terraform-aws-modules / terraform-aws-dms

Terraform module to create AWS DMS (Database Migration Service) resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/dms/aws
Apache License 2.0

create_access_iam_role = false causes plan to fail #47

Closed mrobinson1022 closed 8 months ago

mrobinson1022 commented 10 months ago

Description

Version 2.0.0 of the module defaults to creating an access IAM role, which is used in lookups within the aws_dms_endpoints.this resource. However, with create_access_iam_role = false and create_access_policy = false, plans fail because aws_iam_role.access[0].arn is an empty tuple. As this attribute is an optional value in the resource, setting these to false should not cause the plan to fail (except in the case of Elasticsearch, where it is required).

Versions

Reproduction Code [Required]

module "database_updates" {
  source  = "terraform-aws-modules/dms/aws"
  version = "~> 2.0"

  # Roles and Policies
  create_iam_roles                = false
  create_access_iam_role          = false
  access_iam_role_use_name_prefix = false
  create_access_policy            = false

  # Subnet group
  create_repl_subnet_group      = false
  repl_instance_subnet_group_id = aws_dms_replication_subnet_group.database_dms_updates.replication_subnet_group_id

  # Instance
  repl_instance_allocated_storage            = 50
  repl_instance_auto_minor_version_upgrade   = true
  repl_instance_allow_major_version_upgrade  = true
  repl_instance_apply_immediately            = true
  repl_instance_engine_version               = "3.4.7"
  repl_instance_multi_az                     = false
  repl_instance_preferred_maintenance_window = "sun:10:30-sun:14:30"
  repl_instance_publicly_accessible          = false
  repl_instance_class                        = "dms.t3.large"
  repl_instance_id                           = "${terraform.workspace}-dms-updates"
  repl_instance_vpc_security_group_ids       = [module.database_dms_updates_security_group.security_group_id]

  endpoints = {
    source-database = {
      database_name                   = "database-name"
      endpoint_id                     = "${terraform.workspace}-database-cluster-1"
      endpoint_type                   = "source"
      engine_name                     = "aurora-postgresql"
      secrets_manager_arn             = aws_secretsmanager_secret_version.database_cluster_1_postgres.arn
      secrets_manager_access_role_arn = aws_iam_role.database_migration_secrets_manager_postgres.arn
      extra_connection_attributes     = "heartbeatFrequency=1"
      ssl_mode                        = "require"
      tags                            = { EndpointType = "source-postgresql" }
      # extra_connection_attributes   = "heartbeatFrequency=1;secretsManagerEndpointOverride=${module.vpc_endpoints.endpoints["secretsmanager"]["dns_entry"][0]["dns_name"]}"
    }

    destination-kinesis-change = {
      endpoint_id   = "${terraform.workspace}-updates"
      endpoint_type = "target"
      engine_name   = "kinesis"
      kinesis_settings = {
        service_access_role_arn = aws_iam_role.dms_to_kinesis_updates.arn
        stream_arn              = aws_kinesis_stream.kinesis_data_streams["updates"].arn
      }
      tags = { EndpointType = "destination-kinesis" }
    }
  }

  replication_tasks = {
    task-1 = {
      start_replication_task    = true
      replication_task_id       = "${terraform.workspace}-task-id"
      migration_type            = "cdc"
      replication_task_settings = file("data/dms_updates_to_kinesis_change_replication.json")
      table_mappings            = file("data/dms_kinesis_change_mappings.json")
      source_endpoint_key       = "source-database"
      target_endpoint_key       = "destination-kinesis-change"
      tags                      = { Task = "change-to-kinesis" }
    }
  }
}

module "database_dms_updates_security_group" {
  version             = "~> 4.0"
  source              = "terraform-aws-modules/security-group/aws"
  name                = "${terraform.workspace}-dms-updates"
  description         = "Security group for ${terraform.workspace}-dms-updates"
  vpc_id              = var.vpc_id
  ingress_cidr_blocks = var.database_subnet_cidrs
  ingress_rules       = ["all-all"]
  egress_rules        = ["all-all"]
}

Steps to reproduce the behavior:

Execute a plan with:

  create_access_iam_role          = false
  access_iam_role_use_name_prefix = false
  create_access_policy            = false

Expected behavior

Plan should succeed as no requirements are missing.

Actual behavior

Plan fails because aws_iam_role.access[0].arn is an empty tuple.
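The failure mode described above is the general Terraform pitfall of indexing a `count = 0` resource with `[0]`. Below is an added illustration of the safe pattern a module can use so that disabling the role does not break the plan; it is not code from terraform-aws-dms, and the variable, resource and endpoint values are hypothetical placeholders constructed for the example.

```hcl
# Hypothetical module-style fragment (example only, not the terraform-aws-dms module's code).

variable "create_access_iam_role" {
  type    = bool
  default = true
}

variable "access_iam_role_arn" {
  description = "ARN of a pre-existing role to use when create_access_iam_role = false. Leave null to not set the optional endpoint argument at all."
  type        = string
  default     = null
}

resource "aws_iam_role" "access" {
  # count = 0 when the caller manages the role elsewhere (e.g. IAM policy forbids creating roles)
  count = var.create_access_iam_role ? 1 : 0

  name = "dms-access-example" # hypothetical name

  # Trust policy scoped to the DMS service principal only
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "dms.amazonaws.com" }
    }]
  })
}

locals {
  # BROKEN: aws_iam_role.access[0].arn errors at plan time when count = 0
  #         ("empty tuple" / invalid index), which is exactly the reported symptom.
  # SAFE:   one() over the splat returns null for an empty list, so the value
  #         resolves to null (or to the caller-supplied ARN) instead of failing.
  access_iam_role_arn = var.create_access_iam_role ? one(aws_iam_role.access[*].arn) : var.access_iam_role_arn
}

resource "aws_dms_endpoint" "this" {
  endpoint_id   = "example-source"   # hypothetical
  endpoint_type = "source"
  engine_name   = "aurora-postgresql"

  # Optional argument: null means "not set", so the plan succeeds with the role disabled.
  service_access_role = local.access_iam_role_arn
}
```

`one()` requires Terraform 0.15 or later; on older versions `try(aws_iam_role.access[0].arn, null)` gives the same null-when-absent behaviour. Exposing an `access_iam_role_arn` input also covers the case raised later in this thread, where an organisation's IAM policy forbids the module from creating or modifying roles and a pre-existing role must be referenced instead.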

mrobinson1022 commented 10 months ago

@bryantbiggs Please let me know if you need any further info, thanks!

ThaDanus commented 10 months ago

Chiming in to say I've encountered this issue as well. All required roles are already created in our account, and our IAM policies do not allow recreation or modification, so we want to skip the creation; however, we are unable to proceed because of this error.

Would it perhaps be an option to change the module to accept already existing resources, so we can specify them as variables? I've searched for how to do this but can only find terraform import, which is not an option for us since company policy prohibits us from managing default IAM roles.

mrobinson1022 commented 10 months ago

Feel free to pull and host my fork until this gets some attention, @ThaDanus.

Just use:

  create_iam_roles                = false
  create_access_iam_role          = false
  access_iam_role_use_name_prefix = false
  create_access_policy            = false

ThaDanus commented 9 months ago

Yip, after some discussion our way forward is to use your bugfixes; it works perfectly! Hopefully it will be officially updated soon so we can remove the local clone again.

github-actions[bot] commented 8 months ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove the stale label or comment, or this issue will be closed in 10 days.

ThaDanus commented 8 months ago

Still waiting for an official fix for this.

antonbabenko commented 8 months ago

This issue has been resolved in version 2.0.1 :tada:

github-actions[bot] commented 7 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.