cloudposse / terraform-aws-dms

Terraform modules for provisioning and managing AWS DMS resources
https://cloudposse.com/accelerate
Apache License 2.0

Using SSM with engine_name = "docdb" #3

Open bneigher opened 1 year ago

bneigher commented 1 year ago

Describe the Bug

I've been failing to get an endpoint deployed (docdb) with ssm. I'm using Terragrunt -- with this module as the source. I have successfully created the dms endpoint target (kinesis), the iam roles, and a replication instance.

Terraform reports the error:

Error: creating DMS Endpoint (my-database-mongodb): InvalidParameterValueException: The parameter Password must be provided and must not be blank.
    status code: 400, request id: e11ad374-8444-4fc4-9c59-8c5fc420ce46

Which shouldn't be the case because I'm specifically using ssm to provide the credentials with the following format:

{
   "username": db_username,
   "password": db_user_password,
   "engine": "mongo",
   "host": db_server_name,
   "port": db_port_number,
   "ssl": true,
   "dbClusterIdentifier": db_cluster_id
}

Expected Behavior

I'm expecting the resource to be created... I can successfully create the dms endpoint source with ssm using the aws console.

Steps to Reproduce

locals {
  ...
}

terraform {
  source = "git::https://github.com/cloudposse/terraform-aws-dms.git//modules/dms-endpoint//?ref=0.1.1"
}

dependency "secret" {
  config_path = "${dirname(find_in_parent_folders("region.hcl"))}/.../secret"
}

dependency "secret_role" {
  config_path = "${dirname(find_in_parent_folders("region.hcl"))}/.../role"
}

dependency "documentdb" {
  config_path = "${dirname(find_in_parent_folders("region.hcl"))}/.../documentdb"
}

dependency "kms" {
  config_path = "${dirname(find_in_parent_folders("region.hcl"))}/.../kms"
}

dependency "certificate" {
  config_path = "${dirname(find_in_parent_folders("region.hcl"))}/.../certificate"
}

inputs = {
  name                            = "${dependency.documentdb.outputs.cluster_name}-mongodb"
  delimiter                       = "" # https://github.com/cloudposse/terraform-aws-dms/blob/main/context.tf#L142
  environment                     = "" # https://github.com/cloudposse/terraform-aws-dms/blob/main/context.tf#L118
  stage                           = "" # https://github.com/cloudposse/terraform-aws-dms/blob/main/context.tf#L124
  endpoint_type                   = "source"
  engine_name                     = "docdb"
  secrets_manager_access_role_arn = element(dependency.secret_role.outputs.roles, 0).arn
  secrets_manager_arn             = dependency.secret.outputs.arn
  ssl_mode                        = "verify-full"
  certificate_arn                 = dependency.certificate.outputs.certificate_arn
  kms_key_arn                     = dependency.kms.outputs.key_arn
  mongodb_settings                = {
    auth_type      = "no"
    extract_doc_id = true
  }
}

Screenshots

Here is the plan with redacted information:

  # aws_dms_endpoint.default[0] will be created
  + resource "aws_dms_endpoint" "default" {
      + certificate_arn                 = "arn:aws:dms:us-east-1:xxxxxxxxxx:cert:xxxxxxxxxx"
      + endpoint_arn                    = (known after apply)
      + endpoint_id                     = "my-database-mongodb"
      + endpoint_type                   = "source"
      + engine_name                     = "docdb"
      + extra_connection_attributes     = (known after apply)
      + id                              = (known after apply)
      + kms_key_arn                     = "arn:aws:kms:us-east-1:xxxxxxxxxx:key/xxxxxxxxxx"
      + secrets_manager_access_role_arn = "arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxx"
      + secrets_manager_arn             = "arn:aws:secretsmanager:us-east-1:xxxxxxxxxx:secret:xxxxxxxxxx"
      + ssl_mode                        = "verify-full"
      + mongodb_settings {
          + auth_mechanism      = "default"
          + auth_source         = "admin"
          + auth_type           = "no"
          + docs_to_investigate = "1000"
          + extract_doc_id      = "true"
          + nesting_level       = "none"
        }

      + redshift_settings {
          + bucket_folder                     = (known after apply)
          + bucket_name                       = (known after apply)
          + encryption_mode                   = (known after apply)
          + server_side_encryption_kms_key_id = (known after apply)
          + service_access_role_arn           = (known after apply)
        }
    }

Additional Context

Looking at the Terraform Argument Reference, it looks like ssm is not explicitly stated as an option for secrets_manager_arn when using docdb as engine_name. Is this an issue with terraform? Or a bug in this module? Or operator error?

I've been playing around with auth_xxxxx settings in mongodb_settings to no avail.

pavlopicket commented 1 month ago

Hello, any update on this issue?