-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug]: Incorrectly recreating DynamoDB replicas #35629
Comments
Community NoteVoting for Prioritization
Volunteering to Work on This Issue
|
This is addressed in #35630 |
This functionality has been released in v5.36.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
Terraform Core Version
1.4.4
AWS Provider Version
5.34.0
Affected Resource(s)
Expected Behavior
Running a plan with no changes to dynamodb replicas should result in a nop.
Actual Behavior
Due to issues with the DynamoDB API inconsistently returning the
kms_key_arn
the provider thinks that the existing replica does not have thekms_key_arn
which in fact it does. This results in the provider thinking it needs to recreate the replica using the configuredkms_key_arn
.Relevant Error/Panic Output Snippet
No response
Terraform Configuration Files
Steps to Reproduce
A normal terraform plan on an existing table with 5+ replicas can normally reproduce this. It's important to note that the root cause is the DynamoDB API inconsistently not returning replica details. That means that the issue is not always reproducible. See the "Important Factoids" section for more details.
Debug Output
No response
Panic Output
No response
Important Factoids
It's important to note that the root cause of the issue is that the DynamoDB API only takes a best effort approach to returning replica information in a call to describe the table. A small table with a few replicas may not experience this issue at all. I did not see it until a table started using 5 replicas. Some regions also fail to return the replica details more often than others.
I wrote a script to capture the percentage of DescribeTable requests that fail to contain replica
kms_key_arn
settings for an AWS support ticket I was opening. Here's my comment from the support ticket:So from this data we can see that if the DescribeTable call is made using us-west-2 region then 100% of the time the
kms_key_arn
will be populated for replicas. In other regions like us-east-2 this can frequently result in nokms_key_arn
being returned and as a result the provider attempts to recreate a replica using thekms_key_arn
even though the replica is actually correctly configured.The support ticket was escalated to the DynamoDB service team and I eventually received the following response
The solution is to make a DescribeTable call per replica instead of relying on a single call's replicas details which may or may not be populated.
References
No response
Would you like to implement a fix?
Yes
The text was updated successfully, but these errors were encountered: