-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
f/aws_fsx_lustre_file_system specify custom KMS Key #15057
f/aws_fsx_lustre_file_system specify custom KMS Key #15057
Conversation
Hey @nikhil-goenka , can you rebase? |
…m-KMS-Key' into aws_fsx_lustre_file_system-custom-KMS-Key
…m-KMS-Key' into aws_fsx_lustre_file_system-custom-KMS-Key
# Conflicts: # aws/resource_aws_fsx_lustre_file_system.go # website/docs/r/fsx_lustre_file_system.html.markdown
…ferredBackupWindow
…ferredBackupWindow
Done |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
some minor changes
* `deployment_type` - (Optional) The filesystem deployment type. One of: `SCRATCH_1`, `SCRATCH_2`, `PERSISTENT_1`. | ||
* `per_unit_storage_throughput` - (Optional) Describes the amount of read and write throughput for each 1 tebibyte of storage, in MB/s/TiB, required for the `PERSISTENT_1` deployment_type. For valid values, see the [AWS documentation](https://docs.aws.amazon.com/fsx/latest/APIReference/API_CreateFileSystemLustreConfiguration.html). | ||
* `deployment_type` - (Optional) - The filesystem deployment type. One of: `SCRATCH_1`, `SCRATCH_2`, `PERSISTENT_1`. | ||
* `kms_key_id` - (Optional) ARN for the KMS Key to encrypt the file system at rest. Defaults to an AWS managed KMS Key, required for the `PERSISTENT_1`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Its not really required as the default key is used if not passed, let remove the required comment is misleading,
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated the comment.
} | ||
|
||
if v, ok := d.GetOk("kms_key_id"); ok { | ||
if t == fsx.LustreDeploymentTypePersistent1 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
let remove the type check, AFAIK this kind of check isn't usually done in terraform as this should return an error to the user as the actual API would for an illegal combination.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we can add a comment that this is relevant only for TypePersistent1
instead of the required one
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
removed
also run |
…ferredBackupWindow
Looks good, @nikhil-goenka, can you add a check for the |
Check as in a test case ? --- PASS: TestAccAWSFsxLustreFileSystem_DeploymentTypePersistent1 (493.11s) |
yes, add something along the lines of:
|
added |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
--- PASS: TestAccAWSFsxLustreFileSystem_DeploymentTypePersistent1 (523.35s)
--- PASS: TestAccAWSFsxLustreFileSystem_KmsKeyId (1170.71s)
--- PASS: TestAccAWSFsxLustreFileSystem_basic (612.21s)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks great overall, @nikhil-goenka, just one non-obvious testing issue, then we can get this in. 👍
|
||
data "aws_kms_alias" "fsx" { | ||
name = "alias/aws/fsx" | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this KMS Key guaranteed to exist in AWS accounts that have not provisioned FSx before? Generally, AWS-managed keys are not created until then. It might be best to remove this here and update the test step to just check for a regular expression so there is not a test dependency the first run in a new account.
data "aws_kms_alias" "fsx" { | |
name = "alias/aws/fsx" | |
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
that is a valid reason, either we can add regex match or just remove the check, since it has to be kms by default and we don't need to verify it.(how it was before)
let me know your thoughts?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was able to confirm in a separate AWS account that the FSx KMS Key and its associated Alias is not automatically available. 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated
@@ -432,6 +432,7 @@ func TestAccAWSFsxLustreFileSystem_automaticBackupRetentionDays(t *testing.T) { | |||
func TestAccAWSFsxLustreFileSystem_DeploymentTypePersistent1(t *testing.T) { | |||
var filesystem fsx.FileSystem | |||
resourceName := "aws_fsx_lustre_file_system.test" | |||
datakmsKeyArn := "data.aws_kms_alias.fsx" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Related to below
datakmsKeyArn := "data.aws_kms_alias.fsx" |
@@ -446,6 +447,7 @@ func TestAccAWSFsxLustreFileSystem_DeploymentTypePersistent1(t *testing.T) { | |||
resource.TestCheckResourceAttr(resourceName, "per_unit_storage_throughput", "50"), | |||
resource.TestCheckResourceAttr(resourceName, "deployment_type", fsx.LustreDeploymentTypePersistent1), | |||
resource.TestCheckResourceAttr(resourceName, "automatic_backup_retention_days", "0"), | |||
resource.TestCheckResourceAttrPair(resourceName, "kms_key_id", datakmsKeyArn, "target_key_arn"), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Generally TestCheckResourceAttrPair()
is a really good check, however since the data source is not guaranteed to exist the first FSx provisioning in a new account, we should opt for the less fun regular expression:
resource.TestCheckResourceAttrPair(resourceName, "kms_key_id", datakmsKeyArn, "target_key_arn"), | |
testAccMatchResourceAttrRegionalARN(resourceName, "kms_key_id", "kms", regexp.MustCompile(`key/.+`)), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Modified
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice work, @nikhil-goenka 🚀
Output from acceptance testing:
--- PASS: TestAccAWSFsxLustreFileSystem_disappears (482.28s)
--- PASS: TestAccAWSFsxLustreFileSystem_Tags (508.59s)
--- PASS: TestAccAWSFsxLustreFileSystem_automaticBackupRetentionDays (551.98s)
--- PASS: TestAccAWSFsxLustreFileSystem_WeeklyMaintenanceStartTime (571.03s)
--- PASS: TestAccAWSFsxLustreFileSystem_DeploymentTypeScratch2 (575.30s)
--- PASS: TestAccAWSFsxLustreFileSystem_basic (593.79s)
--- PASS: TestAccAWSFsxLustreFileSystem_DeploymentTypePersistent1 (617.47s)
--- PASS: TestAccAWSFsxLustreFileSystem_KmsKeyId (914.80s)
--- PASS: TestAccAWSFsxLustreFileSystem_StorageCapacity (1056.09s)
--- PASS: TestAccAWSFsxLustreFileSystem_SecurityGroupIds (1181.96s)
--- PASS: TestAccAWSFsxLustreFileSystem_ImportedFileChunkSize (1219.00s)
--- PASS: TestAccAWSFsxLustreFileSystem_ImportPath (1347.76s)
--- PASS: TestAccAWSFsxLustreFileSystem_ExportPath (1609.11s)
This has been released in version 3.8.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
Community Note
Relates OR Closes #14815
Release note for CHANGELOG:
Output from acceptance testing: