RDS oracle with read replica is not working with custom parameter groups and ca_cert_identifier

[pragya-nayak]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform Version: 0.12.29/0.12.31
AWS Provider Version: 3.47.0

Affected Resource(s)

• aws_db_instance

aws_db_instance now support creation of rds oracle read replica but this does not work with custom parameter groups

Steps to Reproduce

To reproduce this error create tf file with below requirement:

1. Create primary rds oracle db in AWS region with custom parameter group and ca_cert_identifier attribute
2. ca_cert_identifier value should be "rds-ca-2019"
3. Create oracle replica db in different AWS region with primary db created in 1. as source
4. replica db should also have custom parameter group and ca_cert_identifier attribute
5. Parameter for parameter group:
   rds_parameter_pgparameters = [
   {
   name = "streams_pool_size"
   value = "536870912"
   apply_method = "pending-reboot"
   },
   {
   name = "java_pool_size"
   value = "52428800"
   apply_method = "pending-reboot"
   }
   ]

This will also fail when apply_method is immediate

The code will work if default parameter group is used in place of custom parameters

The workaround to use custom parameter in read replica is to remove ca_cert_identifier attribute from resource and this will work because it takes default value as "rds-ca-2019" but when there is a requirement for different certificate we will need to provide ca_cert_identifier attribute and this will fail.

Below is the resource configuration for primary db and read replica which with ca_cert_identifier

resource "aws_db_instance" "rdsinstance" {
count = 1
identifier = "test-oracle-rds"
engine = "oracle-ee"
engine_version ="12.2.0.1.ru-2021-04.rur-2021-04.r1"
instance_class = "db.m5.xlarge"
username = "${var.dbusername}"
password = "${var.dbpassword}"
db_subnet_group_name = "${local.db_subnet_group_name}"
storage_type = "gp2"
allocated_storage = "${var.allocated_storage}"
apply_immediately = "${var.applyimmediately}"
iops = "${var.storage_type == "gp2" ? 0 : var.iops}"
auto_minor_version_upgrade = true
publicly_accessible = false
monitoring_interval = 60
monitoring_role_arn = "${var.monitoringrole_arn}"
backup_retention_period = "${var.backup_retention_period}"
copy_tags_to_snapshot = true
skip_final_snapshot = "${var.skipfinalsnap}"
final_snapshot_identifier = "${var.skipfinalsnap == false ? "test-oracle-rds-${md5(timestamp())}" : null}"
backup_window = "${var.backupwindow}"
maintenance_window = "${var.maintenancewindow}"
storage_encrypted = true
kms_key_id = "${var.rdskmskeyid}"
license_model = "${var.license_model}"
name = "${var.dbname}"
port = "${var.db_port}"
vpc_security_group_ids = "${var.vpcsecgrp}"
parameter_group_name = "${var.parameter_group_name}"
enabled_cloudwatch_logs_exports = ["alert", "audit", "listener", "trace"]
multi_az = "${var.multiaz}"
allow_major_version_upgrade = true
option_group_name = "${var.option_group_name}"
max_allocated_storage = "${var.max_allocated_storage}"
performance_insights_enabled = "${lookup(var.common, "sdlcenv") == "dev" ? var.performance_insights_enabled : true}"
performance_insights_retention_period = "${var.performance_insights_enabled == true ? var.performance_insights_retention_period : null}"
performance_insights_kms_key_id = "${var.performance_insights_enabled == true ? var.rdskmskeyid : null}"
ca_cert_identifier = "${var.ca_cert}"
snapshot_identifier = "${var.create_from_snapshot ? var.snapshot_identifier : ""}"
character_set_name = "${var.character_set_name}"
replicate_source_db = "${var.replicate_source_db}"
lifecycle {
ignore_changes = ["final_snapshot_identifier"]
}
timeouts {
create = "${var.create_timeout}"
}
}

Reference Code:
rds-oracle.zip

Debug Output

Expected Behavior

Read replica db and primary db both should successfully get created with custom paramter

Actual Behavior

Only primary db is getting creating and replica db is failing with error
Instance cannot currently reboot due to an in-progress management operation

When again doing terraform plan the replica db is showing as tainted so it will destroy and create it again and this is never ending until ca_cert_identifier is removed

[github-actions]

This functionality has been released in v4.0.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.