From 0fd383918fdb3ca1cf1b2273aa286362922612dc Mon Sep 17 00:00:00 2001
From: Pawel Fiuto
Date: Tue, 15 Aug 2017 12:09:08 +0200
Subject: [PATCH 1/9] Add support for creation of encrypted EFS

---
 aws/resource_aws_efs_file_system.go | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/aws/resource_aws_efs_file_system.go b/aws/resource_aws_efs_file_system.go
index 445242d4d283..e540185007e7 100644
--- a/aws/resource_aws_efs_file_system.go
+++ b/aws/resource_aws_efs_file_system.go
@@ -48,6 +48,21 @@ func resourceAwsEfsFileSystem() *schema.Resource {
 ValidateFunc: validatePerformanceModeType,
 },
 
+"encrypted": {
+Type: schema.TypeBool,
+Optional: true,
+Computed: true,
+ForceNew: true,
+},
+
+"kms_key_id": {
+Type: schema.TypeString,
+Optional: true,
+Computed: true,
+ForceNew: true,
+ValidateFunc: validateArn,
+},
+
 "tags": tagsSchema(),
 },
 }
@@ -76,6 +91,14 @@ func resourceAwsEfsFileSystemCreate(d *schema.ResourceData, meta interface{}) er
 createOpts.PerformanceMode = aws.String(v.(string))
 }
 
+if v, ok := d.GetOk("encrypted"); ok {
+createOpts.Encrypted = aws.Bool(v.(bool))
+}
+
+if v, ok := d.GetOk("kms_key_id"); ok {
+createOpts.KmsKeyId = aws.String(v.(string))
+}
+
 log.Printf("[DEBUG] EFS file system create options: %#v", *createOpts)
 fs, err := conn.CreateFileSystem(createOpts)
 if err != nil {
@@ -196,6 +219,8 @@ func resourceAwsEfsFileSystemRead(d *schema.ResourceData, meta interface{}) erro
 d.Set("creation_token", fs.CreationToken)
 d.Set("performance_mode", fs.PerformanceMode)
 
+d.Set("encrypted", fs.Encrypted)
+d.Set("kms_key_id", fs.KmsKeyId)
 return nil
 }
 
From c2079fd76719c57bfa8edbaac5fe54a0a37b8421 Mon Sep 17 00:00:00 2001
From: Pawel Fiuto
Date: Tue, 15 Aug 2017 12:14:03 +0200
Subject: [PATCH 2/9] Add EFS encryption support to EFS data source

---
 aws/data_source_aws_efs_file_system.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

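Review bot: `kms_key_id` in the schema hunk takes `validateArn`, which still lets a KMS alias ARN through; the Read hunk in this file then stores `fs.KmsKeyId` exactly as the API returns it, and because the attribute is `ForceNew`, any value the service normalises to the key ARN would show as a diff that recreates the file system on every plan. I believe EFS reports the key ARN rather than echoing the input, so this is worth confirming against the API and, if so, either comparing on the resolved key or documenting that only the key ARN is accepted. As far as I recall CreateFileSystem also accepts a bare key ID and an alias name, which `validateArn` rejects; restricting to ARNs is reasonable but should be stated on the attribute, e.g. `Description: "ARN of the KMS key; key IDs and aliases are not accepted"`. The schema map in resourceAwsEfsFileSystem starts before the hunk.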
diff --git a/aws/data_source_aws_efs_file_system.go b/aws/data_source_aws_efs_file_system.go
index 014ae1353639..25566df4e52a 100644
--- a/aws/data_source_aws_efs_file_system.go
+++ b/aws/data_source_aws_efs_file_system.go
@@ -22,12 +22,20 @@ func dataSourceAwsEfsFileSystem() *schema.Resource {
 ForceNew: true,
 ValidateFunc: validateMaxLength(64),
 },
+"encrypted": {
+Type: schema.TypeBool,
+Computed: true,
+},
 "file_system_id": {
 Type: schema.TypeString,
 Optional: true,
 Computed: true,
 ForceNew: true,
 },
+"kms_key_id": {
+Type: schema.TypeString,
+Computed: true,
+},
 "performance_mode": {
 Type: schema.TypeString,
 Computed: true,
@@ -108,6 +116,8 @@ func dataSourceAwsEfsFileSystemRead(d *schema.ResourceData, meta interface{}) er
 d.Set("creation_token", fs.CreationToken)
 d.Set("performance_mode", fs.PerformanceMode)
 d.Set("file_system_id", fs.FileSystemId)
+d.Set("encrypted", fs.Encrypted)
+d.Set("kms_key_id", fs.KmsKeyId)
 return nil
 }
 
From caab805855b857ac8f246445f78bb8f1a5b4cc95 Mon Sep 17 00:00:00 2001
From: Pawel Fiuto
Date: Tue, 15 Aug 2017 13:17:01 +0200
Subject: [PATCH 3/9] Add test for EFS KMS

---
 aws/resource_aws_efs_file_system_test.go | 53 ++++++++++++++++++++++++
 1 file changed, 53 insertions(+)

diff --git a/aws/resource_aws_efs_file_system_test.go b/aws/resource_aws_efs_file_system_test.go
index 93119bb7974e..6cca44b6ba8b 100644
--- a/aws/resource_aws_efs_file_system_test.go
+++ b/aws/resource_aws_efs_file_system_test.go
@@ -3,6 +3,7 @@ package aws
 import (
 "fmt"
 "reflect"
+"regexp"
 "testing"
 
 "github.com/aws/aws-sdk-go/aws"
@@ -170,6 +171,28 @@ func TestAccAWSEFSFileSystem_pagedTags(t *testing.T) { }) } +func TestAccAWSEFSFileSystem_KmsKey(t *testing.T) { + rInt := acctest.RandInt() + keyRegex := regexp.MustCompile("^arn:aws:([a-zA-Z0-9\\-])+:([a-z]{2}-[a-z]+-\\d{1})?:(\\d{12})?:(.*)$") + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckEfsFileSystemDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSEFSFileSystemConfigWithKmsKey(rInt), + Check: resource.ComposeTestCheckFunc( + resource.TestMatchResourceAttr( + "aws_efs_file_system.foo-with-kms", + "kms_key_id", + keyRegex, + ), + ), + }, + }, + }) +} + func testAccCheckEfsFileSystemDestroy(s *terraform.State) error { conn := testAccProvider.Meta().(*AWSClient).efsconn for _, rs := range s.RootModule().Resources { @@ -351,3 +374,33 @@ resource "aws_efs_file_system" "foo-with-performance-mode" { performance_mode = "maxIO" } ` + +func testAccAWSEFSFileSystemConfigWithKmsKey(rInt int) string { + return fmt.Sprintf(` + resource "aws_kms_key" "foo" { + description = "Terraform acc test %d" + policy = < Date: Tue, 15 Aug 2017 15:08:47 +0200 Subject: [PATCH 4/9] Update docs for EFS encryption --- website/docs/d/efs_file_system.html.markdown | 5 +++-- website/docs/r/efs_file_system.html.markdown | 3 +++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/website/docs/d/efs_file_system.html.markdown b/website/docs/d/efs_file_system.html.markdown index 4441e01eb052..1a3fc70542ac 100644 --- a/website/docs/d/efs_file_system.html.markdown +++ b/website/docs/d/efs_file_system.html.markdown 
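Review bot: `keyRegex` in TestAccAWSEFSFileSystem_KmsKey is anchored on `^arn:aws:`, so the check fails in the aws-us-gov and aws-cn partitions although the resource itself works there; `^arn:aws[a-z-]*:kms:` keeps the intent across partitions and additionally pins the service, which the current pattern does not. The region group `([a-z]{2}-[a-z]+-\\d{1})?` also hard-codes a one-digit suffix, which is brittle for a test that only wants to confirm an ARN came back. The second hunk of this patch, the one adding testAccAWSEFSFileSystemConfigWithKmsKey, is truncated in this view.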
@@ -28,7 +28,7 @@ data "aws_efs_file_system" "by_id" { The following arguments are supported: * `file_system_id` - (Optional) The ID that identifies the file system (e.g. fs-ccfc0d65). -* `creation_token` - (Optional) Restricts the list to the file system with this creation token +* `creation_token` - (Optional) Restricts the list to the file system with this creation token. ## Attributes Reference @@ -36,4 +36,5 @@ The following attributes are exported: * `performance_mode` - The PerformanceMode of the file system. * `tags` - The list of tags assigned to the file system. - +* `encrypted` - Whether EFS is encrypted. +* `kms_key_id` - The ARN for the KMS encryption key. diff --git a/website/docs/r/efs_file_system.html.markdown b/website/docs/r/efs_file_system.html.markdown index c65d1322d99a..692b4eb72e71 100644 --- a/website/docs/r/efs_file_system.html.markdown +++ b/website/docs/r/efs_file_system.html.markdown @@ -39,12 +39,15 @@ default generated by Terraform. * `performance_mode` - (Optional) The file system performance mode. Can be either `"generalPurpose"` or `"maxIO"` (Default: `"generalPurpose"`). * `tags` - (Optional) A mapping of tags to assign to the file system. +* `encrypted` - (Optional) If true, the disk will be encrypted. +* `kms_key_id` - (Optional) The ARN for the KMS encryption key. When specifying kms_key_id, encrypted needs to be set to true. ## Attributes Reference The following attributes are exported: * `id` - The ID that identifies the file system (e.g. fs-ccfc0d65). +* `kms_key_id` - The ARN for the KMS encryption key. ## Import From deef469c973c17872573de254774e303f0e9da9a Mon Sep 17 00:00:00 2001 From: Pawel Fiuto Date: Thu, 17 Aug 2017 09:19:44 +0200 Subject: [PATCH 5/9] r/efs: Check if encrypted is set when we use kms --- aws/resource_aws_efs_file_system_test.go | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/aws/resource_aws_efs_file_system_test.go b/aws/resource_aws_efs_file_system_test.go
index 6cca44b6ba8b..64bc1438b1db 100644
--- a/aws/resource_aws_efs_file_system_test.go
+++ b/aws/resource_aws_efs_file_system_test.go
@@ -187,6 +187,11 @@ func TestAccAWSEFSFileSystem_KmsKey(t *testing.T) {
 "kms_key_id",
 keyRegex,
 ),
+resource.TestCheckResourceAttr(
+"aws_efs_file_system.foo-with-kms",
+"encrypted",
+"true",
+),
 ),
 },
 },
From 6f8a7a702bc4f5c0b7b494a2999e526250df314a Mon Sep 17 00:00:00 2001
From: Pawel Fiuto
Date: Thu, 17 Aug 2017 09:25:19 +0200
Subject: [PATCH 6/9] r/efs: Fix code alignment

---
 aws/resource_aws_efs_file_system_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aws/resource_aws_efs_file_system_test.go b/aws/resource_aws_efs_file_system_test.go
index 64bc1438b1db..f7fae869a88b 100644
--- a/aws/resource_aws_efs_file_system_test.go
+++ b/aws/resource_aws_efs_file_system_test.go
@@ -405,7 +405,7 @@ func testAccAWSEFSFileSystemConfigWithKmsKey(rInt int) string {
 
 resource "aws_efs_file_system" "foo-with-kms" {
 encrypted = true
-kms_key_id = "${aws_kms_key.foo.arn}"
+kms_key_id = "${aws_kms_key.foo.arn}"
 }
 `, rInt)
 }
From 22092ca1cfdc52dd282acd3fd4c99a218c72e50c Mon Sep 17 00:00:00 2001
From: Pawel Fiuto
Date: Thu, 17 Aug 2017 09:39:44 +0200
Subject: [PATCH 7/9] r/efs: Remove unnecessary IAM policy from kms test

Actually I cannot see why would we need this policy, test runs fine without it
---
 aws/resource_aws_efs_file_system_test.go | 19 +------------------
 1 file changed, 1 insertion(+), 18 deletions(-)

diff --git a/aws/resource_aws_efs_file_system_test.go b/aws/resource_aws_efs_file_system_test.go
index f7fae869a88b..a928d3eeb2bc 100644
--- a/aws/resource_aws_efs_file_system_test.go
+++ b/aws/resource_aws_efs_file_system_test.go
@@ -383,24 +383,7 @@ resource "aws_efs_file_system" "foo-with-performance-mode" { func testAccAWSEFSFileSystemConfigWithKmsKey(rInt int) string { return fmt.Sprintf(` resource "aws_kms_key" "foo" { - description = "Terraform acc test %d" - policy = < Date: Thu, 17 Aug 2017 13:08:48 +0200 Subject: [PATCH 8/9] Check if is true when kms_key_id is specified --- aws/resource_aws_efs_file_system.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/aws/resource_aws_efs_file_system.go b/aws/resource_aws_efs_file_system.go index e540185007e7..2ae4045a9bff 100644 --- a/aws/resource_aws_efs_file_system.go +++ b/aws/resource_aws_efs_file_system.go @@ -97,6 +97,9 @@ func resourceAwsEfsFileSystemCreate(d *schema.ResourceData, meta interface{}) er if v, ok := d.GetOk("kms_key_id"); ok { createOpts.KmsKeyId = aws.String(v.(string)) + if !aws.BoolValue(createOpts.Encrypted) { + return fmt.Errorf("[ERROR] encrypted must be set to true when kms_key_id is specified") + } } log.Printf("[DEBUG] EFS file system create options: %#v", *createOpts) From 8e2bd48c4bab4c4036dc09e444124d6ee871921c Mon Sep 17 00:00:00 2001 From: Ninir Date: Thu, 17 Aug 2017 22:38:09 +0200 Subject: [PATCH 9/9] Added another test acceptance for encrypted EFS --- aws/resource_aws_efs_file_system.go | 19 +++++--- aws/resource_aws_efs_file_system_test.go | 59 ++++++++++++++++-------- 2 files changed, 52 insertions(+), 26 deletions(-) diff --git a/aws/resource_aws_efs_file_system.go b/aws/resource_aws_efs_file_system.go index 2ae4045a9bff..a0f5a59b6fda 100644 --- a/aws/resource_aws_efs_file_system.go +++ b/aws/resource_aws_efs_file_system.go @@ -1,6 +1,7 @@ package aws import ( + "errors" "fmt" "log" "time" 
@@ -91,15 +92,19 @@ func resourceAwsEfsFileSystemCreate(d *schema.ResourceData, meta interface{}) er
 createOpts.PerformanceMode = aws.String(v.(string))
 }
 
-if v, ok := d.GetOk("encrypted"); ok {
-createOpts.Encrypted = aws.Bool(v.(bool))
+encrypted, hasEncrypted := d.GetOk("encrypted")
+kmsKeyId, hasKmsKeyId := d.GetOk("kms_key_id")
+
+if hasEncrypted {
+createOpts.Encrypted = aws.Bool(encrypted.(bool))
 }
 
-if v, ok := d.GetOk("kms_key_id"); ok {
-createOpts.KmsKeyId = aws.String(v.(string))
-if !aws.BoolValue(createOpts.Encrypted) {
-return fmt.Errorf("[ERROR] encrypted must be set to true when kms_key_id is specified")
-}
+if hasKmsKeyId {
+createOpts.KmsKeyId = aws.String(kmsKeyId.(string))
+}
+
+if encrypted == false && hasKmsKeyId {
+return errors.New("encrypted must be set to true when kms_key_id is specified")
 }
 
 log.Printf("[DEBUG] EFS file system create options: %#v", *createOpts)
diff --git a/aws/resource_aws_efs_file_system_test.go b/aws/resource_aws_efs_file_system_test.go
index a928d3eeb2bc..c003fd79257b 100644
--- a/aws/resource_aws_efs_file_system_test.go
+++ b/aws/resource_aws_efs_file_system_test.go
@@ -171,7 +171,7 @@ func TestAccAWSEFSFileSystem_pagedTags(t *testing.T) {
 })
 }
 
-func TestAccAWSEFSFileSystem_KmsKey(t *testing.T) {
+func TestAccAWSEFSFileSystem_kmsKey(t *testing.T) {
 rInt := acctest.RandInt()
 keyRegex := regexp.MustCompile("^arn:aws:([a-zA-Z0-9\\-])+:([a-z]{2}-[a-z]+-\\d{1})?:(\\d{12})?:(.*)$")
 resource.Test(t, resource.TestCase{
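Review bot: `encrypted == false` compares the `interface{}` returned by `d.GetOk` against an untyped bool; it works only because GetOk yields the zero value `false` when the attribute is unset, so the guard also rejects `kms_key_id` with no `encrypted` at all — which matches the docs, but a reader has to know GetOk's zero-value behaviour to see that. Spelling it as `if hasKmsKeyId && !aws.BoolValue(createOpts.Encrypted) {` says the same thing from the request being built and drops the interface comparison. A short why-comment such as `// AWS requires Encrypted=true whenever KmsKeyId is sent; unset is treated like false here` would make the intent explicit. Because the check lives in Create it only surfaces at apply time; if this helper/schema version offers a plan-time validation hook, that would be the better place for it. resourceAwsEfsFileSystemCreate continues outside the hunk.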
@@ -182,22 +182,30 @@ func TestAccAWSEFSFileSystem_KmsKey(t *testing.T) {
 {
 Config: testAccAWSEFSFileSystemConfigWithKmsKey(rInt),
 Check: resource.ComposeTestCheckFunc(
-resource.TestMatchResourceAttr(
-"aws_efs_file_system.foo-with-kms",
-"kms_key_id",
-keyRegex,
-),
-resource.TestCheckResourceAttr(
-"aws_efs_file_system.foo-with-kms",
-"encrypted",
-"true",
-),
+resource.TestMatchResourceAttr("aws_efs_file_system.foo-with-kms", "kms_key_id", keyRegex),
+resource.TestCheckResourceAttr("aws_efs_file_system.foo-with-kms", "encrypted", "true"),
 ),
 },
 },
 })
 }
 
+func TestAccAWSEFSFileSystem_kmsConfigurationWithoutEncryption(t *testing.T) {
+rInt := acctest.RandInt()
+
+resource.Test(t, resource.TestCase{
+PreCheck: func() { testAccPreCheck(t) },
+Providers: testAccProviders,
+CheckDestroy: testAccCheckEfsFileSystemDestroy,
+Steps: []resource.TestStep{
+{
+Config: testAccAWSEFSFileSystemConfigWithKmsKeyNoEncryption(rInt),
+ExpectError: regexp.MustCompile(`encrypted must be set to true when kms_key_id is specified`),
+},
+},
+})
+}
+
 func testAccCheckEfsFileSystemDestroy(s *terraform.State) error {
 conn := testAccProvider.Meta().(*AWSClient).efsconn
 for _, rs := range s.RootModule().Resources {
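Review bot: TestAccAWSEFSFileSystem_kmsConfigurationWithoutEncryption only exercises `encrypted = false`; the Create guard in this patch also fires when `encrypted` is omitted entirely, which is the likelier user mistake and the case the resource docs describe, so a config with only `kms_key_id` set and the same `ExpectError` would pin that path as well. Keeping `CheckDestroy` on an expected-failure step is right, since a regression that lets the create through still gets cleaned up. The two config helpers are defined in a later hunk of this patch.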
@@ -382,13 +390,26 @@ resource "aws_efs_file_system" "foo-with-performance-mode" {
 
 func testAccAWSEFSFileSystemConfigWithKmsKey(rInt int) string {
 return fmt.Sprintf(`
-resource "aws_kms_key" "foo" {
-description = "Terraform acc test %d"
-}
+resource "aws_kms_key" "foo" {
+description = "Terraform acc test %d"
+}
 
-resource "aws_efs_file_system" "foo-with-kms" {
-encrypted = true
-kms_key_id = "${aws_kms_key.foo.arn}"
-}
-`, rInt)
+resource "aws_efs_file_system" "foo-with-kms" {
+encrypted = true
+kms_key_id = "${aws_kms_key.foo.arn}"
+}
+`, rInt)
+}
+
+func testAccAWSEFSFileSystemConfigWithKmsKeyNoEncryption(rInt int) string {
+return fmt.Sprintf(`
+resource "aws_kms_key" "foo" {
+description = "Terraform acc test %d"
+}
+
+resource "aws_efs_file_system" "foo-with-kms" {
+encrypted = false
+kms_key_id = "${aws_kms_key.foo.arn}"
+}
+`, rInt)
 }
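Review bot: Neither `aws_kms_key` in testAccAWSEFSFileSystemConfigWithKmsKey nor the one in testAccAWSEFSFileSystemConfigWithKmsKeyNoEncryption sets `deletion_window_in_days`, so every acceptance run leaves a key pending deletion for the resource's default window (30 days, if I remember the default correctly) and billed until then; `deletion_window_in_days = 7` in both configs brings that to the minimum, which I believe is what other tests in the provider do. The two configs are otherwise identical apart from the `encrypted` value, so one helper taking the flag, `testAccAWSEFSFileSystemConfigWithKmsKey(rInt int, encrypted bool)`, would avoid keeping two copies in step — optional, since the call site in the earlier test hunk uses the one-argument form.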