hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Fail to change OpenSearch Instance types from i3 to r6g #32910

Open andremachado94 opened 1 year ago

andremachado94 commented 1 year ago

Terraform Core Version

1.1.3

AWS Provider Version

5.11.0

Affected Resource(s)

Expected Behavior

Changing the instance type from i3.large.search to r6g.large.search should work.

When the apply is executed, the domain status would be expected to change to Processing.

Actual Behavior

Apply executes for a while and eventually fails with status code: 500.

Domain status doesn't change to Processing. It stays Active.

Relevant Error/Panic Output Snippet

...
aws_opensearch_domain.domain: Still modifying... [id=arn:aws:es:eu-central-1:xxx:domain/test-domain, 48m11s elapsed]
aws_opensearch_domain.domain: Still modifying... [id=arn:aws:es:eu-central-1:xxx:domain/test-domain, 48m21s elapsed]
╷
│ Error: updating OpenSearch Domain (arn:aws:es:eu-central-1:xxx:domain/test-domain): InternalFailure: 
│       status code: 500, request id: xxxxx-xxxx-xxxx-xxx-xxxxx
│ 
│   with aws_opensearch_domain.domain,
│   on main.tf line 51, in resource "aws_opensearch_domain" "domain":
│   51: resource "aws_opensearch_domain" "domain" {
│ 
╵

Terraform Configuration Files

variable "vpc_id" {
  type = string
}

variable "subnet_ids" {
  type = list(string)
}

variable "domain" {
  type = string
}

data "aws_vpc" "vpc" {
  id = var.vpc_id
}
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

resource "aws_security_group" "os_sg" {
  name        = "opensearch-${var.domain}"
  description = "Managed by Terraform"
  vpc_id      = var.vpc_id

  ingress {
    from_port = 443
    to_port   = 443
    protocol  = "tcp"

    cidr_blocks = [
      data.aws_vpc.vpc.cidr_block,
    ]
  }
}

data "aws_iam_policy_document" "domain_pd" {
  statement {
    effect = "Allow"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions   = ["es:*"]
    resources = [
      "arn:aws:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/${var.domain}/*"
    ]
  }
}

resource "aws_iam_service_linked_role" "slr" {
  aws_service_name = "opensearchservice.amazonaws.com"
}

resource "aws_opensearch_domain" "domain" {
  domain_name    = var.domain
  engine_version = "OpenSearch_2.5"

  cluster_config {
    instance_type          = "r6g.large.search"
    instance_count         = length(var.subnet_ids) * 1
    zone_awareness_enabled = true
    zone_awareness_config {
      availability_zone_count = length(var.subnet_ids)
    }
  }

  vpc_options {
    subnet_ids         = var.subnet_ids
    security_group_ids = [aws_security_group.os_sg.id]
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 20
    volume_type = "gp3"
  }

  access_policies = data.aws_iam_policy_document.domain_pd.json

  depends_on = [aws_iam_service_linked_role.slr]
}

Steps to Reproduce

  1. Deploy OpenSearch domain with i3.large.search instance types on a VPC (with ebs_enabled=false)
  2. Update the domain to use r6g.large.search instance types

Debug Output

No response

Panic Output

No response

Important Factoids

References

No response

Would you like to implement a fix?

None
