[Bug]: aws_redshiftserverless_workgroup has persistent changes

[matschundbrei]

Terraform Core Version

1.3.5

AWS Provider Version

4.40.0

Affected Resource(s)

• aws_redshiftserverless_workgroup

Expected Behavior

Apply config parameters consistently

Actual Behavior

Two new out of order config_parameter appear, that I cannot control from terraform (see Errors), changes persist between runs and cannot be applied (see Errors)

Relevant Error/Panic Output Snippet

# On plan:
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place
Terraform will perform the following actions:
  # aws_redshiftserverless_workgroup.data will be updated in-place
  ~ resource "aws_redshiftserverless_workgroup" "data" {
        id                   = "redacted"
        tags                 = {}
        # (11 unchanged attributes hidden)
      ~ config_parameter {
          ~ parameter_key   = "auto_mv" -> "datestyle"
          ~ parameter_value = "true" -> "ISO, MDY"
        }
      ~ config_parameter {
          ~ parameter_key   = "datestyle" -> "enable_user_activity_logging"
          ~ parameter_value = "ISO, MDY" -> "true"
        }
      ~ config_parameter {
          ~ parameter_key   = "enable_case_sensitive_identifier" -> "query_group"
          ~ parameter_value = "false" -> "default"
        }
      ~ config_parameter {
          ~ parameter_key   = "enable_user_activity_logging" -> "search_path"
          ~ parameter_value = "true" -> "$user, public"
        }
      ~ config_parameter {
          ~ parameter_key   = "query_group" -> "max_query_execution_time"
          ~ parameter_value = "default" -> "14400"
        }
      - config_parameter {
          - parameter_key   = "search_path" -> null
          - parameter_value = "$user, public" -> null
        }
      - config_parameter {
          - parameter_key   = "max_query_execution_time" -> null
          - parameter_value = "14400" -> null
        }
    }
Plan: 0 to add, 1 to change, 0 to destroy.

# On apply:
aws_redshiftserverless_workgroup.data: Modifying... [id=redacted]
╷
│ Error: error updating Redshift Serverless Workgroup ([redacted]): ValidationException: Can't update multiple configurations at the same time for workgroup [redacted].
│ 
│   with aws_redshiftserverless_workgroup.data,
│   on redshift.tf line 9, in resource "aws_redshiftserverless_workgroup" "data":
│    9: resource "aws_redshiftserverless_workgroup" "data" {
│ 
╵
ERRO[2022-11-22T18:32:43Z] Application execution failed                  PID=135315

# verify output when trying to add the parameters from above in order observed:
$ terraform validate
╷
│ Error: expected config_parameter.0.parameter_key to be one of [datestyle enable_user_activity_logging query_group search_path max_query_execution_time], got auto_mv
│ 
│   with aws_redshiftserverless_workgroup.data,
│   on redshift.tf line 16, in resource "aws_redshiftserverless_workgroup" "data":
│   16:     parameter_key   = "auto_mv"
│ 
╵
╷
│ Error: expected config_parameter.2.parameter_key to be one of [datestyle enable_user_activity_logging query_group search_path max_query_execution_time], got enable_case_sensitive_identifier
│ 
│   with aws_redshiftserverless_workgroup.data,
│   on redshift.tf line 24, in resource "aws_redshiftserverless_workgroup" "data":
│   24:     parameter_key   = "enable_case_sensitive_identifier"
│ 
╵
ERRO[2022-11-22T18:16:25Z] Application execution failed                  PID=13459

Terraform Configuration Files

I left out IAM (aws_iam_role.redshift.arn) and VPC (data.aws_subnets.private.ids) config to keep up clarity, ping me if you need an example.

resource "aws_redshiftserverless_namespace" "data" {
  namespace_name       = "example_text"
  admin_username       = "example-admin"
  admin_user_password  = "supersecret"
  default_iam_role_arn = aws_iam_role.redshift.arn
}

resource "aws_redshiftserverless_workgroup" "data" {
  namespace_name      = aws_redshiftserverless_namespace.data.namespace_name
  workgroup_name      = "example_text_workgroup"
  base_capacity       = 32
  subnet_ids          = data.aws_subnets.private.ids
  publicly_accessible = false
  config_parameter {
    parameter_key   = "datestyle"
    parameter_value = "ISO, MDY"
  }
  config_parameter {
    parameter_key   = "enable_user_activity_logging"
    parameter_value = "true"
  }
  config_parameter {
    parameter_key   = "query_group"
    parameter_value = "default"
  }
  config_parameter {
    parameter_key   = "search_path"
    parameter_value = "$user, public"
  }
  config_parameter {
    parameter_key   = "max_query_execution_time"
    parameter_value = "14400"
  }
  # WORKAROUND (TESTED)
  # lifecycle {
  #   ignore_changes = [
  #     config_parameter,
  #   ]
  # }
}

Steps to Reproduce

1. apply the configuration to create a redshift-serverless working group
2. try to apply again and receive the error above
3. that's it

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[pedropperez]

The two new additional configuration keys are not showing in the CLI documentation either.

[matschundbrei]

edit: redacted internal ids

[DrFaust92]

possible solution is to change the params to set instead of list type and remove validation for key. ill take a look if someone wont before i do.

[DrFaust92]

    Error: error creating Redshift Serverless Workgroup : ValidationException: The parameter key auto_mv isn't supported. Supported values: [[max_query_execution_time, search_path, datestyle, query_group, enable_user_activity_logging]]

so one thing before the ordering issue, some of the options. arent valid even if i remove the provider side validation

[meetvasu15]

@DrFaust92 I think ordering them right wont resolve it for now, seems like there is an underlying issue with updating the config_parameter with the UpdateWorkgroup API. The work around suggested is to basically recreate the workgroup if there are changes to config param. aws/aws-cli #7507

FWIW, changes to anything other than config_parameter block of the workgroup must not trigger a UpdateWorkgroup API call with config_parameter value in them for that see hashicorp/terrafrom#28255

[igordrnobrega]

Hey guys, is there any news related to this? Thanks

[pedropperez]

The additional parameters need to be enabled for the drift to disappear. The api documentation already includes them.

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.