hashicorp · jar-b · May 25, 2023 · May 24, 2023 · May 24, 2023 · May 24, 2023
@@ -0,0 +1,8 @@
+
+```release-note:enhancement
+resource/aws_opensearch_domain: Removed `engine_version` default value
+```
+
+```release-note:note
+resource/aws_opensearch_domain: The `engine_version` attribute no longer has a default value. When omitted, the underlying AWS API will use the latest OpenSearch engine version.
+```
@@ -1045,8 +1045,6 @@ resource "aws_cognito_identity_pool" "test" {
 resource "aws_opensearch_domain" "test" {
   domain_name = %[1]q
 
-  engine_version = "OpenSearch_1.1"
-
   cognito_options {
     enabled          = true
     user_pool_id     = aws_cognito_user_pool.test.id

@@ -453,7 +453,7 @@ func ResourceDomain() *schema.Resource {
 			"engine_version": {
 				Type:     schema.TypeString,
 				Optional: true,
-				Default:  "OpenSearch_1.1",
+				Computed: true,
 			},
 			"kibana_endpoint": {
 				Type:       schema.TypeString,
@@ -568,9 +568,12 @@ func resourceDomainCreate(ctx context.Context, d *schema.ResourceData, meta inte
 	}
 
 	inputCreateDomain := opensearchservice.CreateDomainInput{
-		DomainName:    aws.String(d.Get("domain_name").(string)),
-		EngineVersion: aws.String(d.Get("engine_version").(string)),
-		TagList:       GetTagsIn(ctx),
+		DomainName: aws.String(d.Get("domain_name").(string)),
+		TagList:    GetTagsIn(ctx),
+	}
+
+	if v, ok := d.GetOk("engine_version"); ok {
+		inputCreateDomain.EngineVersion = aws.String(v.(string))
 	}
 
 	if v, ok := d.GetOk("access_policies"); ok {

@@ -57,7 +57,6 @@ func TestAccOpenSearchDomainPolicy_basic(t *testing.T) {
 				Config: testAccDomainPolicyConfig_basic(ri, policy),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckDomainExists(ctx, "aws_opensearch_domain.test", &domain),
-					resource.TestCheckResourceAttr("aws_opensearch_domain.test", "engine_version", "OpenSearch_1.1"),
 					func(s *terraform.State) error {
 						awsClient := acctest.Provider.Meta().(*conns.AWSClient)
 						expectedArn, err := buildDomainARN(name, awsClient.Partition, awsClient.AccountID, awsClient.Region)
@@ -117,8 +116,7 @@ func buildDomainARN(name, partition, accId, region string) (string, error) {
 func testAccDomainPolicyConfig_basic(randInt int, policy string) string {
 	return fmt.Sprintf(`
 resource "aws_opensearch_domain" "test" {
-  domain_name    = "tf-test-%d"
-  engine_version = "OpenSearch_1.1"
+  domain_name = "tf-test-%d"
 
   cluster_config {
     instance_type = "t2.small.search" # supported in both aws and aws-us-gov

@@ -150,7 +150,7 @@ func TestAccOpenSearchDomain_basic(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckDomainExists(ctx, resourceName, &domain),
 					resource.TestMatchResourceAttr(resourceName, "dashboard_endpoint", regexp.MustCompile(`.*(opensearch|es)\..*/_dashboards`)),
-					resource.TestCheckResourceAttr(resourceName, "engine_version", "OpenSearch_1.1"),
+					resource.TestCheckResourceAttrSet(resourceName, "engine_version"),
 					resource.TestMatchResourceAttr(resourceName, "kibana_endpoint", regexp.MustCompile(`.*(opensearch|es)\..*/_plugin/kibana/`)),
 					resource.TestCheckResourceAttr(resourceName, "tags.%", "0"),
 					resource.TestCheckResourceAttr(resourceName, "vpc_options.#", "0"),
@@ -543,7 +543,8 @@ func TestAccOpenSearchDomain_duplicate(t *testing.T) {
 				Config: testAccDomainConfig_basic(rName),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckDomainExists(ctx, resourceName, &domain),
-					resource.TestCheckResourceAttr(resourceName, "engine_version", "OpenSearch_1.1")),
+					resource.TestCheckResourceAttrSet(resourceName, "engine_version"),
+				),
 				ExpectError: regexp.MustCompile(`OpenSearch Domain ".+" already exists`),
 			},
 		},
@@ -1303,22 +1304,22 @@ func TestAccOpenSearchDomain_Encryption_atRestEnable(t *testing.T) {
 		CheckDestroy:             testAccCheckDomainDestroy(ctx),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccDomainConfig_encryptAtRestDefaultKey(rName, "OpenSearch_1.1", false),
+				Config: testAccDomainConfig_encryptAtRestDefaultKey(rName, "OpenSearch_2.5", false),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckDomainExists(ctx, resourceName, &domain1),
 					testAccCheckDomainEncrypted(false, &domain1),
 				),
 			},
 			{
-				Config: testAccDomainConfig_encryptAtRestDefaultKey(rName, "OpenSearch_1.1", true),
+				Config: testAccDomainConfig_encryptAtRestDefaultKey(rName, "OpenSearch_2.5", true),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckDomainExists(ctx, resourceName, &domain2),
 					testAccCheckDomainEncrypted(true, &domain2),
 					testAccCheckDomainNotRecreated(&domain1, &domain2), // note: this check does not work and always passes
 				),
 			},
 			{
-				Config: testAccDomainConfig_encryptAtRestDefaultKey(rName, "OpenSearch_1.1", false),
+				Config: testAccDomainConfig_encryptAtRestDefaultKey(rName, "OpenSearch_2.5", false),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckDomainExists(ctx, resourceName, &domain1),
 					testAccCheckDomainEncrypted(false, &domain1),
@@ -1412,22 +1413,22 @@ func TestAccOpenSearchDomain_Encryption_nodeToNodeEnable(t *testing.T) {
 		CheckDestroy:             testAccCheckDomainDestroy(ctx),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccDomainConfig_nodeToNodeEncryption(rName, "OpenSearch_1.1", false),
+				Config: testAccDomainConfig_nodeToNodeEncryption(rName, "OpenSearch_2.5", false),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckDomainExists(ctx, resourceName, &domain1),
 					testAccCheckNodeToNodeEncrypted(false, &domain1),
 				),
 			},
 			{
-				Config: testAccDomainConfig_nodeToNodeEncryption(rName, "OpenSearch_1.1", true),
+				Config: testAccDomainConfig_nodeToNodeEncryption(rName, "OpenSearch_2.5", true),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckDomainExists(ctx, resourceName, &domain2),
 					testAccCheckNodeToNodeEncrypted(true, &domain2),
 					testAccCheckDomainNotRecreated(&domain1, &domain2), // note: this check does not work and always passes
 				),
 			},
 			{
-				Config: testAccDomainConfig_nodeToNodeEncryption(rName, "OpenSearch_1.1", false),
+				Config: testAccDomainConfig_nodeToNodeEncryption(rName, "OpenSearch_2.5", false),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckDomainExists(ctx, resourceName, &domain1),
 					testAccCheckNodeToNodeEncrypted(false, &domain1),
@@ -3324,8 +3325,6 @@ resource "aws_iam_role_policy_attachment" "test" {
 resource "aws_opensearch_domain" "test" {
   domain_name = %[1]q
 
-  engine_version = "OpenSearch_1.1"
-
   %[2]s
 
   ebs_options {

@@ -72,8 +72,7 @@ func testAccInboundConnectionAccepterConfig(name string) string {
 	pw := fmt.Sprintf("Aa1-%s", sdkacctest.RandString(10))
 	return fmt.Sprintf(`
 resource "aws_opensearch_domain" "domain_1" {
-  domain_name    = "%s-1"
-  engine_version = "OpenSearch_1.1"
+  domain_name = "%s-1"
 
   cluster_config {
     instance_type = "t3.small.search" # supported in both aws and aws-us-gov
@@ -109,8 +108,7 @@ resource "aws_opensearch_domain" "domain_1" {
 }
 
 resource "aws_opensearch_domain" "domain_2" {
-  domain_name    = "%s-2"
-  engine_version = "OpenSearch_1.1"
+  domain_name = "%s-2"
 
   cluster_config {
     instance_type = "t3.small.search" # supported in both aws and aws-us-gov

@@ -72,8 +72,7 @@ func testAccOutboundConnectionConfig(name string) string {
 	pw := fmt.Sprintf("Aa1-%s", sdkacctest.RandString(10))
 	return fmt.Sprintf(`
 resource "aws_opensearch_domain" "domain_1" {
-  domain_name    = "%s-1"
-  engine_version = "OpenSearch_1.1"
+  domain_name = "%s-1"
 
   cluster_config {
     instance_type = "t3.small.search" # supported in both aws and aws-us-gov
@@ -109,8 +108,7 @@ resource "aws_opensearch_domain" "domain_1" {
 }
 
 resource "aws_opensearch_domain" "domain_2" {
-  domain_name    = "%s-2"
-  engine_version = "OpenSearch_1.1"
+  domain_name = "%s-2"
 
   cluster_config {
     instance_type = "t3.small.search" # supported in both aws and aws-us-gov

@@ -38,7 +38,7 @@ func waitUpgradeSucceeded(ctx context.Context, conn *opensearchservice.OpenSearc
 
 func WaitForDomainCreation(ctx context.Context, conn *opensearchservice.OpenSearchService, domainName string, timeout time.Duration) error {
 	var out *opensearchservice.DomainStatus
-	err := retry.RetryContext(ctx, timeout, func() *retry.RetryError {
+	err := tfresource.Retry(ctx, timeout, func() *retry.RetryError {
 		var err error
 		out, err = FindDomainByName(ctx, conn, domainName)
 		if err != nil {
@@ -50,26 +50,27 @@ func WaitForDomainCreation(ctx context.Context, conn *opensearchservice.OpenSear
 		}
 
 		return retry.RetryableError(
-			fmt.Errorf("%q: Timeout while waiting for the domain to be created", domainName))
-	})
+			fmt.Errorf("%q: Timeout while waiting for OpenSearch Domain to be created", domainName))
+	}, tfresource.WithDelay(10*time.Minute), tfresource.WithPollInterval(10*time.Second))
+
 	if tfresource.TimedOut(err) {
 		out, err = FindDomainByName(ctx, conn, domainName)
 		if err != nil {
-			return fmt.Errorf("Error describing OpenSearch domain: %w", err)
+			return fmt.Errorf("describing OpenSearch Domain: %w", err)
 		}
 		if !aws.BoolValue(out.Processing) && (out.Endpoint != nil || out.Endpoints != nil) {
 			return nil
 		}
 	}
 	if err != nil {
-		return fmt.Errorf("Error waiting for OpenSearch domain to be created: %w", err)
+		return fmt.Errorf("waiting for OpenSearch Domain to be created: %w", err)
 	}
 	return nil
 }
 
 func waitForDomainUpdate(ctx context.Context, conn *opensearchservice.OpenSearchService, domainName string, timeout time.Duration) error {
 	var out *opensearchservice.DomainStatus
-	err := retry.RetryContext(ctx, timeout, func() *retry.RetryError {
+	err := tfresource.Retry(ctx, timeout, func() *retry.RetryError {
 		var err error
 		out, err = FindDomainByName(ctx, conn, domainName)
 		if err != nil {
@@ -82,25 +83,26 @@ func waitForDomainUpdate(ctx context.Context, conn *opensearchservice.OpenSearch
 
 		return retry.RetryableError(
 			fmt.Errorf("%q: Timeout while waiting for changes to be processed", domainName))
-	})
+	}, tfresource.WithDelay(10*time.Minute), tfresource.WithPollInterval(10*time.Second))
+
 	if tfresource.TimedOut(err) {
 		out, err = FindDomainByName(ctx, conn, domainName)
 		if err != nil {
-			return fmt.Errorf("Error describing OpenSearch domain: %w", err)
+			return fmt.Errorf("describing OpenSearch Domain: %w", err)
 		}
 		if !aws.BoolValue(out.Processing) {
 			return nil
 		}
 	}
 	if err != nil {
-		return fmt.Errorf("Error waiting for OpenSearch domain changes to be processed: %w", err)
+		return fmt.Errorf("waiting for OpenSearch Domain changes to be processed: %w", err)
 	}
 	return nil
 }
 
 func waitForDomainDelete(ctx context.Context, conn *opensearchservice.OpenSearchService, domainName string, timeout time.Duration) error {
 	var out *opensearchservice.DomainStatus
-	err := retry.RetryContext(ctx, timeout, func() *retry.RetryError {
+	err := tfresource.Retry(ctx, timeout, func() *retry.RetryError {
 		var err error
 		out, err = FindDomainByName(ctx, conn, domainName)
 
@@ -115,24 +117,24 @@ func waitForDomainDelete(ctx context.Context, conn *opensearchservice.OpenSearch
 			return nil
 		}
 
-		return retry.RetryableError(fmt.Errorf("timeout while waiting for the OpenSearch domain %q to be deleted", domainName))
-	})
+		return retry.RetryableError(fmt.Errorf("timeout while waiting for the OpenSearch Domain %q to be deleted", domainName))
+	}, tfresource.WithDelay(10*time.Minute), tfresource.WithPollInterval(10*time.Second))
 
 	if tfresource.TimedOut(err) {
 		out, err = FindDomainByName(ctx, conn, domainName)
 		if err != nil {
 			if tfresource.NotFound(err) {
 				return nil
 			}
-			return fmt.Errorf("Error describing OpenSearch domain: %s", err)
+			return fmt.Errorf("describing OpenSearch Domain: %s", err)
 		}
 		if out != nil && !aws.BoolValue(out.Processing) {
 			return nil
 		}
 	}
 
 	if err != nil {
-		return fmt.Errorf("Error waiting for OpenSearch domain to be deleted: %s", err)
+		return fmt.Errorf("waiting for OpenSearch Domain to be deleted: %s", err)
 	}
 
 	// opensearch maintains information about the domain in multiple (at least 2) places that need

@@ -404,7 +404,8 @@ Remove `policy_document` from configurations as it no longer exists. Use the `aw
 
 ## resource/aws_opensearch_domain
 
-The `kibana_endpoint` attribute has been deprecated. All configurations using `kibana_endpoint` should be updated to use the `dashboard_endpoint` attribute instead.
+* The `kibana_endpoint` attribute has been deprecated. All configurations using `kibana_endpoint` should be updated to use the `dashboard_endpoint` attribute instead.
+* The `engine_version` attribute no longer has a default value. Omitting this attribute will now create a domain with the latest OpenSearch version, consistent with the behavior of the AWS API.
 
 ## resource/aws_rds_cluster
 

@@ -328,7 +328,9 @@ The following arguments are optional:
 * `cognito_options` - (Optional) Configuration block for authenticating dashboard with Cognito. Detailed below.
 * `domain_endpoint_options` - (Optional) Configuration block for domain endpoint HTTP(S) related options. Detailed below.
 * `ebs_options` - (Optional) Configuration block for EBS related options, may be required based on chosen [instance size](https://aws.amazon.com/opensearch-service/pricing/). Detailed below.
-* `engine_version` - (Optional) Either `Elasticsearch_X.Y` or `OpenSearch_X.Y` to specify the engine version for the Amazon OpenSearch Service domain. For example, `OpenSearch_1.0` or `Elasticsearch_7.9`. See [Creating and managing Amazon OpenSearch Service domains](http://docs.aws.amazon.com/opensearch-service/latest/developerguide/createupdatedomains.html#createdomains). Defaults to `OpenSearch_1.1`.
+* `engine_version` - (Optional) Either `Elasticsearch_X.Y` or `OpenSearch_X.Y` to specify the engine version for the Amazon OpenSearch Service domain. For example, `OpenSearch_1.0` or `Elasticsearch_7.9`.
+  See [Creating and managing Amazon OpenSearch Service domains](http://docs.aws.amazon.com/opensearch-service/latest/developerguide/createupdatedomains.html#createdomains).
+  Defaults to the lastest version of OpenSearch.
 * `encrypt_at_rest` - (Optional) Configuration block for encrypt at rest options. Only available for [certain instance types](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/encryption-at-rest.html). Detailed below.
 * `log_publishing_options` - (Optional) Configuration block for publishing slow and application logs to CloudWatch Logs. This block can be declared multiple times, for each log_type, within the same resource. Detailed below.
 * `node_to_node_encryption` - (Optional) Configuration block for node-to-node encryption options. Detailed below.