Open milalima opened 2 years ago
Hey @milalima 👋 Thank you for taking the time to raise this! In this case, it looks like it's the change in broker_node_group_info.security_groups that is causing the replacement of the resource. There are certain arguments that, when changed, require recreating resources. Usually this is due to an API limitation where that part of the configuration can't be modified without recreating the resource entirely. For example, in this case, there are functions in the AWS Go SDK to update the broker count, storage, and type, but no function to update the broker security group configuration.
With that in mind, in this case, the only way to prevent recreating the resource would be to not modify the broker_node_group_info.security_groups configuration. I realize this may not be the answer you were looking for, but I hope that some of this information helps.
The manual procedure for modifying the security groups that an MSK cluster belongs to is documented, but it is very roundabout. It's possible to do this manually by locating the ENIs attached to the cluster brokers and then assigning the desired security groups using EC2 management commands.
Knowing this, I wonder if it's possible to add support for changing MSK cluster security groups to the Terraform provider so these changes can be automated without requiring recreation of the cluster.
Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.
If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!
As explained in the doc, this is not a permanent change, the new brokers will still use the old security group.
If you change the security group that is associated with the brokers of a cluster, and then add new brokers to that cluster, Amazon MSK associates the new brokers with the original security group that was associated with the cluster when the cluster was created. However, for a cluster to work correctly, all of its brokers must be associated with the same security group. Therefore, if you add new brokers after changing the security group, you must follow the previous procedure again and update the ENIs of the new brokers.
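The out-of-band procedure described two comments up (list the broker ENIs, then change their security groups with EC2 calls), combined with the caveat quoted above that newly added brokers come up with the cluster's original security group, is the sort of thing that is worth scripting as a reconcile loop rather than a one-off. The following is an added example, not code from the issue, from AWS, or from the Terraform provider. It assumes a configured AWS CLI and an operator-supplied cluster ARN and desired security group list; the cluster, ENI and security group IDs in the embedded sample responses are constructed. It only uses the `aws kafka list-nodes`, `aws ec2 describe-network-interfaces` and `aws ec2 modify-network-interface-attribute` commands, and it generalises the manual steps slightly by skipping ENIs that already carry the desired set, so it can be re-run safely after the cluster is scaled out.

```python
"""Reconcile the security groups on an MSK cluster's broker ENIs out of band.

Added example (hypothetical helper, not part of the issue or the provider).
Assumes: AWS CLI installed and configured; CLUSTER_ARN and DESIRED supplied by
the operator; sample responses below are constructed for offline use.
"""
import json
import subprocess
from typing import Dict, List


def broker_eni_ids(list_nodes_output: dict) -> List[str]:
    """ENI IDs of the BROKER nodes in `aws kafka list-nodes` output.

    ZooKeeper nodes are listed alongside brokers in NodeInfoList and are
    skipped on purpose: the procedure only touches the broker ENIs.
    """
    return sorted(
        node["BrokerNodeInfo"]["AttachedENIId"]
        for node in list_nodes_output.get("NodeInfoList", [])
        if node.get("NodeType") == "BROKER" and "BrokerNodeInfo" in node
    )


def current_groups(describe_output: dict) -> Dict[str, List[str]]:
    """ENI ID -> sorted security group IDs, from `aws ec2 describe-network-interfaces`."""
    return {
        eni["NetworkInterfaceId"]: sorted(g["GroupId"] for g in eni.get("Groups", []))
        for eni in describe_output.get("NetworkInterfaces", [])
    }


def plan_changes(eni_ids: List[str], groups_by_eni: Dict[str, List[str]], desired: List[str]) -> List[str]:
    """Broker ENIs whose group set differs from `desired` (order-insensitive).

    A broker added after the last run comes up with the cluster's original
    security group, so it shows up here and gets updated on the next run.
    An ENI missing from `groups_by_eni` is treated as needing an update.
    """
    want = sorted(set(desired))
    return [eni for eni in eni_ids if groups_by_eni.get(eni) != want]


def _aws(*args: str) -> dict:
    """Run one AWS CLI command and parse its JSON output (empty for mutations)."""
    proc = subprocess.run(["aws", *args, "--output", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def reconcile(cluster_arn: str, desired: List[str], dry_run: bool = True) -> List[str]:
    """Make every broker ENI of the cluster carry exactly `desired`.

    Safe to re-run after scaling out: ENIs that already match are left alone.
    Returns the ENIs that were updated (or would be, when dry_run is True).
    """
    enis = broker_eni_ids(_aws("kafka", "list-nodes", "--cluster-arn", cluster_arn))
    if not enis:
        return []
    groups = current_groups(_aws("ec2", "describe-network-interfaces", "--network-interface-ids", *enis))
    todo = plan_changes(enis, groups, desired)
    for eni in todo:
        if not dry_run:
            _aws("ec2", "modify-network-interface-attribute", "--network-interface-id", eni, "--groups", *desired)
    return todo


# Constructed sample responses: shapes follow the two read-only CLI commands, IDs are made up.
SAMPLE_LIST_NODES = {
    "NodeInfoList": [
        {"NodeType": "BROKER", "BrokerNodeInfo": {"BrokerId": 1.0, "AttachedENIId": "eni-0aaa111"}},
        {"NodeType": "BROKER", "BrokerNodeInfo": {"BrokerId": 2.0, "AttachedENIId": "eni-0bbb222"}},
        {"NodeType": "ZOOKEEPER", "ZookeeperNodeInfo": {"AttachedENIId": "eni-0ccc333"}},
    ]
}
# Broker 1 already has the desired set (listed in a different order); broker 2 was
# added after the last change and still has only the cluster's original group.
SAMPLE_DESCRIBE = {
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0aaa111", "Groups": [{"GroupId": "sg-new"}, {"GroupId": "sg-old"}]},
        {"NetworkInterfaceId": "eni-0bbb222", "Groups": [{"GroupId": "sg-old"}]},
    ]
}
DESIRED = ["sg-old", "sg-new"]


def demo_plan() -> List[str]:
    """Run the planning step on the constructed samples, with no AWS calls."""
    return plan_changes(broker_eni_ids(SAMPLE_LIST_NODES), current_groups(SAMPLE_DESCRIBE), DESIRED)


if __name__ == "__main__":
    print("would update:", demo_plan())  # prints: would update: ['eni-0bbb222']
```

Run `reconcile(cluster_arn, desired)` first with the default `dry_run=True` to see which ENIs would change, then with `dry_run=False` to apply. Because Terraform's configuration for `broker_node_group_info.security_groups` is left untouched, the provider sees no diff and does not plan a replacement; the trade-off is that the real ENI groups now differ from what the configuration says, which is why the script is written to be re-run after every scale-out.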
Actual Behavior
It is deleting the whole cluster and recreating a new one. This impacts the development team since it is also changing the hostnames.
Steps to Reproduce
Make any change to the cluster.
It is possible to see in CloudTrail the API deletecluster being called. The user agent for the above operation was "APN/1.0 HashiCorp/1.0 Terraform/1.1.4 (+https://www.terraform.io) terraform-provider-aws/dev (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.43.40 (go1.17.6; linux; amd64)". So it seems like a Terraform script deleted and recreated the MSK cluster. What can I do to not delete the cluster and only update it?