Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

provider/aws: Add support for KMS #3928

Merged
merged 14 commits into from
Mar 10, 2016
Merged

provider/aws: Add support for KMS #3928

merged 14 commits into from
Mar 10, 2016

Conversation

radeksimko
Copy link
Member

This is a polished version of #3209

@psytale would you mind giving a look at this? Just wanted to know whether you're happy with the modifications I made and whether all make sense to you.

Test plan

$ make testacc TEST=./builtin/providers/aws TESTARGS='-run=Kms' 2>~/tf.log

Eventual consistency

There's just one concern I have - KMS has apparently similar problem as IAM policies - that is eventual consistency. Creation/deletion doesn't seem to be a problem, but disabling/enabling and key rotation are fields that may take time to propagate.

The way we usually deal with such problem is that we call Describe/Get operations repeatedly until we have a confirmation that status has been changed. The problem with such approach is that KMS is literally inconsistent which means that a single confirmation often doesn't mean propagation:

KEY_ID=$(aws kms create-key --description "aws-eventually-consistent-kms-3" | jq -r .KeyMetadata.KeyId)
echo "Disabling $KEY_ID"
aws kms disable-key --key-id $KEY_ID
echo "$KEY_ID should be now disabled"
aws kms describe-key --key-id $KEY_ID | jq .KeyMetadata.Enabled
aws kms describe-key --key-id $KEY_ID | jq .KeyMetadata.Enabled
aws kms describe-key --key-id $KEY_ID | jq .KeyMetadata.Enabled
aws kms describe-key --key-id $KEY_ID | jq .KeyMetadata.Enabled
aws kms describe-key --key-id $KEY_ID | jq .KeyMetadata.Enabled
aws kms describe-key --key-id $KEY_ID | jq .KeyMetadata.Enabled
Disabling 128169fc-a5ac-481f-99f5-730c6980d924
128169fc-a5ac-481f-99f5-730c6980d924 should be now disabled
false
true
false
false
true
true

^ that is why I set the MinTimeout fairly high - 60 secs, but it's naive solution anyway. I'm thinking of creating a special version or modifying the WaitForState helper so that it's counting occurrences of target state in a given time frame and maybe wait for defined percentage (majority) of target status.

Are we silently ignoring this edge case for IAM policies too?

Reported to AWS

I have submitted two feature requests to AWS while I was working on this:

  1. ListAliases to support listing by KeyId, so we don't have to waste so much effort on listing through all
  2. Make KMS read-after-write consistent (which I believe was just an upvote for an existing feature request)

apparentlymart
apparentlymart reviewed Nov 15, 2015
View reviewed changes
website/source/docs/providers/aws/r/kms_alias.html.markdown

# aws\_kms\_alias

Provides a KMS customer master key. AWS Console enforces 1-to-1 mapping between aliases & keys,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should the start of this paragraph be "Provides an alias for a KMS customer master key"?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed & squashed into the original commit with docs, so I'm not cluttering the git log even more.

@philwitty
Copy link
Contributor

Looks great to me. Really appreciate the help

@yawn yawn mentioned this pull request Nov 16, 2015
Open
@radeksimko radeksimko force-pushed the aws-kms branch 2 times, most recently from c494526 to c965dd7 Compare December 5, 2015 17:29
@boxrick
Copy link

boxrick commented Dec 7, 2015

So is KMS supported within Terraform now ? Or some elements?

@radeksimko
Copy link
Member Author

I wanted to merge this yesterday, so I reran the acceptance tests before doing so.

There are still issues with the eventual consistency - TestAccAWSKmsKey_isEnabled is intermittently failing due to that.

I'm not sure what the best solution is - read my first post above. Even though we wait 1 minute until checking the status, it does not guarantee consistency. Better solution may include waiting for x number of subsequent success statuses.

I will probably try to implement the mentioned solution.

cc @Felivel

@boxrick
Copy link

boxrick commented Dec 7, 2015

Interesting, I am currently playing around with your dev build. Would be particularly handy if IAM Administrators could be specified. Makes it a little difficult to use this without it.

@catsby catsby mentioned this pull request Dec 7, 2015
Closed
@radeksimko radeksimko mentioned this pull request Dec 15, 2015
Closed
This was referenced Dec 22, 2015
Closed
Merged
@catsby
Copy link
Contributor

catsby commented Jan 12, 2016

Hey @radeksimko sorry for the delay – how do you feel about this PR right now?

@catsby catsby added the waiting-response An issue/pull request is waiting for a response from the community label Jan 12, 2016
@radeksimko
Copy link
Member Author

@catsby Feature-wise this is ready, but it would make me feel more confident if we first get thru #4447 and implement it here afterwards to prevent the intermittent test failures.

The other linked issue would help making the initial creation a lot faster, but that's not really something I'd consider to be a blocker for KMS generally.

@radeksimko radeksimko removed the waiting-response An issue/pull request is waiting for a response from the community label Jan 12, 2016
@radeksimko
Copy link
Member Author

Just vendor-ed KMS to make godep happy and make the tests green again.

@boxrick
Copy link

boxrick commented Feb 18, 2016

Do we have any updates with this getting merged back in? Waiting for this functionality!

@radeksimko
Copy link
Member Author

This is now ready for final review as I managed to implement the enhanced retry logic from #4447 that made enabling/disabling keys a lot more stable which made me much more confident that this resource will actually work well.

$ make testacc TEST=./builtin/providers/aws TESTARGS='-run=AWSKms'

TF_ACC=1 go test ./builtin/providers/aws -v -run=AWSKms -timeout 120m
=== RUN   TestAccAWSKmsAlias_basic
--- PASS: TestAccAWSKmsAlias_basic (368.99s)
=== RUN   TestAccAWSKmsAlias_multiple
--- PASS: TestAccAWSKmsAlias_multiple (83.41s)
=== RUN   TestAccAWSKmsKey_basic
--- PASS: TestAccAWSKmsKey_basic (230.95s)
=== RUN   TestAccAWSKmsKey_isEnabled
--- PASS: TestAccAWSKmsKey_isEnabled (657.69s)
PASS
ok      github.com/hashicorp/terraform/builtin/providers/aws    1341.056s

@bigkraig
Copy link
Contributor

bigkraig commented Mar 4, 2016

@psytale @catsby hey guys does this cut the mustard now? It looks like everything has been wrapped up. I just sent in pull request #5453 to implement KMS server side encryption on S3 objects and would really like to be able to get everything into the next release.

@radeksimko radeksimko mentioned this pull request Mar 4, 2016
Merged
philwitty and others added 14 commits March 8, 2016 09:30
@philwitty
Added AWS KMS key & alias support
6648df7
@philwitty
Update AWS KMS with respect to key deletion features
5e18031
@philwitty
Added docs for kms
fd4be28
@radeksimko
aws: kms resources - gofmt all the code
5466d69
@radeksimko
aws: kms validation - Add missing placeholders for Errorf
2b244e2
@radeksimko
aws: kms resources - Simplify error handling
5c9fe66
@radeksimko
aws: kms_alias - Remove unnecessary default ForceNew state
fccffbc
@radeksimko
aws: kms_key - Change field name (deletion_window -> deletion_window_…
4c1f8db 
…in_days)
@radeksimko
aws: kms_key - add forgotten policy read call + normalize
ccedb36
@radeksimko
aws: kms_key + kms_alias - Add acceptance tests
ff2d040
@radeksimko
aws: kms_key - Iterate over all aliases (not just 50)
347913a
@radeksimko
aws: kms_key - Add support for is_enabled + enable_key_rotation
6f8a9c0
@radeksimko
kms: Treat keys in PendingDeletion state as deleted
d4d20a9
@radeksimko
Vendor kms dependencies
dde91b8
@phinze
Copy link
Contributor

phinze commented Mar 10, 2016

This LGTM!

phinze added a commit that referenced this pull request Mar 10, 2016
@phinze
Merge pull request #3928 from TimeIncOSS/aws-kms
d129447 
provider/aws: Add support for KMS
@phinze phinze merged commit d129447 into hashicorp:master Mar 10, 2016
@radeksimko radeksimko deleted the aws-kms branch March 10, 2016 07:02
omeid pushed a commit to omeid/terraform that referenced this pull request Mar 30, 2018
@bflad
Merge pull request hashicorp#3928 from WhileLoop/firehose-splunk-doc-…
fccaaf2 
…cleanup

docs/resource/kinesis_firehose: fix example formatting in kinesis_firehose splunk destination documentation
@ghost
Copy link

ghost commented Apr 27, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 27, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
enhancement provider/aws
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@radeksimko @philwitty @boxrick @catsby @bigkraig @phinze @apparentlymart