confluentinc / terraform-provider-confluent

Terraform Provider for Confluent
Apache License 2.0

Add byok_key to an old cluster instead of encryption_key #398

Closed petrkarytka closed 5 months ago

petrkarytka commented 5 months ago

We used an old version (<1.36.0) of the provider when we initially deployed a couple of Confluent clusters.

There was the argument "encryption_key" up to the version 1.36.0 under the configuration block "dedicated". Later, in 1.36.0 a separate BYOK resource was introduced.

Is it possible to perform an in-place update for the existing clusters by removing "encryption_key" from the code and adding the block "byok_key" that refers to a "confluent_byok_key" resource? We cannot reproduce it with a new temporary cluster to test before moving forward; the old argument is no longer available for new clusters according to the documentation:

> Warning: At the moment, using encryption_key for creating Kafka clusters is not available. See this comment for more details.

I would appreciate any recommendations.

linouk23 commented 5 months ago

@petrkarytka thanks for creating this issue!

Unfortunately, in-place updates are not supported in TF because they are not supported at the API level.

linouk23 commented 4 months ago

@petrkarytka see https://github.com/confluentinc/terraform-provider-confluent/issues/400#issuecomment-2203934955 for additional context, namely,

  1. Remove the encryption_key attribute from the confluent_kafka_cluster resource. Users won't have to recreate the cluster, but the confluent_kafka_cluster resource definition might look a bit misleading, as there will be no references to encryption_key / byok_key.

linouk23 commented 4 months ago

@petrkarytka there's an update from our side: we talked to the backend team, and we're considering reverting our deprecation change. More specifically:

When creating new Kafka clusters, you should use the byok_key[0].id attribute instead of the dedicated[0].encryption_key attribute, since the latter is no longer supported in the Confluent Cloud API's POST cmk/v2/clusters request.

However, for existing instances of the confluent_kafka_cluster resource, dedicated[0].encryption_key is still supported as a read-only attribute.

In short, your existing instances of the confluent_kafka_cluster resource will not require any updates when using the v2.0.0 version of the TF Provider, and you'll no longer see deprecation messages. Let us know if that helps!

petrkarytka commented 4 months ago

> In short, your existing instances of the confluent_kafka_cluster resource will not require any updates when using the v2.0.0 version of the TF Provider, and you'll no longer see deprecation messages. Let us know if that helps!

@linouk23 thank you for the update, that's definitely better, although it doesn't resolve our issue completely because we are using Terraform modules and will have to support two versions of the module for the Kafka cluster (one with encryption_key, one with byok_key). Unfortunately, some clusters with the 'encryption_key' are already in production and cannot be redeployed.