hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Adding SASL and IAM based client_authentication to a cluster replaces the cluster instead of updating it #23727

Closed ashevade1 closed 2 years ago

ashevade1 commented 2 years ago

Community Note

Terraform CLI and Terraform AWS Provider Version

hashicorp/aws: version = "~> 4.6.0"

Affected Resource(s)

Terraform Configuration Files

resource "aws_msk_cluster" "msk" {
  cluster_name           = var.cluster_name
  kafka_version          = var.kafka_version
  number_of_broker_nodes = var.number_of_brokers
  enhanced_monitoring    = var.enhanced_monitoring
  configuration_info {
    arn      = aws_msk_configuration.msk_config.arn
    revision = aws_msk_configuration.msk_config.latest_revision
  }

  broker_node_group_info {
    instance_type   = var.instance_size
    ebs_volume_size = var.ebs_size
    client_subnets  = var.az_list
    security_groups = var.sg_list
  }

  dynamic "encryption_info" {
    for_each = var.client_authentication_sasl == false && var.client_authentication_iam == false ? [1] : []
    content {
      # encryption_at_rest_kms_key_arn = "" # Accept default key
      encryption_in_transit {
        client_broker = "TLS_PLAINTEXT"
        in_cluster    = true
      }
    }
  }

  dynamic "encryption_info" {
    for_each = var.client_authentication_sasl == true || var.client_authentication_iam == true ? [1] : []
    content {
      # encryption_at_rest_kms_key_arn = "" # Accept default key
      encryption_in_transit {
        client_broker = "TLS"
        in_cluster    = true
      }
    }
  }

  logging_info {
    broker_logs {
      cloudwatch_logs {
        enabled   = true
        log_group = aws_cloudwatch_log_group.msk_logs.name
      }
      firehose {
        enabled         = var.enable_firehose_delivery
        delivery_stream = var.firehose_delivery_stream_name
      }
    }
  }

  dynamic "client_authentication" {
    for_each = (var.client_authentication_sasl == true || var.client_authentication_iam == true) ? [1] : []
    content {
      sasl {
        iam   = var.client_authentication_iam
        scram = var.client_authentication_sasl
      }
    }
  }

  open_monitoring {
    prometheus {
      jmx_exporter {
        enabled_in_broker = var.enable_jmx_exporter
      }
      node_exporter {
        enabled_in_broker = var.enable_node_exporter
      }
    }
  }

  tags = {
    terraform   = "true"
    environment = var.env
  }

}

Panic Output

Expected Behavior

Existing cluster should be modified in place, with IAM based client authentication added.

Actual Behavior

Existing cluster is destroyed and replaced.

Steps to reproduce

Created an MSK cluster without any authentication. Tried adding support for SASL and IAM authentication by adding this

  client_authentication {
    sasl {
      iam   = true
      scram = true
    }
  }

An attempt to apply the plan says it will replace the MSK cluster. However, using the AWS management console, it does allow enabling SASL, IAM based authentication on a pre-existing unauthenticated cluster. Is there a way to prevent replacement of the cluster while allowing addition of SASL, IAM authentication? Blocked on it and any help is appreciated.

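A pre-apply guard for the situation described in this report, added here as an example (it is not part of the issue or of the provider): it reads a `terraform show -json` plan and fails when a stateful resource such as aws_msk_cluster is scheduled for replacement rather than an in-place update, so the destructive plan is caught in CI before anyone runs apply. The plan embedded below is a constructed sample, not real Terraform output; the field names `resource_changes`, `change.actions`, `change.replace_paths` and `action_reason` are those of Terraform's JSON plan format.

```python
# Pre-apply guard: fail when a Terraform JSON plan would replace a stateful resource.
# Produce the plan with: terraform plan -out=tfplan && terraform show -json tfplan > plan.json
import json
import sys

# Resource types whose replacement destroys data; extend as needed.
STATEFUL_TYPES = {"aws_msk_cluster", "aws_db_instance", "aws_rds_cluster"}


def find_replacements(plan, stateful_types=STATEFUL_TYPES):
    """Return planned replacements (create+delete) of stateful resources, with the
    replace_paths (attributes that forced replacement) and action_reason Terraform reports."""
    found = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        # A replacement is create+delete in either order; a plain "update" is in place.
        if sorted(change.get("actions", [])) != ["create", "delete"]:
            continue
        if rc.get("type") not in stateful_types:
            continue
        found.append({
            "address": rc["address"],
            "replace_paths": [".".join(map(str, p)) for p in change.get("replace_paths", [])],
            "reason": rc.get("action_reason", "unknown"),
        })
    return found


# Constructed sample plan mirroring the issue: adding client_authentication
# forces replacement of the MSK cluster. Not real Terraform output.
SAMPLE_PLAN = {
    "format_version": "1.0",
    "resource_changes": [
        {"address": "aws_msk_cluster.msk", "type": "aws_msk_cluster",
         "action_reason": "replace_because_cannot_update",
         "change": {"actions": ["delete", "create"],
                    "replace_paths": [["client_authentication"]]}},
        {"address": "aws_cloudwatch_log_group.msk_logs", "type": "aws_cloudwatch_log_group",
         "change": {"actions": ["update"]}},
    ],
}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    hits = find_replacements(plan)
    for r in hits:
        print(f"REPLACE {r['address']} via {r['replace_paths']} ({r['reason']})")
    sys.exit(1 if hits else 0)
```

Independently of such a guard, `lifecycle { prevent_destroy = true }` on the aws_msk_cluster resource makes `terraform plan` error out instead of scheduling the replacement, which is the in-configuration safeguard for a cluster that must not be recreated.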

justinretzolk commented 2 years ago

Hey @ashevade1 👋 Thank you for taking the time to raise this! So that we have all of the necessary information in order to look into this, can you update the issue description with the rest of the information requested in the bug report template?

ashevade1 commented 2 years ago

Hi, I did attach the required information. @justinretzolk

github-actions[bot] commented 2 years ago

This functionality has been released in v4.13.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

github-actions[bot] commented 2 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.