Open griggi-ws opened 1 year ago
@justinretzolk can you pull down the debug and terraform config files? They are encrypted using HashiCorp public keys.
@griggi-ws are you experiencing this issue in GovCloud, Commercial, or another partition? Can you specify which region you are using?
This is in the standard commercial partition, utilizing the fips endpoints. It occurred across multiple regions, eu-central-1 and us-east-1 being the two I recall explicitly testing prior to rolling back to the earlier version. The debug output was from a run in us-east-1, and the config files are for the same.
@AdamTylerLynch we are seeing this issue as well, in GovCloud in us-gov-west-1. We are on version 4.59.0 of the aws provider.
Upon source code review, there are 3 locations where this specific error message could be raised (not associated with Blue/Green Deployments). They all occur after an AWS API call to ModifyDBInstance().
My hypothesis is that an AWS server side validation routine is rejecting an input value. Most likely something defined in the CloudwatchLogsExportConfiguration attribute.
A few paths exist to get a root cause:
Hi @griggi-ws, do you still see this error with a more recent version of the provider?
If so, how are you setting the FIPS endpoints? Are you using use_fips_endpoint on the provider configuration block, or setting the endpoint directly? If you're setting the endpoint directly, are you setting just the hostname, or a full URL?
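Added example, not code from this issue or from the provider's source, to show why the hostname-versus-full-URL question above matters. Go's net/http, which the AWS SDK and therefore the provider sit on, refuses to send a request whose URL carries no scheme, and the message it returns is the one reported in this issue: `unsupported protocol scheme ""`. The transport below has its dialer stubbed so nothing leaves the machine; the endpoint hostname and the ModifyDBInstance request body are placeholders, and `withScheme` is an illustrative normalization, not the provider's. Whether a scheme-less endpoint override is the cause of this report is exactly what the question is trying to establish.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// errDialBlocked is returned by the constructed dialer below so the example
// never opens a real socket; reaching it proves net/http accepted the URL.
var errDialBlocked = errors.New("dial blocked in this example")

// offlineTransport is a stock http.Transport whose dialer refuses every
// connection. Transport.RoundTrip checks the URL scheme before it dials, so a
// scheme-less URL fails with "unsupported protocol scheme" and a proper
// https:// URL fails later, at our blocked dial.
func offlineTransport() *http.Transport {
	return &http.Transport{
		Proxy: nil, // do not consult HTTPS_PROXY and friends
		DialContext: func(_ context.Context, network, addr string) (net.Conn, error) {
			return nil, fmt.Errorf("%w (%s %s)", errDialBlocked, network, addr)
		},
	}
}

// postError posts a placeholder Query-API body to endpoint, the way an SDK
// client sends ModifyDBInstance, and returns the error text ("" on success).
func postError(endpoint string) string {
	client := &http.Client{Transport: offlineTransport()}
	body := strings.NewReader("Action=ModifyDBInstance") // placeholder body
	req, err := http.NewRequest(http.MethodPost, endpoint, body)
	if err != nil {
		return err.Error()
	}
	resp, err := client.Do(req)
	if err != nil {
		return err.Error()
	}
	resp.Body.Close()
	return ""
}

// hasScheme reports whether an operator-supplied endpoint carries a scheme.
func hasScheme(endpoint string) bool {
	return strings.Contains(endpoint, "://")
}

// withScheme is the normalization a client should apply to an endpoint
// override before use: bare hostnames get "https://", explicit schemes stay.
// (Illustrative; not the provider's or the SDK's own code.)
func withScheme(endpoint string) string {
	if hasScheme(endpoint) {
		return endpoint
	}
	return "https://" + endpoint
}

func main() {
	for _, ep := range []string{
		"rds-fips.us-east-1.amazonaws.com",         // bare hostname
		"https://rds-fips.us-east-1.amazonaws.com", // full URL
	} {
		fmt.Printf("as given  : %-42s -> %s\n", ep, postError(ep))
		fmt.Printf("normalized: %-42s -> %s\n", withScheme(ep), postError(withScheme(ep)))
	}
}
```

Running it shows the bare hostname failing before any connection is attempted, with the same `unsupported protocol scheme ""` text, while the same host with `https://` in front gets as far as the (deliberately blocked) dial. When diagnosing this class of error, the first thing to check is therefore the exact string the client was handed as its endpoint, not the API parameters in the request.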
Terraform Core Version
0.13.7
AWS Provider Version
4.51.0,4.50.0,4.49.0,4.48.0,4.47.0,4.46.0,4.45.0,4.44.0,4.43.0,4.42.0
Affected Resource(s)
Expected Behavior
A change should have been applied (in this case, simply enablement of all cloudwatch log exports on a pair of RDS instances)
Actual Behavior
A non-specific error for "unsupported protocol scheme" upon apply
Relevant Error/Panic Output Snippet
Terraform Configuration Files
I made a sanitization effort and encrypted with the HashiCorp public key as well. I don't believe I snipped anything critical, but let me know what more you need. Unfortunately GitHub isn't liking tgzs with encrypted contents, nor a tgz that was then encrypted, so remote host. https://drive.google.com/file/d/1CwwZCU_fG02e4fK2pMKUD1gQ4pBfJqyt/view?usp=sharing
Steps to Reproduce
Start with/create an RDS instance with some semblance of the following state:
Change enabled_cloudwatch_logs_exports parameter to ["audit","error","general","slowquery"]
Apply
Debug Output
https://drive.google.com/file/d/1D6HOOEB232xP2wjkcoWbxRTKLzyl72f9/view?usp=share_link
Panic Output
No response
Important Factoids
Applies without issue with provider version 4.41.0. Each version since (up to and including 4.51.0) output the same error. After successfully updating cloudwatch exports with 4.41.0, I attempted to apply another change back on 4.50.0 to enable RDS performance insights, and that also failed with the same error. Reverting to 4.41.0 once again was successful.
Also worth noting, we are using the fips endpoints.
References
No response
Would you like to implement a fix?
None