terraform-aws-modules / terraform-aws-msk-kafka-cluster

Terraform module to create AWS MSK (Managed Streaming for Kafka) resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/msk-kafka-cluster/aws
Apache License 2.0

MSK cluster TLS config getting updated despite no changes #19

Closed vadim-kubasov closed 5 months ago

vadim-kubasov commented 6 months ago

Description

When I try to run terraform apply where the TF code wasn't changed, the Terraform run fails.

Open issue: https://github.com/hashicorp/terraform-provider-aws/issues/24914

Versions

Reproduction Code [Required]

module "msk_kafka_cluster" {
  source  = "terraform-aws-modules/msk-kafka-cluster/aws"
  version = "2.1.0"

  name                   = local.cluster_name
  kafka_version          = var.kafka_version
  number_of_broker_nodes = length(tolist(data.aws_subnets.msk_enabled.ids))
  enhanced_monitoring    = "PER_BROKER"

  broker_node_client_subnets  = tolist(data.aws_subnets.msk_enabled.ids)
  broker_node_instance_type   = "kafka.m5.large"
  broker_node_security_groups = [aws_security_group.kafka-clients.id]

  encryption_in_transit_client_broker = "TLS"
  encryption_in_transit_in_cluster    = true

  create_configuration   = false
  configuration_arn      = aws_msk_configuration.msk-cluster.arn
  configuration_revision = aws_msk_configuration.msk-cluster.latest_revision

  jmx_exporter_enabled    = true
  node_exporter_enabled   = true
  cloudwatch_logs_enabled = true
  s3_logs_enabled         = false

  scaling_max_capacity = 1000
  scaling_target_value = 80

  cloudwatch_log_group_retention_in_days = 90

  client_authentication           = var.client_authentication
  create_scram_secret_association = true
  scram_secret_association_secret_arn_list = [
    data.aws_secretsmanager_secret.this.arn
  ]

  tags = local.tags
  timeouts = {
    create = "120m"
  }

}

Steps to reproduce the behavior:

Expected behavior

Terraform has to run and successfully finish with the message No infrastructure changes

Actual behavior

Terraform tries to update security settings where security settings weren't changed

Terminal Output Screenshot(s)

Error: updating MSK Cluster (arn:aws:kafka:us-west-2:***********:cluster/msk-kafka-cluster/*******) security: operation error Kafka: UpdateSecurity, https response error StatusCode: 400, RequestID: ************, BadRequestException: The request does not include any updates to the security setting of the cluster. Verify the request, then try again. with module.msk_kafka_cluster.aws_msk_cluster.this[0] on .terraform/modules/msk_kafka_cluster/main.tf line 5, in resource "aws_msk_cluster" "this":

Additional context

If you set client_authentication[0].tls in the module like below, Terraform will complete successfully

resource "aws_msk_cluster" "this" {
  lifecycle {
    # Ignore planned changes to the TLS client-authentication block (and to EBS volume size)
    ignore_changes = [
      broker_node_group_info[0].storage_info[0].ebs_storage_info[0].volume_size,
      client_authentication[0].tls
    ]
  }
}

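
With client_authentication[0].tls under ignore_changes, Terraform also stops reporting real changes to that block, so the live cluster settings are worth checking separately. The following is an added example, not code from the issue or the module: it compares aws kafka describe-cluster JSON against an expected posture; the sample response and the expected values (SCRAM on, everything else off) are constructed assumptions.

```python
import json

# Constructed sample shaped like `aws kafka describe-cluster` output; values are made up.
SAMPLE = json.loads("""
{"ClusterInfo": {
  "ClusterName": "example-cluster",
  "EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": "TLS", "InCluster": true}},
  "ClientAuthentication": {
    "Sasl": {"Scram": {"Enabled": true}, "Iam": {"Enabled": false}},
    "Tls": {"CertificateAuthorityArnList": [], "Enabled": false},
    "Unauthenticated": {"Enabled": false}
  }
}}
""")

# Expected posture. The encryption values mirror the module inputs in the issue;
# the client-authentication values are an assumption, since var.client_authentication
# is not shown on the page.
EXPECTED = {
    "client_broker": "TLS",
    "in_cluster": True,
    "scram": True,
    "iam": False,
    "tls_client_auth": False,
    "unauthenticated": False,
}

def observed_posture(desc):
    """Flatten the security-relevant fields of a DescribeCluster response."""
    info = desc["ClusterInfo"]
    transit = info.get("EncryptionInfo", {}).get("EncryptionInTransit", {})
    auth = info.get("ClientAuthentication") or {}
    sasl = auth.get("Sasl") or {}
    tls = auth.get("Tls") or {}
    return {
        "client_broker": transit.get("ClientBroker"),
        "in_cluster": transit.get("InCluster"),
        "scram": bool((sasl.get("Scram") or {}).get("Enabled")),
        "iam": bool((sasl.get("Iam") or {}).get("Enabled")),
        "tls_client_auth": bool(tls.get("Enabled") or tls.get("CertificateAuthorityArnList")),
        "unauthenticated": bool((auth.get("Unauthenticated") or {}).get("Enabled")),
    }

def drift(desc, expected=EXPECTED):
    """Return {field: (expected, observed)} for every field that differs."""
    seen = observed_posture(desc)
    return {k: (want, seen[k]) for k, want in expected.items() if seen[k] != want}

if __name__ == "__main__":
    print(drift(SAMPLE) or "no drift")
```
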
github-actions[bot] commented 5 months ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

github-actions[bot] commented 5 months ago

This issue was automatically closed because of stale in 10 days

github-actions[bot] commented 4 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.