From 281beb08cd12896f59037cdf8027a6358dbc5d70 Mon Sep 17 00:00:00 2001 From: Deepak Selvan Date: Sat, 30 Dec 2017 22:39:09 -0800 Subject: [PATCH 1/2] Fix for aws_rds_cluster resource for creating encrypted cross region replicated aurora clusters --- aws/resource_aws_rds_cluster.go | 10 ++++ aws/resource_aws_rds_cluster_test.go | 90 ++++++++++++++++++++++++++++ 2 files changed, 100 insertions(+) diff --git a/aws/resource_aws_rds_cluster.go b/aws/resource_aws_rds_cluster.go index b70b6154f50..f76d76452d5 100644 --- a/aws/resource_aws_rds_cluster.go +++ b/aws/resource_aws_rds_cluster.go @@ -254,6 +254,12 @@ func resourceAwsRDSCluster() *schema.Resource { Computed: true, }, + "source_region": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + }, + "tags": tagsSchema(), }, } @@ -413,6 +419,10 @@ func resourceAwsRDSClusterCreate(d *schema.ResourceData, meta interface{}) error createOpts.KmsKeyId = aws.String(attr.(string)) } + if attr, ok := d.GetOk("source_region"); ok { + createOpts.SourceRegion = aws.String(attr.(string)) + } + log.Printf("[DEBUG] Create RDS Cluster as read replica: %s", createOpts) resp, err := conn.CreateDBCluster(createOpts) if err != nil { diff --git a/aws/resource_aws_rds_cluster_test.go b/aws/resource_aws_rds_cluster_test.go index 1a1b46341f1..2f600130151 100644 --- a/aws/resource_aws_rds_cluster_test.go +++ b/aws/resource_aws_rds_cluster_test.go 
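Review bot: The new `source_region` entry in the schema map has no comment, and nothing in the schema says that it only matters together with a cross-region replication source. I would add above it `// source_region is the region of the source cluster; the SDK uses it only to presign the cross-region CreateDBCluster request and does not send it over the wire.` The diffstat lists only the resource and its test, so the argument also appears to be missing from the resource's documentation page. resourceAwsRDSCluster's body continues outside the hunk.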
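Review bot: `source_region` is copied into `createOpts.SourceRegion` without being compared with the region of the replication source, although the SDK documents that the two should be the same. A mismatch would presumably surface only as a failed CreateDBCluster call at apply time, so checking the value against the region segment of the source ARN before the assignment would fail earlier and more clearly. At minimum I would add `// SourceRegion is used only for presigning and should match the region in the source cluster ARN.` above the new `if`. The log line that follows suggests this is the read-replica path only, so a `source_region` set on a cluster that is not a replica looks to be silently ignored. resourceAwsRDSClusterCreate starts and ends outside the hunk.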
@@ -230,6 +230,25 @@ func TestAccAWSRDSCluster_encrypted(t *testing.T) { }) } +func TestAccAWSRDSCluster_EncryptedCrossRegionReplication(t *testing.T) { + var v rds.DBCluster + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSClusterDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSClusterConfigEncryptedCrossRegionReplica(acctest.RandInt()), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSClusterExists("aws_rds_cluster.test_primary", &v), + testAccCheckAWSClusterExists("aws_rds_cluster.test_replica", &v), + ), + }, + }, + }) +} + func TestAccAWSRDSCluster_backupsUpdate(t *testing.T) { var v rds.DBCluster 
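Review bot: The step's `Check` only proves that both clusters exist; nothing asserts that the replica actually came up encrypted, which is the behaviour the test is named for. The rewrite of this test in PATCH 2/2 keeps the same two existence checks, so the gap remains there as well. I would add `resource.TestCheckResourceAttr("aws_rds_cluster.test_replica", "storage_encrypted", "true"),` and `resource.TestCheckResourceAttrSet("aws_rds_cluster.test_replica", "kms_key_id"),` to the `ComposeTestCheckFunc` list, assuming the replica's configuration (cut off in this view) sets both.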
@@ -859,3 +878,74 @@ resource "aws_rds_cluster" "default" { depends_on = ["aws_iam_role.another_rds_sample_role"] }`, n, n, n) } + +func testAccAWSClusterConfigEncryptedCrossRegionReplica(n int) string { + return fmt.Sprintf(` + provider "aws" { + alias = "useast1" + region = "us-east-1" + } + + provider "aws" { + alias = "uswest2" + region = "us-west-2" + } + + resource "aws_rds_cluster_instance" "test_instance" { + provider = "aws.uswest2" + identifier = "tf-aurora-instance-%d" + cluster_identifier = "${aws_rds_cluster.test_primary.id}" + instance_class = "db.t2.small" + } + + resource "aws_rds_cluster" "test_primary" { + provider = "aws.uswest2" + cluster_identifier = "tf-aurora-cluster-%d" + availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"] + database_name = "mydb" + master_username = "foo" + master_password = "mustbeeightcharaters" + storage_encrypted = true + skip_final_snapshot = true + } + + data "aws_caller_identity" "current" {} + + resource "aws_kms_key" "kms_key_east" { + provider = "aws.useast1" + description = "Terraform acc test %d" + policy = < Date: Thu, 15 Feb 2018 16:43:52 +0000 Subject: [PATCH 2/2] Fix test --- aws/resource_aws_rds_cluster_test.go | 206 ++++++++++++++++++--------- 1 file changed, 135 insertions(+), 71 deletions(-) diff --git a/aws/resource_aws_rds_cluster_test.go b/aws/resource_aws_rds_cluster_test.go index 2f600130151..90d0d0bdcf6 100644 --- a/aws/resource_aws_rds_cluster_test.go +++ b/aws/resource_aws_rds_cluster_test.go @@ -9,6 +9,7 @@ import ( "github.com/hashicorp/terraform/helper/acctest" "github.com/hashicorp/terraform/helper/resource" + "github.com/hashicorp/terraform/helper/schema" "github.com/hashicorp/terraform/terraform" "github.com/aws/aws-sdk-go/aws" 
@@ -231,18 +232,25 @@ func TestAccAWSRDSCluster_encrypted(t *testing.T) { } func TestAccAWSRDSCluster_EncryptedCrossRegionReplication(t *testing.T) { - var v rds.DBCluster + var primaryCluster rds.DBCluster + var replicaCluster rds.DBCluster + + // record the initialized providers so that we can use them to + // check for the cluster in each region + var providers []*schema.Provider resource.Test(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, - CheckDestroy: testAccCheckAWSClusterDestroy, + PreCheck: func() { testAccPreCheck(t) }, + ProviderFactories: testAccProviderFactories(&providers), + CheckDestroy: testAccCheckWithProviders(testAccCheckAWSClusterDestroyWithProvider, &providers), Steps: []resource.TestStep{ { Config: testAccAWSClusterConfigEncryptedCrossRegionReplica(acctest.RandInt()), Check: resource.ComposeTestCheckFunc( - testAccCheckAWSClusterExists("aws_rds_cluster.test_primary", &v), - testAccCheckAWSClusterExists("aws_rds_cluster.test_replica", &v), + testAccCheckAWSClusterExistsWithProvider("aws_rds_cluster.test_primary", + &primaryCluster, testAccAwsRegionProviderFunc("us-west-2", &providers)), + testAccCheckAWSClusterExistsWithProvider("aws_rds_cluster.test_replica", + &replicaCluster, testAccAwsRegionProviderFunc("us-east-1", &providers)), ), }, }, @@ -308,13 +316,18 @@ func TestAccAWSRDSCluster_iamAuth(t *testing.T) { } func testAccCheckAWSClusterDestroy(s *terraform.State) error { + return testAccCheckAWSClusterDestroyWithProvider(s, testAccProvider) +} + +func testAccCheckAWSClusterDestroyWithProvider(s *terraform.State, provider *schema.Provider) error { + conn := provider.Meta().(*AWSClient).rdsconn + for _, rs := range s.RootModule().Resources { if rs.Type != "aws_rds_cluster" { continue } // Try to find the Group - conn := testAccProvider.Meta().(*AWSClient).rdsconn var err error resp, err := conn.DescribeDBClusters( &rds.DescribeDBClustersInput{ 
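Review bot: testAccCheckAWSClusterDestroyWithProvider has no doc comment, and its contract is not obvious: it looks up every `aws_rds_cluster` in state through the one connection it is given, including clusters that live in another provider's region. I would add `// testAccCheckAWSClusterDestroyWithProvider checks every aws_rds_cluster in state against the given provider's region; a cluster from another region is expected to come back as not found.` The not-found handling that would make this safe is outside the hunk, so the second half of that comment is an assumption to confirm before merging. The function body continues outside the hunk.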
@@ -398,6 +411,10 @@ func testAccCheckAWSClusterSnapshot(rInt int) resource.TestCheckFunc { } func testAccCheckAWSClusterExists(n string, v *rds.DBCluster) resource.TestCheckFunc { + return testAccCheckAWSClusterExistsWithProvider(n, v, func() *schema.Provider { return testAccProvider }) +} + +func testAccCheckAWSClusterExistsWithProvider(n string, v *rds.DBCluster, providerF func() *schema.Provider) resource.TestCheckFunc { return func(s *terraform.State) error { rs, ok := s.RootModule().Resources[n] if !ok { @@ -408,7 +425,8 @@ func testAccCheckAWSClusterExists(n string, v *rds.DBCluster) resource.TestCheck return fmt.Errorf("No DB Instance ID is set") } - conn := testAccProvider.Meta().(*AWSClient).rdsconn + provider := providerF() + conn := provider.Meta().(*AWSClient).rdsconn resp, err := conn.DescribeDBClusters(&rds.DescribeDBClustersInput{ DBClusterIdentifier: aws.String(rs.Primary.ID), }) 
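Review bot: The result of `providerF()` is dereferenced straight away in `provider.Meta().(*AWSClient)`, so a nil provider or one that was never configured panics the test run instead of failing the check with a message. testAccAwsRegionProviderFunc is not shown here, but a lookup by region can plausibly come back empty. I would guard it with `if provider == nil || provider.Meta() == nil { return fmt.Errorf("no configured provider for %s", n) }` before taking `rdsconn`. The closure body continues outside the hunk.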
@@ -881,71 +899,117 @@ resource "aws_rds_cluster" "default" { func testAccAWSClusterConfigEncryptedCrossRegionReplica(n int) string { return fmt.Sprintf(` - provider "aws" { - alias = "useast1" - region = "us-east-1" - } - - provider "aws" { - alias = "uswest2" - region = "us-west-2" - } - - resource "aws_rds_cluster_instance" "test_instance" { - provider = "aws.uswest2" - identifier = "tf-aurora-instance-%d" - cluster_identifier = "${aws_rds_cluster.test_primary.id}" - instance_class = "db.t2.small" - } +provider "aws" { + alias = "useast1" + region = "us-east-1" +} - resource "aws_rds_cluster" "test_primary" { - provider = "aws.uswest2" - cluster_identifier = "tf-aurora-cluster-%d" - availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"] - database_name = "mydb" - master_username = "foo" - master_password = "mustbeeightcharaters" - storage_encrypted = true - skip_final_snapshot = true - } +provider "aws" { + alias = "uswest2" + region = "us-west-2" +} - data "aws_caller_identity" "current" {} +data "aws_availability_zones" "us-east-1" { + provider = "aws.useast1" +} - resource "aws_kms_key" "kms_key_east" { - provider = "aws.useast1" - description = "Terraform acc test %d" - policy = <