Terraform - Encrypting a db instance forces replacement

Time: 11-03

I have a postgres RDS instance in AWS that I created using terraform.

resource "aws_db_instance" "..." {
  ...
}

Now I'm trying to encrypt that instance by adding

resource "aws_db_instance" "..." {
  ...
  storage_encrypted = true
}

But when I run terraform plan, it says that it's going to force replacement

# aws_db_instance.... must be replaced
...
~ storage_encrypted                     = false -> true # forces replacement

What can I do to prevent terraform from replacing my db instance?

CodePudding user response:

Terraform is not at fault here. You simply cannot change the encryption setting on an RDS instance after it was originally created. You can / need to create a snapshot of the current db, copy and encrypt the snapshot and then restore from that snapshot: https://aws.amazon.com/premiumsupport/knowledge-center/update-encryption-key-rds/

This will cause a downtime of the DB. And terraform does not do that for you automatically, you need to do this manually. After the DB is restored terraform should no longer try to replace the DB since the expected config now matches the actual config.


Technically you can ignore_changes the storage_encrypted property but of course that causes terraform to simply ignore any storage encryption changes.
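As an added illustration (not code from the question or the answer above): the Terraform side of the snapshot-copy-restore procedure the answer describes, with the manual CLI steps as comments, and the ignore_changes shortcut shown for contrast. All identifiers, the instance class and the KMS key ARN are placeholders; the postcondition assumes Terraform 1.2 or newer.

```hcl
# 1. Manual steps outside Terraform (AWS CLI), run before touching the config.
#    Placeholder names and key ARN throughout.
#   aws rds create-db-snapshot \
#     --db-instance-identifier mydb \
#     --db-snapshot-identifier mydb-unencrypted
#   aws rds copy-db-snapshot \
#     --source-db-snapshot-identifier mydb-unencrypted \
#     --target-db-snapshot-identifier mydb-encrypted \
#     --kms-key-id arn:aws:kms:REGION:ACCOUNT:key/KEY-ID

# 2. Restore a new, encrypted instance from the encrypted copy. This is a new
#    instance, so this apply is the planned replacement (expect downtime while
#    applications are cut over to the new endpoint).
resource "aws_db_instance" "postgres" {
  identifier          = "mydb-encrypted"            # placeholder
  snapshot_identifier = "mydb-encrypted"            # encrypted copy from step 1
  instance_class      = "db.t3.medium"              # placeholder

  # Matches what the snapshot produces, so the plan stays clean afterwards.
  # The KMS key is inherited from the encrypted snapshot copy.
  storage_encrypted = true

  final_snapshot_identifier = "mydb-encrypted-final" # placeholder

  lifecycle {
    # snapshot_identifier only matters at creation; ignoring it afterwards
    # stops a later edit of that string from forcing yet another replacement.
    ignore_changes = [snapshot_identifier]

    # Guardrail: fail the apply if the instance ever ends up unencrypted.
    postcondition {
      condition     = self.storage_encrypted
      error_message = "RDS instance ${self.identifier} must be encrypted at rest."
    }
  }
}

# The shortcut from the last paragraph of the answer, for contrast. The plan
# comes out clean, but the volume stays unencrypted and the drift is hidden.
# resource "aws_db_instance" "postgres" {
#   ...
#   storage_encrypted = true
#   lifecycle {
#     ignore_changes = [storage_encrypted]
#   }
# }
```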
