Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Force replacement on snapshot_identifier change for DB cluster resources #29409

Merged
merged 10 commits into from
May 1, 2023

Conversation

jar-b
Copy link
Member

@jar-b jar-b commented Feb 14, 2023

Description

Changes to the snapshot_identifier attribute of the aws_rds_cluster, aws_docdb_cluster, and aws_neptune_cluster resources will now trigger a replacement. Previously, changing this attribute would result in a successful apply, but without the cluster actually being restored (only the resource state was changed).

Relations

Closes #15563

References

The aws_db_instance already forces re-creation on changes to this attribute:

"snapshot_identifier": {
Type: schema.TypeString,
Computed: true,
Optional: true,
ForceNew: true,
},

Output from Acceptance Testing

$ make testacc PKG=rds TESTS="TestAccRDSCluster_snapshotIdentifier|TestAccRDSCluster_SnapshotIdentifier_"
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/rds/... -v -count 1 -parallel 20 -run='TestAccRDSCluster_snapshotIdentifier|TestAccRDSCluster_SnapshotIdentifier_'  -timeout 180m
--- PASS: TestAccRDSCluster_SnapshotIdentifier_kmsKeyID (387.21s)
--- PASS: TestAccRDSCluster_SnapshotIdentifier_masterUsername (387.64s)
--- PASS: TestAccRDSCluster_SnapshotIdentifier_masterPassword (406.97s)
--- PASS: TestAccRDSCluster_SnapshotIdentifier_tags (407.33s)
--- PASS: TestAccRDSCluster_SnapshotIdentifier_preferredMaintenanceWindow (412.53s)
--- PASS: TestAccRDSCluster_snapshotIdentifier (427.10s)
--- PASS: TestAccRDSCluster_SnapshotIdentifier_encryptedRestore (427.47s)
--- PASS: TestAccRDSCluster_SnapshotIdentifier_preferredBackupWindow (447.51s)
--- PASS: TestAccRDSCluster_SnapshotIdentifier_vpcSecurityGroupIDs (471.06s)
--- PASS: TestAccRDSCluster_SnapshotIdentifier_deletionProtection (488.49s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/rds        491.514s
$ make testacc PKG=docdb TESTS=TestAccDocDBCluster_
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/docdb/... -v -count 1 -parallel 20 -run='TestAccDocDBCluster_'  -timeout 180m
--- PASS: TestAccDocDBCluster_missingUserNameCausesError (11.19s)
--- PASS: TestAccDocDBCluster_kmsKey (148.65s)
--- PASS: TestAccDocDBCluster_generatedName (163.32s)
--- PASS: TestAccDocDBCluster_namePrefix (163.42s)
--- PASS: TestAccDocDBCluster_basic (163.52s)
--- PASS: TestAccDocDBCluster_encrypted (165.76s)
--- PASS: TestAccDocDBCluster_GlobalClusterIdentifier_Add (170.45s)
--- PASS: TestAccDocDBCluster_GlobalClusterIdentifier_Remove (175.05s)
--- PASS: TestAccDocDBCluster_backupsUpdate (186.64s)
--- PASS: TestAccDocDBCluster_updateCloudWatchLogsExports (186.82s)
--- PASS: TestAccDocDBCluster_GlobalClusterIdentifier_Update (192.92s)
--- PASS: TestAccDocDBCluster_GlobalClusterIdentifier (205.86s)
--- PASS: TestAccDocDBCluster_updateTags (206.89s)
--- PASS: TestAccDocDBCluster_deleteProtection (251.82s)
--- PASS: TestAccDocDBCluster_takeFinalSnapshot (286.18s)
--- PASS: TestAccDocDBCluster_port (309.54s)
--- PASS: TestAccDocDBCluster_GlobalClusterIdentifier_PrimarySecondaryClusters (2489.61s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/docdb      2494.494s
$ make testacc PKG=neptune TESTS=TestAccNeptuneCluster_
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/neptune/... -v -count 1 -parallel 20 -run='TestAccNeptuneCluster_'  -timeout 180m
--- PASS: TestAccNeptuneCluster_kmsKey (130.25s)
--- PASS: TestAccNeptuneCluster_serverlessConfiguration (132.60s)
--- PASS: TestAccNeptuneCluster_namePrefix (132.66s)
--- PASS: TestAccNeptuneCluster_basic (135.38s)
--- PASS: TestAccNeptuneCluster_disappears (140.03s)
--- PASS: TestAccNeptuneCluster_iamAuth (154.69s)
--- PASS: TestAccNeptuneCluster_backupsUpdate (176.37s)
--- PASS: TestAccNeptuneCluster_tags (176.93s)
--- PASS: TestAccNeptuneCluster_encrypted (195.02s)
--- PASS: TestAccNeptuneCluster_updateIAMRoles (208.46s)
--- PASS: TestAccNeptuneCluster_updateCloudWatchLogsExports (208.55s)
--- PASS: TestAccNeptuneCluster_deleteProtection (216.99s)
--- PASS: TestAccNeptuneCluster_copyTagsToSnapshot (237.41s)
--- PASS: TestAccNeptuneCluster_takeFinalSnapshot (297.45s)
--- PASS: TestAccNeptuneCluster_restoreFromSnapshot (443.41s)
--- PASS: TestAccNeptuneCluster_updateEngineVersion (1611.70s)
--- PASS: TestAccNeptuneCluster_updateEngineMajorVersion (2122.90s)
--- PASS: TestAccNeptuneCluster_GlobalClusterIdentifier_PrimarySecondaryClusters (2651.09s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/neptune    2654.582s

@github-actions
Copy link

Community Note

Voting for Prioritization

  • Please vote on this pull request by adding a 👍 reaction to the original post to help the community and maintainers prioritize this pull request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

For Submitters

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@github-actions github-actions bot added service/rds Issues and PRs that pertain to the rds service. size/XS Managed by automation to categorize the size of a PR. labels Feb 14, 2023
@ewbankkit
Copy link
Contributor

We should also ensure consistency for the AWS services that are veneers on top of RDS:

@jar-b jar-b force-pushed the td-rds_cluster-snapshot-force-new branch from 2c49b38 to 0a2bc65 Compare February 15, 2023 14:58
@jar-b jar-b changed the title r/aws_rds_cluster: Force replacement on snapshot_identifier change Force replacement on snapshot_identifier change for DB cluster resources Feb 15, 2023
@github-actions github-actions bot added service/docdb Issues and PRs that pertain to the docdb service. service/neptune Issues and PRs that pertain to the neptune service. labels Feb 15, 2023
@jar-b jar-b marked this pull request as ready for review February 15, 2023 15:41
@johnsonaj johnsonaj self-requested a review February 17, 2023 15:40
Copy link
Contributor

@johnsonaj johnsonaj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀

$ make testacc PKG=rds TESTS="TestAccRDSCluster_snapshotIdentifier|TestAccRDSCluster_SnapshotIdentifier_" 

==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/rds/... -v -count 1 -parallel 20 -run='TestAccRDSCluster_snapshotIdentifier|TestAccRDSCluster_SnapshotIdentifier_'  -timeout 180m
--- PASS: TestAccRDSCluster_SnapshotIdentifier_tags (363.02s)
--- PASS: TestAccRDSCluster_SnapshotIdentifier_kmsKeyID (363.02s)
--- PASS: TestAccRDSCluster_SnapshotIdentifier_preferredBackupWindow (363.34s)
--- PASS: TestAccRDSCluster_SnapshotIdentifier_encryptedRestore (363.34s)
--- PASS: TestAccRDSCluster_SnapshotIdentifier_vpcSecurityGroupIDs (377.49s)
--- PASS: TestAccRDSCluster_snapshotIdentifier (383.46s)
--- PASS: TestAccRDSCluster_SnapshotIdentifier_preferredMaintenanceWindow (402.28s)
--- PASS: TestAccRDSCluster_SnapshotIdentifier_deletionProtection (406.54s)
--- PASS: TestAccRDSCluster_SnapshotIdentifier_masterUsername (463.95s)
--- PASS: TestAccRDSCluster_SnapshotIdentifier_masterPassword (689.70s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/rds	692.918s
$ make testacc PKG=docdb TESTS=TestAccDocDBCluster_

==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/docdb/... -v -count 1 -parallel 20 -run='TestAccDocDBCluster_'  -timeout 180m
--- PASS: TestAccDocDBCluster_missingUserNameCausesError (11.53s)
--- PASS: TestAccDocDBCluster_generatedName (144.14s)
--- PASS: TestAccDocDBCluster_basic (146.76s)
--- PASS: TestAccDocDBCluster_GlobalClusterIdentifier_Remove (149.57s)
--- PASS: TestAccDocDBCluster_GlobalClusterIdentifier_Add (152.85s)
--- PASS: TestAccDocDBCluster_GlobalClusterIdentifier (166.68s)
--- PASS: TestAccDocDBCluster_encrypted (167.44s)
--- PASS: TestAccDocDBCluster_updateCloudWatchLogsExports (170.11s)
--- PASS: TestAccDocDBCluster_kmsKey (173.10s)
--- PASS: TestAccDocDBCluster_backupsUpdate (190.27s)
--- PASS: TestAccDocDBCluster_updateTags (190.38s)
--- PASS: TestAccDocDBCluster_namePrefix (193.25s)
--- PASS: TestAccDocDBCluster_GlobalClusterIdentifier_Update (205.53s)
--- PASS: TestAccDocDBCluster_deleteProtection (268.14s)
--- PASS: TestAccDocDBCluster_port (272.94s)
--- PASS: TestAccDocDBCluster_takeFinalSnapshot (350.44s)
--- PASS: TestAccDocDBCluster_GlobalClusterIdentifier_PrimarySecondaryClusters (2305.32s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/docdb	2308.473s
$ make testacc PKG=neptune TESTS=TestAccNeptuneCluster_

==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/neptune/... -v -count 1 -parallel 20 -run='TestAccNeptuneCluster_'  -timeout 180m
--- PASS: TestAccNeptuneCluster_serverlessConfiguration (166.40s)
--- PASS: TestAccNeptuneCluster_namePrefix (167.06s)
--- PASS: TestAccNeptuneCluster_iamAuth (199.83s)
--- PASS: TestAccNeptuneCluster_encrypted (199.89s)
--- PASS: TestAccNeptuneCluster_basic (199.93s)
--- PASS: TestAccNeptuneCluster_kmsKey (205.97s)
--- PASS: TestAccNeptuneCluster_updateIAMRoles (206.61s)
--- PASS: TestAccNeptuneCluster_disappears (215.52s)
--- PASS: TestAccNeptuneCluster_tags (235.34s)
--- PASS: TestAccNeptuneCluster_backupsUpdate (262.44s)
--- PASS: TestAccNeptuneCluster_deleteProtection (310.26s)
--- PASS: TestAccNeptuneCluster_copyTagsToSnapshot (311.72s)
--- PASS: TestAccNeptuneCluster_takeFinalSnapshot (332.98s)
--- PASS: TestAccNeptuneCluster_updateCloudWatchLogsExports (333.99s)
--- PASS: TestAccNeptuneCluster_restoreFromSnapshot (457.47s)
--- PASS: TestAccNeptuneCluster_updateEngineVersion (1835.02s)
--- PASS: TestAccNeptuneCluster_updateEngineMajorVersion (2018.32s)
--- PASS: TestAccNeptuneCluster_GlobalClusterIdentifier_PrimarySecondaryClusters (2937.84s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/neptune	2941.269s

@TechIsCool
Copy link

TechIsCool commented Feb 18, 2023

I want to add caution that there are dragons lurking inside of this change that will catch users off guard.

  1. If your restoring an automated back from the same cluster. The ForceNew will in essence taint the cluster and destroy it before creating a new one from the snapshot_identifier. As part of the cluster destroy all automated snapshots are are pruned and lost all your data. The new cluster says it can't find the snapshot_identifier. I filed a support ticket (12024155471) with AWS today to confirm this. At this time, retaining Automated-Snapshots for Aurora is not possible, as it is currently not a flag or marker in the CLI or API call. [1]
  2. With the current code we define snapshot_identifier only long enough to get the cluster created and then remove the extra code in terraform. This new ForceNew doesn't have any validation to check to see if the goal is just someone cleaning up the dead reference that no longer is relevant. It might be acceptable to change from an arn:.. to an empty string but not the other way around.

@github-actions github-actions bot added size/S Managed by automation to categorize the size of a PR. and removed size/XS Managed by automation to categorize the size of a PR. labels Feb 21, 2023
@jar-b
Copy link
Member Author

jar-b commented Feb 21, 2023

Hi @TechIsCool 👋 - Thanks for your comment! I've added DiffSuppressFunc's which should address your second point by allowing removal of the snapshot_idenfitier without a forced replacement.

The automated snapshot scenario is a more difficult one to account for as the snapshot deletion occurs outside the provider workflow. To my knowledge we can't (reliably) distinguish between automated and manual snapshots from identifier alone, which rules out a validation step that could error or warn at plan time. At a minimum we should include some documentation that calls attention to this possibility in each of the impacted resources. I'll also bring this point back to discuss internally and decide if we should consider holding this change for a major release, or pursuing other options.

Thanks again!

@github-actions github-actions bot added the documentation Introduces or discusses updates to documentation. label Feb 21, 2023
@jar-b jar-b added this to the v5.0.0 milestone Feb 22, 2023
@jar-b
Copy link
Member Author

jar-b commented Feb 22, 2023

After discussing internally, we are going to hold this until v5.0.0 in order to make these changes as visible as possible.

@jar-b jar-b force-pushed the td-rds_cluster-snapshot-force-new branch from 23e2ed1 to e7c2818 Compare May 1, 2023 14:11
@jar-b jar-b changed the base branch from main to prerelease/5.x May 1, 2023 14:11
@jar-b jar-b marked this pull request as ready for review May 1, 2023 14:13
@jar-b jar-b added the breaking-change Introduces a breaking change in current functionality; usually deferred to the next major release. label May 1, 2023
@jar-b jar-b force-pushed the td-rds_cluster-snapshot-force-new branch from e7c2818 to 296fa82 Compare May 1, 2023 17:28
@jar-b jar-b merged commit 21e9bdb into prerelease/5.x May 1, 2023
@jar-b jar-b deleted the td-rds_cluster-snapshot-force-new branch May 1, 2023 18:52
github-actions bot pushed a commit that referenced this pull request May 1, 2023
@github-actions
Copy link

This functionality has been released in v5.0.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 25, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
breaking-change Introduces a breaking change in current functionality; usually deferred to the next major release. documentation Introduces or discusses updates to documentation. service/docdb Issues and PRs that pertain to the docdb service. service/neptune Issues and PRs that pertain to the neptune service. service/rds Issues and PRs that pertain to the rds service. size/S Managed by automation to categorize the size of a PR.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

aws rds cluster is not recreated when snapshot identifier is updated
4 participants