terraform-ibm-modules / terraform-ibm-icd-elasticsearch

Implements an instance of the IBM Cloud Databases for Elasticsearch service.
Apache License 2.0

ICD Elasticsearch DA configuration option without a key management system (use IBM managed encryption) #225

Closed ajainghub closed 1 month ago

ajainghub commented 1 month ago

There are several configuration items related to use of a key management system/KMS (e.g. Key Protect), but it is unclear how to provision Elasticsearch without a KMS, i.e., using only the IBM managed encryption.

It appears we just need to make this item "existing_kms_instance_crn" blank if we don't want to use KMS.

If yes, please update the tool tip description of this item to be more clear. Currently it says "If not specified, a root key is created." which is unclear.

The current tool tip text for existing_kms_instance_crn: "The CRN of a Hyper Protect Crypto Services or Key Protect instance in the same account as the Databases for Elasticsearch instance. This value is used to create an authorization policy if skip_iam_authorization_policy is false. If not specified, a root key is created."

Also need this option for use in the Gen AI RAG DA Stack: https://github.com/terraform-ibm-modules/terraform-ibm-icd-elasticsearch/issues/204

ocofaigh commented 1 month ago

The Elasticsearch standard flavor DA is secure by default and complies with fscloud requirements to have KMS encryption. If you require the default encryption, then a new quickstart variation would be required. If that's the case, you can create an issue for that, but I strongly suggest you use KMS encryption here. The genai stack creates Key Protect, and the Elasticsearch DA creates the key, so I see no issues with using KMS encryption here.
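An added example, not code from terraform-ibm-icd-elasticsearch or from either commenter, showing one way a Terraform variable declaration can make the KMS requirement discussed above explicit and remove the "just leave it blank" ambiguity. The input name existing_kms_instance_crn comes from the thread; the validation block, the regex on the CRN service segment (kms for Key Protect, hs-crypto for Hyper Protect Crypto Services) and the description wording are assumptions for illustration.

```hcl
# Added example (not the module's own variables.tf). It distinguishes
# "not specified" (null) from an empty string, so a caller who sets the
# value to "" to opt out of KMS gets a plan-time error instead of an
# unintended encryption configuration.
variable "existing_kms_instance_crn" {
  type        = string
  default     = null
  description = <<-EOT
    CRN of a Key Protect or Hyper Protect Crypto Services instance in the same
    account as the Databases for Elasticsearch instance. The instance is used to
    create a root key and, unless skip_iam_authorization_policy is true, an IAM
    authorization policy. The DA always encrypts with KMS; an empty string is
    rejected. (Description text is an assumption, not the module's own.)
  EOT

  validation {
    # Accept null, or a CRN whose service segment is kms or hs-crypto.
    # The CRN prefix layout assumed here: crn:v1:bluemix:public:<service>:...
    condition = (
      var.existing_kms_instance_crn == null ||
      can(regex("^crn:v1:bluemix:public:(kms|hs-crypto):", var.existing_kms_instance_crn))
    )
    error_message = "existing_kms_instance_crn must be null or the CRN of a Key Protect (kms) or Hyper Protect Crypto Services (hs-crypto) instance; an empty string is not a valid way to disable KMS encryption."
  }
}
```

With this declaration, `terraform plan` fails on `existing_kms_instance_crn = ""` and on a CRN for any other service, while omitting the variable entirely keeps the documented "a root key is created" path.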