hashicorp · bflad · Nov 5, 2020 · Oct 29, 2020
diff --git a/aws/resource_aws_rds_cluster.go b/aws/resource_aws_rds_cluster.go
@@ -212,18 +212,8 @@ func resourceAwsRDSCluster() *schema.Resource {
  "storage_encrypted": {
  Type: schema.TypeBool,
  Optional: true,
+ Computed: true,
  ForceNew: true,
- DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool {
- // Allow configuration to be unset when using engine_mode serverless, as its required to be true
- // InvalidParameterCombination: Aurora Serverless DB clusters are always encrypted at rest. Encryption can't be disabled.
- if d.Get("engine_mode").(string) != "serverless" {
- return false
- }
- if new != "false" {
- return false
- }
- return true
- },
  },
 
  "s3_import": {

diff --git a/aws/resource_aws_rds_cluster_test.go b/aws/resource_aws_rds_cluster_test.go
@@ -1817,6 +1817,46 @@ func TestAccAWSRDSCluster_SnapshotIdentifier_EngineVersion_Equal(t *testing.T) {
  })
 }
 
+func TestAccAWSRDSCluster_SnapshotIdentifier_KmsKeyId(t *testing.T) {
+ var dbCluster, sourceDbCluster rds.DBCluster
+ var dbClusterSnapshot rds.DBClusterSnapshot
+
+ rName := acctest.RandomWithPrefix("tf-acc-test")
+ kmsKeyResourceName := "aws_kms_key.test"
+ sourceDbResourceName := "aws_rds_cluster.source"
+ snapshotResourceName := "aws_db_cluster_snapshot.test"
+ resourceName := "aws_rds_cluster.test"
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckAWSDBInstanceDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAWSRDSClusterConfig_SnapshotIdentifier_KmsKeyId(rName),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAWSClusterExists(sourceDbResourceName, &sourceDbCluster),
+ testAccCheckDbClusterSnapshotExists(snapshotResourceName, &dbClusterSnapshot),
+ testAccCheckAWSClusterExists(resourceName, &dbCluster),
+ resource.TestCheckResourceAttrPair(resourceName, "kms_key_id", kmsKeyResourceName, "arn"),
+ ),
+ },
+ {
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ ImportStateVerifyIgnore: []string{
+ "apply_immediately",
+ "cluster_identifier_prefix",
+ "master_password",
+ "skip_final_snapshot",
+ "snapshot_identifier",
+ },
+ },
+ },
+ })
+}
+
 func TestAccAWSRDSCluster_SnapshotIdentifier_MasterPassword(t *testing.T) {
  var dbCluster, sourceDbCluster rds.DBCluster
  var dbClusterSnapshot rds.DBClusterSnapshot
@@ -3632,6 +3672,33 @@ resource "aws_rds_cluster" "test" {
 `, rName, engine, engineVersionSource, rName, rName, engine, engineVersion)
 }
 
+func testAccAWSRDSClusterConfig_SnapshotIdentifier_KmsKeyId(rName string) string {
+ return fmt.Sprintf(`
+resource "aws_kms_key" "test" {
+ deletion_window_in_days = 7
+}
+
+resource "aws_rds_cluster" "source" {
+ cluster_identifier = "%[1]s-source"
+ master_password = "barbarbarbar"
+ master_username = "foo"
+ skip_final_snapshot = true
+}
+
+resource "aws_db_cluster_snapshot" "test" {
+ db_cluster_identifier = aws_rds_cluster.source.id
+ db_cluster_snapshot_identifier = %[1]q
+}
+
+resource "aws_rds_cluster" "test" {
+ cluster_identifier = %[1]q
+ kms_key_id = aws_kms_key.test.arn
+ skip_final_snapshot = true
+ snapshot_identifier = aws_db_cluster_snapshot.test.id
+}
+`, rName)
+}
+
 func testAccAWSRDSClusterConfig_SnapshotIdentifier_MasterPassword(rName, masterPassword string) string {
  return fmt.Sprintf(`
 resource "aws_rds_cluster" "source" {

diff --git a/website/docs/r/rds_cluster.html.markdown b/website/docs/r/rds_cluster.html.markdown
@@ -129,7 +129,7 @@ The following arguments are supported:
 * `skip_final_snapshot` - (Optional) Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from `final_snapshot_identifier`. Default is `false`.
 * `snapshot_identifier` - (Optional) Specifies whether or not to create this cluster from a snapshot. You can use either the name or ARN when specifying a DB cluster snapshot, or the ARN when specifying a DB snapshot.
 * `source_region` - (Optional) The source region for an encrypted replica DB cluster.
-* `storage_encrypted` - (Optional) Specifies whether the DB cluster is encrypted. The default is `false` for `provisioned` `engine_mode` and `true` for `serverless` `engine_mode`.
+* `storage_encrypted` - (Optional) Specifies whether the DB cluster is encrypted. The default is `false` for `provisioned` `engine_mode` and `true` for `serverless` `engine_mode`. When restoring an unencrypted `snapshot_identifier`, the `kms_key_id` argument must be provided to encrypt the restored cluster. Terraform will only perform drift detection if a configuration value is provided.
 * `tags` - (Optional) A map of tags to assign to the DB cluster.
 * `vpc_security_group_ids` - (Optional) List of VPC security groups to associate with the Cluster