Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

resource/msk_scram_secret_association: update secret handling on read/update #16832

Closed
wants to merge 1 commit into from
Closed

resource/msk_scram_secret_association: update secret handling on read/update #16832

wants to merge 1 commit into from

Conversation

anGie44
Copy link
Contributor

@anGie44 anGie44 commented Dec 18, 2020
edited
Loading

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Closes #16791

Release note for CHANGELOG:

resource/msk_scram_secret_association: update secret handling on read/update

Output from acceptance testing:

--- PASS: TestAccAwsMskScramSecretAssociation_update (1696.19s)
--- PASS: TestAccAwsMskScramSecretAssociation_disappears (1714.16s)
--- PASS: TestAccAwsMskScramSecretAssociation_distributedKeyManagement (1719.34s)
--- PASS: TestAccAwsMskScramSecretAssociation_basic (1751.14s)
--- PASS: TestAccAwsMskScramSecretAssociation_disappears_Cluster (1796.78s)

@ghost ghost added size/M Managed by automation to categorize the size of a PR. documentation Introduces or discusses updates to documentation. service/kafka Issues and PRs that pertain to the kafka service. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. labels Dec 18, 2020
@anGie44 anGie44 force-pushed the b-scram-secret-association-secret-management branch from 1a2b060 to 222a8c0 Compare December 18, 2020 06:49
@ghost ghost added size/L Managed by automation to categorize the size of a PR. and removed size/M Managed by automation to categorize the size of a PR. labels Dec 18, 2020
@anGie44 anGie44 force-pushed the b-scram-secret-association-secret-management branch from 222a8c0 to 824fe52 Compare December 18, 2020 16:58
@anGie44 anGie44 marked this pull request as ready for review December 18, 2020 17:58
@anGie44 anGie44 requested a review from a team as a code owner December 18, 2020 17:58
@pandarouxbsd
Copy link

pandarouxbsd commented Dec 22, 2020
edited
Loading

Hi @anGie44 ,

Great fix, thanks. It seems that 1 test is nos passing (goreleaser). Is it a normal behavior ?
And when I try to remove the resources, it appears like this:

  - resource "aws_msk_scram_secret_association" "attach_to_cluster" {
      - cluster_arn     = "arn:aws:kafka:eu-west-1:XXXXX:cluster/rio-kafka-sasl-default/99999999999" -> null
      - id              = "arn:aws:kafka:eu-west-1:XXXXX:cluster/rio-kafka-sasl-default/99999999999"" -> null
      - scram_secrets   = [
          - "arn:aws:secretsmanager:eu-west-1:XXXXX:secret:AmazonMSK_ST_Akhq_20201013111302148600000001-ATFaph",
          - "arn:aws:secretsmanager:eu-west-1:XXXXX:secret:AmazonMSK_ST_Schema-Registry_20201013111302148900000002-dTOIjg",
          - "arn:aws:secretsmanager:eu-west-1:XXXXX:secret:AmazonMSK_Tf-Module_Test_20201222103500220200000001-J7Dl92",
        ] -> null
      - secret_arn_list = [
          - "arn:aws:secretsmanager:eu-west-1:XXXXX:secret:AmazonMSK_Tf-Module_Test_20201222103500220200000001-J7Dl92",
        ] -> null
    }

Maybe it should appears like this:

  - resource "aws_msk_scram_secret_association" "attach_to_cluster" {
      - cluster_arn     = "arn:aws:kafka:eu-west-1:XXXXX:cluster/rio-kafka-sasl-default/99999999999" -> null
      - id              = "arn:aws:kafka:eu-west-1:XXXXX:cluster/rio-kafka-sasl-default/99999999999"" -> null
      - secret_arn_list = [
             "arn:aws:secretsmanager:eu-west-1:XXXXX:secret:AmazonMSK_ST_Akhq_20201013111302148600000001-ATFaph",
             "arn:aws:secretsmanager:eu-west-1:XXXXX:secret:AmazonMSK_ST_Schema-Registry_20201013111302148900000002-dTOIjg",
          - "arn:aws:secretsmanager:eu-west-1:XXXXX:secret:AmazonMSK_Tf-Module_Test_20201222103500220200000001-J7Dl92",
        ] -> null
    }

What do you think ?

Anyway, I tested it and it works very well.
I hope we can get it in upcoming release !

@bflad bflad self-assigned this Jan 12, 2021
bflad
bflad suggested changes Jan 12, 2021
View reviewed changes
Copy link
Contributor

@bflad bflad left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In general, trying to workaround how Terraform CLI and the Terraform Plugin SDK expect full management of all elements within a TypeList/TypeSet leads to problematic edge cases and breaks practitioner experience with the rest of the Terraform provider ecosystem. For example, setting up the resource in this manner prevents import from working correctly as noted by the ImportStateVerifyIgnore. It is likely best to approach the problem from a different angle.

If there really is a strong use case for 1:1 management like other association resources, it may be best to consider something along the lines of the following to treat that use case separately in the logic:

  • Mark secret_arn_list as Optional + Computed
  • Add secret_arn as new TypeString + Optional + Computed + ConflictsWith attribute
  • In the import function, support an optional delimited import ID that triggers secondary behavior of d.Set("secret_arn", ...) and d.SetId() with the cluster ARN
  • In the read function, perform d.Get("secret_arn") check against the list of secret ARNs to trigger resource recreation

Please reach out if you have questions.

Base automatically changed from master to main January 23, 2021 01:00
@bflad bflad removed their assignment Feb 4, 2021
@anGie44
Copy link
Contributor Author

anGie44 commented Aug 17, 2021

Closing this per comment above, as solution should be approached differently to ensure resource's behavior does not lose functionality like import.

@anGie44 anGie44 closed this Aug 17, 2021
@anGie44 anGie44 deleted the b-scram-secret-association-secret-management branch August 17, 2021 16:35
@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 17, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@bflad bflad bflad requested changes

Assignees
No one assigned
Labels
documentation Introduces or discusses updates to documentation. service/kafka Issues and PRs that pertain to the kafka service. size/L Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

aws_msk_scram_secret_association overrides/removes existing secret associations
3 participants
@anGie44 @pandarouxbsd @bflad