Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: Encryption at rest return inconsistent plan when setting secret access key #1529

Merged
merged 1 commit into from
Oct 16, 2023

Conversation

andreaangiolillo
Copy link
Collaborator

@andreaangiolillo andreaangiolillo commented Oct 16, 2023

Description

Ticket: INTMDB-1202
Help Ticket: HELP-50897

The encryption at rest resource returns inconsistent results after apply when the secret access key is provided

--
2023-10-16T16:05:09.424+0100 [ERROR] vertex "mongodbatlas_encryption_at_rest.mongoencrypt" error: Provider produced inconsistent result after apply
╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to mongodbatlas_encryption_at_rest.mongoencrypt, provider "provider[\"registry.terraform.io/mongodb/mongodbatlas\"]" produced an unexpected new value: .aws_kms_config[0].secret_access_key: inconsistent
│ values for sensitive attribute.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

This PR updates the logic to use the secret_access_key from the state file instead from the API response since the field is not returned.

NOTE

Credentials based authentication is no longer supported by the API, if users try to pass accessKeyID and secretAccessKey for the encryption at rest resource for a new project, they will get the following error

{
    "detail": "Credentials based authentication is no longer supported for AWS KMS.",
    "error": 400,
    "errorCode": "AWS_KMS_CREDENTIALS_AUTH_DEPRECATED",
    "parameters": [],
    "reason": "Bad Request"
}

The Atlas team made the decision to allow customers to keep providing these credentials if the project was already using them to allow them to migrate to the new IAM role-based. As a result, if the user was already providing those credentials, they will still be able to do so. New projects will get the error instead. This is why there are no acceptance tests defined and the terraform documentation does not include a test about it. (code mms/NDSUISvc.java

    // Prevent credentials in a request when creds are not currently
    // in use.  Allow users with creds to keep using them until they switch
    if (!hasExistingCreds && hasCredentialsInRequest) {
      throw new SvcException(NDSErrorCode.AWS_KMS_CREDENTIALS_AUTH_DEPRECATED);
    }

Unfortunately, we cannot deprecate the fields as long as they are supported in the API.

How did I reproduce the issue

I ran Atlas locally and removed the validation in mms/NDSUISvc.java

Type of change:

  • Bug fix (non-breaking change which fixes an issue). Please, add the "bug" label to the PR.
  • New feature (non-breaking change which adds functionality). Please, add the "enhancement" label to the PR.
  • Breaking change (fix or feature that would cause existing functionality to not work as expected). Please, add the "breaking change" label to the PR.
  • This change requires a documentation update
  • Documentation fix/enhancement

Required Checklist:

  • I have signed the MongoDB CLA
  • I have read the contribution guidelines
  • I have added tests that prove my fix is effective or that my feature works per HashiCorp requirements
  • I have added any necessary documentation (if appropriate)
  • I have run make fmt and formatted my code
  • If changes include deprecations or removals, I defined an isolated PR with a relevant title as it will be used in the auto-generated changelog.

Further comments

Next Steps

  • I am reaching out to the team owning the API to see if they plan to deprecate the fields for the API

@github-actions
Copy link
Contributor

Code Coverage

Package Line Rate Health
github.com/mongodb/terraform-provider-mongodbatlas/mongodbatlas 2%
github.com/mongodb/terraform-provider-mongodbatlas/mongodbatlas/framework/validator 68%
github.com/mongodb/terraform-provider-mongodbatlas/mongodbatlas/util 12%
Summary 3% (271 / 10291)

@andreaangiolillo andreaangiolillo marked this pull request as ready for review October 16, 2023 15:36
@andreaangiolillo andreaangiolillo requested a review from a team as a code owner October 16, 2023 15:36
Copy link
Member

@AgustinBettati AgustinBettati left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great investigation, LGTM. Would update our terraform migration issues document with this case.

@andreaangiolillo andreaangiolillo merged commit 5f51eed into master Oct 16, 2023
@andreaangiolillo andreaangiolillo deleted the INTMDB-1202 branch October 16, 2023 16:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants