we have re: freshly released AWS features. (Which I am learning the hard way are often buggy in surprising/hilarious ways...) |
Unfortunately they're tied together. AUTH depends on in-transit encryption (which practically is a good thing, but annoying at the moment!)
That's a great call! They may also be able to explain why the Go sdk is structured like it is! I'll reach out on their repo as well 😄 |
|
(also, the auth-only tests were to illustrate they'll need in-transit encryption) |
|
@nathanielks Sure, but: I was envisioning pulling the auth work out of this PR, holding it, getting the encryption PR merged (which should be simple because it's easy setup-time-only parameters), which insures that encryption functionality at least will be available in provider version 1.3.0. Then bring the auth functionality back in a separate PR, on top of the existing and already committed encryption functionality, and with a little luck that'll make 1.3.0 too. There's no question this is a little self-serving, as I care lots about getting the encryption support in ASAP, and not much for the auth functionality (yet), but I do think this is a good approach for getting the working 2/3 of your work committed and checkpointed, so however long it takes AWS to help you or fix their doc or bug doesn't delay getting the whole thing in. :-) (Just a thought, thx for reading.) |
|
@handlerbot Ah! Thanks for clarifying! So the problem isn't AUTH, it's 100% with the structs that the Go SDK provides for us. AUTH in this PR actually works fine, but it's only for Replication Groups as they are the only resource that exposes any encryption parameters. I'm now trying to figure out how to get Encryption set up on basic Clusters per @ewbankkit's request. You can actually get the same functionality with a replication group as you can with a cluster. Enabling encryption forces the creation of a new resource, so we're forced to create a new something. Whether that's a cache cluster or a replication group, I'm not sure it entirely matters. To get a replication group that behaves like a cache cluster, go ahead and use this config: To that end, @ewbankkit, is it 100% necessary to add encryption support to |
|
And more fuel in support of using replication groups, the in-transit option is only supported by redis 3.2.4 and above, which is what replication groups require... |
|
@ewbankkit looking into this further, the encryption options are only supported by Replication Groups in the API as well: https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateReplicationGroup.html, so we can't create a cache cluster with encryption enabled. It's only replication groups. |
|
@nathanielks Yes, my bad. The User Guide seems to indicate that |
|
Would it be easier to split this up into 2 pr's, one for auth one for encryption? |
|
@ewbankkit do you know how to bump this to get this reviewed? I think I've followed the contribution guidelines and haven't seen any core committers come around. |
|
Acceptance tests are passing: |
|
@myoung34 No need to split into two PR's. Encryption can only be added to Replication Groups and that's what this PR does. |
|
@nathanielks I suggest patience 😄. |
|
@radeksimko this is ready for you! Acceptance tests written and passing! |
radeksimko
added
the
size/L
|
@radeksimko does any additional work need done to get this merged in? |
|
It's on their radar |
|
Good eyes, @ChrisMcKee |
There was a problem hiding this comment.
Hi @nathanielks
sorry for the delay in reviewing your PR.
I left you a few comments with varying levels of importance. Let me know if you have any questions or you need further clarification.
Thanks for the contribution.
| @@ -165,6 +187,18 @@ func resourceAwsElasticacheReplicationGroupCreate(d *schema.ResourceData, meta i | |||
| params.SnapshotName = aws.String(v.(string)) | |||
| } | |||
|
|
|||
| if _, ok := d.GetOk("transit_encryption"); ok { | |||
There was a problem hiding this comment.
It will sound like a nitpick, but would you mind changing the field name to transit_encryption_enabled? It will better communicate the fact that this is a boolean field and make space for potential future transit_encryption block which may define some further settings of the encryption.
| params.TransitEncryptionEnabled = aws.Bool(d.Get("transit_encryption").(bool)) | ||
| } | ||
|
|
||
| if _, ok := d.GetOk("at_rest_encryption"); ok { |
There was a problem hiding this comment.
Likewise - would you mind changing it to at_rest_encryption_enabled for the same reasons as the above field?
| @@ -310,6 +344,9 @@ func resourceAwsElasticacheReplicationGroupRead(d *schema.ResourceData, meta int | |||
| } | |||
|
|
|||
| d.Set("auto_minor_version_upgrade", c.AutoMinorVersionUpgrade) | |||
| d.Set("at_rest_encryption", c.AtRestEncryptionEnabled) | |||
| d.Set("transit_encryption", c.TransitEncryptionEnabled) | |||
| d.Set("auth_token", c.TransitEncryptionEnabled) | |||
There was a problem hiding this comment.
Typo ☝️
Because we cannot get the token back from the API (for obvious reasons) I think we should just make it nil if c.AuthTokenEnabled != nil && !*c.AuthTokenEnabled otherwise leave it alone during Read().
There was a problem hiding this comment.
ah, great catch!
| @@ -532,3 +569,16 @@ func validateAwsElastiCacheReplicationGroupId(v interface{}, k string) (ws []str | |||
| } | |||
| return | |||
| } | |||
|
|
|||
| func validateAwsElastiCacheReplicationGroupAuthToken(v interface{}, k string) (ws []string, errors []error) { | |||
There was a problem hiding this comment.
Nitpick: We tend to keep our validation functions in aws/validators.go + tests in aws/validators_test.go. It would be nice to move it there too, it's not a blocker for this PR though.
| @@ -970,3 +1048,108 @@ resource "aws_elasticache_replication_group" "bar" { | |||
| } | |||
| }`, rInt, rInt, rInt, rInt, rName) | |||
| } | |||
|
|
|||
| var testAccAWSElasticacheReplicationGroupEnableAtRestEncryptionConfig = fmt.Sprintf(` | |||
There was a problem hiding this comment.
Nitpick: It's a common convention to turn these configs into functions and pass the random strings from the body of the test as argument. It makes it easier to build & compare fields which include these random strings and also makes the config reusable (as it doesn't contain a random string generated once during initiation of the variable).
I know we don't follow that convention everywhere yet, but it's been a common theme of many recent test changes. 😉
radeksimko
added
the
waiting-response
nathanielks
force-pushed
the
transit-encryption
branch
from
092f58b
to
8b67b88
Compare
…s.go, as well as tests
…nctions instead of vars
|
@radeksimko requested changes have been made, tests still passing! |
radeksimko
removed
the
waiting-response
* Add Data Source: aws_elb * Fix dataSourceAwsElb typo * Fix dataSourceAwsElb Schema name field to not include Computed * Remove dataSourceAwsElb schema defaults for computed fields * Remove dataSourceAwsElb schema defaults for nested computed fields too * Corrected depends_on entry for EIP depends_on = ["aws_internet_gateway.gw"] is the correct syntax * Add sweeper for IAM Server Certificates * test/aws_config_delivery_channel: Add missing dependencies * d/aws_elb r/aws_elb: hashicorp#2004 review comments * Remove enable_deletion_protection from testAccDataSourceAWSELBConfigBasic * Replace unnecessary errwrap.Wrapf with fmt.Errorf * Reduce flattenAwsELbResource to ec2conn and elbconn instead of meta * Properly name TestAccDataSourceAWSELB_basic resources * Use t.Name() for description and TestName tags * d/aws_elb: Fix documentation sidebar ordering after merging master with new d/aws_elasticache_replication_group * Makefile: Add sweep target * Update cognito_user_pool.markdown * Update CHANGELOG.md * r/aws_elasticache_security_group: add import support (hashicorp#2277) * r/aws_elasticache_security_group: add import support * r/aws_elasticache_security_group: hashicorp#2277 review updates * Use d.Id() instead of d.Get("name") on read, which allows using schema.ImportStatePassthrough * d.Set("security_group_names") on read * Set AWS_DEFAULT_REGION to us-east-1 on import testing * Update CHANGELOG.md * documentation: remove antislashes in page titles * Added missing WARN debug lines when reading a non-existing resource * Removed <wbr> from documentation titles * vendor: Bump aws-sdk-go to v.1.12.44 * Add logs for iam server certificate delete conflict (hashicorp#2533) * Query elb API for load balancer arn causing delete conflict - For IAM server certificate. * Use regex for lb name. * Edits for hashicorp#2533 * r/aws_sqs_queue_policy: Support import by queue URL (hashicorp#2544) * Update CHANGELOG.md * r/aws_elasticsearch_domain: Add LogPublishingOption (hashicorp#2285) * WIP * Add enabled * Use cwl policy * Reflect reviews * Update CHANGELOG.md * Add force_destroy field to aws_athena_database (hashicorp#2363) * Add force_destroy field to aws_athena_database. Fixes hashicorp#2362. * Remove unnecessary import. * Code review feedback * Update CHANGELOG.md * Add more example and missing field * New Resource: aws_media_store_container (hashicorp#2448) * New Resource: aws_media_store_container * Reflect reviews * remove policy * Update CHANGELOG.md * Add Redis AUTH, in-transit and at-rest encryption (hashicorp#2090) * add AUTH, at-rest and in-transit encryption to Elasticache replication groups * add _enabled to transit/at_rest encyrption parameters * added one more _enabled * move validateAwsElastiCacheReplicationGroupAuthToken to aws/validators.go, as well as tests * set auth_token to nil during Reads * update Replication Group encryption acceptance tests to use config functions instead of vars * Fix whitespacing (tabs -> spaces) * docs/elasticache_replication_group: Add missing fields * Update CHANGELOG.md * r/aws_dynamodb_table: Ensure ttl is properly read (hashicorp#2452) * r/aws_dynamodb_table: Ensure ttl is properly read * r/aws_dynamodb_table: hashicorp#2452 review updates * Add timeToLiveOutput.TimeToLiveDescription nil check * Simplify logic to d.Set ttl * Update CHANGELOG.md * Bump aws-sdk-go to v.1.12.45 * New Resource: PublicDnsNamespace (hashicorp#2569) * WIP * Add test, docs * Reflect reviews * Modify error handling * Update CHANGELOG.md * New Resource: ServiceDiscovery PrivateDNS Namespace (hashicorp#2589) * New Resource: service_discovery_private_dns_namespace * Reflect reviews * Update CHANGELOG.md
|
Hooray!! |
bflad
added
the
service/elasticache
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked and limited conversation to collaborators
AWS announced support for
AUTH, in-transit and at-rest encryption. This aims to add that to terraform!