cloudformation-coverage-roadmap icon indicating copy to clipboard operation
cloudformation-coverage-roadmap copied to clipboard
verified publisher icon aws-cloudformation

cannot change EKS cluster encryption config without replacement

Open rittneje opened this issue 3 years ago • 1 comments

Name of the resource

AWS::EKS::Cluster

Resource Name

No response

Issue Description

EKS supports enabling (but not disabling) secret encryption on an existing cluster. https://docs.aws.amazon.com/eks/latest/userguide/enable-kms.html

However, attempting to enable encryption via CloudFormation will force a replacement for no reason. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-cluster.html#cfn-eks-cluster-encryptionconfig

Expected Behavior

Enabling encryption on an existing cluster via CloudFormation should be allowed.

Observed Behavior

CloudFormation forces a cluster replacement for no reason.

Test Cases

Create an EKS cluster with encryption disabled. Then update the stack to enable it.

Other Details

No response

rittneje avatar Jul 05 '22 12:07 rittneje

Thank you for reaching out, currently we do not support associating encryption config to EKS Clusters through Cloudformation after cluster creation. Please refer to Cloudformation document for property update requires replacement. We do not have a plan to support updating encryption config through CFN at the moment. Currently the workaround is to associate encryption config to the cluster through EKS API directly.

lynnnnnnluo avatar Aug 04 '22 17:08 lynnnnnnluo

@lynnnnnnluo Was this actually released? I don't see anything about it. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/ReleaseHistory.html

rittneje avatar Nov 22 '22 22:11 rittneje

Thank you for reaching out, currently we do not support associating encryption config to EKS Clusters through Cloudformation after cluster creation. Please refer to Cloudformation document for property update requires replacement. We do not have a plan to support updating encryption config through CFN at the moment. Currently the workaround is to associate encryption config to the cluster through EKS API directly.

Doing this results in the cluster drifting from the stack config, which is something that I imagine most people want to avoid. The only solution to that that I can think of (without recreating the cluster) is to set the cluster deletion policy to retain, remove the cluster from the template, apply the template, re-add the cluster to the template, now with encryption enabled, importing the cluster to the stack and finally resetting the deletion policy of the cluster to the original value. This is a lot of work for something that should be quite simple.

BalzGuenat avatar Jan 30 '23 10:01 BalzGuenat

Why this is closed? Can this be fixed

ktaborski avatar Mar 14 '23 11:03 ktaborski