aws_rds_cluster from snapshot doesn't set new master password #9492

Closed
valentinbud opened this issue Jul 25, 2019 · 6 comments · Fixed by #9505
Labels
bug Addresses a defect in current functionality. service/rds Issues and PRs that pertain to the rds service.

valentinbud commented Jul 25, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

```
$ terraform version
Terraform v0.12.5
+ provider.aws v2.20.0
+ provider.mysql v1.7.0
```

Affected Resource(s)

  • aws_rds_cluster

Terraform Configuration Files

```
data "aws_db_cluster_snapshot" "latest" {
  db_cluster_identifier = "main-cluster"
  most_recent           = true
}

resource "aws_rds_cluster" "qa" {
  cluster_identifier              = "qa-cluster"
  engine                          = "aurora-mysql"
  engine_version                  = "5.7.12"
  skip_final_snapshot             = true
  apply_immediately               = true
  snapshot_identifier             = data.aws_db_cluster_snapshot.latest.id
  db_cluster_parameter_group_name = "main-aurora57-cluster"
  db_subnet_group_name            = "db-subnet"
  master_username                 = "root"
  master_password                 = "cbMTnFjpnVJL5DrCtk4pdqQxgyCgUQrV123"
  vpc_security_group_ids = [
    "sg-fd05b285",
    "sg-d91caba1",
    "sg-5ee68e2f"
  ]
}

resource "aws_rds_cluster_instance" "qa" {
  identifier              = "qa-cluster"
  cluster_identifier      = aws_rds_cluster.qa.id
  engine                  = "aurora-mysql"
  engine_version          = "5.7.12"
  instance_class          = "db.t3.medium"
  publicly_accessible     = true
  db_subnet_group_name    = "db-subnet"
  db_parameter_group_name = "db-aurora57"
  apply_immediately       = true
}
```

Debug Output

I don't think it would help in this case. terraform apply successfully creates the resources.

Panic Output

There's no panic output.

Expected Behavior

I expect the new RDS cluster to have the root password set up to cbMTnFjpnVJL5DrCtk4pdqQxgyCgUQrV123.

Actual Behavior

I have tried to connect to the cluster using root with password cbMTnFjpnVJL5DrCtk4pdqQxgyCgUQrV123 and receive the following error:

```
$ mysql -h rds-qa-cluster.domain.com -u root -pcbMTnFjpnVJL5DrCtk4pdqQxgyCgUQrV123
ERROR 1045 (28000): Access denied for user 'root'@'10.20.2.223' (using password: YES)
```

Steps to Reproduce

Create an Aurora RDS cluster from a snapshot of an existing Aurora cluster with a different master_password setup and try to connect to the cluster endpoint with the new master_password.

Important Factoids

Changing the master password of the qa-cluster using AWS CLI or AWS Console allows me to login to the cluster.

References

I have searched the open issues but couldn't find one that matches my use case exactly.
It might relate to #3220 though

Thank you for looking into this 😃.

@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jul 25, 2019
@bflad bflad added bug Addresses a defect in current functionality. service/rds Issues and PRs that pertain to the rds service. and removed needs-triage Waiting for first response or review from a maintainer. labels Jul 25, 2019
@bflad
Contributor

bflad commented Jul 25, 2019

Hi @valentinbud 👋 Thank you for reporting this and sorry for the unexpected behavior.

It does appear the resource is not properly handling master_password when RestoreDBClusterFromSnapshot is called during the resource Create function. The API call itself does not accept MasterUserPassword as a parameter, so we should be resetting the password via ModifyDBCluster after the database is restored when the argument is declared in Terraform.

@valentinbud
Author

Hi @bflad 👋,

Thank you for your prompt response. For what it's worth, at the moment I do it in two
terraform apply stages with master_password set through TF_VAR_master_password.
In the second stage I set the master_password I desire and use in other, subsequent, states.
Works like a charm. I'll keep an eye on this, test and modify my states when it gets fixed.

Have a wonderful day 😃.

bflad added a commit that referenced this issue Jul 25, 2019
…shot restore

Reference: #9492

Since we cannot read the master password from the API during `Read`, it would silently be saved with the configuration value in the Terraform state and never trigger an update. This cannot be found via the acceptance testing framework without attempting to connect to the RDS Cluster (e.g. via the mysql provider), but relatedly added a test for master_username since that was also missing during snapshot restore, which highlighted a related missing test.

```
--- FAIL: TestAccAWSRDSCluster_SnapshotIdentifier_MasterUsername (377.68s)
    testing.go:568: Step 0 error: Check failed: Check 4/4 error: aws_rds_cluster.test: Attribute 'master_username' expected "username1", got "foo"
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_MasterPassword (378.00s)
```

Output from acceptance testing:

```
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_MasterPassword (364.62s)
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_MasterUsername (387.26s)
```
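
The restore-then-modify sequence bflad describes, together with the state behaviour noted in the commit message, modelled as an added example (not the provider's code). `fakeRDS`, `create` and the sample passwords are constructed for illustration and no AWS SDK is used.

```go
package main

import "fmt"

// fakeRDS is a constructed in-memory stand-in for the RDS API, not the AWS SDK.
type fakeRDS struct {
	snapshots map[string]string // snapshot ID -> master password captured in it
	clusters  map[string]string // cluster ID -> master password in effect
}

// Restore models RestoreDBClusterFromSnapshot: no password parameter, so the snapshot's credentials carry over.
func (f *fakeRDS) Restore(clusterID, snapshotID string) error {
	pw, ok := f.snapshots[snapshotID]
	if !ok {
		return fmt.Errorf("snapshot not found: %s", snapshotID)
	}
	f.clusters[clusterID] = pw
	return nil
}

// Modify models ModifyDBCluster called with a new master password.
func (f *fakeRDS) Modify(clusterID, password string) error {
	if _, ok := f.clusters[clusterID]; !ok {
		return fmt.Errorf("cluster not found: %s", clusterID)
	}
	f.clusters[clusterID] = password
	return nil
}

// create returns the password saved to state. The API never returns the real
// one, so state holds the configured value whatever the cluster actually uses.
func create(f *fakeRDS, clusterID, snapshotID, configured string, reset bool) (string, error) {
	if err := f.Restore(clusterID, snapshotID); err != nil {
		return "", fmt.Errorf("restore: %w", err)
	}
	if reset && configured != "" { // the step described as missing in the issue
		if err := f.Modify(clusterID, configured); err != nil {
			return "", fmt.Errorf("modify: %w", err)
		}
	}
	return configured, nil
}

func main() {
	for _, reset := range []bool{false, true} {
		f := &fakeRDS{map[string]string{"snap-prod": "prod-pw"}, map[string]string{}}
		state, _ := create(f, "qa-cluster", "snap-prod", "qa-pw", reset)
		fmt.Printf("reset=%v state=%q live=%q\n", reset, state, f.clusters["qa-cluster"])
	}
}
```

With `reset=false` the state records the configured password while the restored cluster still accepts only the one from the source snapshot, and nothing in a later plan shows the difference.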
@bflad bflad added this to the v2.21.0 milestone Jul 25, 2019
@bflad
Contributor

bflad commented Jul 25, 2019

The fix for this has been merged and will release later today with version 2.21.0 of the Terraform AWS Provider. 👍

@bflad
Contributor

bflad commented Jul 26, 2019

This has been released in version 2.21.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests, documentation updates, or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@valentinbud
Author

Hi @bflad 👋

I have tried it today with the latest release of the aws provider. It works like a charm. Thank you for fixing this.

Have a wonderful day 😃

@ghost

ghost commented Nov 2, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 2, 2019