hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Elastic search node to node encryption #25026

Closed Mdeshmukh93 closed 2 years ago

Mdeshmukh93 commented 2 years ago

Hi,

We are enabling ES node-to-node encryption via Terraform, but when we run terragrunt plan it is recreating the whole ES domain. But as per the Terraform document (ref-1), for any ES cluster version greater than 6.7 it should not re-create the domain. Need your assistance on how to proceed further.

Here is the domain; it's been re-created entirely:

```
-/+ resource "aws_elasticsearch_domain" "this" {
      ~ arn             = "arn:aws:es:us-west-2:8977:domain/prod-ce-elk" -> (known after apply)
      ~ domain_id       = "8947/prod-ce-elk" -> (known after apply)
      ~ endpoint        = "vpc-prod-ce-elk-yh**kq.us-west-2.es.amazonaws.com" -> (known after apply)
      ~ id              = "arn:aws:es:us-west-2:8947:domain/prod-ce-elk" -> (known after apply)
      ~ kibana_endpoint = "vpc-prod-ce-elk-yh**kq.us-west-2.es.amazonaws.com/_plugin/kibana/" -> (known after apply)
        tags            = {
          "CostCenter"        = "207"
          "Data"              = "Confidential"
          "Environment"       = "prod-ce"
          "Stack"             = "prod-ce"
          "terraform_managed" = "true"
        }

      ~ node_to_node_encryption {
          ~ enabled = false -> true # forces replacement
        }
    }
```

Note: we have Elasticsearch/OpenSearch version 7.7 running.

ref1:https://urldefense.com/v3/__https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain*node_to_node_encryption__;Iw!!BHlfX_zbyOAjqHI!0FiwyGhdMXwpB8b1MOp1M9OEZua8WpDiaSEt7x7mixFxxPS6TvM3PVMeWi7PW4l4mlmnJMILXXIiFm9MHn8_TwPo-h12v14bzjI$

justinretzolk commented 2 years ago

Hey @Mdeshmukh93 👋 Thank you for taking the time to raise this! So that we have all of the necessary information in order to look into this, can you update the issue description to include all of the information requested in the bug report template?

Mdeshmukh93 commented 2 years ago

Hi @justinretzolk,

Terraform CLI and Terraform AWS Provider Version

Terraform version: Terraform v1.1.0

Terraform provider version:

```hcl
terraform {
  required_version = ">= 1.1.0"
  required_providers {
    aws = "4.1.0"
  }
}
```

Affected Resource(s)

resource "aws_elasticsearch_domain"

Terraform Configuration Files

```hcl
resource "aws_elasticsearch_domain" "this" {
  domain_name           = "elasticsearch_domain"
  elasticsearch_version = var.es_version

  cluster_config {
    instance_type            = var.instance_type
    instance_count           = var.instance_count
    dedicated_master_enabled = var.instance_count >= var.dedicated_master_threshold ? true : false
    dedicated_master_count   = var.instance_count >= var.dedicated_master_threshold ? 3 : 0
    # Nested conditional, parenthesised for readability (same logic as the original)
    dedicated_master_type    = var.instance_count >= var.dedicated_master_threshold ? (var.dedicated_master_type != "false" ? var.dedicated_master_type : var.instance_type) : ""

    zone_awareness_enabled = var.es_zone_awareness

    dynamic "zone_awareness_config" {
      for_each = var.es_zone_awareness ? tolist([""]) : []
      content {
        availability_zone_count = var.az_awareness_zone_count
      }
    }
  }

  node_to_node_encryption {
    enabled = var.node_to_node_encryption_enabled
  }

  encrypt_at_rest {
    enabled = var.encrypt_at_rest
  }

  advanced_options = {
    "rest.action.multi.allow_explicit_index" = "true"
  }

  domain_endpoint_options {
    enforce_https       = var.enforce_https
    tls_security_policy = var.tls_security_policy
  }

  vpc_options {
    subnet_ids         = local.subnets
    security_group_ids = [join("", aws_security_group.this.*.id)]
  }

  ebs_options {
    volume_size = var.ebs_volume_size
    volume_type = var.ebs_volume_type
  }

  snapshot_options {
    automated_snapshot_start_hour = var.snapshot_start_time
  }
}
```

Debug Output

```
-/+ resource "aws_elasticsearch_domain" "this" {
      ~ arn             = "arn:aws:es:us-west-2:8977:domain/prod-ce-elk" -> (known after apply)
      ~ domain_id       = "8947/prod-ce-elk" -> (known after apply)
      ~ endpoint        = "vpc-prod-ce-elk-yhkq.us-west-2.es.amazonaws.com" -> (known after apply)
      ~ id              = "arn:aws:es:us-west-2:8947:domain/prod-ce-elk" -> (known after apply)
      ~ kibana_endpoint = "vpc-prod-ce-elk-yh****kq.us-west-2.es.amazonaws.com/_plugin/kibana/" -> (known after apply)

      ~ node_to_node_encryption {
          ~ enabled = false -> true # forces replacement
        }
    }
```

Expected Behavior

Since we have Elasticsearch version > 6.7, node-to-node encryption should be enabled without recreating the entire domain.

Actual Behavior

It's recreating the entire domain when trying to enable ES node-to-node encryption.

Steps to Reproduce

  1. `terraform plan`

References

Note: we have Elasticsearch/OpenSearch version 7.7 running in our ENV.

ref1:https://urldefense.com/v3/__https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain*node_to_node_encryption__;Iw!!BHlfX_zbyOAjqHI!0FiwyGhdMXwpB8b1MOp1M9OEZua8WpDiaSEt7x7mixFxxPS6TvM3PVMeWi7PW4l4mlmnJMILXXIiFm9MHn8_TwPo-h12v14bzjI$
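A guardrail worth having in the pipeline for a case like this one, as an added example that is not part of the issue or the provider's own code: a check over `terraform show -json plan.out` output that fails when an aws_elasticsearch_domain (or aws_opensearch_domain) would be destroyed and recreated, and names the attribute path that forces it, so a production domain holding confidential data is never replaced by accident. The sample plan JSON is constructed here to mirror the plan in the report; `resource_changes`, `actions` and `replace_paths` are fields of Terraform's JSON plan format.

```python
import json

# Constructed sample of `terraform show -json plan.out` output, mirroring the
# issue's plan: flipping node_to_node_encryption.enabled forces replacement.
SAMPLE_PLAN_JSON = """
{
  "format_version": "1.0",
  "resource_changes": [
    {
      "address": "aws_elasticsearch_domain.this",
      "type": "aws_elasticsearch_domain",
      "name": "this",
      "change": {
        "actions": ["delete", "create"],
        "before": {"domain_name": "prod-ce-elk",
                   "node_to_node_encryption": [{"enabled": false}]},
        "after":  {"domain_name": "prod-ce-elk",
                   "node_to_node_encryption": [{"enabled": true}]},
        "replace_paths": [["node_to_node_encryption", 0, "enabled"]]
      }
    },
    {
      "address": "aws_security_group.this[0]",
      "type": "aws_security_group",
      "name": "this",
      "change": {"actions": ["update"], "before": {}, "after": {}}
    }
  ]
}
"""

PROTECTED_TYPES = ("aws_elasticsearch_domain", "aws_opensearch_domain")


def find_replacements(plan_json, types=PROTECTED_TYPES):
    """Return [(address, ['attr.path', ...]), ...] for every resource of the
    protected types that the plan would destroy and recreate (-/+ or +/-)."""
    hits = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") not in types:
            continue
        if set(change.get("actions", [])) != {"delete", "create"}:
            continue
        # replace_paths lists the attributes whose change forces replacement
        paths = [".".join(str(p) for p in path) for path in change.get("replace_paths", [])]
        hits.append((rc["address"], paths))
    return hits


def plan_is_safe(plan_json):
    """True when no protected domain would be replaced; use as a CI gate."""
    return not find_replacements(plan_json)


if __name__ == "__main__":
    for address, paths in find_replacements(SAMPLE_PLAN_JSON):
        print(f"REPLACEMENT: {address} forced by {', '.join(paths) or 'unknown attribute'}")
    raise SystemExit(0 if plan_is_safe(SAMPLE_PLAN_JSON) else 1)
```

Run it against a real plan with `terraform plan -out=plan.out && terraform show -json plan.out > plan.json` and feed the file contents to `plan_is_safe`; the exit status makes it usable as a pipeline step.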

RITESHBRID commented 2 years ago

The mentioned issue has been fixed in provider version 4.11

justinretzolk commented 2 years ago

Hey @Mdeshmukh93 👋 As mentioned above, it looks like this was fixed with AWS Provider version 4.11 (changelog can be found here). Given that's the case, we'll close this issue. If you feel we've done this in error, please do let me know.

github-actions[bot] commented 2 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.