awscc_neptune_db_cluster: state mismatch with defaults based on actual config

[quixoticmonk]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment
• The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.

Terraform CLI and Terraform AWS Cloud Control Provider Version

• Terraform v1.7.4
• AWSCC provider version : v0.77.0

Affected Resource(s)

• awscc_neptune_db_cluster

Terraform Configuration Files

Terraform configuration file below. No subnet specified as there is no awscc resource for the subnet group. Once deployed, a default subnet is created and attached to the cluster.

resource "awscc_neptune_db_cluster" "default" {
  db_cluster_identifier          = "example"
  backup_retention_period        = 5
  preferred_backup_window        = "07:00-09:00"
  iam_auth_enabled               = true
  db_port                        = 8182
  copy_tags_to_snapshot          = true
  deletion_protection            = false
  enable_cloudwatch_logs_exports = ["audit"]
  engine_version                 = "1.3.1.0"
  preferred_maintenance_window   = "sun:10:00-sun:10:30"
  storage_encrypted              = true
  kms_key_id                     = awscc_kms_key.example.key_id

    tags = [{
    key   = "Modified By"
    value = "AWSCC"
  }]
}

resource "awscc_kms_key" "example" {
  description = "KMS Key for root"
  key_policy = jsonencode({
    "Version" : "2012-10-17",
    "Id" : "KMS-Key-Policy-For-Root",
    "Statement" : [
      {
        "Sid" : "Enable IAM User Permissions",
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : "arn:aws:iam::########:root"
        },
        "Action" : "kms:*",
        "Resource" : "*"
      },
    ],
    }
  )
}

Debug Output

Panic Output

Expected Behavior

The DB cluster should be created. On the second run, Terraform identifies a change on the configuration (when there is none) and destroys the existing cluster.

Actual Behavior

1. Cluster is created.
2. On second Terraform apply, Terraform identifies the change in the account ( associated subnet, vpc and other configurations) and destroys the existing resource and recreates it.

Logs from the run ..

Terraform will perform the following actions:

  # awscc_neptune_db_cluster.default must be replaced
-/+ resource "awscc_neptune_db_cluster" "default" {
      + associated_roles                 = (known after apply)
      ~ availability_zones               = [
          - "us-east-1f",
          - "us-east-1d",
          - "us-east-1b",
        ] -> (known after apply)
      ~ cluster_resource_id              = "cluster-BIZ5MJGTO7AP3KGJ2XKV6LEDEI" -> (known after apply)
      ~ db_cluster_parameter_group_name  = "default.neptune1.3" -> (known after apply)
      + db_instance_parameter_group_name = (known after apply)
      ~ db_subnet_group_name             = "default" -> (known after apply)
      ~ endpoint                         = "example.cluster-cmphb1zolqxk.us-east-1.neptune.amazonaws.com" -> (known after apply)
      ~ id                               = "example" -> (known after apply)
      ~ kms_key_id                       = "arn:aws:kms:us-east-1:############:key/e9946bf0-54fe-4fe0-aff9-7c5bcea7a009" -> "e9946bf0-54fe-4fe0-aff9-7c5bcea7a009" # forces replacement
      ~ port                             = "8182" -> (known after apply)
      ~ read_endpoint                    = "example.cluster-ro-cmphb1zolqxk.us-east-1.neptune.amazonaws.com" -> (known after apply)
      + restore_to_time                  = (known after apply)
      + serverless_scaling_configuration = (known after apply)
      + snapshot_identifier              = (known after apply)
      + source_db_cluster_identifier     = (known after apply)
        tags                             = [
            {
                key   = "Modified By"
                value = "AWSCC"
            },
        ]
      + use_latest_restorable_time       = (known after apply)
      ~ vpc_security_group_ids           = [
          - "sg-044b064d6706ce34f",
        ] -> (known after apply)
        # (12 unchanged attributes hidden)
    }

Steps to Reproduce

1. terraform apply
2. terraform apply

Important Factoids

The Terraform state does include the vpc and az details which are not provided per configuration. The absence of them in the config on a second attempt leads to destroy operation.

            "availability_zones": [
              "us-east-1c",
              "us-east-1a",
              "us-east-1b"
            ],
            "backup_retention_period": 5,
            "cluster_resource_id": "cluster-OFGWFHCRGJDEJ5UMIT36PGGCLU",
            "copy_tags_to_snapshot": true,
            "db_cluster_identifier": "example",
            "db_cluster_parameter_group_name": "default.neptune1.3",

References

[quixoticmonk]

• Additional context on debug logs

2024-06-29T23:12:04.509-0400 [DEBUG] provider.terraform-provider-awscc_v1.4.0_x5: Detected value change between proposed new state and prior state: tf_rpc=PlanResourceChange @module=sdk.framework tf_attribute_path=kms_key_id tf_provider_addr=registry.terraform.io/hashicorp/awscc tf_req_id=40ac2f17-fe99-7aba-3414-4c32aca60ae0 @caller=github.com/hashicorp/terraform-plugin-framework@v1.9.0/internal/fwserver/server_planresourcechange.go:208 tf_resource_type=awscc_neptune_db_cluster timestamp=2024-06-29T23:12:04.509-0400

• PriorState

{
  "arn": "arn:aws:kms:us-east-1:############:key/c141edc2-732f-4633-b21d-9b116e206878",
  "bypass_policy_lockout_safety_check": false,
  "description": "KMS Key for root",
  "enable_key_rotation": false,
  "enabled": true,
  "id": "c141edc2-732f-4633-b21d-9b116e206878",
  "key_id": "c141edc2-732f-4633-b21d-9b116e206878",
  "key_policy": "{\"Id\":\"KMS-Key-Policy-For-Root\",\"Statement\":[{\"Action\":\"kms:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::############:root\"},\"Resource\":\"*\",\"Sid\":\"Enable IAM User Permissions\"}],\"Version\":\"2012-10-17\"}",
  "key_spec": "SYMMETRIC_DEFAULT",
  "key_usage": "ENCRYPT_DECRYPT",
  "multi_region": false,
  "origin": "AWS_KMS",
  "pending_window_in_days": null,
  "rotation_period_in_days": 365,
  "tags": null
}

• ProposedState

{
  "associated_roles": null,
  "availability_zones": null,
  "backup_retention_period": 5,
  "cluster_resource_id": null,
  "copy_tags_to_snapshot": true,
  "db_cluster_identifier": "example",
  "db_cluster_parameter_group_name": null,
  "db_instance_parameter_group_name": null,
  "db_port": 8182,
  "db_subnet_group_name": null,
  "deletion_protection": false,
  "enable_cloudwatch_logs_exports": [
    "audit"
  ],
  "endpoint": null,
  "engine_version": "1.3.1.0",
  "iam_auth_enabled": true,
  "id": null,
  "kms_key_id": "c141edc2-732f-4633-b21d-9b116e206878",
  "port": null,
  "preferred_backup_window": "07:00-09:00",
  "preferred_maintenance_window": "sun:10:00-sun:10:30",
  "read_endpoint": null,
  "restore_to_time": null,
  "restore_type": null,
  "serverless_scaling_configuration": null,
  "snapshot_identifier": null,
  "source_db_cluster_identifier": null,
  "storage_encrypted": true,
  "tags": [
    {
      "key": "Modified By",
      "value": "AWSCC"
    }
  ],
  "use_latest_restorable_time": null,
  "vpc_security_group_ids": null
}

• ResponsePlannedState

{
  "associated_roles": "\u0000",
  "availability_zones": "\u0000",
  "backup_retention_period": 5,
  "cluster_resource_id": "\u0000",
  "copy_tags_to_snapshot": true,
  "db_cluster_identifier": "example",
  "db_cluster_parameter_group_name": "\u0000",
  "db_instance_parameter_group_name": "\u0000",
  "db_port": 8182,
  "db_subnet_group_name": "\u0000",
  "deletion_protection": false,
  "enable_cloudwatch_logs_exports": [
    "audit"
  ],
  "endpoint": "\u0000",
  "engine_version": "1.3.1.0",
  "iam_auth_enabled": true,
  "id": "\u0000",
  "kms_key_id": "c141edc2-732f-4633-b21d-9b116e206878",
  "port": "\u0000",
  "preferred_backup_window": "07:00-09:00",
  "preferred_maintenance_window": "sun:10:00-sun:10:30",
  "read_endpoint": "\u0000",
  "restore_to_time": "\u0000",
  "restore_type": "full-copy",
  "serverless_scaling_configuration": "\u0000",
  "snapshot_identifier": "\u0000",
  "source_db_cluster_identifier": "\u0000",
  "storage_encrypted": true,
  "tags": [
    {
      "key": "Modified By",
      "value": "AWSCC"
    }
  ],
  "use_latest_restorable_time": "\u0000",
  "vpc_security_group_ids": "\u0000"
}

[wellsiau-aws]

Since awscc_kms_key.example.key_id will return the short ID instead of the full ARN, this causing a drift because the awscc_neptune_db_cluster.kms_key_id will differ from CCAPI GetResource as shown below.

Terraform State (redacted)

    {
      "mode": "managed",
      "type": "awscc_neptune_db_cluster",
      "name": "default",
      "provider": "provider[\"registry.terraform.io/hashicorp/awscc\"]",
      "instances": [
        {
          "schema_version": 1,
          "attributes": {
            . . .
            "id": "example",
            "kms_key_id": "1d622a64-30db-43a0-9b34-43b76c33ea15",
            . . .
        }
      ]
    }

CCAPI GetResource (redacted)

{
  "KmsKeyId": "arn:aws:kms:us-east-1:204034886740:key/1d622a64-30db-43a0-9b34-43b76c33ea15",
  . . .
  "DBClusterIdentifier": "example",
  . . .
}

[wellsiau-aws]

By changing the kms_key_id reference to use ARN, I was able to avoid the drift:

resource "awscc_neptune_db_cluster" "default" {
  db_cluster_identifier          = "example"
  backup_retention_period        = 5
  preferred_backup_window        = "07:00-09:00"
  iam_auth_enabled               = true
  db_port                        = 8182
  copy_tags_to_snapshot          = true
  deletion_protection            = false
  enable_cloudwatch_logs_exports = ["audit"]
  engine_version                 = "1.3.1.0"
  preferred_maintenance_window   = "sun:10:00-sun:10:30"
  storage_encrypted              = true
  kms_key_id                     = awscc_kms_key.example.arn

    tags = [{
    key   = "Modified By"
    value = "AWSCC"
  }]
}

Plan output:

3c06301d1719:awscc_neptune_db_cluster wellsiau$ terraform plan
awscc_kms_key.example: Refreshing state... [id=1d622a64-30db-43a0-9b34-43b76c33ea15]
awscc_neptune_db_cluster.default: Refreshing state... [id=example]

No changes. Your infrastructure matches the configuration.

This may require another call out in the documentation to recommend using attribute arn instead of key_id

[quixoticmonk]

Updated the examples to use ARN, flipped the PR Ready for review. https://github.com/hashicorp/terraform-provider-awscc/pull/1736

[wellsiau-aws]

with the updated doc as noted in #1736 , I am going to go ahead and close this issue.