
[Bug]: in 5.27.0 aws_elasticache_replication_group forces auth_token to be enabled on all redis clusters #34589

Closed
mkkot-onegini opened this issue Nov 28, 2023 · 8 comments · Fixed by #34600
Assignees
Labels
bug Addresses a defect in current functionality. prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. service/elasticache Issues and PRs that pertain to the elasticache service.
Milestone

Comments

@mkkot-onegini

Terraform Core Version

1.6.4

AWS Provider Version

5.27.0

Affected Resource(s)

aws_elasticache_replication_group

Expected Behavior

The provider doesn't want to force enable auth_token on aws_elasticache_replication_group that was created without this setting.

Actual Behavior

We are using RBAC authentication with aws_security_group, aws_elasticache_user and aws_elasticache_user_group:

This is the module we use:

resource "aws_elasticache_replication_group" "redis" {
  description                = local.name
  replication_group_id       = local.name
  num_cache_clusters         = var.num_replicas + 1
  node_type                  = var.node_type
  at_rest_encryption_enabled = true
  transit_encryption_enabled = true
  multi_az_enabled           = true
  automatic_failover_enabled = true
  engine_version             = var.engine_version
  parameter_group_name       = aws_elasticache_parameter_group.redis.name
  port                       = var.port
  security_group_ids         = [aws_security_group.redis.id]
  subnet_group_name          = aws_elasticache_subnet_group.redis.name
  user_group_ids             = [aws_elasticache_user_group.group.id]
  apply_immediately          = true
  tags                       = local.tags
}

We also have a development variation of this module which doesn't require authentication: the user_group_ids parameter is missing and transit_encryption_enabled = false.

When we upgraded to 5.27.0 the RBAC-authenticated one showed:
plan:

 # module.redis.aws_elasticache_replication_group.redis will be updated in-place
  ~ resource "aws_elasticache_replication_group" "redis" {
      + auth_token_update_strategy = "ROTATE"
        id                         = "xxx"
        tags                       = {
            "Environment" = "xxx"
            "Name"        = "xxx"
        }

apply:

 Error: changing auth_token for ElastiCache Replication Group (xxx): InvalidParameterCombination: Auth tokens can't be enabled with a user group already associated. Pass RemoveUserGroups to proceed.
│       status code: 400

Unauthenticated:
plan: the same as for authenticated

apply:

changing auth_token for ElastiCache Replication Group (xxx): InvalidParameterValue: The AUTH token modification is only supported when encryption-in-transit is enabled.
│       status code: 400

So it seems that sending the supposedly default auth_token_update_strategy to the AWS API also force-enables auth_token on clusters where this is not desired.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

N/A

Steps to Reproduce

Create an aws_elasticache_replication_group without auth_token with an older version of the AWS provider and try to upgrade to 5.27.0.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
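As an added example for this thread (not the provider's code and not part of the original report), the following Python script reads a `terraform show -json` plan and flags, before `apply` runs, the pattern the report describes: `auth_token_update_strategy` appearing on an `aws_elasticache_replication_group` update with no change to `auth_token`, combined with either an associated user group or in-transit encryption disabled, which are the two conditions AWS rejected above. The plan-JSON keys used (`resource_changes`, `change.actions`, `change.before`, `change.after`) are Terraform's plan output format; the embedded sample plan is constructed to mirror the two groups from the report, and its addresses and values are assumptions.

```python
"""Pre-apply guardrail for the regression described in this issue.

Reads a `terraform show -json tfplan` document and flags in-place updates of
aws_elasticache_replication_group that would send an AUTH token modification
AWS will reject. Added example; not part of the AWS provider. The plan keys
used are Terraform's plan JSON format; SAMPLE_PLAN below is constructed.
"""
import json
import sys

RG_TYPE = "aws_elasticache_replication_group"
AUTH_ATTRS = ("auth_token", "auth_token_update_strategy",
              "transit_encryption_enabled", "user_group_ids")


def changed_attrs(change):
    """Attribute names whose value differs between the before and after states."""
    before = change.get("before") or {}
    after = change.get("after") or {}
    return {k for k in set(before) | set(after) if before.get(k) != after.get(k)}


def audit_replication_group(change):
    """Findings for one in-place update; an empty list means nothing AUTH-related moves."""
    before = change.get("before") or {}
    after = change.get("after") or {}
    touched = sorted(changed_attrs(change) & set(AUTH_ATTRS))
    if not touched:
        return []
    findings = [f"AUTH-related attribute(s) change: {', '.join(touched)}"]
    strategy_added = (before.get("auth_token_update_strategy") is None
                      and after.get("auth_token_update_strategy") is not None)
    token_changed = before.get("auth_token") != after.get("auth_token")
    if strategy_added and not token_changed:
        # This is the diff quoted in the report: a strategy appears, no token does.
        findings.append("auth_token_update_strategy is set while auth_token itself "
                        "does not change; the provider attempts an auth_token change on apply")
        if after.get("user_group_ids"):
            # First error from the report: RBAC user groups and AUTH are exclusive.
            findings.append("user_group_ids is set: an AUTH token cannot be enabled "
                            "while a user group is associated")
        if not after.get("transit_encryption_enabled"):
            # Second error from the report: AUTH needs encryption in transit.
            findings.append("transit_encryption_enabled is false: AUTH token "
                            "modification requires in-transit encryption")
    return findings


def audit_plan(plan):
    """Map each flagged resource address to its list of findings."""
    results = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != RG_TYPE or "update" not in change.get("actions", []):
            continue
        findings = audit_replication_group(change)
        if findings:
            results[rc["address"]] = findings
    return results


# Constructed sample mirroring the two groups from the report (addresses and
# values are assumptions, not copied from a real plan).
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {   # RBAC-authenticated group: user group attached, TLS on
            "address": "module.redis.aws_elasticache_replication_group.redis",
            "type": RG_TYPE,
            "change": {
                "actions": ["update"],
                "before": {"auth_token": None, "auth_token_update_strategy": None,
                           "transit_encryption_enabled": True,
                           "user_group_ids": ["example-rbac-group"]},
                "after": {"auth_token": None, "auth_token_update_strategy": "ROTATE",
                          "transit_encryption_enabled": True,
                          "user_group_ids": ["example-rbac-group"]},
            },
        },
        {   # unauthenticated development variant: no user group, TLS off
            "address": "module.redis_dev.aws_elasticache_replication_group.redis",
            "type": RG_TYPE,
            "change": {
                "actions": ["update"],
                "before": {"auth_token": None, "auth_token_update_strategy": None,
                           "transit_encryption_enabled": False, "user_group_ids": []},
                "after": {"auth_token": None, "auth_token_update_strategy": "ROTATE",
                          "transit_encryption_enabled": False, "user_group_ids": []},
            },
        },
        {   # tags-only update: must not be flagged
            "address": "module.cache.aws_elasticache_replication_group.other",
            "type": RG_TYPE,
            "change": {"actions": ["update"],
                       "before": {"auth_token_update_strategy": "ROTATE", "tags": {}},
                       "after": {"auth_token_update_strategy": "ROTATE", "tags": {"Env": "x"}}},
        },
    ],
}


def audit_sample():
    """Run the audit over the constructed sample plan."""
    return audit_plan(SAMPLE_PLAN)


if __name__ == "__main__":
    # Usage: terraform show -json tfplan | python audit_elasticache_auth.py
    plan = SAMPLE_PLAN if sys.stdin.isatty() else json.load(sys.stdin)
    results = audit_plan(plan)
    print(json.dumps(results, indent=2))
    sys.exit(1 if results else 0)
```

Run it as a CI step between `terraform plan -out tfplan` and `terraform apply tfplan`; a non-zero exit blocks the apply so the AWS 400 never happens against a live cache. The check is deliberately narrow (it only reacts when the strategy appears without a token change), so a genuine token rotation is not flagged by the second rule.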

@mkkot-onegini mkkot-onegini added the bug Addresses a defect in current functionality. label Nov 28, 2023

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/elasticache Issues and PRs that pertain to the elasticache service. label Nov 28, 2023
@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Nov 28, 2023
@mkkot-onegini (Author)

Also, it's worth mentioning that the downgrade path is not possible due to:
Error: Resource instance managed by newer provider version
for other resources managed by the same tf plan.

@mkkot-onegini (Author)

We ran the plan a second time and now it says "No changes. Your infrastructure matches the configuration." So I'd say it's fixed but will leave the bug report here as a reference in case you would like to investigate it.

@sandhya2487

Thanks for raising this issue. I also encountered the same issue and observed the same behaviour: running the first time gave the above error, and in the next run it worked fine with "No changes. Your infrastructure matches the configuration."

Wondering if it made any change to the state file, or is there any fix delivered?

@TechCarter

We've encountered the same issue as described above. Having failed on the first apply, a replan also showed no updates.

@jar-b jar-b added regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. and removed needs-triage Waiting for first response or review from a maintainer. labels Nov 28, 2023
@jar-b jar-b self-assigned this Nov 28, 2023
@terraform-aws-provider terraform-aws-provider bot added the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Nov 28, 2023
@jar-b (Member) commented Nov 28, 2023

Relates #34460

@github-actions github-actions bot added this to the v5.28.0 milestone Nov 28, 2023
@github-actions github-actions bot removed the bug Addresses a defect in current functionality. label Nov 29, 2023

This functionality has been released in v5.28.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 29, 2023
@justinretzolk justinretzolk added the bug Addresses a defect in current functionality. label Feb 10, 2024