
Managing encryption at rest using IAM roles fails #382

Closed
awasilyev opened this issue Jan 15, 2021 · 2 comments
Comments

@awasilyev

Hi.
It was mentioned in https://support.mongodb.com/case/00734936 that it is possible to configure encryption at rest with IAM roles using the latest provider version. I am getting errors when trying to do that.

Terraform CLI and Terraform MongoDB Atlas Provider Version

Terraform v0.13.4
Provider version 0.8.0-rc.1

Terraform Configuration File

resource "mongodbatlas_encryption_at_rest" "this" {
  project_id = mongodbatlas_project.this.id

  aws_kms = {
    enabled = true
    #access_key_id          = var.aws_access_key_id
    #secret_access_key      = var.aws_secret_access_key
    customer_master_key_id = var.customer_managed_key_id
    region                 = var.region_name
  }
  azure_key_vault = {
    enabled = false
  }

  google_cloud_kms = {
    enabled = false
  }
}

resource "mongodbatlas_cloud_provider_access" "this" {
  count      = var.enable_encryption_at_rest ? 1 : 0
  project_id = mongodbatlas_project.this.id
  provider_name        = "AWS"
  iam_assumed_role_arn = module.iam_role.arn
}

Steps to Reproduce

terraform init; terraform apply

Expected Behavior

Encryption at rest is configured.

Actual Behavior

Terraform fails.
If no AWS keys are passed, it fails with:

Error: error creating Encryption At Rest: PATCH https://cloud.mongodb.com/api/atlas/v1.0/groups/60003ba7e76e13078dc934ec/encryptionAtRest: 400 (request "MISSING_ATTRIBUTE") The required attribute accessKeyID was not specified.

  on ../../../devops-tf-atlas-mongodb/modules/project/main.tf line 43, in resource "mongodbatlas_encryption_at_rest" "this":
  43: resource "mongodbatlas_encryption_at_rest" "this" {

Error: error updating cloud provider access PATCH https://cloud.mongodb.com/api/atlas/v1.0/groups/60003ba7e76e13078dc934ec/cloudProviderAccess/6001b929198813622c28c3ac: 400 (request "INVALID_ATTRIBUTE") Invalid attribute iamAssumedRoleArn specified.

If AWS keys are passed, it fails with:

Error: error creating Encryption At Rest: PATCH https://cloud.mongodb.com/api/atlas/v1.0/groups/60003ba7e76e13078dc934ec/encryptionAtRest: 400 (request "AWS_KMS_CREDENTIALS_AUTH_DEPRECATED") Credentials based authentication is no longer supported for AWS KMS.

Debug Output

Crash Output

Additional Context

References

@nikhil-mongo
Collaborator

@awasilyev Please use role_id in the aws_kms section of the code as below:

resource "mongodbatlas_encryption_at_rest" "this" {
  project_id = mongodbatlas_project.this.id

  aws_kms = {
    enabled = true
    #access_key_id          = var.aws_access_key_id
    #secret_access_key      = var.aws_secret_access_key
    customer_master_key_id = var.customer_managed_key_id
    region                 = var.region_name
    # returned as an attribute by resource "mongodbatlas_cloud_provider_access" "this";
    # that resource uses count, so it is indexed here
    role_id                = mongodbatlas_cloud_provider_access.this[0].role_id
  }
  azure_key_vault = {
    enabled = false
  }

  google_cloud_kms = {
    enabled = false
  }
}

resource "mongodbatlas_cloud_provider_access" "this" {
  count                = var.enable_encryption_at_rest ? 1 : 0
  project_id           = mongodbatlas_project.this.id
  provider_name        = "AWS"
  iam_assumed_role_arn = module.iam_role.arn
}

role_id - ID of an AWS IAM role authorized to manage an AWS customer master key. To find the ID for an existing IAM role, check the role_id attribute of the mongodbatlas_cloud_provider_access resource.

This is mentioned in the documentation and shall be released with v0.8. We have released v0.8-pre.1.

Please let us know if you are facing any issue.

@nikhil-mongo nikhil-mongo self-assigned this Jan 18, 2021
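The following is an added, complete example of the role-based wiring the comment above describes, with the AWS side included so that the role the provider registers is scoped as tightly as the feature allows. It is not code from this issue or from the mongodbatlas provider project. Assumptions: the hashicorp/aws provider is configured alongside mongodbatlas; the resource and variable names are invented for the example; the Atlas account ARN and external ID that the role's trust policy needs are the `atlas_aws_account_arn` and `atlas_assumed_role_external_id` attributes of `mongodbatlas_cloud_provider_access`, and because the single resource used in this issue only exposes them after it has been created, they are modelled here as input variables filled in from a first apply; the three KMS actions listed are the ones Atlas documents as required for encryption at rest.

```hcl
# Added example (not the issue's or the provider's code): Atlas encryption at
# rest with an IAM role instead of static access keys. Names and policy
# details are assumptions for illustration.

variable "project_id" {}
variable "region_name" {}

# Atlas-side identity that will assume the role. Assumed to come from the
# atlas_aws_account_arn / atlas_assumed_role_external_id attributes of
# mongodbatlas_cloud_provider_access after a first apply.
variable "atlas_aws_account_arn" {}
variable "atlas_assumed_role_external_id" {}

# Trust policy: only the Atlas AWS account may assume the role, and only when
# it presents the project-specific external ID (confused-deputy protection).
data "aws_iam_policy_document" "atlas_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [var.atlas_aws_account_arn]
    }
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.atlas_assumed_role_external_id]
    }
  }
}

resource "aws_iam_role" "atlas_kms" {
  name               = "atlas-encryption-at-rest"
  assume_role_policy = data.aws_iam_policy_document.atlas_trust.json
}

# Customer-managed key with rotation on and a recovery window before deletion.
resource "aws_kms_key" "atlas" {
  description             = "Atlas encryption at rest"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

# Least privilege: exactly the KMS actions Atlas needs, on this one key only.
data "aws_iam_policy_document" "atlas_kms" {
  statement {
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"]
    resources = [aws_kms_key.atlas.arn]
  }
}

resource "aws_iam_role_policy" "atlas_kms" {
  name   = "atlas-kms-access"
  role   = aws_iam_role.atlas_kms.id
  policy = data.aws_iam_policy_document.atlas_kms.json
}

# Register the role with Atlas. Its role_id attribute is what
# mongodbatlas_encryption_at_rest consumes in place of access keys.
resource "mongodbatlas_cloud_provider_access" "this" {
  project_id           = var.project_id
  provider_name        = "AWS"
  iam_assumed_role_arn = aws_iam_role.atlas_kms.arn
}

resource "mongodbatlas_encryption_at_rest" "this" {
  project_id = var.project_id

  aws_kms = {
    enabled                = true
    customer_master_key_id = aws_kms_key.atlas.key_id
    region                 = var.region_name
    role_id                = mongodbatlas_cloud_provider_access.this.role_id
  }
  azure_key_vault  = { enabled = false }
  google_cloud_kms = { enabled = false }
}
```

No long-lived access key or secret appears anywhere in state or variables; the only secret-like value is the external ID, which by itself grants nothing without the trust relationship. Because the trust policy depends on values Atlas returns for the registration, the first `terraform apply` creates the registration and the second applies the role ARN; the later split of this resource into a setup and an authorization step exists to make that ordering explicit.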
@themantissa
Collaborator

v0.8.0 is still in pre-release (you can see the latest versions on the main repo site and in the Terraform registry are both still 0.7.0) - v0.8.0 is still marked pre-release in the repo as per our normal process (we have also changed the name to reflect this as well). We plan to have 0.8.0 out shortly but are still working out a few issues to ensure it's ready. It will be fully released with a guide soon.
