Closed Mdeshmukh93 closed 2 years ago
Hey @Mdeshmukh93 👋 Thank you for taking the time to raise this! So that we have all of the necessary information in order to look into this, can you update the issue description to include all of the information requested in the bug report template?
Hi @justinretzolk,
terraform version: Terraform v1.1.0

terraform provider version:

```hcl
terraform {
  required_version = ">= 1.1.0"
  required_providers {
    aws = "4.1.0"
  }
}
```
resource "aws_elasticsearch_domain"
```hcl
resource "aws_elasticsearch_domain" "this" {
  domain_name           = "elasticsearch_domain"
  elasticsearch_version = var.es_version

  cluster_config {
    instance_type            = var.instance_type
    instance_count           = var.instance_count
    dedicated_master_enabled = var.instance_count >= var.dedicated_master_threshold ? true : false
    dedicated_master_count   = var.instance_count >= var.dedicated_master_threshold ? 3 : 0
    dedicated_master_type    = var.instance_count >= var.dedicated_master_threshold ? var.dedicated_master_type != "false" ? var.dedicated_master_type : var.instance_type : ""
    zone_awareness_enabled   = var.es_zone_awareness

    dynamic "zone_awareness_config" {
      for_each = var.es_zone_awareness ? tolist([""]) : []
      content {
        availability_zone_count = var.az_awareness_zone_count
      }
    }
  }

  node_to_node_encryption {
    enabled = var.node_to_node_encryption_enabled
  }

  encrypt_at_rest {
    enabled = var.encrypt_at_rest
  }

  advanced_options = {
    "rest.action.multi.allow_explicit_index" = "true"
  }

  domain_endpoint_options {
    enforce_https       = var.enforce_https
    tls_security_policy = var.tls_security_policy
  }

  vpc_options {
    subnet_ids         = local.subnets
    security_group_ids = [join("", aws_security_group.this.*.id)]
  }

  ebs_options {
    volume_size = var.ebs_volume_size
    volume_type = var.ebs_volume_type
  }

  snapshot_options {
    automated_snapshot_start_hour = var.snapshot_start_time
  }
}
```
```
-/+ resource "aws_elasticsearch_domain" "this" {
      ~ arn             = "arn:aws:es:us-west-2:8977:domain/prod-ce-elk" -> (known after apply)
      ~ domain_id       = "8947/prod-ce-elk" -> (known after apply)
      ~ endpoint        = "vpc-prod-ce-elk-yhkq.us-west-2.es.amazonaws.com" -> (known after apply)
      ~ id              = "arn:aws:es:us-west-2:8947:domain/prod-ce-elk" -> (known after apply)
      ~ kibana_endpoint = "vpc-prod-ce-elk-yh****kq.us-west-2.es.amazonaws.com/_plugin/kibana/" -> (known after apply)

      ~ node_to_node_encryption {
          ~ enabled = false -> true # forces replacement
        }
    }
```
Since we have Elasticsearch version > 6.7, node-to-node encryption has to be enabled without recreating the entire domain.
It's recreating the entire domain when trying to enable ES node-to-node encryption.
terraform plan
Note: we have Elasticsearch/OpenSearch version 7.7 running in our env.
The mentioned issue has been fixed in provider version 4.11
Hey @Mdeshmukh93 👋 As mentioned above, it looks like this was fixed with AWS Provider version 4.11 (changelog can be found here). Given that's the case, we'll close this issue. If you feel we've done this in error, please do let me know.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Hi,
We are performing ES node-to-node encryption via Terraform, but when we run terragrunt plan it is recreating the whole ES domain. But as per the Terraform documentation (ref-1), for any ES cluster version greater than 6.7 it should not re-create the domain. Need your assistance on how to proceed further.
Here is the domain it's been re-creating entirely:
```
-/+ resource "aws_elasticsearch_domain" "this" {
      ~ arn             = "arn:aws:es:us-west-2:8977:domain/prod-ce-elk" -> (known after apply)
      ~ domain_id       = "8947/prod-ce-elk" -> (known after apply)
      ~ endpoint        = "vpc-prod-ce-elk-yh**kq.us-west-2.es.amazonaws.com" -> (known after apply)
      ~ id              = "arn:aws:es:us-west-2:8947:domain/prod-ce-elk" -> (known after apply)
      ~ kibana_endpoint = "vpc-prod-ce-elk-yh**kq.us-west-2.es.amazonaws.com/_plugin/kibana/" -> (known after apply)
        tags            = {
            "CostCenter"        = "207"
            "Data"              = "Confidential"
            "Environment"       = "prod-ce"
            "Stack"             = "prod-ce"
            "terraform_managed" = "true"

      ~ node_to_node_encryption {
          ~ enabled = false -> true # forces replacement
        }
    }
```
Note: we have Elasticsearch/OpenSearch version 7.7 running.
ref-1: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#node_to_node_encryption