hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

resource/aws_rds_cluster_instance is being destroyed and re-created when adding new resources in the tf file. #31558

Closed tayyabgilani closed 1 year ago

tayyabgilani commented 1 year ago

Description

Terraform Version: 1.4.6
AWS provider version: 4.67.0

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.67.0"
    }
  }
  required_version = ">=1.4.6"
}

RDS cluster/instance resources

resource "aws_rds_cluster" "cluster" {
  cluster_identifier              = "aurora-cluster-demo"
  engine                          = "aurora-mysql"
  db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.default.id
  db_subnet_group_name            = aws_db_subnet_group.database.name
  engine_version                  = "8.0.mysql_aurora.3.02.2"
  availability_zones              = [data.aws_availability_zones.available.names[0], data.aws_availability_zones.available.names[1]]
  database_name                   = "mydb"
  master_username                 = "foo"
  master_password                 = "A12dadf125"
  skip_final_snapshot             = true
  apply_immediately               = true
  enabled_cloudwatch_logs_exports = [
    "audit",
    "error",
    "general",
    "slowquery"
  ]
  serverlessv2_scaling_configuration {
    max_capacity = 1.0
    min_capacity = 0.5
  }
  lifecycle {
    ignore_changes = [engine_version]
  }
}

resource "aws_rds_cluster_instance" "cluster_instances_reader" {
  apply_immediately                     = true
  auto_minor_version_upgrade            = true
  availability_zone                     = data.aws_availability_zones.available.names[1]
  ca_cert_identifier                    = "rds-ca-2019"
  cluster_identifier                    = aws_rds_cluster.cluster.id
  copy_tags_to_snapshot                 = false
  db_parameter_group_name               = aws_db_parameter_group.default.id
  db_subnet_group_name                  = aws_db_subnet_group.database.name
  engine                                = "aurora-mysql"
  engine_version                        = "8.0.mysql_aurora.3.02.2"
  identifier                            = "database-1-aurora-reader"
  identifier_prefix                     = null
  instance_class                        = "db.serverless"
  performance_insights_enabled          = true
  performance_insights_retention_period = 7
  promotion_tier                        = 1
  publicly_accessible                   = false
  tags                                  = {}
  tags_all                              = {}
  lifecycle {
    ignore_changes = [engine_version]
  }
}

resource "aws_rds_cluster_instance" "cluster_instances_writer" {
  apply_immediately                     = true
  auto_minor_version_upgrade            = true
  availability_zone                     = data.aws_availability_zones.available.names[0]
  ca_cert_identifier                    = "rds-ca-2019"
  cluster_identifier                    = aws_rds_cluster.cluster.id
  copy_tags_to_snapshot                 = false
  db_parameter_group_name               = aws_db_parameter_group.default.id
  db_subnet_group_name                  = aws_db_subnet_group.database.name
  engine                                = "aurora-mysql"
  engine_version                        = "8.0.mysql_aurora.3.02.2"
  identifier                            = "database-1-aurora-writer"
  identifier_prefix                     = null
  instance_class                        = "db.serverless"
  performance_insights_enabled          = true
  performance_insights_retention_period = 7
  promotion_tier                        = 1
  publicly_accessible                   = false
  tags                                  = {}
  tags_all                              = {}
  lifecycle {
    ignore_changes = [engine_version]
  }
}

Plan Output

# aws_rds_cluster.cluster must be replaced
-/+ resource "aws_rds_cluster" "cluster" {
      ~ allocated_storage                   = 1 -> (known after apply)
      ~ arn                                 =  -> (known after apply)
      ~ availability_zones                  = [ # forces replacement
          - "eu-west-1c",
            # (2 unchanged elements hidden)
        ]
      - backtrack_window                    = 0 -> null
      + cluster_identifier_prefix           = (known after apply)
      ~ cluster_members                     = [
          - "database-1-aurora-reader",
          - "database-1-aurora-writer",
        ] -> (known after apply)
      ~ cluster_resource_id                 = -> (known after apply)
      - deletion_protection                 = false -> null
      ~ endpoint                            =  -> (known after apply)
      ~ engine_version_actual               =-> (known after apply)
      ~ hosted_zone_id                      = -> (known after apply)
      - iam_database_authentication_enabled = false -> null
      ~ iam_roles                           = [] -> (known after apply)
      ~ id                                  = "aurora-cluster-demo" -> (known after apply)
      - iops                                = 0 -> null
      + kms_key_id                          = (known after apply)
      ~ master_user_secret                  = [] -> (known after apply)
      + master_user_secret_kms_key_id       = (known after apply)
      ~ network_type                        = "IPV4" -> (known after apply)
      ~ port                                = 3306 -> (known after apply)
      ~ preferred_backup_window             = "22:04-22:34" -> (known after apply)
      ~ preferred_maintenance_window        = "fri:03:03-fri:03:33" -> (known after apply)
      ~ reader_endpoint                     =  -> (known after apply)
      ~ storage_encrypted                   = false -> (known after apply)
      + storage_type                        = (known after apply)
      - tags                                = {} -> null
      ~ tags_all                            = {} -> (known after apply)
      ~ vpc_security_group_ids              = [
          - "sg-0ceeef054862e22e7",
        ] -> (known after apply)
        # (16 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # aws_rds_cluster_instance.cluster_instances_reader must be replaced
-/+ resource "aws_rds_cluster_instance" "cluster_instances_reader" {
      + apply_immediately                     = (known after apply)
      ~ arn                                   = -> (known after apply)
      ~ cluster_identifier                    =  -> (known after apply) # forces replacement
      ~ dbi_resource_id                       = -> (known after apply)
      ~ endpoint                              = -> (known after apply)
      ~ engine_version_actual                 = "8.0.mysql_aurora.3.02.2" -> (known after apply)
      ~ id                                    = "database-1-aurora-reader" -> (known after apply)
      + identifier_prefix                     = (known after apply)
      + kms_key_id                            = (known after apply)
      + monitoring_role_arn                   = (known after apply)
      ~ network_type                          = "IPV4" -> (known after apply)
      ~ performance_insights_kms_key_id       = -> (known after apply)
      ~ port                                  = 3306 -> (known after apply)
      ~ preferred_backup_window               = "22:04-22:34" -> (known after apply)
      ~ preferred_maintenance_window          = "mon:03:05-mon:03:35" -> (known after apply)
      ~ storage_encrypted                     = false -> (known after apply)
      - tags                                  = {} -> null
      ~ tags_all                              = {} -> (known after apply)
      ~ writer                                = false -> (known after apply)
        # (15 unchanged attributes hidden)
    }

  # aws_rds_cluster_instance.cluster_instances_writer must be replaced
-/+ resource "aws_rds_cluster_instance" "cluster_instances_writer" {
      + apply_immediately                     = (known after apply)
      ~ arn                                   = -> (known after apply)
      ~ cluster_identifier                    =-> (known after apply) # forces replacement
      ~ dbi_resource_id                       =  -> (known after apply)
      ~ endpoint                              =  -> (known after apply)
      ~ engine_version_actual                 = "8.0.mysql_aurora.3.02.2" -> (known after apply)
      ~ id                                    = "database-1-aurora-writer" -> (known after apply)
      + identifier_prefix                     = (known after apply)
      + kms_key_id                            = (known after apply)
      + monitoring_role_arn                   = (known after apply)
      ~ network_type                          = "IPV4" -> (known after apply)
      ~ performance_insights_kms_key_id       = -> (known after apply)
      ~ port                                  = 3306 -> (known after apply)
      ~ preferred_backup_window               = "22:04-22:34" -> (known after apply)
      ~ preferred_maintenance_window          = "thu:01:11-thu:01:41" -> (known after apply)
      ~ storage_encrypted                     = false -> (known after apply)
      - tags                                  = {} -> null
      ~ tags_all                              = {} -> (known after apply)
      ~ writer                                = true -> (known after apply)
        # (15 unchanged attributes hidden)
    }

  # aws_route_table.privateRT will be updated in-place
  ~ resource "aws_route_table" "privateRT" {
        id               = "rtb-0538dfe8b9d7f73d8"
      ~ route            = [
          - {
              - carrier_gateway_id         = ""
              - cidr_block                 = "0.0.0.0/0"
              - core_network_arn           = ""
              - destination_prefix_list_id = ""
              - egress_only_gateway_id     = ""
              - gateway_id                 = ""
              - instance_id                = ""
              - ipv6_cidr_block            = ""
              - local_gateway_id           = ""
              - nat_gateway_id             = "nat-xxxxxxxxxxxxx"
              - network_interface_id       = ""
              - transit_gateway_id         = ""
              - vpc_endpoint_id            = ""
              - vpc_peering_connection_id  = ""
            },
          + {
              + carrier_gateway_id         = ""
              + cidr_block                 = "0.0.0.0/0"
              + core_network_arn           = ""
              + destination_prefix_list_id = ""
              + egress_only_gateway_id     = ""
              + gateway_id                 = "nat-xxxxxxxxxx"
              + instance_id                = ""
              + ipv6_cidr_block            = ""
              + local_gateway_id           = ""
              + nat_gateway_id             = ""
              + network_interface_id       = ""
              + transit_gateway_id         = ""
              + vpc_endpoint_id            = ""
              + vpc_peering_connection_id  = ""
            },
        ]
        tags             = {
            "Name" = "private-RT"
        }
        # (5 unchanged attributes hidden)
    }

  # aws_secretsmanager_secret.example will be created
  + resource "aws_secretsmanager_secret" "example" {
      + arn                            = (known after apply)
      + force_overwrite_replica_secret = false
      + id                             = (known after apply)
      + name                           = "aurora-rds-secret"
      + name_prefix                    = (known after apply)
      + policy                         = (known after apply)
      + recovery_window_in_days        = 30
      + rotation_enabled               = (known after apply)
      + rotation_lambda_arn            = (known after apply)
      + tags_all                       = (known after apply)
    }

Plan: 4 to add, 1 to change, 3 to destroy.

References

No response

Would you like to implement a fix?

None

github-actions[bot] commented 1 year ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

justinretzolk commented 1 year ago

Hey @tayyabgilani 👋 Thank you for taking the time to raise this! Assuming that nothing else is changing with the resources that you specified in your example configuration, I suspect this is related to the note on the availability_zones argument in the aws_rds_cluster resource's documentation. It mentions:

RDS automatically assigns 3 AZs if less than 3 AZs are configured, which will show as a difference requiring resource recreation next Terraform apply. We recommend specifying 3 AZs or using the lifecycle configuration block ignore_changes argument if necessary.

Since you're only specifying 2 AZs, you're hitting the recreation requirement described here. This then changes the value of the cluster_identifier for the aws_rds_cluster_instance resources, which is also a force new operation.

To get around this, you can ignore changes to the aws_rds_cluster.availability_zones argument, as described in that resource's documentation, or supply a third AZ to get around that resource's recreation altogether.
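The cluster block from the report, rewritten along the lines of the answer above. This is an added example, not code from the issue author or from the provider project; the data source, parameter group and subnet group names are assumed to match the original configuration, and the two aws_rds_cluster_instance resources stay exactly as posted. It takes the "supply three AZs" route, notes the ignore_changes alternative in a comment, and adds two guards a practitioner would want after a plan like the one above: a precondition that the region actually exposes three AZs, and prevent_destroy so that any future plan that would replace the cluster fails at plan time instead of dropping the database.

```hcl
# Added example; not the issue author's or the provider's own code.
# Assumed to exist from the original config: aws_rds_cluster_parameter_group.default,
# aws_db_subnet_group.database, and the two aws_rds_cluster_instance resources.

data "aws_availability_zones" "available" {
  state = "available"
}

# Keep the master password out of the .tf file and out of plan output.
variable "master_password" {
  type      = string
  sensitive = true
}

resource "aws_rds_cluster" "cluster" {
  cluster_identifier              = "aurora-cluster-demo"
  engine                          = "aurora-mysql"
  engine_version                  = "8.0.mysql_aurora.3.02.2"
  db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.default.id
  db_subnet_group_name            = aws_db_subnet_group.database.name
  database_name                   = "mydb"
  master_username                 = "foo"
  master_password                 = var.master_password
  skip_final_snapshot             = true
  apply_immediately               = true

  # Option 1 (used here): give RDS the three AZs it would otherwise add on its
  # own, so the value stored in state never differs from the configuration
  # and availability_zones stops "forcing replacement".
  availability_zones = slice(data.aws_availability_zones.available.names, 0, 3)

  enabled_cloudwatch_logs_exports = ["audit", "error", "general", "slowquery"]

  serverlessv2_scaling_configuration {
    max_capacity = 1.0
    min_capacity = 0.5
  }

  lifecycle {
    # Option 2 (alternative to the slice above): keep two AZs and list
    # "availability_zones" here so the AZ that RDS appends is not a diff.
    ignore_changes = [engine_version]

    # Guard: a plan that would destroy this cluster (and, through
    # cluster_identifier, every instance in it) is rejected at plan time.
    prevent_destroy = true

    # Guard: fail early with a clear message if the region cannot provide
    # the three AZs the slice() above relies on.
    precondition {
      condition     = length(data.aws_availability_zones.available.names) >= 3
      error_message = "At least three availability zones are required for the Aurora cluster."
    }
  }
}
```

With this in place, `terraform plan` after the first apply should show no change to aws_rds_cluster.cluster, and the cluster_instance resources no longer see a new cluster_identifier. If the cluster ever must be replaced deliberately, prevent_destroy has to be removed in the same change, which makes that decision explicit in review rather than a side effect of adding an unrelated resource.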

tayyabgilani commented 1 year ago

Awesome, Thanks @justinretzolk 🥇

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.