Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

EKS supports adding KMS envelope encryption to existing clusters #19144

Merged
merged 20 commits into from
Jun 23, 2021

Conversation

voidlily
Copy link
Contributor

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Closes #17952

References

https://aws.amazon.com/about-aws/whats-new/2021/03/amazon-eks-supports-adding-kms-envelope-encryption-to-existing-clusters/

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccXXX'

...

@voidlily voidlily requested a review from a team as a code owner April 28, 2021 19:39
@ghost ghost added size/XS Managed by automation to categorize the size of a PR. service/eks Issues and PRs that pertain to the eks service. labels Apr 28, 2021
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Apr 28, 2021
@voidlily voidlily force-pushed the eks-update-encryption-config branch from 9bfe731 to 41a2479 Compare April 28, 2021 19:39
@voidlily
Copy link
Contributor Author

voidlily commented May 3, 2021

I'm currently trying to test my changes on existing resources I have and for some reason I haven't figured out yet, adding an encryption config is showing in the plan it wants to recreate all the resources that depend on the cluster id, so I'm still working that part out

@voidlily
Copy link
Contributor Author

voidlily commented May 3, 2021

I tested this locally and it seems like it mostly works properly

When I made any changes to the kms key including tags, it would cause k8s resources to be recreated. I'm not sure why that is, but it only seems to happen when I make changes to kms related things. It may be the issue with the k8s provider depending on attributes from the eks cluster, or it may be something else, but I was able to work around with terraform plan -target on the kms related changes I was testing with.

@voidlily
Copy link
Contributor Author

voidlily commented May 5, 2021

I think my previous comment on random unexpected changes may have been a false alarm and just an ami update on my worker nodes

@js-timbirkett
Copy link

This is something that I'm waiting for until we enable encryption on our EKS clusters... one thing that I'd ask is how this would react if the key were changed? I'm not sure how EKS reacts at the moment when you change a KMS key out on a running cluster (or if it's possible).

@js-timbirkett
Copy link

js-timbirkett commented May 11, 2021

On enabling KMS encryption on a cluster through the UI:

This action cannot be undone
Once enabled, secrets encryption cannot be modified or removed.

Interesting. Not sure how that should be handled in the AWS provider... You can add it without re-creation, but you may not delete or change it without re-creation 🤔

@sidewinder12s
Copy link

On enabling KMS encryption on a cluster through the UI:

This action cannot be undone
Once enabled, secrets encryption cannot be modified or removed.

Interesting. Not sure how that should be handled in the AWS provider... You can add it without re-creation, but you may not delete or change it without re-creation 🤔

The AWS docs also note that if the KMS key is deleted, the cluster will be put in a degraded state with no recovery possible.

voidlily and others added 19 commits June 18, 2021 10:16
…ars' test (hashicorp#13826).

Acceptance test output:

% make testacc TEST=./aws TESTARGS='-run=TestAccAWSEksCluster_basic\|TestAccAWSEksCluster_disappears'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSEksCluster_basic\|TestAccAWSEksCluster_disappears -timeout 180m
=== RUN   TestAccAWSEksCluster_basic
=== PAUSE TestAccAWSEksCluster_basic
=== RUN   TestAccAWSEksCluster_disappears
=== PAUSE TestAccAWSEksCluster_disappears
=== CONT  TestAccAWSEksCluster_basic
=== CONT  TestAccAWSEksCluster_disappears
--- PASS: TestAccAWSEksCluster_basic (673.27s)
--- PASS: TestAccAWSEksCluster_disappears (681.94s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	685.380s
Acceptance test output:

% make testacc TEST=./aws TESTARGS='-run=TestAccAWSEksCluster_EncryptionConfig_Update'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSEksCluster_EncryptionConfig_Update -timeout 180m
=== RUN   TestAccAWSEksCluster_EncryptionConfig_Update
=== PAUSE TestAccAWSEksCluster_EncryptionConfig_Update
=== CONT  TestAccAWSEksCluster_EncryptionConfig_Update
--- PASS: TestAccAWSEksCluster_EncryptionConfig_Update (3710.17s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	3713.264s
@ewbankkit ewbankkit force-pushed the eks-update-encryption-config branch from f6e63ea to d0c797c Compare June 21, 2021 14:11
@github-actions github-actions bot added service/amplify Issues and PRs that pertain to the amplify service. service/ec2 Issues and PRs that pertain to the ec2 service. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. size/XL Managed by automation to categorize the size of a PR. and removed size/XS Managed by automation to categorize the size of a PR. labels Jun 21, 2021
@ewbankkit ewbankkit removed needs-triage Waiting for first response or review from a maintainer. service/amplify Issues and PRs that pertain to the amplify service. service/ec2 Issues and PRs that pertain to the ec2 service. labels Jun 21, 2021
@github-actions github-actions bot added service/amplify Issues and PRs that pertain to the amplify service. service/ec2 Issues and PRs that pertain to the ec2 service. labels Jun 22, 2021
Copy link
Contributor

@ewbankkit ewbankkit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀.

--- PASS: TestAccAWSEksAddon_defaultTags_providerAndResource_duplicateTag (13.06s)
--- PASS: TestAccAWSEksClusterAuthDataSource_basic (35.66s)
--- PASS: TestAccAWSEksCluster_disappears (663.49s)
--- PASS: TestAccAWSEksClusterDataSource_basic (669.81s)
--- PASS: TestAccAWSEksAddon_ResolveConflicts (692.68s)
--- PASS: TestAccAWSEksCluster_EncryptionConfig_Create (684.23s)
--- PASS: TestAccAWSEksAddon_ServiceAccountRoleArn (709.75s)
--- PASS: TestAccAWSEksAddon_disappears (765.17s)
--- PASS: TestAccAWSEksAddon_defaultTags_providerAndResource_overlappingTag (770.80s)
--- PASS: TestAccAWSEksAddon_defaultAndIgnoreTags (773.99s)
--- PASS: TestAccAWSEksAddon_ignoreTags (783.60s)
--- PASS: TestAccAWSEksAddon_basic (786.96s)
--- PASS: TestAccAWSEksAddon_defaultTags_updateToResourceOnly (816.06s)
--- PASS: TestAccAWSEksAddonDataSource_basic (843.84s)
--- PASS: TestAccAWSEksAddon_Tags (845.59s)
--- PASS: TestAccAWSEksAddon_AddonVersion (862.43s)
--- PASS: TestAccAWSEksAddon_defaultTags_providerAndResource_nonOverlappingTag (872.41s)
--- PASS: TestAccAWSEksAddon_defaultTags_updateToProviderOnly (884.25s)
--- PASS: TestAccAWSEksAddon_defaultTags_providerOnly (893.72s)
--- PASS: TestAccAWSEksAddon_disappears_Cluster (981.36s)
--- PASS: TestAccAWSEksCluster_basic (1125.14s)
--- PASS: TestAccAWSEksCluster_Tags (653.81s)
--- PASS: TestAccAWSEksCluster_VpcConfig_SecurityGroupIds (687.15s)
--- PASS: TestAccAWSEksCluster_Logging (741.46s)
--- PASS: TestAccAWSEksFargateProfile_basic (1030.07s)
--- PASS: TestAccAWSEksCluster_VpcConfig_PublicAccessCidrs (1049.77s)
--- PASS: TestAccAWSEksFargateProfile_Selector_Labels (984.60s)
--- PASS: TestAccAWSEksNodeGroup_basic (977.04s)
--- PASS: TestAccAWSEksNodeGroup_Name_Generated (977.05s)
--- PASS: TestAccAWSEksFargateProfile_disappears (1065.38s)
--- PASS: TestAccAWSEksNodeGroup_NamePrefix (978.04s)
--- PASS: TestAccAWSEksNodeGroup_disappears (985.59s)
--- PASS: TestAccAWSEksFargateProfile_Multi_Profile (1100.67s)
--- PASS: TestAccAWSEksCluster_NetworkConfig_ServiceIpv4Cidr (1260.12s)
--- PASS: TestAccAWSEksFargateProfile_Tags (933.01s)
--- PASS: TestAccAWSEksCluster_VpcConfig_EndpointPublicAccess (1407.38s)
--- PASS: TestAccAWSEksNodeGroup_DiskSize (997.18s)
--- PASS: TestAccAWSEksNodeGroup_InstanceTypes_Multiple (1008.28s)
--- PASS: TestAccAWSEksNodeGroup_CapacityType_Spot (1340.83s)
--- PASS: TestAccAWSEksCluster_VpcConfig_EndpointPrivateAccess (1881.90s)
--- PASS: TestAccAWSEksNodeGroup_AmiType (1687.08s)
--- PASS: TestAccAWSEksCluster_Version (2118.06s)
--- PASS: TestAccAWSEksNodeGroup_InstanceTypes_Single (996.18s)
--- PASS: TestAccAWSEksNodeGroup_RemoteAccess_Ec2SshKey (1089.43s)
--- PASS: TestAccAWSEksNodeGroup_ScalingConfig_DesiredSize (1067.10s)
--- PASS: TestAccAWSEksNodeGroup_RemoteAccess_SourceSecurityGroupIds (1118.86s)
--- PASS: TestAccAWSEksNodeGroup_Labels (1203.31s)
--- PASS: TestAccAWSEksNodeGroup_ScalingConfig_Zero_DesiredSize_MinSize (851.72s)
--- PASS: TestAccAWSEksNodeGroup_ScalingConfig_MaxSize (1056.34s)
--- PASS: TestAccAWSEksNodeGroup_LaunchTemplate_Name (1295.48s)
--- PASS: TestAccAWSEksNodeGroup_LaunchTemplate_Id (1356.98s)
--- PASS: TestAccAWSEksNodeGroup_ScalingConfig_MinSize (1156.83s)
--- PASS: TestAccAWSEksNodeGroup_Tags (1077.66s)
--- PASS: TestAccAWSEksNodeGroup_Taints (1164.17s)
--- PASS: TestAccAWSEksNodeGroup_LaunchTemplate_Version (2019.20s)
--- PASS: TestAccAWSEksCluster_EncryptionConfig_Update (3640.80s)
--- PASS: TestAccAWSEksNodeGroup_ForceUpdateVersion (3926.33s)
--- PASS: TestAccAWSEksNodeGroup_ReleaseVersion (3926.54s)
--- PASS: TestAccAWSEksNodeGroup_Version (3896.32s)

@ewbankkit ewbankkit merged commit 8740daf into hashicorp:main Jun 23, 2021
@github-actions github-actions bot added this to the v3.47.0 milestone Jun 23, 2021
@github-actions
Copy link

This functionality has been released in v3.47.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 25, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
service/amplify Issues and PRs that pertain to the amplify service. service/ec2 Issues and PRs that pertain to the ec2 service. service/eks Issues and PRs that pertain to the eks service. size/XL Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Amazon EKS now supports adding KMS envelope encryption to existing clusters
4 participants