[Bug]: Updating OpenSearch cluster version leaves aws_opensearch_package_association resources out of sync with AWS environment

[ducka]

Terraform Core Version

1.1.9

AWS Provider Version

5.60.0

Affected Resource(s)

aws_opensearch_domain, aws_opensearch_package_association

Expected Behavior

I should be able to upgrade my OpenSearch cluster to a new version (in my case from version 2.13 to 2.15) without the package_ids of my aws_opensearch_package_association resources falling out of sync with the AWS environment.

Actual Behavior

When i upgrade my OpenSearch cluster via aws_opensearch_domain then all associated OpenSearch packages will automatically upgrade. This unfortunately changes the package ids of all of my OpenSearch packages in AWS, and as a result the terraform state file (and my terraform code) fall out of sync with the AWS environment (aws_opensearch_package_association resources directly reference the package id). Any subsequent attempt to apply terraform changes to AWS will fail because terraform will attempt to install now incompatible versions of the OpenSearch packages to the cluster.

Furthermore, updating the terraform code with the new package ids and reapplying will not fix the problem. Terraform complains that a package with the same name is already installed on the cluster.

In fact, it seems the only solution is to a) either don't track packages in terraform, or b) remove the old package from the terraform state file, and reimport it from AWS.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

Provided on request.

Steps to Reproduce

1. deploy version 2.13 of OpenSearch using the aws_opensearch_domain resource
2. associate package_id G263530972 (analysis-stconvert) package with the domain
3. apply terraform changes to aws
4. upgrade the opensearch domain to v 2.15 via aws_opensearch_domain
5. apply terraform changes to aws. At this point you will notice the package id of the analysis-stconvert package will update to G39275358
6. apply terraform changes to aws again. This time the process will fail because the package_id your aws_opensearch_package_association resource reference will no longer be compatible with the domain.
7. update the package_id of your aws_opensearch_package_association resource to G39275358
8. appy terraform changes to aws again. This time the process will fail because a package with the same name is already installed on the cluster.

Debug Output

This error occurs when applying any terraform changes after an OpenSearch upgrade

• Error: creating OpenSearch Package Association (redacted): ValidationException: Operation not allowed. Plugin version is not compatible with the engine version running on the domain.

This error occurs when updating your aws_opensearch_package_association resources to the package_id installed on the cluster

• Error: creating OpenSearch Package Association (redacted): ValidationException: Operation not allowed. The domain has a plugin installed with the same name.

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[justinretzolk]

Related #38381