Open rymancl opened 1 year ago
Voting for Prioritization
Volunteering to Work on This Issue
Thanks for taking the time to split this off @rymancl 🎉 I wanted to leave a couple of notes based on the research I did on #28321.
The older issue was more specifically that toggling encrypt_at_rest.enabled
from false
to true
would trigger replacement under certain circumstances (mainly in the aws_elasticsearch_domain
resource), which is why we broke this issue out; this replacement is being caused by aws_opensearch_domain.foo.encrypt_at_rest.kms_key_id
.
The kms_key_id
argument is currently ForceNew
, however, there seems to be some inconsistency that we need to look at to determine if that's appropriate. My findings below:
The opensearchservice.UpdateDomainConfigInput
type has a EncryptionAtRestOptions
field, which seems to indicate that this can be enabled without recreation. This is backed up by AWS' Encryption of data at rest for Amazon OpenSearch Service document, which has a reference API call to enable encryption at rest:
You can also enable encryption through the configuration API. The following request enables encryption of data at rest on an existing domain:
{
"ClusterConfig":{
"EncryptionAtRestOptions":{
"Enabled": true,
"KmsKeyId":"arn:aws:kms:us-east-1:123456789012:alias/my-key"
}
}
}
However, while the API documentation for UpdateDomainConfig
also lists the EncryptionAtRestOptions
object, it's documentation states:
Specifies whether the domain should encrypt data at rest, and if so, the Key Management Service (KMS) key to use. Can be used only to create a new domain, not update an existing one.
It's unclear to me whether this should be ForceNew
or can be updated in place; I'll leave this open and marked as a bug until we're able to investigate further.
In order to help test this a bit, I created two new domains that match my existing one.
test-encryption
in which I'll try to enable encryption at rest [for the first time] via the consoletest-encryption-cli
in which I'll try to enable encryption at rest [for the first time] via the AWS CLIVia console, it let me add encryption at rest without issue.
Via CLI, it let me add encryption at rest without issue.
aws opensearch update-domain-config --domain-name test-encryption-cli --encryption-at-rest-options Enabled=true,KmsKeyId=REDACTED --profile dev
Interestingly, both of these do show a step for "Creating a new environment".
However, the cluster health always stays green. I suspect this is doing a sort of in-place migration to a new cluster/nodes, whereas what the TF provider is trying to do is actually destroy the domain and make a new one. That would have downtime but the AWS ways do not.
I'm also not sure if any of this logic differs with the Go SDK.
But I suspect that ForceNew
is only needed when encrypt_at_rest.enabled
is already set as true
in state. That implies the domain data is already encrypted and you're re-encrypting with a new key; this jives with the messages presented by AWS when enabling encryption-at-rest for the first time:
Encryption will be enabled Once node-to-node encryption and/or encryption of data at rest are enabled, you will no longer be able to disable or modify them. Enabling encryption may have an impact on performance.
Let me know if I can test any other scenarios. Thanks!
And just to confirm, if I don't set kms_key_id
it does not try to recreate the resource.
Terraform Core Version
v1.4.6
AWS Provider Version
v5.1.0
Affected Resource(s)
Expected Behavior
Enabling encryption at rest for the first time on a domain should not require recreating it
Actual Behavior
Enabling encryption at rest for the first time on a domain is causing Terraform to recreate the resource
Relevant Error/Panic Output Snippet
No response
Terraform Configuration Files
Steps to Reproduce
encrypt_at_rest.enabled
totrue
for the first timeDebug Output
Panic Output
No response
Important Factoids
Also tested on
This happens for both
aws_opensearch_domain
&aws_elasticsearch_domain
.References
Similar to #28321
Would you like to implement a fix?
No