hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: aws_elasticache_replication_group auth_token_update_strategy updated to default ROTATE despite being null/unspecified in config during import #38209

Open chris-okorodudu opened 4 months ago

chris-okorodudu commented 4 months ago

Terraform Core Version

1.8.5

AWS Provider Version

5.54.1

Affected Resource(s)

aws_elasticache_replication_group

Expected Behavior

When importing an aws_elasticache_replication_group with no current auth configuration (auth_token, auth_token_update_strategy), the auth_token_update_strategy should be optional and should not have its value updated to the default unless an auth_token is specified.

Actual Behavior

When trying to import an aws_elasticache_replication_group, it automatically sets the strategy to ROTATE in the plan. Ignoring the auth_token_update_strategy in a lifecycle rule caused the plan to behave as expected. However, even when ignoring via lifecycle rule, the auth_token_update_strategy was then updated to ROTATE in my tfstate after applying and I got this error:

modifying ElastiCache Replication Group (***) authentication: InvalidParameterValue: The AUTH token modification is only supported when encryption-in-transit is enabled.

This is when I'm not setting auth_token or auth_token_update_strategy in my configuration.

Relevant Error/Panic Output Snippet

# terraform plan 
  # aws_elasticache_replication_group.staging-taskplanner will be updated in-place
  ~ resource "aws_elasticache_replication_group" "staging-taskplanner" {
      + auth_token_update_strategy = "ROTATE"
        id                         = "staging-taskplanner"
        tags                       = {}
      ~ tags_all                   = {
          + "project"            = "limebike/infra-terraform"
          + "project_maintainer" = "infra"
          + "terraform"          = "true"
        }
        # (33 unchanged attributes hidden)

      - timeouts {}

        # (2 unchanged blocks hidden)
    }

# terraform apply with lifecycle rule to ignore auth_token_update_strategy
modifying ElastiCache Replication Group (***) authentication: InvalidParameterValue: The AUTH token modification is only supported when encryption-in-transit is enabled.

Terraform Configuration Files

Case where auth_token_update_strategy shows as updated in plan:

resource "aws_elasticache_replication_group" "staging-taskplanner" {
  at_rest_encryption_enabled = false
  auto_minor_version_upgrade = true
  automatic_failover_enabled = false
  data_tiering_enabled       = false
  description                = " "
  engine                     = "redis"
  engine_version             = "7.0"
  ip_discovery               = "ipv4"

  # Both auth attributes are explicitly null: the imported group has no AUTH token,
  # yet the plan still shows auth_token_update_strategy being set to "ROTATE".
  auth_token_update_strategy = null
  auth_token                 = null

  log_delivery_configuration {
    destination      = "/aws/elasticache/redis"
    destination_type = "cloudwatch-logs"
    log_format       = "json"
    log_type         = "engine-log"
  }

  log_delivery_configuration {
    destination      = "/aws/elasticache/redis"
    destination_type = "cloudwatch-logs"
    log_format       = "json"
    log_type         = "slow-log"
  }

  maintenance_window         = "thu:07:00-thu:08:00"
  multi_az_enabled           = false
  network_type               = "ipv4"
  node_type                  = "cache.t3.micro"
  num_node_groups            = 1
  parameter_group_name       = "default.redis7"
  port                       = 6379
  replicas_per_node_group    = 0
  replication_group_id       = "staging-taskplanner"
  security_group_ids         = ["sg-***", "sg-***"]
  snapshot_retention_limit   = 0
  snapshot_window            = "00:00-01:00"
  subnet_group_name          = aws_elasticache_subnet_group.main-staging-redis-subnet-group.name

  # ElastiCache only accepts AUTH token modifications when encryption in transit is
  # enabled, which is why the apply fails with InvalidParameterValue on this group.
  transit_encryption_enabled = false

  lifecycle {
    ignore_changes = [security_group_names]
  }
}

Case when terraform apply changes auth_token_update_strategy despite no change in plan:

resource "aws_elasticache_replication_group" "staging-orchard" {
  at_rest_encryption_enabled = false
  auto_minor_version_upgrade = true
  automatic_failover_enabled = false
  data_tiering_enabled       = false
  description                = " "
  engine                     = "redis"
  engine_version             = "7.0"
  ip_discovery               = "ipv4"
  maintenance_window         = "fri:11:30-fri:12:30"
  multi_az_enabled           = false
  network_type               = "ipv4"
  node_type                  = "cache.t3.micro"
  num_node_groups            = 1
  parameter_group_name       = "default.redis7"
  port                       = 6379
  replicas_per_node_group    = 0
  replication_group_id       = "staging-orchard"
  security_group_ids         = ["sg-***", "sg-***"]
  snapshot_retention_limit   = 0
  snapshot_window            = "06:00-07:00"
  subnet_group_name          = aws_elasticache_subnet_group.main-staging-redis-subnet-group.name

  # No auth_token / auth_token_update_strategy in config at all, and TLS is off, so
  # any AUTH modification the provider sends will be rejected by the API.
  transit_encryption_enabled = false

  lifecycle {
    # Ignoring the strategy hides it from the plan, but the apply still sends the
    # AUTH modification and fails; the attribute ends up as "ROTATE" in state.
    ignore_changes = [security_group_names, auth_token_update_strategy]
  }
}

Steps to Reproduce

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No
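The failure described in this report comes down to one decision in the provider's update path: whether an AUTH modification should be sent to ElastiCache at all when the user never configured an auth_token. The following Go program is an added example written for this page; it is not code from terraform-provider-aws and does not call the AWS SDK. The struct names (AuthPlan, AuthModify), the function names (planAuthUnguarded, planAuthGuarded, simulateAPI) and the constructed inputs are assumptions made here to model the behaviour the reporter observed. The first planner defaults the strategy to ROTATE unconditionally and always emits an AUTH modification, which the simulated API rejects for a group without encryption in transit, exactly as in the quoted error. The second planner only emits the modification when auth_token is set and differs from state, and refuses locally, before any API call, when transit_encryption_enabled is false.

```go
package main

import (
	"errors"
	"fmt"
)

// AuthPlan models the auth-related fields of an aws_elasticache_replication_group
// as seen in state and in config. An empty string stands for null/unspecified.
type AuthPlan struct {
	StateToken        string // auth_token currently in state ("" = none)
	ConfigToken       string // auth_token in config ("" = null)
	ConfigStrategy    string // auth_token_update_strategy in config ("" = null)
	TransitEncryption bool   // transit_encryption_enabled
}

// AuthModify is the auth-related subset of a ModifyReplicationGroup request.
type AuthModify struct {
	AuthToken      string
	UpdateStrategy string
}

// defaultStrategy mirrors the default the reporter saw injected into the plan.
const defaultStrategy = "ROTATE"

// validStrategies are the values ElastiCache accepts for AuthTokenUpdateStrategy.
var validStrategies = map[string]bool{"ROTATE": true, "SET": true, "DELETE": true}

// ErrNoTransitEncryption mirrors the API rejection quoted in the report.
var ErrNoTransitEncryption = errors.New(
	"InvalidParameterValue: The AUTH token modification is only supported when encryption-in-transit is enabled")

// planAuthUnguarded reproduces the reported behaviour: the strategy is defaulted
// to ROTATE whether or not an auth_token exists, and the modification is always
// sent, so an imported group without a token and without TLS fails on apply.
func planAuthUnguarded(p AuthPlan) (*AuthModify, error) {
	strategy := p.ConfigStrategy
	if strategy == "" {
		strategy = defaultStrategy
	}
	req := &AuthModify{AuthToken: p.ConfigToken, UpdateStrategy: strategy}
	return req, simulateAPI(p, req)
}

// planAuthGuarded is the behaviour the reporter expects: no AUTH modification
// unless auth_token is set and actually changed, and a fast local failure when
// the group cannot accept one because encryption in transit is disabled.
func planAuthGuarded(p AuthPlan) (*AuthModify, error) {
	if p.ConfigToken == "" || p.ConfigToken == p.StateToken {
		return nil, nil // nothing to modify; the strategy stays null in state
	}
	if !p.TransitEncryption {
		return nil, fmt.Errorf("refusing to plan AUTH token change: %w", ErrNoTransitEncryption)
	}
	strategy := p.ConfigStrategy
	if strategy == "" {
		strategy = defaultStrategy
	}
	if !validStrategies[strategy] {
		return nil, fmt.Errorf("invalid auth_token_update_strategy %q", strategy)
	}
	return &AuthModify{AuthToken: p.ConfigToken, UpdateStrategy: strategy}, nil
}

// simulateAPI stands in for ElastiCache: any AUTH modification on a group
// without encryption in transit is rejected with the quoted error.
func simulateAPI(p AuthPlan, req *AuthModify) error {
	if req == nil {
		return nil
	}
	if !p.TransitEncryption {
		return ErrNoTransitEncryption
	}
	return nil
}

func main() {
	// Constructed input modelled on the reporter's freshly imported groups:
	// no token in state or config, strategy unset, TLS disabled.
	imported := AuthPlan{TransitEncryption: false}

	if _, err := planAuthUnguarded(imported); err != nil {
		fmt.Println("unguarded planner:", err)
	}
	req, err := planAuthGuarded(imported)
	fmt.Printf("guarded planner: request=%v err=%v\n", req, err)
}
```

Before importing an existing group, the same precondition can be checked against the live resource with `aws elasticache describe-replication-groups --replication-group-id <id> --query 'ReplicationGroups[0].[TransitEncryptionEnabled,AuthTokenEnabled]'`; a group reporting `false` for TransitEncryptionEnabled cannot accept any AUTH token change, so any plan that carries one will fail at apply time regardless of lifecycle ignore rules.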
