Enabling encryption at rest with any provider for a Cluster will throw error #517

Closed
robbertkauffman opened this issue Aug 17, 2021 · 6 comments
@robbertkauffman
Contributor

robbertkauffman commented Aug 17, 2021

Terraform CLI and Terraform MongoDB Atlas Provider Version

Terraform 1.0.4
Provider 1.0.0

Terraform Configuration File

# Copy-paste your configuration info here
terraform {
  required_providers {
    mongodbatlas = {
      source  = "mongodb/mongodbatlas"
      version = "1.0.0"
    }
  }
}

resource "mongodbatlas_cluster" "iac_cluster" {
  project_id   = var.project_id
  name         = var.cluster_name
  cluster_type = "REPLICASET"
  replication_specs {
    num_shards = 1
    regions_config {
      region_name     = var.region
      electable_nodes = var.electable_nodes
      priority        = var.region_priority
      read_only_nodes = var.read_only_nodes
      analytics_nodes = var.analytics_nodes
    }
  }

  provider_name               = var.cloud_provider
  provider_instance_size_name = var.cluster_tier
  provider_disk_type_name     = var.disk_size

  mongo_db_major_version = var.major_version

  provider_backup_enabled = var.provider_backup_enabled
  pit_enabled             = var.pit_enabled

  encryption_at_rest_provider = "AZURE"
}

resource "mongodbatlas_encryption_at_rest" "key_vault" {
  project_id = var.atlas_project_id

  azure_key_vault = {
    enabled             = true
    client_id           = var.azure_keyvault_accesspolicy_principal_appid 
    azure_environment   = "AZURE"
    subscription_id     = var.azure_subscription
    resource_group_name = var.azure_rg
    key_vault_name      = var.azure_key_vault_name 
    key_identifier      = var.azure_key_identifier
    secret              = var.azure_authentication_secret
    tenant_id           = var.azure_tenant_id
  }
}

The above assumes Azure Key Vault is already created and Encryption at Rest is already configured at the project-level in Atlas. Happy to share the full script which creates these resources as well if relevant.

Steps to Reproduce

  1. terraform init
  2. terraform apply

Expected Behavior

Should have applied the plan successfully. The same TF script works without any issues on 0.8.2 and 0.9.1.

Actual Behavior

Terraform throws an error when setting encryption at rest for the cluster:

│ Error: error setting `azure_key_vault_config` for Encryption At Rest (5beae24579358e0ae95492af): azure_key_vault_config.0.enabled: '' expected type 'bool', got unconvertible type 'string'
│ 
│   with module.atlas_project.mongodbatlas_encryption_at_rest.key_vault,
│   on modules/atlas_projects/atlas_projects.tf line 24, in resource "mongodbatlas_encryption_at_rest" "key_vault":
│   24: resource "mongodbatlas_encryption_at_rest" "key_vault" {

I have tried switching to the new syntax (azure_key_vault_config instead of azure_key_vault) but this led to the same outcome. Since this error didn't occur with the exact same TF scripts on previous versions, I highly suspect it's a bug with the provider.

Additional Context

I have tried the new style config:

resource "mongodbatlas_encryption_at_rest" "key_vault" {
  azure_key_vault_config {
    enabled             = true
    ...

But it also fails with the old style config:

resource "mongodbatlas_encryption_at_rest" "key_vault" {
  azure_key_vault = {
    enabled             = true
    ...

Oddly enough, the error isn't thrown until it actually starts applying the changes. Syntax errors (if this would be a syntax error like the error implies) are usually thrown at start when reading the script to create the plan. Additionally, after this error is thrown it doesn't allow me to run terraform destroy to 'revert' the changes as it throws the same error again and aborts.

@themantissa
Collaborator

Already reported internally, issue known and will be fixed by internal ticket INTMDB-243. Expect in 1.0.1 bug fix release.

@themantissa changed the title from "Enabling encryption at rest with Azure Key Vault for a Cluster will throw error" to "Enabling encryption at rest with any provider for a Cluster will throw error" Aug 18, 2021

@nleite

nleite commented Aug 24, 2021

@themantissa any ETA on the 1.0.1 release?

@themantissa
Collaborator

@nleite we are working to get this out ASAP so hopefully quite soon.

@narun4sk

Just to raise awareness: we are also affected by the same bug on AWS.

@themantissa themantissa linked a pull request Aug 31, 2021 that will close this issue
@themantissa
Collaborator

We have a pre-release of 1.0.1 ready - we'll release the GA version tomorrow. If you have time to try it out before then it's here: https://github.com/mongodb/terraform-provider-mongodbatlas/releases/tag/v1.0.1-pre.1

@themantissa
Collaborator

Fixed in recent release 1.0.1
