Unable to set `encrypted` as `true` for `aws_db_snapshot_copy`?: "Can't configure a value for "encrypted"

Hi,

I have a resource that is a DB Snapshot, and I am trying to create a copy of that DB Snapshot but have that copy be encrypted, but I am running into this error:

```
terraform validate

│ Error: Value for unconfigurable attribute
│
│   with aws_db_snapshot_copy.postgres_unencrypted_db_encrypted_snapshot,
│   on initial_unencrypted_aws_rds_db.tf line 48, in resource "aws_db_snapshot_copy" "postgres_unencrypted_db_encrypted_snapshot":
│   48:   encrypted = true
│
│ Can't configure a value for "encrypted": its value will be decided automatically based on the result of applying this configuration.
```

My Snapshot, which was created fine by Terraform:

```hcl
resource "aws_db_snapshot" "postgres_unencrypted_db_snapshot" {
  db_instance_identifier = aws_db_instance.postgres_unencrypted_db.id
  db_snapshot_identifier = "tf-resource-snapshot"
}
```

Snapshot copy that I want encrypted, but is giving me the error upon terraform validate:

```hcl
# Snapshot Copy that is Encrypted
resource "aws_db_snapshot_copy" "postgres_unencrypted_db_encrypted_snapshot" {
  source_db_snapshot_identifier = aws_db_snapshot.postgres_unencrypted_db_snapshot.db_snapshot_arn
  target_db_snapshot_identifier = "tf-resource-encrypted-snapshot" # (Required) The Identifier for the snapshot.
  encrypted                     = true
}
```

Am I doing something wrong?

1 Like

Hi @aaa,

I haven’t used RDS for a while so I might be misremembering, but I suspect that whether the DB snapshot copy is encrypted depends on whether the source snapshot was encrypted itself, and so the encrypted attribute of aws_db_snapshot_copy is telling you whether the source was encrypted, and cannot be used to force encryption of the copy when the source wasn’t encrypted.

If I’m right about that (please check the RDS documentation to confirm) then you may need to specify encryption in the original aws_db_snapshot resource instead, and therefore not have any unencrypted snapshot, or alternatively to create two snapshots directly where one is encrypted but with the risk that the two snapshots might not be exactly equivalent (if the database changed in the meantime).

1 Like

I would also like to use aws_db_snapshot_copy to make an encrypted copy of an unencrypted snapshot. The documentation suggests that specifying storage_encrypted and kms_key_id will apply to the read of the source snapshot and the write of the copy - i.e. allow for creating an encrypted copy of an encrypted snapshot. Is there any way to specify that the source snapshot is not encrypted, but that the copy should be? This can be achieved via click-ops through the AWS console.
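
Added example, not part of any post in this thread and not the provider's own sample: the RDS `CopyDBSnapshot` API encrypts the copy of an unencrypted snapshot when a KMS key is supplied, and `aws_db_snapshot_copy` exposes that as the `kms_key_id` argument, while `encrypted` is a read-only attribute. The `aws_kms_key.snapshot_copy` resource and the output name are hypothetical; the snapshot resources are the ones from the question.

```hcl
terraform {
  required_version = ">= 1.2.0" # postcondition blocks need Terraform 1.2 or later
}

# Hypothetical customer-managed key used to encrypt the snapshot copy.
resource "aws_kms_key" "snapshot_copy" {
  description         = "Encrypts the copy of tf-resource-snapshot"
  enable_key_rotation = true
}

resource "aws_db_snapshot_copy" "postgres_unencrypted_db_encrypted_snapshot" {
  source_db_snapshot_identifier = aws_db_snapshot.postgres_unencrypted_db_snapshot.db_snapshot_arn
  target_db_snapshot_identifier = "tf-resource-encrypted-snapshot"

  # No `encrypted = true` here: that attribute is computed by the provider.
  # Supplying a KMS key is what requests encryption of the copy.
  kms_key_id = aws_kms_key.snapshot_copy.arn

  lifecycle {
    # Fail the apply if the resulting copy is reported as unencrypted,
    # so an unencrypted snapshot never passes silently.
    postcondition {
      condition     = self.encrypted
      error_message = "Snapshot copy is not encrypted; check kms_key_id and key permissions."
    }
  }
}

# Expose the encrypted copy for downstream use (for example, restoring an instance).
output "encrypted_snapshot_arn" {
  value = aws_db_snapshot_copy.postgres_unencrypted_db_encrypted_snapshot.db_snapshot_arn
}
```

The identity running Terraform needs permission to use the KMS key for the copy to succeed; after `terraform apply`, the `encrypted` attribute in state should read `true`.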