Skip to content

Commit

Permalink
resource/aws_msk_cluster: Update encryption_info.encryption_in_transi…
Browse files Browse the repository at this point in the history 
…t.client_broker default to match API default

Reference: #10673

Output from acceptance testing:

```
--- PASS: TestAccAWSMskCluster_basic (1595.73s)
--- PASS: TestAccAWSMskCluster_BrokerNodeGroupInfo_EbsVolumeSize (1760.04s)
--- PASS: TestAccAWSMskCluster_EncryptionInfo_EncryptionAtRestKmsKeyArn (1603.40s)
--- PASS: TestAccAWSMskCluster_EncryptionInfo_EncryptionInTransit_ClientBroker (1603.85s)
--- PASS: TestAccAWSMskCluster_EncryptionInfo_EncryptionInTransit_InCluster (1598.02s)
--- PASS: TestAccAWSMskCluster_EnhancedMonitoring (1603.10s)
--- PASS: TestAccAWSMskCluster_LoggingInfo (1806.72s)
--- PASS: TestAccAWSMskCluster_NumberOfBrokerNodes (2036.98s)
--- PASS: TestAccAWSMskCluster_OpenMonitoring (1722.68s)
--- PASS: TestAccAWSMskCluster_Tags (1605.63s)

--- PASS: TestAccAWSMskClusterDataSource_Name (1608.30s)
```
  • Loading branch information
@bflad
bflad committed Jul 14, 2020
1 parent ef07aa5 commit e926b92
Show file tree
Hide file tree
Showing 5 changed files with 34 additions and 71 deletions.
5 changes: 3 additions & 2 deletions aws/data_source_aws_msk_cluster_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ package aws

import (
"fmt"
"regexp"
"testing"

"github.com/hashicorp/terraform-plugin-sdk/helper/acctest"
Expand All @@ -22,8 +23,8 @@ func TestAccAWSMskClusterDataSource_Name(t *testing.T) {
Config: testAccMskClusterDataSourceConfigName(rName),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttrPair(resourceName, "arn", dataSourceName, "arn"),
resource.TestCheckResourceAttrSet(dataSourceName, "bootstrap_brokers"),
resource.TestCheckResourceAttrSet(dataSourceName, "bootstrap_brokers_tls"),
resource.TestCheckResourceAttr(resourceName, "bootstrap_brokers", ""),
resource.TestMatchResourceAttr(resourceName, "bootstrap_brokers_tls", regexp.MustCompile(`^(([-\w]+\.){1,}[\w]+:\d+,){2,}([-\w]+\.){1,}[\w]+:\d+$`)), // Ordering not guaranteed
resource.TestCheckResourceAttrPair(resourceName, "cluster_name", dataSourceName, "cluster_name"),
resource.TestCheckResourceAttrPair(resourceName, "kafka_version", dataSourceName, "kafka_version"),
resource.TestCheckResourceAttrPair(resourceName, "number_of_broker_nodes", dataSourceName, "number_of_broker_nodes"),
Expand Down
2 changes: 1 addition & 1 deletion aws/resource_aws_msk_cluster.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -166,7 +166,7 @@ func resourceAwsMskCluster() *schema.Resource {
Type: schema.TypeString,
Optional: true,
ForceNew: true,
Default: kafka.ClientBrokerTlsPlaintext,
Default: kafka.ClientBrokerTls,
ValidateFunc: validation.StringInSlice([]string{
kafka.ClientBrokerPlaintext,
kafka.ClientBrokerTlsPlaintext,
Expand Down
66 changes: 4 additions & 62 deletions aws/resource_aws_msk_cluster_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,7 @@ func TestAccAWSMskCluster_basic(t *testing.T) {
Check: resource.ComposeTestCheckFunc(
testAccCheckMskClusterExists(resourceName, &cluster),
testAccMatchResourceAttrRegionalARN(resourceName, "arn", "kafka", regexp.MustCompile(`cluster/.+`)),
resource.TestMatchResourceAttr(resourceName, "bootstrap_brokers", regexp.MustCompile(`^(([-\w]+\.){1,}[\w]+:\d+,){2,}([-\w]+\.){1,}[\w]+:\d+$`)),
resource.TestCheckResourceAttr(resourceName, "bootstrap_brokers", ""),
resource.TestMatchResourceAttr(resourceName, "bootstrap_brokers_tls", regexp.MustCompile(`^(([-\w]+\.){1,}[\w]+:\d+,){2,}([-\w]+\.){1,}[\w]+:\d+$`)),
resource.TestCheckResourceAttr(resourceName, "broker_node_group_info.#", "1"),
resource.TestCheckResourceAttr(resourceName, "broker_node_group_info.0.az_distribution", kafka.BrokerAZDistributionDefault),
Expand All @@ -89,7 +89,7 @@ func TestAccAWSMskCluster_basic(t *testing.T) {
resource.TestCheckResourceAttr(resourceName, "encryption_info.#", "1"),
testAccMatchResourceAttrRegionalARN(resourceName, "encryption_info.0.encryption_at_rest_kms_key_arn", "kms", regexp.MustCompile(`key/.+`)),
resource.TestCheckResourceAttr(resourceName, "encryption_info.0.encryption_in_transit.#", "1"),
resource.TestCheckResourceAttr(resourceName, "encryption_info.0.encryption_in_transit.0.client_broker", "TLS_PLAINTEXT"),
resource.TestCheckResourceAttr(resourceName, "encryption_info.0.encryption_in_transit.0.client_broker", "TLS"),
resource.TestCheckResourceAttr(resourceName, "encryption_info.0.encryption_in_transit.0.in_cluster", "true"),
resource.TestCheckResourceAttr(resourceName, "enhanced_monitoring", kafka.EnhancedMonitoringDefault),
resource.TestCheckResourceAttr(resourceName, "kafka_version", "2.2.1"),
Expand Down Expand Up @@ -377,7 +377,7 @@ func TestAccAWSMskCluster_NumberOfBrokerNodes(t *testing.T) {
Config: testAccMskClusterConfigNumberOfBrokerNodes(rName, 3),
Check: resource.ComposeTestCheckFunc(
testAccCheckMskClusterExists(resourceName, &cluster1),
resource.TestMatchResourceAttr(resourceName, "bootstrap_brokers", regexp.MustCompile(`^(([-\w]+\.){1,}[\w]+:\d+,){2,}([-\w]+\.){1,}[\w]+:\d+$`)),
resource.TestCheckResourceAttr(resourceName, "bootstrap_brokers", ""),
resource.TestMatchResourceAttr(resourceName, "bootstrap_brokers_tls", regexp.MustCompile(`^(([-\w]+\.){1,}[\w]+:\d+,){2,}([-\w]+\.){1,}[\w]+:\d+$`)),
resource.TestCheckResourceAttr(resourceName, "broker_node_group_info.#", "1"),
resource.TestCheckResourceAttr(resourceName, "broker_node_group_info.0.client_subnets.#", "3"),
Expand All @@ -401,7 +401,7 @@ func TestAccAWSMskCluster_NumberOfBrokerNodes(t *testing.T) {
Check: resource.ComposeTestCheckFunc(
testAccCheckMskClusterExists(resourceName, &cluster2),
testAccCheckMskClusterNotRecreated(&cluster1, &cluster2),
resource.TestMatchResourceAttr(resourceName, "bootstrap_brokers", regexp.MustCompile(`^(([-\w]+\.){1,}[\w]+:\d+,){2,}([-\w]+\.){1,}[\w]+:\d+$`)),
resource.TestCheckResourceAttr(resourceName, "bootstrap_brokers", ""),
resource.TestMatchResourceAttr(resourceName, "bootstrap_brokers_tls", regexp.MustCompile(`^(([-\w]+\.){1,}[\w]+:\d+,){2,}([-\w]+\.){1,}[\w]+:\d+$`)),
resource.TestCheckResourceAttr(resourceName, "broker_node_group_info.#", "1"),
resource.TestCheckResourceAttr(resourceName, "broker_node_group_info.0.client_subnets.#", "3"),
Expand Down Expand Up @@ -727,12 +727,6 @@ resource "aws_msk_cluster" "test" {
kafka_version = "2.2.1"
number_of_broker_nodes = 3
encryption_info {
encryption_in_transit {
client_broker = "TLS_PLAINTEXT"
}
}
broker_node_group_info {
client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"]
ebs_volume_size = 10
Expand All @@ -750,12 +744,6 @@ resource "aws_msk_cluster" "test" {
kafka_version = "2.2.1"
number_of_broker_nodes = 3
encryption_info {
encryption_in_transit {
client_broker = "TLS_PLAINTEXT"
}
}
broker_node_group_info {
client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"]
ebs_volume_size = %[2]d
Expand Down Expand Up @@ -822,12 +810,6 @@ resource "aws_msk_cluster" "test" {
kafka_version = "2.2.1"
number_of_broker_nodes = 3
encryption_info {
encryption_in_transit {
client_broker = "TLS_PLAINTEXT"
}
}
broker_node_group_info {
client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"]
ebs_volume_size = 10
Expand Down Expand Up @@ -904,9 +886,6 @@ resource "aws_msk_cluster" "test" {
encryption_info {
encryption_at_rest_kms_key_arn = "${aws_kms_key.example_key.arn}"
encryption_in_transit {
client_broker = "TLS_PLAINTEXT"
}
}
}
`, rName)
Expand Down Expand Up @@ -952,7 +931,6 @@ resource "aws_msk_cluster" "test" {
encryption_info {
encryption_in_transit {
client_broker = "TLS_PLAINTEXT"
in_cluster = %[2]t
}
}
Expand All @@ -968,12 +946,6 @@ resource "aws_msk_cluster" "test" {
kafka_version = "2.2.1"
number_of_broker_nodes = 3
encryption_info {
encryption_in_transit {
client_broker = "TLS_PLAINTEXT"
}
}
broker_node_group_info {
client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"]
ebs_volume_size = 10
Expand All @@ -992,12 +964,6 @@ resource "aws_msk_cluster" "test" {
kafka_version = "2.2.1"
number_of_broker_nodes = %[2]d
encryption_info {
encryption_in_transit {
client_broker = "TLS_PLAINTEXT"
}
}
broker_node_group_info {
client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"]
ebs_volume_size = 10
Expand All @@ -1016,12 +982,6 @@ resource "aws_msk_cluster" "test" {
kafka_version = "2.2.1"
number_of_broker_nodes = 3
encryption_info {
encryption_in_transit {
client_broker = "TLS_PLAINTEXT"
}
}
broker_node_group_info {
client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"]
ebs_volume_size = 10
Expand Down Expand Up @@ -1114,12 +1074,6 @@ resource "aws_msk_cluster" "test" {
kafka_version = "2.2.1"
number_of_broker_nodes = 3
encryption_info {
encryption_in_transit {
client_broker = "TLS_PLAINTEXT"
}
}
broker_node_group_info {
client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"]
ebs_volume_size = 10
Expand Down Expand Up @@ -1155,12 +1109,6 @@ resource "aws_msk_cluster" "test" {
kafka_version = "2.2.1"
number_of_broker_nodes = 3
encryption_info {
encryption_in_transit {
client_broker = "TLS_PLAINTEXT"
}
}
broker_node_group_info {
client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"]
ebs_volume_size = 10
Expand All @@ -1182,12 +1130,6 @@ resource "aws_msk_cluster" "test" {
kafka_version = "2.2.1"
number_of_broker_nodes = 3
encryption_info {
encryption_in_transit {
client_broker = "TLS_PLAINTEXT"
}
}
broker_node_group_info {
client_subnets = ["${aws_subnet.example_subnet_az1.id}", "${aws_subnet.example_subnet_az2.id}", "${aws_subnet.example_subnet_az3.id}"]
ebs_volume_size = 10
Expand Down
25 changes: 25 additions & 0 deletions website/docs/guides/version-3-upgrade.html.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ Upgrade topics:
- [Resource: aws_elastic_transcoder_preset](#resource-aws_elastic_transcoder_preset)
- [Resource: aws_emr_cluster](#resource-aws_emr_cluster)
- [Resource: aws_lb_listener_rule](#resource-aws_lb_listener_rule)
- [Resource: aws_msk_cluster](#resource-aws_msk_cluster)
- [Resource: aws_s3_bucket](#resource-aws_s3_bucket)
- [Resource: aws_sns_platform_application](#resource-aws_sns_platform_application)
- [Resource: aws_spot_fleet_request](#resource-aws_spot_fleet_request)
Expand Down Expand Up @@ -400,6 +401,30 @@ resource "aws_lb_listener_rule" "example" {
}
```

## Resource: aws_msk_cluster

### encryption_info.encryption_in_transit.client_broker Default Updated to Match API

A few weeks after general availability launch and initial release of the `aws_msk_cluster` resource, the MSK API default for client broker encryption switched from `TLS_PLAINTEXT` to `TLS`. The attribute default has now been updated to match the more secure API default, however existing Terraform configurations may show a difference if this setting is not configured.

To continue using the old default when it was previously not configured, add or modify this configuration:

```hcl
resource "aws_msk_cluster" "example" {
# ... other configuration ...
encryption_info {
# ... potentially other configuration ...
encryption_in_transit {
# ... potentially other configuration ...
client_broker = "TLS_PLAINTEXT"
}
}
}
```

## Resource: aws_s3_bucket

### Removal of Automatic aws_s3_bucket_policy Import
Expand Down
7 changes: 1 addition & 6 deletions website/docs/r/msk_cluster.html.markdown
View file
Original file line number Diff line number Diff line change
Expand Up @@ -155,11 +155,6 @@ output "zookeeper_connect_string" {
value = aws_msk_cluster.example.zookeeper_connect_string
}
output "bootstrap_brokers" {
description = "Plaintext connection host:port pairs"
value = aws_msk_cluster.example.bootstrap_brokers
}
output "bootstrap_brokers_tls" {
description = "TLS connection host:port pairs"
value = aws_msk_cluster.example.bootstrap_brokers_tls
Expand Down Expand Up @@ -210,7 +205,7 @@ The following arguments are supported:

#### encryption_info encryption_in_transit Argument Reference

* `client_broker` - (Optional) Encryption setting for data in transit between clients and brokers. Valid values: `TLS`, `TLS_PLAINTEXT`, and `PLAINTEXT`. Default value is `TLS_PLAINTEXT` when `encryption_in_transit` block defined, but `TLS` when `encryption_in_transit` block omitted.
* `client_broker` - (Optional) Encryption setting for data in transit between clients and brokers. Valid values: `TLS`, `TLS_PLAINTEXT`, and `PLAINTEXT`. Default value is `TLS`.
* `in_cluster` - (Optional) Whether data communication among broker nodes is encrypted. Default value: `true`.

#### open_monitoring Argument Reference
Expand Down

0 comments on commit e926b92

Please sign in to comment.