Author: 手机用户2602925213 | Source: Internet | 2023-09-06 08:45
This issue was originally opened by as hashicorp/terraform#18984. It was migrated here as a result of the provider split. The original body of the issue is below.
### Terraform Version
```hcl
resource "aws_kms_key" "kms" {
  description = "rds-tf-encrypt/${var.env_prefix}"
}

resource "random_id" "db_snapshot_suffix" {
  keepers = {
    rds_snapshot = "${var.snapshot_identifier}"
  }

  byte_length = 8
}

# Create RDS instance
resource "aws_db_instance" "rds" {
  identifier                = "${var.name_prefix}-${var.env_prefix}${var.version_prefix}"
  allocated_storage         = "${var.storage}"
  engine                    = "${var.engine}"
  engine_version            = "${lookup(var.engine_version, var.engine)}"
  instance_class            = "${var.instance_class}"
  publicly_accessible       = "${var.publicly_accessible}"
  backup_retention_period   = "${var.backup_retention_period}"
  apply_immediately         = "${var.apply_immediately}"
  multi_az                  = "${var.multi_az}"
  storage_type              = "${var.storage_type}"
  storage_encrypted         = true
  kms_key_id                = "${aws_kms_key.kms.arn}"
  final_snapshot_identifier = "${var.final_snapshot_identifier}-${var.env_prefix}-${random_id.db_snapshot_suffix.hex}"
  skip_final_snapshot       = "${var.env_prefix == "prd" ? false : true}"
  name                      = "${var.db_name}"
  username                  = "${var.username}"
  password                  = "${var.password}"
  vpc_security_group_ids    = ["${var.vpc_security_group_ids}"]
  db_subnet_group_name      = "${aws_db_subnet_group.default.name}"
  parameter_group_name      = "${var.parameter_group_name}"
  monitoring_interval       = "${var.monitoring_interval}"
  monitoring_role_arn       = "${var.monitoring_role_arn}"
  snapshot_identifier       = "${var.snapshot_identifier}"
}
```
### Expected Behavior
When running the TF above, the new database should be encrypted with the KMS key provided, not the key from the snapshot.
### Actual Behavior
The new RDS instance is created using the snapshot's KMS key for encryption.
### Steps to Reproduce
### Additional Context
To update an RDS encryption key, you can create a copy of the snapshot and change the key for the copy. Couldn't you update TF to first copy the snapshot and apply the new key to the snapshot and then restore from the snapshot if both `kms_key_id` and `snapshot_identifier` are provided?
This question comes from the open-source project: hashicorp/terraform-provider-aws
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
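A pre-apply check for the combination reported in this issue, as an added example that is not code from the issue or from the provider: it walks the `configuration` section of `terraform show -json` output (Terraform 0.12 or later, an assumption, since the issue's config uses older syntax) and lists every `aws_db_instance` that sets both `kms_key_id` and `snapshot_identifier`, including instances inside modules. The function names and the sample plan are hypothetical and constructed for illustration.

```python
import json

# Constructed sample: the "configuration" part of `terraform show -json`
# output (Terraform 0.12+). Resource and module names are made up.
SAMPLE_PLAN = json.loads("""
{"configuration": {"root_module": {
  "resources": [
    {"address": "aws_db_instance.rds", "type": "aws_db_instance",
     "expressions": {
       "kms_key_id": {"references": ["aws_kms_key.kms.arn", "aws_kms_key.kms"]},
       "snapshot_identifier": {"references": ["var.snapshot_identifier"]}}},
    {"address": "aws_db_instance.fresh", "type": "aws_db_instance",
     "expressions": {"kms_key_id": {"constant_value": "arn:aws:kms:example"}}}
  ],
  "module_calls": {"db": {"module": {"resources": [
    {"address": "aws_db_instance.restored", "type": "aws_db_instance",
     "expressions": {
       "kms_key_id": {"references": ["var.kms_key_arn"]},
       "snapshot_identifier": {"constant_value": "example-snap"}}},
    {"address": "aws_db_instance.plain", "type": "aws_db_instance",
     "expressions": {"snapshot_identifier": {"constant_value": "example-snap"}}}
  ]}}}
}}}
""")


def is_configured(expressions, attr):
    """True if attr is written in the config as a reference or a non-empty constant."""
    expr = expressions.get(attr) or {}
    return bool(expr.get("references")) or expr.get("constant_value") not in (None, "")


def find_key_snapshot_conflicts(module, prefix=""):
    """Addresses of aws_db_instance blocks that set both kms_key_id and snapshot_identifier."""
    hits = []
    for res in module.get("resources", []):
        expressions = res.get("expressions", {})
        if (res.get("type") == "aws_db_instance"
                and is_configured(expressions, "kms_key_id")
                and is_configured(expressions, "snapshot_identifier")):
            hits.append(prefix + res["address"])
    # Addresses inside a module call are relative to it, so carry the module path down.
    for name, call in module.get("module_calls", {}).items():
        hits += find_key_snapshot_conflicts(call.get("module", {}), f"{prefix}module.{name}.")
    return hits


if __name__ == "__main__":
    for address in find_key_snapshot_conflicts(SAMPLE_PLAN["configuration"]["root_module"]):
        print(f"{address}: kms_key_id is set together with snapshot_identifier")
```

The check reads what is written in the configuration, so an instance whose `snapshot_identifier` comes from a variable is listed even when that variable is empty for a given run.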