Closed andrew-raczka closed 3 years ago
Hello @andrew-raczka, thanks for reaching out. So, reading the documentation, the parameter is optional but required to use encryption at rest.
Letting @themantissa and @nikhil-mongo comment from a product perspective :)
The parameter is required if the cluster is to be encrypted at rest w/ the customer key. It is marked as optional since it's not required to create a cluster. It is required regardless of how cloud provider access is applied - which is a resource about IAM roles, not specifically encryption at rest - what causes it to be required is the mongodbatlas_encryption_at_rest resource. Hope that helps clear it up.
@themantissa I have not seen this to be the case. I've previously run the two-step apply for cloud provider access followed by creating the mongodbatlas_encryption_at_rest resource without encryption_at_rest_provider = "AWS" in the mongodbatlas_cluster resource and encryption was turned on successfully.
@andrew-raczka as far as I'm aware nothing has changed and this has always been the case. If you've seen otherwise I'm not sure why you did.
Terraform CLI and Terraform MongoDB Atlas Provider Version
Terraform Configuration File
Steps to Reproduce
Expected Behavior
The cluster should be encrypted.
Actual Behavior
The cluster is not encrypted.
Additional Context
When using the two-apply method to deploy cloud provider access and encryption, the officially documented steps work as intended when enabling CMEK encryption. When using the single-apply method, the encryption_at_rest_provider must be set within the mongodbatlas_cluster resource for CMEK encryption to be enabled. This attribute is not required and/or set by default with the two-apply method.
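A pre-apply check for the gap described in this issue, added here as an example that is not part of the original thread or the provider's code: it reads `terraform show -json` plan output and lists mongodbatlas_cluster resources that lack encryption_at_rest_provider while the same plan manages mongodbatlas_encryption_at_rest. The sample plan, the placeholder project ID and the function names are constructed, and treating "NONE" the same as unset is an assumption.

```python
import json

# Constructed sample: a trimmed `terraform show -json <planfile>` document.
SAMPLE_PLAN = json.loads("""
{
  "planned_values": {"root_module": {
    "resources": [
      {"address": "mongodbatlas_encryption_at_rest.cmek",
       "type": "mongodbatlas_encryption_at_rest",
       "values": {"project_id": "PROJECT_ID_PLACEHOLDER"}},
      {"address": "mongodbatlas_cluster.no_provider",
       "type": "mongodbatlas_cluster",
       "values": {"project_id": "PROJECT_ID_PLACEHOLDER", "name": "a"}}
    ],
    "child_modules": [{
      "resources": [
        {"address": "module.db.mongodbatlas_cluster.with_provider",
         "type": "mongodbatlas_cluster",
         "values": {"project_id": "PROJECT_ID_PLACEHOLDER",
                    "encryption_at_rest_provider": "AWS"}}
      ]}]
  }}
}
""")

def walk(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def unencrypted_clusters(plan):
    """Return addresses of clusters that would not request the customer key.

    Reports only when the plan also manages mongodbatlas_encryption_at_rest,
    i.e. when CMEK is clearly intended for the deployment.
    """
    resources = list(walk(plan.get("planned_values", {}).get("root_module", {})))
    if not any(r["type"] == "mongodbatlas_encryption_at_rest" for r in resources):
        return []
    # Attributes left unset (or unknown until apply) are absent or null here.
    # Assumption: an explicit "NONE" is equivalent to leaving it unset.
    return [r["address"] for r in resources
            if r["type"] == "mongodbatlas_cluster"
            and (r.get("values") or {}).get("encryption_at_rest_provider") in (None, "NONE")]

if __name__ == "__main__":
    for address in unencrypted_clusters(SAMPLE_PLAN):
        print(f"{address}: encryption_at_rest_provider not set")
```

Run against a saved plan in CI, a non-empty result can fail the pipeline before a single-apply deployment creates a cluster without the customer key.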