resource/aws_msk_cluster: Update encryption_info.encryption_in_transit.client_broker default to match API default #14132

merged 2 commits into from
Jul 14, 2020
5 changes: 3 additions & 2 deletions aws/data_source_aws_msk_cluster_test.go
@@ -2,6 +2,7 @@ package aws

import (
"fmt"
"regexp"
"testing"

"github.com/hashicorp/terraform-plugin-sdk/helper/acctest"
@@ -22,8 +23,8 @@ func TestAccAWSMskClusterDataSource_Name(t *testing.T) {
Config: testAccMskClusterDataSourceConfigName(rName),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttrPair(resourceName, "arn", dataSourceName, "arn"),
resource.TestCheckResourceAttrSet(dataSourceName, "bootstrap_brokers"),
resource.TestCheckResourceAttrSet(dataSourceName, "bootstrap_brokers_tls"),
resource.TestCheckResourceAttr(resourceName, "bootstrap_brokers", ""),
resource.TestMatchResourceAttr(resourceName, "bootstrap_brokers_tls", regexp.MustCompile(`^(([-\w]+\.){1,}[\w]+:\d+,){2,}([-\w]+\.){1,}[\w]+:\d+$`)), // Hostname ordering not guaranteed between resource and data source reads
resource.TestCheckResourceAttrPair(resourceName, "cluster_name", dataSourceName, "cluster_name"),
resource.TestCheckResourceAttrPair(resourceName, "kafka_version", dataSourceName, "kafka_version"),
resource.TestCheckResourceAttrPair(resourceName, "number_of_broker_nodes", dataSourceName, "number_of_broker_nodes"),
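Review bot: The three-entry `host:port` regexp on the `bootstrap_brokers_tls` check is written out inline here and again, verbatim, at least four times in aws/resource_aws_msk_cluster_test.go; a single package-level `var mskBootstrapBrokersRegexp = regexp.MustCompile(...)` in the test package would keep the broker-count assumption it encodes (`{2,}` plus one more, i.e. at least three brokers) in one place and make the `regexp` import added in the first hunk serve one definition. The trailing comment about hostname ordering is the reason `TestCheckResourceAttrPair` cannot be used for `bootstrap_brokers_tls` and should travel with the shared variable. TestAccAWSMskClusterDataSource_Name starts and ends outside the hunk.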
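--- a/aws/resource_aws_msk_cluster.go
+++ b/aws/resource_aws_msk_cluster.go
@@ -166,7 +166,7 @@ func resourceAwsMskCluster() *schema.Resource {
 Type: schema.TypeString,
 Optional: true,
 ForceNew: true,
-Default: kafka.ClientBrokerTlsPlaintext,
+Default: kafka.ClientBrokerTls,
 ValidateFunc: validation.StringInSlice([]string{
 kafka.ClientBrokerPlaintext,
 kafka.ClientBrokerTlsPlaintext,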
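Review bot: Because `client_broker` is `ForceNew: true` three lines above the changed `Default:`, moving the default from `TLS_PLAINTEXT` to `TLS` is more than a plan diff for existing clusters whose configuration omits the block: if Read stores the API value in state (the `client_broker` assertion in the basic acceptance test suggests it does), the plan will show `TLS_PLAINTEXT` -> `TLS` and ForceNew turns that into a destroy-and-recreate of the MSK cluster, with the downtime and data loss that implies. The upgrade-guide hunk in website/docs/guides/version-3-upgrade.html.md only says configurations "may show a difference"; it should state that applying that difference replaces the cluster and that pinning `client_broker = "TLS_PLAINTEXT"` before upgrading avoids the replacement. A field comment would help the next maintainer, e.g. `// Default tracks the current MSK API default (TLS); since the field is ForceNew, changing this default replaces existing clusters that do not set it.` resourceAwsMskCluster starts and ends outside the hunk.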
66 changes: 4 additions & 62 deletions aws/resource_aws_msk_cluster_test.go
@@ -71,7 +71,7 @@ func TestAccAWSMskCluster_basic(t *testing.T) {
Check: resource.ComposeTestCheckFunc(
testAccCheckMskClusterExists(resourceName, &cluster),
testAccMatchResourceAttrRegionalARN(resourceName, "arn", "kafka", regexp.MustCompile(`cluster/.+`)),
resource.TestMatchResourceAttr(resourceName, "bootstrap_brokers", regexp.MustCompile(`^(([-\w]+\.){1,}[\w]+:\d+,){2,}([-\w]+\.){1,}[\w]+:\d+$`)),
resource.TestCheckResourceAttr(resourceName, "bootstrap_brokers", ""),
resource.TestMatchResourceAttr(resourceName, "bootstrap_brokers_tls", regexp.MustCompile(`^(([-\w]+\.){1,}[\w]+:\d+,){2,}([-\w]+\.){1,}[\w]+:\d+$`)),
resource.TestCheckResourceAttr(resourceName, "broker_node_group_info.#", "1"),
resource.TestCheckResourceAttr(resourceName, "broker_node_group_info.0.az_distribution", kafka.BrokerAZDistributionDefault),
@@ -89,7 +89,7 @@ func TestAccAWSMskCluster_basic(t *testing.T) {
resource.TestCheckResourceAttr(resourceName, "encryption_info.#", "1"),
testAccMatchResourceAttrRegionalARN(resourceName, "encryption_info.0.encryption_at_rest_kms_key_arn", "kms", regexp.MustCompile(`key/.+`)),
resource.TestCheckResourceAttr(resourceName, "encryption_info.0.encryption_in_transit.#", "1"),
resource.TestCheckResourceAttr(resourceName, "encryption_info.0.encryption_in_transit.0.client_broker", "TLS_PLAINTEXT"),
resource.TestCheckResourceAttr(resourceName, "encryption_info.0.encryption_in_transit.0.client_broker", "TLS"),
resource.TestCheckResourceAttr(resourceName, "encryption_info.0.encryption_in_transit.0.in_cluster", "true"),
resource.TestCheckResourceAttr(resourceName, "enhanced_monitoring", kafka.EnhancedMonitoringDefault),
resource.TestCheckResourceAttr(resourceName, "kafka_version", "2.2.1"),
@@ -377,7 +377,7 @@ func TestAccAWSMskCluster_NumberOfBrokerNodes(t *testing.T) {
Config: testAccMskClusterConfigNumberOfBrokerNodes(rName, 3),
Check: resource.ComposeTestCheckFunc(
testAccCheckMskClusterExists(resourceName, &cluster1),
resource.TestMatchResourceAttr(resourceName, "bootstrap_brokers", regexp.MustCompile(`^(([-\w]+\.){1,}[\w]+:\d+,){2,}([-\w]+\.){1,}[\w]+:\d+$`)),
resource.TestCheckResourceAttr(resourceName, "bootstrap_brokers", ""),
resource.TestMatchResourceAttr(resourceName, "bootstrap_brokers_tls", regexp.MustCompile(`^(([-\w]+\.){1,}[\w]+:\d+,){2,}([-\w]+\.){1,}[\w]+:\d+$`)),
resource.TestCheckResourceAttr(resourceName, "broker_node_group_info.#", "1"),
resource.TestCheckResourceAttr(resourceName, "broker_node_group_info.0.client_subnets.#", "3"),
@@ -401,7 +401,7 @@ func TestAccAWSMskCluster_NumberOfBrokerNodes(t *testing.T) {
Check: resource.ComposeTestCheckFunc(
testAccCheckMskClusterExists(resourceName, &cluster2),
testAccCheckMskClusterNotRecreated(&cluster1, &cluster2),
resource.TestMatchResourceAttr(resourceName, "bootstrap_brokers", regexp.MustCompile(`^(([-\w]+\.){1,}[\w]+:\d+,){2,}([-\w]+\.){1,}[\w]+:\d+$`)),
resource.TestCheckResourceAttr(resourceName, "bootstrap_brokers", ""),
resource.TestMatchResourceAttr(resourceName, "bootstrap_brokers_tls", regexp.MustCompile(`^(([-\w]+\.){1,}[\w]+:\d+,){2,}([-\w]+\.){1,}[\w]+:\d+$`)),
resource.TestCheckResourceAttr(resourceName, "broker_node_group_info.#", "1"),
resource.TestCheckResourceAttr(resourceName, "broker_node_group_info.0.client_subnets.#", "3"),
@@ -727,12 +727,6 @@ resource "aws_msk_cluster" "test" {
kafka_version = "2.2.1"
number_of_broker_nodes = 3

encryption_info {
encryption_in_transit {
client_broker = "TLS_PLAINTEXT"
}
}

broker_node_group_info {
client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"]
ebs_volume_size = 10
@@ -750,12 +744,6 @@ resource "aws_msk_cluster" "test" {
kafka_version = "2.2.1"
number_of_broker_nodes = 3

encryption_info {
encryption_in_transit {
client_broker = "TLS_PLAINTEXT"
}
}

broker_node_group_info {
client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"]
ebs_volume_size = %[2]d
@@ -822,12 +810,6 @@ resource "aws_msk_cluster" "test" {
kafka_version = "2.2.1"
number_of_broker_nodes = 3

encryption_info {
encryption_in_transit {
client_broker = "TLS_PLAINTEXT"
}
}

broker_node_group_info {
client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"]
ebs_volume_size = 10
@@ -904,9 +886,6 @@ resource "aws_msk_cluster" "test" {

encryption_info {
encryption_at_rest_kms_key_arn = "${aws_kms_key.example_key.arn}"
encryption_in_transit {
client_broker = "TLS_PLAINTEXT"
}
}
}
`, rName)
@@ -952,7 +931,6 @@ resource "aws_msk_cluster" "test" {

encryption_info {
encryption_in_transit {
client_broker = "TLS_PLAINTEXT"
in_cluster = %[2]t
}
}
@@ -968,12 +946,6 @@ resource "aws_msk_cluster" "test" {
kafka_version = "2.2.1"
number_of_broker_nodes = 3

encryption_info {
encryption_in_transit {
client_broker = "TLS_PLAINTEXT"
}
}

broker_node_group_info {
client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"]
ebs_volume_size = 10
@@ -992,12 +964,6 @@ resource "aws_msk_cluster" "test" {
kafka_version = "2.2.1"
number_of_broker_nodes = %[2]d

encryption_info {
encryption_in_transit {
client_broker = "TLS_PLAINTEXT"
}
}

broker_node_group_info {
client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"]
ebs_volume_size = 10
@@ -1016,12 +982,6 @@ resource "aws_msk_cluster" "test" {
kafka_version = "2.2.1"
number_of_broker_nodes = 3

encryption_info {
encryption_in_transit {
client_broker = "TLS_PLAINTEXT"
}
}

broker_node_group_info {
client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"]
ebs_volume_size = 10
@@ -1114,12 +1074,6 @@ resource "aws_msk_cluster" "test" {
kafka_version = "2.2.1"
number_of_broker_nodes = 3

encryption_info {
encryption_in_transit {
client_broker = "TLS_PLAINTEXT"
}
}

broker_node_group_info {
client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"]
ebs_volume_size = 10
@@ -1155,12 +1109,6 @@ resource "aws_msk_cluster" "test" {
kafka_version = "2.2.1"
number_of_broker_nodes = 3

encryption_info {
encryption_in_transit {
client_broker = "TLS_PLAINTEXT"
}
}

broker_node_group_info {
client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"]
ebs_volume_size = 10
@@ -1182,12 +1130,6 @@ resource "aws_msk_cluster" "test" {
kafka_version = "2.2.1"
number_of_broker_nodes = 3

encryption_info {
encryption_in_transit {
client_broker = "TLS_PLAINTEXT"
}
}

broker_node_group_info {
client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"]
ebs_volume_size = 10
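Review bot: With `client_broker = "TLS_PLAINTEXT"` removed from every config helper in this file (the hunks at @@ -727, -750, -822, -904, -952, -968, -992, -1016, -1114, -1155 and -1182), no acceptance configuration visible here sets a non-default `client_broker` any more, so the `TLS_PLAINTEXT` and `PLAINTEXT` values the schema's ValidateFunc still accepts, and the non-empty `bootstrap_brokers` path, are only exercised if a test outside these hunks sets them. Consider keeping one config parameterized on `client_broker` (the `in_cluster` helper at @@ -952 already takes a format argument and is the natural place) and asserting `bootstrap_brokers` against the host:port regexp for `TLS_PLAINTEXT`, so that exposing a plaintext listener stays an explicit, tested opt-in rather than an untested branch. The changed checks at @@ -71, -377 and -401 now pin `bootstrap_brokers` to `""`, which is consistent with the TLS-only default. Each test function and config helper starts and ends outside its hunk.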
25 changes: 25 additions & 0 deletions website/docs/guides/version-3-upgrade.html.md
@@ -25,6 +25,7 @@ Upgrade topics:
- [Resource: aws_elastic_transcoder_preset](#resource-aws_elastic_transcoder_preset)
- [Resource: aws_emr_cluster](#resource-aws_emr_cluster)
- [Resource: aws_lb_listener_rule](#resource-aws_lb_listener_rule)
- [Resource: aws_msk_cluster](#resource-aws_msk_cluster)
- [Resource: aws_s3_bucket](#resource-aws_s3_bucket)
- [Resource: aws_sns_platform_application](#resource-aws_sns_platform_application)
- [Resource: aws_spot_fleet_request](#resource-aws_spot_fleet_request)
@@ -400,6 +401,30 @@ resource "aws_lb_listener_rule" "example" {
}
```

## Resource: aws_msk_cluster

### encryption_info.encryption_in_transit.client_broker Default Updated to Match API

A few weeks after general availability launch and initial release of the `aws_msk_cluster` resource, the MSK API default for client broker encryption switched from `TLS_PLAINTEXT` to `TLS`. The attribute default has now been updated to match the more secure API default, however existing Terraform configurations may show a difference if this setting is not configured.

To continue using the old default when it was previously not configured, add or modify this configuration:

```hcl
resource "aws_msk_cluster" "example" {
# ... other configuration ...

encryption_info {
# ... potentially other configuration ...

encryption_in_transit {
# ... potentially other configuration ...

client_broker = "TLS_PLAINTEXT"
}
}
}
```

## Resource: aws_s3_bucket

### Removal of Automatic aws_s3_bucket_policy Import
7 changes: 1 addition & 6 deletions website/docs/r/msk_cluster.html.markdown
@@ -155,11 +155,6 @@ output "zookeeper_connect_string" {
value = aws_msk_cluster.example.zookeeper_connect_string
}

output "bootstrap_brokers" {
description = "Plaintext connection host:port pairs"
value = aws_msk_cluster.example.bootstrap_brokers
}

output "bootstrap_brokers_tls" {
description = "TLS connection host:port pairs"
value = aws_msk_cluster.example.bootstrap_brokers_tls
@@ -210,7 +205,7 @@ The following arguments are supported:

#### encryption_info encryption_in_transit Argument Reference

* `client_broker` - (Optional) Encryption setting for data in transit between clients and brokers. Valid values: `TLS`, `TLS_PLAINTEXT`, and `PLAINTEXT`. Default value is `TLS_PLAINTEXT` when `encryption_in_transit` block defined, but `TLS` when `encryption_in_transit` block omitted.
* `client_broker` - (Optional) Encryption setting for data in transit between clients and brokers. Valid values: `TLS`, `TLS_PLAINTEXT`, and `PLAINTEXT`. Default value is `TLS`.
* `in_cluster` - (Optional) Whether data communication among broker nodes is encrypted. Default value: `true`.

#### open_monitoring Argument Reference