[Bug]: aws_rds_cluster & aws_db_instance: backup_retention_period cannot be set to a blank value

[morremeyer]

Terraform Core Version

1.5.7

AWS Provider Version

5.16.2

Affected Resource(s)

• aws_rds_cluster
• aws_db_instance

Expected Behavior

The backup_retention_period can not be set to a blank value since defaults to

• 0 for aws_db_instance
• 1 for aws_rds_cluster

However, a blank value is needed when using AWS Backup and not wanting to duplicate configuration. When AWS Backup is used, it manages the backup configuration for the cluster/instance and it is enforced that the values, if set, match up or are blank.

To have a single source of truth and not copy settings around, a blank value has to be set here.

The potential workaround of matching the values exactly also does not work without breaking the configuration temporarily, since changing the AWS Backup configuration that is responsible for the specific instance/cluster does not instantly apply this change back to the instance/cluster's backup configuration, but only when the AWS Backup plan runs the next time, leading to the terraform apply to fail until that has happened.

An example of that is using AWS Backup with a plan that has a resource assignment based on tags. There are two plans, continuous, which does continuous backups with 35 days retention and continuous-short, which does continuous backups with 4 days retention. Both are triggered at 07:00 UTC each day.

When an RDS cluster being tagged for the continuous plan is switched to the continous-short plan, we would update both the tag for the selection and the backup_retention_period at the same time with a conditional:

  backup_retention_period = var.is_prod ? 35 : 4
  tags = {
    "Backup" = var.is_prod ? "continuous" : "continuous-short"
  }

This plan will apply the tag change, but will fail for the backup_retention_period until the next triggered run of the continuous-short AWS Backup plan at 07:00 UTC since only that updates the RDS cluster configuration.

Actual Behavior

backup_retention_period can be set to a blank value for both aws_rds_cluster and aws_db_instance resources.

Relevant Error/Panic Output Snippet

Error: updating RDS Cluster ($redacted_name): InvalidParameterValue: RDS cluster $redacted_name is associated with the following AwsBackupRecoveryPointArn: arn:aws:backup:us-east-1:$account:recovery-point:continuous:cluster-$id. The BackupRetentionPeriod can be blank, or you can use the current value, 35. For more details, see the AWS Backup documentation. status code: 400, request id: $request_id

Terraform Configuration Files

provider "aws" {
  region = "eu-central-1"
}

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.16.2"
    }
  }
  required_version = "1.5.7"
}

resource "aws_rds_cluster" "postgresql" {
  cluster_identifier      = "aurora-cluster-demo"
  engine                  = "aurora-postgresql"
  availability_zones      = ["eu-central-1a", "eu-central-1b", "eu-central-1c"]
  master_username         = "shaiThiechueYeet4baePhahm3ahfela"
  master_password         = "que2chaizaez3jaelohkees7Yai5zaiw"
  skip_final_snapshot = true

  # If this is "null", it defaults to "1"
  # Any non-number fails with "Inappropriate value for attribute "backup_retention_period": a number is required."
  backup_retention_period = ""
}

Can also be found in https://github.com/morremeyer/tf-aws-backup-retention

Steps to Reproduce

Using the configuration file pasted above, authenticate against AWS, then run:

terraform init
terraform apply

try to configure backup_retention_period in a way that results in a blank value - you'll find it's not possible.

Debug Output

2023-09-14T14:17:59.847+0200 [INFO]  Terraform version: 1.5.7
2023-09-14T14:17:59.847+0200 [DEBUG] using github.com/hashicorp/go-tfe v1.26.0
2023-09-14T14:17:59.847+0200 [DEBUG] using github.com/hashicorp/hcl/v2 v2.16.2
2023-09-14T14:17:59.847+0200 [DEBUG] using github.com/hashicorp/terraform-svchost v0.1.0
2023-09-14T14:17:59.847+0200 [DEBUG] using github.com/zclconf/go-cty v1.12.2
2023-09-14T14:17:59.847+0200 [INFO]  Go runtime version: go1.20.7
2023-09-14T14:17:59.847+0200 [INFO]  CLI args: []string{"/opt/homebrew/Cellar/tfenv/3.0.0/versions/1.5.7/terraform", "plan"}
2023-09-14T14:17:59.847+0200 [DEBUG] Attempting to open CLI config file: /Users/mmeyer/.terraformrc
2023-09-14T14:17:59.847+0200 [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2023-09-14T14:17:59.847+0200 [INFO]  Loading CLI configuration from /Users/mmeyer/.terraform.d/credentials.tfrc.json
2023-09-14T14:17:59.847+0200 [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2023-09-14T14:17:59.847+0200 [DEBUG] ignoring non-existing provider search directory /Users/mmeyer/.terraform.d/plugins
2023-09-14T14:17:59.847+0200 [DEBUG] ignoring non-existing provider search directory /Users/mmeyer/Library/Application Support/io.terraform/plugins
2023-09-14T14:17:59.847+0200 [DEBUG] ignoring non-existing provider search directory /Library/Application Support/io.terraform/plugins
2023-09-14T14:17:59.847+0200 [INFO]  CLI command args: []string{"plan"}
2023-09-14T14:17:59.848+0200 [DEBUG] New state was assigned lineage "dde6c8d0-09e4-590d-2612-279bcf505582"
2023-09-14T14:18:00.042+0200 [DEBUG] checking for provisioner in "."
2023-09-14T14:18:00.042+0200 [DEBUG] checking for provisioner in "/opt/homebrew/Cellar/tfenv/3.0.0/versions/1.5.7"
2023-09-14T14:18:00.042+0200 [INFO]  backend/local: starting Plan operation
2023-09-14T14:18:00.045+0200 [DEBUG] created provider logger: level=debug
2023-09-14T14:18:00.045+0200 [INFO]  provider: configuring client automatic mTLS
2023-09-14T14:18:00.049+0200 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.16.2/darwin_arm64/terraform-provider-aws_v5.16.2_x5 args=[.terraform/providers/registry.terraform.io/hashicorp/aws/5.16.2/darwin_arm64/terraform-provider-aws_v5.16.2_x5]
2023-09-14T14:18:00.059+0200 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.16.2/darwin_arm64/terraform-provider-aws_v5.16.2_x5 pid=34408
2023-09-14T14:18:00.059+0200 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.16.2/darwin_arm64/terraform-provider-aws_v5.16.2_x5
2023-09-14T14:18:00.131+0200 [INFO]  provider.terraform-provider-aws_v5.16.2_x5: configuring server automatic mTLS: timestamp=2023-09-14T14:18:00.131+0200
2023-09-14T14:18:00.136+0200 [DEBUG] provider: using plugin: version=5
2023-09-14T14:18:00.136+0200 [DEBUG] provider.terraform-provider-aws_v5.16.2_x5: plugin address: address=/var/folders/fg/hr6jsjhj4h78c9cg9grkk_4c0000gp/T/plugin3318880106 network=unix timestamp=2023-09-14T14:18:00.136+0200
2023-09-14T14:18:00.454+0200 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2023-09-14T14:18:00.457+0200 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.16.2/darwin_arm64/terraform-provider-aws_v5.16.2_x5 pid=34408
2023-09-14T14:18:00.457+0200 [DEBUG] provider: plugin exited
2023-09-14T14:18:00.457+0200 [DEBUG] Building and walking validate graph
2023-09-14T14:18:00.457+0200 [DEBUG] ProviderTransformer: "aws_rds_cluster.postgresql" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/aws"]
2023-09-14T14:18:00.457+0200 [DEBUG] ReferenceTransformer: "aws_rds_cluster.postgresql" references: []
2023-09-14T14:18:00.457+0200 [DEBUG] ReferenceTransformer: "provider[\"registry.terraform.io/hashicorp/aws\"]" references: []
2023-09-14T14:18:00.457+0200 [DEBUG] Starting graph walk: walkValidate
2023-09-14T14:18:00.458+0200 [DEBUG] created provider logger: level=debug
2023-09-14T14:18:00.458+0200 [INFO]  provider: configuring client automatic mTLS
2023-09-14T14:18:00.459+0200 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.16.2/darwin_arm64/terraform-provider-aws_v5.16.2_x5 args=[.terraform/providers/registry.terraform.io/hashicorp/aws/5.16.2/darwin_arm64/terraform-provider-aws_v5.16.2_x5]
2023-09-14T14:18:00.469+0200 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.16.2/darwin_arm64/terraform-provider-aws_v5.16.2_x5 pid=34409
2023-09-14T14:18:00.469+0200 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.16.2/darwin_arm64/terraform-provider-aws_v5.16.2_x5
2023-09-14T14:18:00.536+0200 [INFO]  provider.terraform-provider-aws_v5.16.2_x5: configuring server automatic mTLS: timestamp=2023-09-14T14:18:00.535+0200
2023-09-14T14:18:00.540+0200 [DEBUG] provider: using plugin: version=5
2023-09-14T14:18:00.540+0200 [DEBUG] provider.terraform-provider-aws_v5.16.2_x5: plugin address: address=/var/folders/fg/hr6jsjhj4h78c9cg9grkk_4c0000gp/T/plugin3130613825 network=unix timestamp=2023-09-14T14:18:00.540+0200
2023-09-14T14:18:00.840+0200 [ERROR] vertex "aws_rds_cluster.postgresql" error: Incorrect attribute value type
╷
│ Error: Incorrect attribute value type
│ 
│   on main.tf line 25, in resource "aws_rds_cluster" "postgresql":
│   25:   backup_retention_period = ""
│ 
│ Inappropriate value for attribute "backup_retention_period": a number is required.
╵
2023-09-14T14:18:00.841+0200 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2023-09-14T14:18:00.844+0200 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.16.2/darwin_arm64/terraform-provider-aws_v5.16.2_x5 pid=34409
2023-09-14T14:18:00.844+0200 [DEBUG] provider: plugin exited

Panic Output

No response

Important Factoids

No additional info

References

• AWS documentation stating that automated backups can't be enabled when using AWS Backup
  

Would you like to implement a fix?

No

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[morremeyer]

I checked the provider code to find out how we could set a blank value, but the provider enforces that the value is an int.

On the lower level, the provider is using the go sdk, which also enforces a number. As far as I can see, to not set a value/set a "blank" value as the error message suggests, both the SDK and the provider would need to be updated. Edit: This looks to be wrong, I misread the code.

[morremeyer]

Quick update for everyone: I have an open support case with Hashicorp fort this, they are investigating this internally.

I'll report back with any significant updates if necessary.

[grimm26]

@morremeyer I'm guessing they can't do a lot unless the AWS API is changed.

[morremeyer]

@grimm26 I misspoke when I said the SDK does not support not setting it because I misread the code.

It does support that, it's just the Terraform provider/the specific resources that don't.

[github-actions]

This functionality has been released in v5.24.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.