mongodb / terraform-provider-mongodbatlas

Terraform MongoDB Atlas Provider: Deploy, update, and manage MongoDB Atlas infrastructure as code through HashiCorp Terraform
https://registry.terraform.io/providers/mongodb/mongodbatlas
Mozilla Public License 2.0

[Bug]: Provider produced inconsistent result after apply #2346

Closed gkritsot closed 1 week ago

gkritsot commented 2 weeks ago

Is there an existing issue for this?

Provider Version

v1.17.1

Terraform Version

v1.6.6

Terraform Edition

Terraform Open Source (OSS)

Current Behavior

After trying to enable encryption at rest for AWS KMS, the apply fails with the following message:

Terraform plan:
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # mongodbatlas_encryption_at_rest.this is tainted, so must be replaced
-/+ resource "mongodbatlas_encryption_at_rest" "this" {
      ~ id         = "<redacted>" -> (known after apply)
        # (1 unchanged attribute hidden)

        # (1 unchanged block hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Result:

mongodbatlas_encryption_at_rest.this: Destroying... [id=<redacted>]
mongodbatlas_encryption_at_rest.this: Destruction complete after 1s
mongodbatlas_encryption_at_rest.this: Creating...
╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to mongodbatlas_encryption_at_rest.this, provider
│ "provider[\"registry.terraform.io/mongodb/mongodbatlas\"]" produced an
│ unexpected new value: .aws_kms_config[0].customer_master_key_id:
│ inconsistent values for sensitive attribute.
│
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵
╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to mongodbatlas_encryption_at_rest.this, provider
│ "provider[\"registry.terraform.io/mongodb/mongodbatlas\"]" produced an
│ unexpected new value: .aws_kms_config[0].role_id: was
│ cty.StringVal("<reducted>"), but now null.
│
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵
ERRO[0019] terraform invocation failed in <path> prefix=[<path>]
ERRO[0019] 1 error occurred:
    * [<path>] exit status 1

Terraform configuration to reproduce the issue

# Provider requirements. Provider credentials (MONGODB_ATLAS_PUBLIC_KEY /
# MONGODB_ATLAS_PRIVATE_KEY and the usual AWS credential chain) are taken from
# the environment, so no provider arguments are needed for the reproduction.
terraform {
  required_providers {
    mongodbatlas = {
      source  = "mongodb/mongodbatlas"
      version = "1.17.1"
    }
    aws = {
      source = "hashicorp/aws"
    }
  }
}

# Needed by the trust policy below to name this account.
data "aws_caller_identity" "current" {}

resource "mongodbatlas_project" "this" {
  name   = "name"
  org_id = var.mongodb_atlas_org_id
}

# Step 1: ask Atlas to provision a cloud provider access role. This yields the
# Atlas AWS account ARN and the external ID that the IAM trust policy must use.
resource "mongodbatlas_cloud_provider_access_setup" "this" {
  project_id    = mongodbatlas_project.this.id
  provider_name = "AWS"
}

# Step 2: bind the IAM role to the Atlas role once the trust policy is in place.
resource "mongodbatlas_cloud_provider_access_authorization" "this" {
  project_id = mongodbatlas_cloud_provider_access_setup.this.project_id
  role_id    = mongodbatlas_cloud_provider_access_setup.this.role_id

  aws {
    iam_assumed_role_arn = aws_iam_role.this.arn
  }
}

resource "aws_kms_key" "this" {
  description             = "KMS key for MongoDB Atlas backups"
  enable_key_rotation     = true
  rotation_period_in_days = 90
  deletion_window_in_days = 7
}

# Step 3: enable encryption at rest with the key, authenticating through the
# Atlas role rather than static access keys. This is the resource whose apply
# fails with the "inconsistent result" errors above.
resource "mongodbatlas_encryption_at_rest" "this" {
  project_id = mongodbatlas_project.this.id

  aws_kms_config {
    enabled                = true
    customer_master_key_id = aws_kms_key.this.id
    region                 = upper(replace(var.region, "-", "_")) # eu-west-1 -> EU_WEST_1
    role_id                = mongodbatlas_cloud_provider_access_setup.this.role_id
  }

  depends_on = [
    mongodbatlas_cloud_provider_access_setup.this,
    mongodbatlas_cloud_provider_access_authorization.this
  ]
}

resource "aws_iam_role" "this" {
  name               = "name"
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

resource "aws_iam_role_policy" "this" {
  name   = "name"
  role   = aws_iam_role.this.name
  policy = data.aws_iam_policy_document.this.json
}

data "aws_iam_policy_document" "trust" {
  # Lets principals in this account assume the role. Atlas does not need this
  # statement; drop it if the role should be assumable by Atlas only.
  statement {
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
    actions = ["sts:AssumeRole"]
  }
  # Trust the Atlas AWS account, but only when it presents the external ID
  # issued for this project (confused-deputy protection).
  statement {
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [mongodbatlas_cloud_provider_access_setup.this.aws_config[0].atlas_aws_account_arn]
    }
    actions = ["sts:AssumeRole"]
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [mongodbatlas_cloud_provider_access_setup.this.aws_config[0].atlas_assumed_role_external_id]
    }
  }
}

# Least privilege for encryption at rest: Atlas needs only these three KMS
# actions, scoped to the single key.
data "aws_iam_policy_document" "this" {
  statement {
    sid    = "EncryptionAtRest"
    effect = "Allow"
    actions = [
      "kms:Decrypt",
      "kms:Encrypt",
      "kms:DescribeKey"
    ]
    resources = [aws_kms_key.this.arn]
  }
}

variable "mongodb_atlas_org_id" {
  type        = string
  description = "MongoDB Atlas Organization ID"
}

variable "region" {
  type        = string
  description = "Your region"
  default     = "eu-west-1"
}

Steps To Reproduce

Use the above configuration to run a Terraform apply, providing your test MongoDB Atlas Organization ID. It should fail in the same way as it does for me.

Logs

No response

Code of Conduct
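When the apply fails inside the provider as shown above, the Terraform state cannot be trusted to say whether Atlas actually picked up the key and the role. As an added example (not from the issue, the reporter, or the provider), the Python below compares the intended aws_kms_config values with what the Atlas Administration API v2 returns for GET /api/atlas/v2/groups/{groupId}/encryptionAtRest, so that a provider-side inconsistency can be told apart from a configuration that really did not land. It assumes the awsKms response fields enabled, customerMasterKeyID, region, roleId and valid; the two sample responses and every identifier in them are constructed, and the live lookup function is included but not exercised offline.

```python
"""Post-apply consistency check for mongodbatlas_encryption_at_rest (AWS KMS).

Added example, not part of the issue or the provider. Compares the intended
aws_kms_config block with the awsKms block that the Atlas Administration API
v2 reports, and names each discrepancy instead of failing on the first one.
Sample API responses below are constructed, not captured from Atlas.
"""
import json
import urllib.request

ATLAS_API = "https://cloud.mongodb.com/api/atlas/v2"


def atlas_region(aws_region: str) -> str:
    """eu-west-1 -> EU_WEST_1, the same transform as the HCL in the issue."""
    return aws_region.upper().replace("-", "_")


def check_aws_kms(expected: dict, api_response: dict) -> list:
    """Compare the planned aws_kms_config with the API's awsKms block.

    expected keys: customer_master_key_id, region, role_id
    Returns a list of findings; an empty list means Atlas agrees with the plan.
    """
    kms = api_response.get("awsKms") or {}
    findings = []

    if kms.get("enabled") is not True:
        findings.append("awsKms.enabled is not true: encryption at rest is off")

    # customerMasterKeyID is assumed to be echoed back. If Atlas omits it we
    # cannot verify the key, so say so rather than report a false mismatch.
    if "customerMasterKeyID" not in kms:
        findings.append("awsKms.customerMasterKeyID not returned: key cannot be verified")
    elif kms["customerMasterKeyID"] != expected["customer_master_key_id"]:
        findings.append("awsKms.customerMasterKeyID differs from the planned key")

    if kms.get("region") != expected["region"]:
        findings.append(
            f"awsKms.region is {kms.get('region')!r}, expected {expected['region']!r}"
        )

    # This is the field the provider reported as null after apply in the issue.
    role_id = kms.get("roleId")
    if not role_id:
        findings.append("awsKms.roleId is null/empty: no cloud provider access role is bound")
    elif role_id != expected["role_id"]:
        findings.append("awsKms.roleId differs from the cloud_provider_access_setup role")

    # valid=false means Atlas could not use the key through that role
    # (key policy, IAM policy or trust policy problem).
    if kms.get("valid") is False:
        findings.append("awsKms.valid is false: Atlas cannot use the key via the role")

    return findings


def fetch_encryption_at_rest(project_id: str, public_key: str, private_key: str) -> dict:
    """Live lookup (not run offline). Atlas API keys authenticate with HTTP Digest."""
    url = f"{ATLAS_API}/groups/{project_id}/encryptionAtRest"
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, public_key, private_key)
    opener = urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(mgr))
    req = urllib.request.Request(
        url, headers={"Accept": "application/vnd.atlas.2023-01-01+json"}
    )
    with opener.open(req, timeout=30) as resp:
        return json.load(resp)


# Constructed inputs; identifiers are placeholders, not real Atlas or AWS values.
EXPECTED = {
    "customer_master_key_id": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "region": atlas_region("eu-west-1"),
    "role_id": "6655443322110099aabbccdd",
}

# What a healthy apply should look like.
GOOD_RESPONSE = {
    "awsKms": {
        "enabled": True,
        "customerMasterKeyID": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "region": "EU_WEST_1",
        "roleId": "6655443322110099aabbccdd",
        "valid": True,
    }
}

# The shape behind the second error in the issue: roleId missing after apply.
BAD_RESPONSE = {
    "awsKms": {
        "enabled": True,
        "customerMasterKeyID": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "region": "EU_WEST_1",
        "valid": False,
    }
}

if __name__ == "__main__":
    for name, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(name, check_aws_kms(EXPECTED, resp) or ["consistent"])
```

Against a real project, call fetch_encryption_at_rest with the project ID and an Atlas API key pair and pass the result to check_aws_kms. A finding list containing only the roleId line matches what the second error message in the report describes; a valid=false finding on its own points at the IAM trust or KMS policy rather than at the provider.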

github-actions[bot] commented 2 weeks ago

Thanks for opening this issue! Please make sure you've followed our guidelines when opening the issue. In short, to help us reproduce the issue we need:

The ticket CLOUDP-254223 was created for internal tracking.

github-actions[bot] commented 1 week ago

This issue has gone 7 days without any activity and meets the project’s definition of "stale". This will be auto-closed if there is no new activity over the next 7 days. If the issue is still relevant and active, you can simply comment with a "bump" to keep it open, or add the label "not_stale". Thanks for keeping our repository healthy!

gkritsot commented 1 week ago

Seems to have been fixed with the release of provider v1.17.2