diff --git a/aws/resource_aws_efs_file_system.go b/aws/resource_aws_efs_file_system.go
index 2ae4045a9bf..a0f5a59b6fd 100644
--- a/aws/resource_aws_efs_file_system.go
+++ b/aws/resource_aws_efs_file_system.go
@@ -1,6 +1,7 @@
 package aws

 import (
+ "errors"
 "fmt"
 "log"
 "time"
@@ -91,15 +92,19 @@ func resourceAwsEfsFileSystemCreate(d *schema.ResourceData, meta interface{}) er
 createOpts.PerformanceMode = aws.String(v.(string))
 }

- if v, ok := d.GetOk("encrypted"); ok {
- createOpts.Encrypted = aws.Bool(v.(bool))
+ encrypted, hasEncrypted := d.GetOk("encrypted")
+ kmsKeyId, hasKmsKeyId := d.GetOk("kms_key_id")
+
+ if hasEncrypted {
+ createOpts.Encrypted = aws.Bool(encrypted.(bool))
 }

- if v, ok := d.GetOk("kms_key_id"); ok {
- createOpts.KmsKeyId = aws.String(v.(string))
- if !aws.BoolValue(createOpts.Encrypted) {
- return fmt.Errorf("[ERROR] encrypted must be set to true when kms_key_id is specified")
- }
+ if hasKmsKeyId {
+ createOpts.KmsKeyId = aws.String(kmsKeyId.(string))
+ }
+
+ if encrypted == false && hasKmsKeyId {
+ return errors.New("encrypted must be set to true when kms_key_id is specified")
 }

 log.Printf("[DEBUG] EFS file system create options: %#v", *createOpts)
diff --git a/aws/resource_aws_efs_file_system_test.go b/aws/resource_aws_efs_file_system_test.go
index a928d3eeb2b..c003fd79257 100644
--- a/aws/resource_aws_efs_file_system_test.go
+++ b/aws/resource_aws_efs_file_system_test.go
@@ -171,7 +171,7 @@ func TestAccAWSEFSFileSystem_pagedTags(t *testing.T) {
 })
 }

-func TestAccAWSEFSFileSystem_KmsKey(t *testing.T) {
+func TestAccAWSEFSFileSystem_kmsKey(t *testing.T) {
 rInt := acctest.RandInt()
 keyRegex := regexp.MustCompile("^arn:aws:([a-zA-Z0-9\\-])+:([a-z]{2}-[a-z]+-\\d{1})?:(\\d{12})?:(.*)$")
 resource.Test(t, resource.TestCase{
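Review bot: In the second hunk of aws/resource_aws_efs_file_system.go, the guard `if encrypted == false && hasKmsKeyId` compares the `interface{}` returned by `d.GetOk` with a bool literal, so it fires only when that interface holds a typed `false`; a nil or differently typed value would make the comparison false and let a `kms_key_id` through without encryption. Reading the typed value makes the intent explicit: `if hasKmsKeyId && !d.Get("encrypted").(bool) {`. The two option assignments above the guard also run before the configuration is rejected, which looks harmless here, but the guard would read better ahead of them. The local `kmsKeyId` would be `kmsKeyID` under Go's initialism convention. The function body starts and ends outside the hunk, so the API call that consumes `createOpts` is not visible.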
@@ -182,22 +182,30 @@ func TestAccAWSEFSFileSystem_KmsKey(t *testing.T) {
 {
 Config: testAccAWSEFSFileSystemConfigWithKmsKey(rInt),
 Check: resource.ComposeTestCheckFunc(
- resource.TestMatchResourceAttr(
- "aws_efs_file_system.foo-with-kms",
- "kms_key_id",
- keyRegex,
- ),
- resource.TestCheckResourceAttr(
- "aws_efs_file_system.foo-with-kms",
- "encrypted",
- "true",
- ),
+ resource.TestMatchResourceAttr("aws_efs_file_system.foo-with-kms", "kms_key_id", keyRegex),
+ resource.TestCheckResourceAttr("aws_efs_file_system.foo-with-kms", "encrypted", "true"),
 ),
 },
 },
 })
 }

+func TestAccAWSEFSFileSystem_kmsConfigurationWithoutEncryption(t *testing.T) {
+ rInt := acctest.RandInt()
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckEfsFileSystemDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAWSEFSFileSystemConfigWithKmsKeyNoEncryption(rInt),
+ ExpectError: regexp.MustCompile(`encrypted must be set to true when kms_key_id is specified`),
+ },
+ },
+ })
+}
+
 func testAccCheckEfsFileSystemDestroy(s *terraform.State) error {
 conn := testAccProvider.Meta().(*AWSClient).efsconn
 for _, rs := range s.RootModule().Resources {
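Review bot: The new negative test `TestAccAWSEFSFileSystem_kmsConfigurationWithoutEncryption` exercises only an explicit `encrypted = false` (its config, `testAccAWSEFSFileSystemConfigWithKmsKeyNoEncryption`, is added in the following hunk); a configuration that sets `kms_key_id` and leaves `encrypted` out is not covered. That omitted case is the one most likely to be written by accident, and it appears to reach the same guard in the create function, so a second step pinning the error is cheap regression cover. The helper name in the sketch below is a proposal, not something already in the file.

```go
// … unchanged: step using testAccAWSEFSFileSystemConfigWithKmsKeyNoEncryption …
			{
				// kms_key_id set, encrypted left out entirely
				Config:      testAccAWSEFSFileSystemConfigWithKmsKeyEncryptedOmitted(rInt),
				ExpectError: regexp.MustCompile(`encrypted must be set to true when kms_key_id is specified`),
			},

// proposed helper, placed next to testAccAWSEFSFileSystemConfigWithKmsKeyNoEncryption
func testAccAWSEFSFileSystemConfigWithKmsKeyEncryptedOmitted(rInt int) string {
	return fmt.Sprintf(`
resource "aws_kms_key" "foo" {
  description = "Terraform acc test %d"
}

resource "aws_efs_file_system" "foo-with-kms" {
  kms_key_id = "${aws_kms_key.foo.arn}"
}
`, rInt)
}
```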
@@ -382,13 +390,26 @@ resource "aws_efs_file_system" "foo-with-performance-mode" {

 func testAccAWSEFSFileSystemConfigWithKmsKey(rInt int) string {
 return fmt.Sprintf(`
- resource "aws_kms_key" "foo" {
- description = "Terraform acc test %d"
- }
+resource "aws_kms_key" "foo" {
+ description = "Terraform acc test %d"
+}

- resource "aws_efs_file_system" "foo-with-kms" {
- encrypted = true
- kms_key_id = "${aws_kms_key.foo.arn}"
- }
- `, rInt)
+resource "aws_efs_file_system" "foo-with-kms" {
+ encrypted = true
+ kms_key_id = "${aws_kms_key.foo.arn}"
+}
+`, rInt)
+}
+
+func testAccAWSEFSFileSystemConfigWithKmsKeyNoEncryption(rInt int) string {
+ return fmt.Sprintf(`
+resource "aws_kms_key" "foo" {
+ description = "Terraform acc test %d"
+}
+
+resource "aws_efs_file_system" "foo-with-kms" {
+ encrypted = false
+ kms_key_id = "${aws_kms_key.foo.arn}"
+}
+`, rInt)
 }