
[Bug]: Terraform wants to make a change to aws_db_proxy if auth information returned by AWS is in a different order than in terraform (regression in 4.55.0) #34142

Closed
LHCGreg opened this issue Oct 27, 2023 · 5 comments · Fixed by #35819
Assignees
Labels
bug Addresses a defect in current functionality. regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. service/rds Issues and PRs that pertain to the rds service.
Milestone

Comments

@LHCGreg

LHCGreg commented Oct 27, 2023

Terraform Core Version

1.3.3

AWS Provider Version

5.22.0, 4.55.0

Affected Resource(s)

  • aws_db_proxy

Expected Behavior

When upgrading from an AWS provider version before 4.55.0 with an aws_db_proxy resource with multiple auth blocks, I expect a plan to show no changes no matter what order the auth blocks are in.

Actual Behavior

A plan shows changes if the order of auth blocks in terraform code is not in the same order they are shown in the AWS web console. With multiple environments or regions, the order may be different between them.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

This is not 100% self-contained. Some things like VPC, subnets, and target DB identifier need to be filled in.

data "aws_iam_policy_document" "rds_proxy_secrets_access_document" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["rds.amazonaws.com"]
    }
  }
}

data "aws_iam_policy_document" "rds_proxy_inline_policy_document" {
  statement {
    actions = [
      "secretsmanager:GetSecretValue",
    ]
    resources = ["*"]
  }
  statement {
    actions = [
      "kms:Decrypt",
    ]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values = [
        "secretsmanager.us-east-1.amazonaws.com",
      ]
    }
  }
}

resource "aws_iam_role" "rds_proxy_secrets_access" {
  name               = "rds-proxy-secrets-access"
  assume_role_policy = data.aws_iam_policy_document.rds_proxy_secrets_access_document.json
}

resource "aws_iam_role_policy" "permissions_policy_for_rds_proxy" {
  name   = "permissions-policy-for-rds-proxy"
  role   = aws_iam_role.rds_proxy_secrets_access.id
  policy = data.aws_iam_policy_document.rds_proxy_inline_policy_document.json
}

resource "aws_security_group" "db_sg" {
  name        = "db-sg"
  vpc_id      = "VPC-ID-GOES-HERE"
  description = "Security group for RDS instances."
}

#Add rule to Security Group
resource "aws_security_group_rule" "db_sg-rule-outbound" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.db_sg.id
}

#Add rule to Security Group
resource "aws_security_group_rule" "db_sg-rule-postgres" {
  type              = "ingress"
  from_port         = 5432
  to_port           = 5432
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/8"]
  security_group_id = aws_security_group.db_sg.id
}

resource "aws_db_proxy" "rds_proxy" {
  name                   = "terraform-rds-proxy-repro"
  debug_logging          = false
  engine_family          = "POSTGRESQL"
  idle_client_timeout    = 300
  require_tls            = true
  role_arn               = aws_iam_role.rds_proxy_secrets_access.arn
  vpc_security_group_ids = [aws_security_group.db_sg.id]
  vpc_subnet_ids         = ["SUBNET-ID-1-GOES-HERE", "SUBNET-ID-2-GOES-HERE", "SUBNET-ID-3-GOES-HERE"]

  auth {
    auth_scheme               = "SECRETS"
    client_password_auth_type = "POSTGRES_SCRAM_SHA_256"
    description               = "user with read/write access to the database."
    iam_auth                  = "REQUIRED"
    secret_arn                = "READ-WRITE-SECRET-ARN-GOES-HERE"
  }

  auth {
    auth_scheme               = "SECRETS"
    client_password_auth_type = "POSTGRES_SCRAM_SHA_256"
    description               = "user with read only access to the database."
    iam_auth                  = "REQUIRED"
    secret_arn                = "READ-ONLY-SECRET-ARN-GOES-HERE"
  }
}

resource "aws_db_proxy_default_target_group" "rds_proxy_target_group" {
  db_proxy_name = aws_db_proxy.rds_proxy.name

  connection_pool_config {
    connection_borrow_timeout    = 120
    max_connections_percent      = 90
    max_idle_connections_percent = 50
  }
}

resource "aws_db_proxy_target" "rds_proxy_target" {
  db_instance_identifier = "IDENTIFIER-OF-TARGET-DB-GOES-HERE"
  db_proxy_name          = aws_db_proxy.rds_proxy.name
  target_group_name      = aws_db_proxy_default_target_group.rds_proxy_target_group.name
}

Steps to Reproduce

  • Create an aws_db_proxy resource with multiple auth blocks like in the configuration I gave and do a plan and apply.
  • Do a terraform plan.
  • If the plan shows changes to the auth blocks, the bug is demonstrated. Otherwise, change the order of the auth blocks in the terraform code and do another plan. The plan will show a change to the auth blocks.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

This is likely related to #28432. auth on aws_db_proxy changed from Type: schema.TypeSet to Type: schema.TypeList. I'm not familiar with Terraform internals so I don't know the full implications of that change or the implications of changing it back. That change was released in provider version 4.55.0. I've confirmed the buggy behavior is in 4.55.0 but not 4.54.0.

Would you like to implement a fix?

No
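A practical way to tell a spurious reorder diff of the kind reported above from a real change to the proxy's auth configuration is to inspect the machine-readable plan (`terraform show -json tfplan`) and compare the `auth` lists in `before` and `after` as multisets rather than as ordered lists. The script below is an added example, not part of this issue or of the provider's code; it assumes the standard plan JSON layout (`resource_changes[].change.before/after`) and embeds a constructed sample plan with placeholder secret ARNs so it runs offline. It goes slightly beyond the report by also flagging changes that remain after order is ignored, so it can gate a CI pipeline on "real" proxy changes only.

```python
"""Classify aws_db_proxy auth changes in a Terraform plan as reorder-only or real.

Added example (not part of the issue or the provider). Reads the JSON produced by
`terraform show -json tfplan` and, for every aws_db_proxy resource change, compares
the `auth` lists in `before` and `after` as multisets. A change that disappears once
order is ignored is the no-op reorder described in the report.
"""
import json
import sys
from collections import Counter


def _canonical(block):
    """Hashable, order-independent representation of one auth block."""
    return tuple(sorted((k, str(v)) for k, v in block.items() if v is not None))


def auth_change_is_reorder_only(before, after):
    """True when before/after contain the same auth blocks (same multiplicity) in a different order."""
    if before is None or after is None or before == after:
        return False
    return Counter(map(_canonical, before)) == Counter(map(_canonical, after))


def classify_db_proxy_changes(plan):
    """Return {address: 'unchanged' | 'reorder_only' | 'real_change'} for each aws_db_proxy in the plan."""
    results = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_db_proxy":
            continue
        change = rc.get("change", {})
        before = (change.get("before") or {}).get("auth")
        after = (change.get("after") or {}).get("auth")
        if before == after:
            results[rc["address"]] = "unchanged"
        elif auth_change_is_reorder_only(before, after):
            results[rc["address"]] = "reorder_only"
        else:
            results[rc["address"]] = "real_change"
    return results


def load_plan(path):
    """Load a plan JSON file written by `terraform show -json tfplan > plan.json`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample plan (placeholder ARNs, not real resources).
_RW = {
    "auth_scheme": "SECRETS",
    "client_password_auth_type": "POSTGRES_SCRAM_SHA_256",
    "description": "user with read/write access to the database.",
    "iam_auth": "REQUIRED",
    "secret_arn": "arn:aws:secretsmanager:us-east-1:123456789012:secret:rw-PLACEHOLDER",
    "username": "",
}
_RO = dict(_RW, description="user with read only access to the database.",
           secret_arn="arn:aws:secretsmanager:us-east-1:123456789012:secret:ro-PLACEHOLDER")
_RO_WEAKENED = dict(_RO, iam_auth="DISABLED")  # a genuine (and security-relevant) change

SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {   # same two blocks, swapped: the spurious diff from the report
            "address": "aws_db_proxy.rds_proxy", "type": "aws_db_proxy",
            "change": {"actions": ["update"], "before": {"auth": [_RW, _RO]}, "after": {"auth": [_RO, _RW]}},
        },
        {   # read-only block loses iam_auth=REQUIRED: must not be waved through
            "address": "aws_db_proxy.other", "type": "aws_db_proxy",
            "change": {"actions": ["update"], "before": {"auth": [_RW, _RO]}, "after": {"auth": [_RW, _RO_WEAKENED]}},
        },
        {   # unrelated resource type is ignored
            "address": "aws_db_proxy_target.rds_proxy_target", "type": "aws_db_proxy_target",
            "change": {"actions": ["no-op"], "before": {}, "after": {}},
        },
    ],
}


if __name__ == "__main__":
    plan = load_plan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PLAN
    verdicts = classify_db_proxy_changes(plan)
    for address, verdict in sorted(verdicts.items()):
        print(f"{address}: {verdict}")
    # Non-zero exit only when a proxy's auth configuration actually changes.
    sys.exit(1 if "real_change" in verdicts.values() else 0)
```

Run it as `python check_proxy_auth.py plan.json` after `terraform show -json tfplan > plan.json`; with no argument it evaluates the embedded sample. The multiset comparison is the same idea a `schema.TypeSet` attribute applies inside the provider, so a plan that this script labels `reorder_only` is exactly the drift the fix in v5.37.0 makes disappear, while a block whose `iam_auth` or `secret_arn` really differs is still reported.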

@LHCGreg LHCGreg added the bug Addresses a defect in current functionality. label Oct 27, 2023
@github-actions

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added service/iam Issues and PRs that pertain to the iam service. service/rds Issues and PRs that pertain to the rds service. service/vpc Issues and PRs that pertain to the vpc service. labels Oct 27, 2023
@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Oct 27, 2023
@justinretzolk justinretzolk added regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. and removed service/iam Issues and PRs that pertain to the iam service. needs-triage Waiting for first response or review from a maintainer. service/vpc Issues and PRs that pertain to the vpc service. labels Nov 7, 2023
@terraform-aws-provider terraform-aws-provider bot added the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Nov 7, 2023
@trevorrea
Contributor

Adding a comment to say I have also seen this bug.

@ewbankkit
Contributor

Relates #28432.

@ewbankkit ewbankkit self-assigned this Feb 13, 2024
@github-actions github-actions bot added this to the v5.37.0 milestone Feb 15, 2024
@github-actions github-actions bot removed the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Feb 15, 2024

This functionality has been released in v5.37.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 17, 2024