resource/rds_db_instance: Correctly create cross-region encrypted replica #865

Merged
merged 1 commit into from
Jun 15, 2017

micahhausler

  • Bumped AWS SDK to v1.8.41

The AWS SDK generates and sets the rds.CreateDBInstanceReadReplicaInput.PreSignedUrl for you if you set the .SourceRegion.

Closes #864

@radeksimko radeksimko added the bug Addresses a defect in current functionality. label Jun 15, 2017

@catsby catsby left a comment

LGTM, thanks!

@catsby catsby merged commit dd2ff1b into hashicorp:master Jun 15, 2017
@micahhausler micahhausler deleted the encrypted-rds-replica branch June 15, 2017 19:37
@bofoy
bofoy commented Aug 16, 2017

We've upgraded to terraform 0.10.0 but we're still having trouble creating encrypted cross-region read replicas. We are getting Error creating DB Instance: InvalidParameterValue: PreSignedUrl could not be authenticated.

We noticed in the source that the SourceRegion is taken from the kms_key_id. Is this as intended? The docs state that the kms_key_id should be the KMS key of the destination instance. Which in this case would be a different region than the source. I would think that the SourceRegion would be equal to the source db instance region, not derived from the kms_key_id of the replica instance.

For example: we are creating a master db instance in us-east-1 and a replica in eu-west-1. The kms_key_id given to the replica would have eu-west-1 in its key ARN, hence setting the SourceRegion to eu-west-1 where it should be us-east-1, if we understand your code correctly.

@omeid
omeid commented Mar 15, 2018

From AmazonRDS/API/CreateDBInstanceReadReplica docs

If you create an encrypted Read Replica in a different AWS Region, then you must specify a KMS key for the destination AWS Region. KMS encryption keys are specific to the AWS Region that they are created in, and you can't use encryption keys from one AWS Region in another AWS Region.

So I am not sure how this ever worked. Wasted a good hour or two on this.
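
Added example, not part of the thread and not the provider's code: a pre-flight check for the two points raised in the comments above, that SourceRegion should come from the source DB instance ARN and that the KMS key must belong to the destination region. The helper names `arnRegion` and `replicaSourceRegion` are hypothetical, and the ARNs in `main` are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// arnRegion returns the region field of an ARN shaped like
// arn:partition:service:region:account-id:resource, after checking the service.
func arnRegion(arn, wantService string) (string, error) {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" {
		return "", fmt.Errorf("not an ARN: %q", arn)
	}
	if parts[2] != wantService {
		return "", fmt.Errorf("expected a %s ARN, got service %q", wantService, parts[2])
	}
	if parts[3] == "" {
		return "", fmt.Errorf("ARN carries no region: %q", arn)
	}
	return parts[3], nil
}

// replicaSourceRegion (hypothetical helper) returns the value to use as
// SourceRegion for an encrypted replica created in destRegion. It takes the
// region from the source DB ARN, never from the KMS key, and rejects a key
// that does not live in the destination region.
func replicaSourceRegion(destRegion, sourceDBArn, kmsKeyArn string) (string, error) {
	srcRegion, err := arnRegion(sourceDBArn, "rds")
	if err != nil {
		return "", err
	}
	if srcRegion == destRegion {
		return "", nil // same-region replica: no SourceRegion to set
	}
	keyRegion, err := arnRegion(kmsKeyArn, "kms")
	if err != nil {
		return "", err
	}
	if keyRegion != destRegion {
		return "", fmt.Errorf("KMS key is in %s, replica is created in %s", keyRegion, destRegion)
	}
	return srcRegion, nil
}

func main() {
	// Constructed ARNs matching the us-east-1 -> eu-west-1 case in the thread.
	src := "arn:aws:rds:us-east-1:123456789012:db:master"
	key := "arn:aws:kms:eu-west-1:123456789012:key/constructed-key-id"
	fmt.Println(replicaSourceRegion("eu-west-1", src, key))
}
```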

@ghost
ghost commented Apr 7, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 7, 2020
Successfully merging this pull request may close these issues.

Cross-region RDS replicas don't include encryption flag