feat(rdb): add update encryption at rest (#2829)

jremy42 · web-flow · commit 3bbc7a612f79 · 2024-12-03T10:59:27.000Z
diff --git a/internal/services/rdb/instance.go b/internal/services/rdb/instance.go
@@ -307,7 +307,6 @@ func ResourceInstance() *schema.Resource {
 			"encryption_at_rest": {
 				Type:        schema.TypeBool,
 				Optional:    true,
-				ForceNew:    true,
 				Description: "Enable or disable encryption at rest for the database instance",
 			},
 			// Common
@@ -662,6 +661,21 @@ func ResourceRdbInstanceUpdate(ctx context.Context, d *schema.ResourceData, m in
 		}
 	}
 
+	if d.HasChange("encryption_at_rest") {
+		oldValue, newValue := d.GetChange("encryption_at_rest")
+
+		if oldValue.(bool) && !newValue.(bool) {
+			return diag.FromErr(errors.New("disabling encryption_at_rest is not supported once it has been enabled"))
+		}
+
+		upgradeInstanceRequests = append(upgradeInstanceRequests,
+			rdb.UpgradeInstanceRequest{
+				Region:           region,
+				InstanceID:       ID,
+				EnableEncryption: scw.BoolPtr(newValue.(bool)),
+			})
+	}
+
 	// Carry out the upgrades
 	for i := range upgradeInstanceRequests {
 		_, err = waitForRDBInstance(ctx, rdbAPI, region, ID, d.Timeout(schema.TimeoutUpdate))
diff --git a/internal/services/rdb/instance_test.go b/internal/services/rdb/instance_test.go
@@ -1328,6 +1328,61 @@ func TestAccInstance_EncryptionAtRestFalse(t *testing.T) {
 	})
 }
 
+func TestAccInstance_UpdateEncryptionAtRest(t *testing.T) {
+	tt := acctest.NewTestTools(t)
+	defer tt.Cleanup()
+
+	latestEngineVersion := rdbchecks.GetLatestEngineVersion(tt, postgreSQLEngineName)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:          func() { acctest.PreCheck(t) },
+		ProviderFactories: tt.ProviderFactories,
+		CheckDestroy:      rdbchecks.IsInstanceDestroyed(tt),
+		Steps: []resource.TestStep{
+			// Step 1: Create without encryption
+			{
+				Config: fmt.Sprintf(`
+					resource scaleway_rdb_instance main {
+						name               = "test-rdb-update-encryption"
+						node_type          = "db-dev-s"
+						engine             = %q
+						is_ha_cluster      = false
+						disable_backup     = true
+						user_name          = "user_no_enc"
+						password           = "thiZ_is_v&ry_s3cret"
+						encryption_at_rest = false
+						tags               = [ "terraform-test", "no-encryption" ]
+					}
+				`, latestEngineVersion),
+				Check: resource.ComposeTestCheckFunc(
+					isInstancePresent(tt, "scaleway_rdb_instance.main"),
+					resource.TestCheckResourceAttr("scaleway_rdb_instance.main", "encryption_at_rest", "false"),
+				),
+			},
+			// Step 2: Update encryption to true
+			{
+				Config: fmt.Sprintf(`
+					resource scaleway_rdb_instance main {
+						name               = "test-rdb-update-encryption"
+						node_type          = "db-dev-s"
+						engine             = %q
+						is_ha_cluster      = false
+						disable_backup     = true
+						user_name          = "user_enc"
+						password           = "thiZ_is_v&ry_s3cret"
+						encryption_at_rest = true
+						tags               = [ "terraform-test", "with-encryption" ]
+					}
+				`, latestEngineVersion),
+				Check: resource.ComposeTestCheckFunc(
+					isInstancePresent(tt, "scaleway_rdb_instance.main"),
+					resource.TestCheckResourceAttr("scaleway_rdb_instance.main", "encryption_at_rest", "true"),
+				),
+			},
+		},
+	})
+}
+
 func isInstancePresent(tt *acctest.TestTools, n string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		rs, ok := s.RootModule().Resources[n]
diff --git a/internal/services/rdb/testdata/instance-update-encryption-at-rest.cassette.yaml b/internal/services/rdb/testdata/instance-update-encryption-at-rest.cassette.yaml
