terraform-provider-aws
terraform-provider-aws copied to clipboard
hashicorp
Force replacement on `snapshot_identifier` change for DB cluster resources
Description
Changes to the snapshot_identifier attribute of the aws_rds_cluster, aws_docdb_cluster, and aws_neptune_cluster resources will now trigger a replacement. Previously, changing this attribute would result in a successful apply, but without the cluster actually being restored (only the resource state was changed).
Relations
Closes #15563
References
The aws_db_instance already forces re-creation on changes to this attribute:
https://github.com/hashicorp/terraform-provider-aws/blob/2eab277a0bf5662507d87e67512354394ef5d241/internal/service/rds/instance.go#L504-L509
Output from Acceptance Testing
$ make testacc PKG=rds TESTS="TestAccRDSCluster_snapshotIdentifier|TestAccRDSCluster_SnapshotIdentifier_"
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/rds/... -v -count 1 -parallel 20 -run='TestAccRDSCluster_snapshotIdentifier|TestAccRDSCluster_SnapshotIdentifier_' -timeout 180m
--- PASS: TestAccRDSCluster_SnapshotIdentifier_kmsKeyID (387.21s)
--- PASS: TestAccRDSCluster_SnapshotIdentifier_masterUsername (387.64s)
--- PASS: TestAccRDSCluster_SnapshotIdentifier_masterPassword (406.97s)
--- PASS: TestAccRDSCluster_SnapshotIdentifier_tags (407.33s)
--- PASS: TestAccRDSCluster_SnapshotIdentifier_preferredMaintenanceWindow (412.53s)
--- PASS: TestAccRDSCluster_snapshotIdentifier (427.10s)
--- PASS: TestAccRDSCluster_SnapshotIdentifier_encryptedRestore (427.47s)
--- PASS: TestAccRDSCluster_SnapshotIdentifier_preferredBackupWindow (447.51s)
--- PASS: TestAccRDSCluster_SnapshotIdentifier_vpcSecurityGroupIDs (471.06s)
--- PASS: TestAccRDSCluster_SnapshotIdentifier_deletionProtection (488.49s)
PASS
ok github.com/hashicorp/terraform-provider-aws/internal/service/rds 491.514s
$ make testacc PKG=docdb TESTS=TestAccDocDBCluster_
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/docdb/... -v -count 1 -parallel 20 -run='TestAccDocDBCluster_' -timeout 180m
--- PASS: TestAccDocDBCluster_missingUserNameCausesError (11.19s)
--- PASS: TestAccDocDBCluster_kmsKey (148.65s)
--- PASS: TestAccDocDBCluster_generatedName (163.32s)
--- PASS: TestAccDocDBCluster_namePrefix (163.42s)
--- PASS: TestAccDocDBCluster_basic (163.52s)
--- PASS: TestAccDocDBCluster_encrypted (165.76s)
--- PASS: TestAccDocDBCluster_GlobalClusterIdentifier_Add (170.45s)
--- PASS: TestAccDocDBCluster_GlobalClusterIdentifier_Remove (175.05s)
--- PASS: TestAccDocDBCluster_backupsUpdate (186.64s)
--- PASS: TestAccDocDBCluster_updateCloudWatchLogsExports (186.82s)
--- PASS: TestAccDocDBCluster_GlobalClusterIdentifier_Update (192.92s)
--- PASS: TestAccDocDBCluster_GlobalClusterIdentifier (205.86s)
--- PASS: TestAccDocDBCluster_updateTags (206.89s)
--- PASS: TestAccDocDBCluster_deleteProtection (251.82s)
--- PASS: TestAccDocDBCluster_takeFinalSnapshot (286.18s)
--- PASS: TestAccDocDBCluster_port (309.54s)
--- PASS: TestAccDocDBCluster_GlobalClusterIdentifier_PrimarySecondaryClusters (2489.61s)
PASS
ok github.com/hashicorp/terraform-provider-aws/internal/service/docdb 2494.494s
$ make testacc PKG=neptune TESTS=TestAccNeptuneCluster_
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/neptune/... -v -count 1 -parallel 20 -run='TestAccNeptuneCluster_' -timeout 180m
--- PASS: TestAccNeptuneCluster_kmsKey (130.25s)
--- PASS: TestAccNeptuneCluster_serverlessConfiguration (132.60s)
--- PASS: TestAccNeptuneCluster_namePrefix (132.66s)
--- PASS: TestAccNeptuneCluster_basic (135.38s)
--- PASS: TestAccNeptuneCluster_disappears (140.03s)
--- PASS: TestAccNeptuneCluster_iamAuth (154.69s)
--- PASS: TestAccNeptuneCluster_backupsUpdate (176.37s)
--- PASS: TestAccNeptuneCluster_tags (176.93s)
--- PASS: TestAccNeptuneCluster_encrypted (195.02s)
--- PASS: TestAccNeptuneCluster_updateIAMRoles (208.46s)
--- PASS: TestAccNeptuneCluster_updateCloudWatchLogsExports (208.55s)
--- PASS: TestAccNeptuneCluster_deleteProtection (216.99s)
--- PASS: TestAccNeptuneCluster_copyTagsToSnapshot (237.41s)
--- PASS: TestAccNeptuneCluster_takeFinalSnapshot (297.45s)
--- PASS: TestAccNeptuneCluster_restoreFromSnapshot (443.41s)
--- PASS: TestAccNeptuneCluster_updateEngineVersion (1611.70s)
--- PASS: TestAccNeptuneCluster_updateEngineMajorVersion (2122.90s)
--- PASS: TestAccNeptuneCluster_GlobalClusterIdentifier_PrimarySecondaryClusters (2651.09s)
PASS
ok github.com/hashicorp/terraform-provider-aws/internal/service/neptune 2654.582s
Community Note
Voting for Prioritization
- Please vote on this pull request by adding a 👍 reaction to the original post to help the community and maintainers prioritize this pull request.
- Please see our prioritization guide for information on how we prioritize.
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
For Submitters
- Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
- For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.
- Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
We should also ensure consistency for the AWS services that are veneers on top of RDS:
I want to add caution that there are dragons lurking inside of this change that will catch users off guard.
- If your restoring an automated back from the same cluster. The
ForceNewwill in essence taint the cluster and destroy it before creating a new one from thesnapshot_identifier. As part of the cluster destroy all automated snapshots are are pruned and lost all your data. The new cluster says it can't find thesnapshot_identifier. I filed a support ticket (12024155471) with AWS today to confirm this.At this time, retaining Automated-Snapshots for Aurora is not possible, as it is currently not a flag or marker in the CLI or API call.[1] - With the current code we define
snapshot_identifieronly long enough to get the cluster created and then remove the extra code in terraform. This newForceNewdoesn't have any validation to check to see if the goal is just someone cleaning up the dead reference that no longer is relevant. It might be acceptable to change from anarn:..to an empty string but not the other way around.
Hi @TechIsCool 👋 - Thanks for your comment! I've added DiffSuppressFunc's which should address your second point by allowing removal of the snapshot_idenfitier without a forced replacement.
The automated snapshot scenario is a more difficult one to account for as the snapshot deletion occurs outside the provider workflow. To my knowledge we can't (reliably) distinguish between automated and manual snapshots from identifier alone, which rules out a validation step that could error or warn at plan time. At a minimum we should include some documentation that calls attention to this possibility in each of the impacted resources. I'll also bring this point back to discuss internally and decide if we should consider holding this change for a major release, or pursuing other options.
Thanks again!
After discussing internally, we are going to hold this until v5.0.0 in order to make these changes as visible as possible.
This functionality has been released in v5.0.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.