EKS supports adding KMS envelope encryption to existing clusters #19144
I'm currently trying to test my changes on existing resources I have, and for some reason I haven't figured out yet, adding an encryption config shows in the plan that it wants to recreate all the resources that depend on the cluster id, so I'm still working that part out.

I tested this locally and it seems like it mostly works properly. When I made any changes to the KMS key, including tags, it would cause k8s resources to be recreated. I'm not sure why that is, but it only seems to happen when I make changes to KMS-related things. It may be the issue with the k8s provider depending on attributes from the EKS cluster, or it may be something else, but I was able to work around with

I think my previous comment on random unexpected changes may have been a false alarm and just an AMI update on my worker nodes.

This is something that I'm waiting for until we enable encryption on our EKS clusters... one thing that I'd ask is how this would react if the key were changed? I'm not sure how EKS reacts at the moment when you change a KMS key out on a running cluster (or if it's possible).
On enabling KMS encryption on a cluster through the UI:
Interesting. Not sure how that should be handled in the AWS provider... You can add it without re-creation, but you may not delete or change it without re-creation 🤔

The AWS docs also note that if the KMS key is deleted, the cluster will be put in a degraded state with no recovery possible.
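The two caveats above (add-only in place, and an unrecoverable cluster if the key is deleted) in a Terraform configuration. This is an added example, not code from the PR or the provider; the resource names, role ARN and subnet ids are placeholders.

```hcl
# Added example, not from the PR. All names, ARNs and subnet ids are placeholders.
resource "aws_kms_key" "eks_secrets" {
  description             = "Envelope encryption for EKS Kubernetes secrets"
  deletion_window_in_days = 30   # longest allowed window, leaves time to cancel an accidental ScheduleKeyDeletion
  enable_key_rotation     = true

  # Deleting this key leaves the cluster degraded with no recovery,
  # so refuse to destroy it from Terraform at all.
  lifecycle {
    prevent_destroy = true
  }
}

resource "aws_eks_cluster" "example" {
  name     = "example"
  role_arn = "arn:aws:iam::123456789012:role/PLACEHOLDER-eks-cluster-role"

  vpc_config {
    subnet_ids = ["subnet-PLACEHOLDER1", "subnet-PLACEHOLDER2"]
  }

  # Adding this block to an already-created cluster is an in-place update
  # (provider v3.47.0 and later, per this PR); changing the key or removing
  # the block afterwards forces replacement of the whole cluster.
  encryption_config {
    provider {
      key_arn = aws_kms_key.eks_secrets.arn
    }
    resources = ["secrets"]
  }
}
```

Run `terraform plan` after adding the block and confirm the cluster shows as `update in-place`, not `must be replaced`, before applying.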
…ars' test (hashicorp#13826).

Acceptance test output:

```
% make testacc TEST=./aws TESTARGS='-run=TestAccAWSEksCluster_basic\|TestAccAWSEksCluster_disappears'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSEksCluster_basic\|TestAccAWSEksCluster_disappears -timeout 180m
=== RUN   TestAccAWSEksCluster_basic
=== PAUSE TestAccAWSEksCluster_basic
=== RUN   TestAccAWSEksCluster_disappears
=== PAUSE TestAccAWSEksCluster_disappears
=== CONT  TestAccAWSEksCluster_basic
=== CONT  TestAccAWSEksCluster_disappears
--- PASS: TestAccAWSEksCluster_basic (673.27s)
--- PASS: TestAccAWSEksCluster_disappears (681.94s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	685.380s
```

Acceptance test output:

```
% make testacc TEST=./aws TESTARGS='-run=TestAccAWSEksCluster_EncryptionConfig_Update'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSEksCluster_EncryptionConfig_Update -timeout 180m
=== RUN   TestAccAWSEksCluster_EncryptionConfig_Update
=== PAUSE TestAccAWSEksCluster_EncryptionConfig_Update
=== CONT  TestAccAWSEksCluster_EncryptionConfig_Update
--- PASS: TestAccAWSEksCluster_EncryptionConfig_Update (3710.17s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	3713.264s
```
LGTM 🚀.
--- PASS: TestAccAWSEksAddon_defaultTags_providerAndResource_duplicateTag (13.06s)
--- PASS: TestAccAWSEksClusterAuthDataSource_basic (35.66s)
--- PASS: TestAccAWSEksCluster_disappears (663.49s)
--- PASS: TestAccAWSEksClusterDataSource_basic (669.81s)
--- PASS: TestAccAWSEksAddon_ResolveConflicts (692.68s)
--- PASS: TestAccAWSEksCluster_EncryptionConfig_Create (684.23s)
--- PASS: TestAccAWSEksAddon_ServiceAccountRoleArn (709.75s)
--- PASS: TestAccAWSEksAddon_disappears (765.17s)
--- PASS: TestAccAWSEksAddon_defaultTags_providerAndResource_overlappingTag (770.80s)
--- PASS: TestAccAWSEksAddon_defaultAndIgnoreTags (773.99s)
--- PASS: TestAccAWSEksAddon_ignoreTags (783.60s)
--- PASS: TestAccAWSEksAddon_basic (786.96s)
--- PASS: TestAccAWSEksAddon_defaultTags_updateToResourceOnly (816.06s)
--- PASS: TestAccAWSEksAddonDataSource_basic (843.84s)
--- PASS: TestAccAWSEksAddon_Tags (845.59s)
--- PASS: TestAccAWSEksAddon_AddonVersion (862.43s)
--- PASS: TestAccAWSEksAddon_defaultTags_providerAndResource_nonOverlappingTag (872.41s)
--- PASS: TestAccAWSEksAddon_defaultTags_updateToProviderOnly (884.25s)
--- PASS: TestAccAWSEksAddon_defaultTags_providerOnly (893.72s)
--- PASS: TestAccAWSEksAddon_disappears_Cluster (981.36s)
--- PASS: TestAccAWSEksCluster_basic (1125.14s)
--- PASS: TestAccAWSEksCluster_Tags (653.81s)
--- PASS: TestAccAWSEksCluster_VpcConfig_SecurityGroupIds (687.15s)
--- PASS: TestAccAWSEksCluster_Logging (741.46s)
--- PASS: TestAccAWSEksFargateProfile_basic (1030.07s)
--- PASS: TestAccAWSEksCluster_VpcConfig_PublicAccessCidrs (1049.77s)
--- PASS: TestAccAWSEksFargateProfile_Selector_Labels (984.60s)
--- PASS: TestAccAWSEksNodeGroup_basic (977.04s)
--- PASS: TestAccAWSEksNodeGroup_Name_Generated (977.05s)
--- PASS: TestAccAWSEksFargateProfile_disappears (1065.38s)
--- PASS: TestAccAWSEksNodeGroup_NamePrefix (978.04s)
--- PASS: TestAccAWSEksNodeGroup_disappears (985.59s)
--- PASS: TestAccAWSEksFargateProfile_Multi_Profile (1100.67s)
--- PASS: TestAccAWSEksCluster_NetworkConfig_ServiceIpv4Cidr (1260.12s)
--- PASS: TestAccAWSEksFargateProfile_Tags (933.01s)
--- PASS: TestAccAWSEksCluster_VpcConfig_EndpointPublicAccess (1407.38s)
--- PASS: TestAccAWSEksNodeGroup_DiskSize (997.18s)
--- PASS: TestAccAWSEksNodeGroup_InstanceTypes_Multiple (1008.28s)
--- PASS: TestAccAWSEksNodeGroup_CapacityType_Spot (1340.83s)
--- PASS: TestAccAWSEksCluster_VpcConfig_EndpointPrivateAccess (1881.90s)
--- PASS: TestAccAWSEksNodeGroup_AmiType (1687.08s)
--- PASS: TestAccAWSEksCluster_Version (2118.06s)
--- PASS: TestAccAWSEksNodeGroup_InstanceTypes_Single (996.18s)
--- PASS: TestAccAWSEksNodeGroup_RemoteAccess_Ec2SshKey (1089.43s)
--- PASS: TestAccAWSEksNodeGroup_ScalingConfig_DesiredSize (1067.10s)
--- PASS: TestAccAWSEksNodeGroup_RemoteAccess_SourceSecurityGroupIds (1118.86s)
--- PASS: TestAccAWSEksNodeGroup_Labels (1203.31s)
--- PASS: TestAccAWSEksNodeGroup_ScalingConfig_Zero_DesiredSize_MinSize (851.72s)
--- PASS: TestAccAWSEksNodeGroup_ScalingConfig_MaxSize (1056.34s)
--- PASS: TestAccAWSEksNodeGroup_LaunchTemplate_Name (1295.48s)
--- PASS: TestAccAWSEksNodeGroup_LaunchTemplate_Id (1356.98s)
--- PASS: TestAccAWSEksNodeGroup_ScalingConfig_MinSize (1156.83s)
--- PASS: TestAccAWSEksNodeGroup_Tags (1077.66s)
--- PASS: TestAccAWSEksNodeGroup_Taints (1164.17s)
--- PASS: TestAccAWSEksNodeGroup_LaunchTemplate_Version (2019.20s)
--- PASS: TestAccAWSEksCluster_EncryptionConfig_Update (3640.80s)
--- PASS: TestAccAWSEksNodeGroup_ForceUpdateVersion (3926.33s)
--- PASS: TestAccAWSEksNodeGroup_ReleaseVersion (3926.54s)
--- PASS: TestAccAWSEksNodeGroup_Version (3896.32s)
This functionality has been released in v3.47.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
Closes #17952
References
https://aws.amazon.com/about-aws/whats-new/2021/03/amazon-eks-supports-adding-kms-envelope-encryption-to-existing-clusters/
Output from acceptance testing: