
awscc_neptune_db_cluster: state mismatch with defaults based on actual config

Open quixoticmonk opened this issue 9 months ago • 4 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
  • The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.

Terraform CLI and Terraform AWS Cloud Control Provider Version

  • Terraform v1.7.4
  • AWSCC provider version : v0.77.0

Affected Resource(s)

  • awscc_neptune_db_cluster

Terraform Configuration Files

The Terraform configuration is below. No subnet group is specified because there is no awscc resource for the Neptune subnet group. Once deployed, a default subnet group is created and attached to the cluster.

resource "awscc_neptune_db_cluster" "default" {
  db_cluster_identifier          = "example"
  backup_retention_period        = 5
  preferred_backup_window        = "07:00-09:00"
  iam_auth_enabled               = true
  db_port                        = 8182
  copy_tags_to_snapshot          = true
  deletion_protection            = false
  enable_cloudwatch_logs_exports = ["audit"]
  engine_version                 = "1.3.1.0"
  preferred_maintenance_window   = "sun:10:00-sun:10:30"
  storage_encrypted              = true
  kms_key_id                     = awscc_kms_key.example.key_id

  tags = [{
    key   = "Modified By"
    value = "AWSCC"
  }]
}

resource "awscc_kms_key" "example" {
  description = "KMS Key for root"
  key_policy = jsonencode({
    "Version" : "2012-10-17",
    "Id" : "KMS-Key-Policy-For-Root",
    "Statement" : [
      {
        "Sid" : "Enable IAM User Permissions",
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : "arn:aws:iam::########:root"
        },
        "Action" : "kms:*",
        "Resource" : "*"
      }
    ]
  })
}

Debug Output

Panic Output

Expected Behavior

The DB cluster should be created. On the second run, Terraform identifies a change in the configuration (when there is none) and destroys the existing cluster.

Actual Behavior

  1. Cluster is created.
  2. On the second terraform apply, Terraform identifies a change in the account (associated subnet, VPC and other configuration), destroys the existing resource and recreates it.

Logs from the run:

Terraform will perform the following actions:

  # awscc_neptune_db_cluster.default must be replaced
-/+ resource "awscc_neptune_db_cluster" "default" {
      + associated_roles                 = (known after apply)
      ~ availability_zones               = [
          - "us-east-1f",
          - "us-east-1d",
          - "us-east-1b",
        ] -> (known after apply)
      ~ cluster_resource_id              = "cluster-BIZ5MJGTO7AP3KGJ2XKV6LEDEI" -> (known after apply)
      ~ db_cluster_parameter_group_name  = "default.neptune1.3" -> (known after apply)
      + db_instance_parameter_group_name = (known after apply)
      ~ db_subnet_group_name             = "default" -> (known after apply)
      ~ endpoint                         = "example.cluster-cmphb1zolqxk.us-east-1.neptune.amazonaws.com" -> (known after apply)
      ~ id                               = "example" -> (known after apply)
      ~ kms_key_id                       = "arn:aws:kms:us-east-1:############:key/e9946bf0-54fe-4fe0-aff9-7c5bcea7a009" -> "e9946bf0-54fe-4fe0-aff9-7c5bcea7a009" # forces replacement
      ~ port                             = "8182" -> (known after apply)
      ~ read_endpoint                    = "example.cluster-ro-cmphb1zolqxk.us-east-1.neptune.amazonaws.com" -> (known after apply)
      + restore_to_time                  = (known after apply)
      + serverless_scaling_configuration = (known after apply)
      + snapshot_identifier              = (known after apply)
      + source_db_cluster_identifier     = (known after apply)
        tags                             = [
            {
                key   = "Modified By"
                value = "AWSCC"
            },
        ]
      + use_latest_restorable_time       = (known after apply)
      ~ vpc_security_group_ids           = [
          - "sg-044b064d6706ce34f",
        ] -> (known after apply)
        # (12 unchanged attributes hidden)
    }
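Added example, not code from the issue or from the provider project: the same two resources with the changes a reviewer of the plan above would try first. In that plan, kms_key_id is the only attribute marked `# forces replacement`: the state holds the key ARN while the configuration passed the bare key ID from `key_id`, so the reference is changed to the key's `arn`. Because an unplanned replacement of a Neptune cluster destroys its data, the example also turns on deletion_protection and adds a prevent_destroy lifecycle rule so that any future replacement fails at plan time instead of being executed. That awscc_kms_key exports an `arn` attribute and that the cluster's KmsKeyId accepts the ARN are assumptions here; the account ID is a placeholder.

```hcl
# Assumption: awscc_kms_key exports `arn` (the CloudFormation AWS::KMS::Key
# read-only Arn property); `key_id` is the bare key ID used in the issue.
resource "awscc_kms_key" "example" {
  description = "KMS key for Neptune cluster storage encryption"
  key_policy = jsonencode({
    Version = "2012-10-17"
    Id      = "KMS-Key-Policy-For-Root"
    Statement = [
      {
        Sid       = "Enable IAM User Permissions"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::ACCOUNT_ID_PLACEHOLDER:root" } # placeholder
        Action    = "kms:*"
        Resource  = "*"
      }
    ]
  })
}

resource "awscc_neptune_db_cluster" "default" {
  db_cluster_identifier          = "example"
  backup_retention_period        = 5
  preferred_backup_window        = "07:00-09:00"
  iam_auth_enabled               = true
  db_port                        = 8182
  copy_tags_to_snapshot          = true
  enable_cloudwatch_logs_exports = ["audit"]
  engine_version                 = "1.3.1.0"
  preferred_maintenance_window   = "sun:10:00-sun:10:30"
  storage_encrypted              = true

  # The plan in the issue shows state = "arn:aws:kms:...:key/<id>" while the
  # config supplied only "<id>", and that was the attribute flagged
  # "# forces replacement". Passing the ARN keeps config and state in the
  # same form. (Assumption: KmsKeyId accepts the ARN, as the state suggests.)
  kms_key_id = awscc_kms_key.example.arn

  # Service-side guard: the API refuses to delete a cluster with deletion
  # protection on, so a runaway replace cannot drop the database.
  deletion_protection = true

  # Terraform-side guard: any plan that would destroy this resource errors
  # out before apply, which turns a silent data-loss replace into a visible
  # failure that has to be reviewed.
  lifecycle {
    prevent_destroy = true
  }

  tags = [{
    key   = "Modified By"
    value = "AWSCC"
  }]
}
```

With both guards in place, a second `terraform apply` against the original configuration would fail at plan time with a prevent_destroy error instead of replacing the cluster, which is the behaviour to want while the underlying state mismatch is still being diagnosed. The computed attributes in the plan (availability_zones, db_subnet_group_name, vpc_security_group_ids, endpoints) appear as "(known after apply)" only because a replacement was scheduled; they do not carry the "forces replacement" marker themselves.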

Steps to Reproduce

  1. terraform apply
  2. terraform apply

Important Factoids

The Terraform state does include the VPC and AZ details, which are not provided in the configuration. Their absence from the config on the second apply leads to the destroy operation.

            "availability_zones": [
              "us-east-1c",
              "us-east-1a",
              "us-east-1b"
            ],
            "backup_retention_period": 5,
            "cluster_resource_id": "cluster-OFGWFHCRGJDEJ5UMIT36PGGCLU",
            "copy_tags_to_snapshot": true,
            "db_cluster_identifier": "example",
            "db_cluster_parameter_group_name": "default.neptune1.3",

References

quixoticmonk · May 22 '24 03:05