resource/aws_db_instance: Adds support for domain joining RDS instances #5378
Conversation
…stance. This commit adds the domain related parameters to allow aws_db_instances to be joined to a Directory Services Active Directory domain. The original work to add the parameters was merged from mwalkera125 in hashicorp#5226. Subsequent changes added acceptance tests and documentation for the new arguments and attributes. Co-authored-by: Mike Walker <mike.walker@ticketmaster.com> Co-authored-by: Matthew Burtless <mburtless@threepnet.com>
mburtless
force-pushed
the
rds-add-domain
branch
from
c386751 to
2ad8d53
Compare
bflad
added
enhancement
There was a problem hiding this comment.
This is off to a great start, @mburtless! Left some initial comments below. Can you please let us know if you have any questions or are not able to address them? Thanks!
Also, its probably important to note that RestoreDBInstanceFromDBSnapshotInput also supports the Domain and DomainIAMRoleName parameters, so we should support that on creation there as well (preferably with a matching acceptance test). As for CreateDBInstanceReadReplicaInput/RestoreDBInstanceFromS3Input they will require some additional handling to perform the ModifyDBInstance call on creation so they do not require two terraform apply calls.
aws/resource_aws_db_instance.go
Outdated
| "domain": { | ||
| Type: schema.TypeString, | ||
| Optional: true, | ||
| Computed: true, |
There was a problem hiding this comment.
Is there a reason why this attribute is marked Computed: true? We likely want Terraform to report when an instance is part of a domain, but that is not configured in Terraform.
There was a problem hiding this comment.
Not sure what the original reason was as this was merged from the previous code for this feature committed by @mikewalker125 in #1367. That said, your feedback makes sense to me. I'll remove Computed: true
aws/resource_aws_db_instance.go
Outdated
| "domain_iam_role_name": { | ||
| Type: schema.TypeString, | ||
| Optional: true, | ||
| Computed: true, |
There was a problem hiding this comment.
Same here. Is there a reason why this attribute is marked Computed: true? We likely want Terraform to report when an instance has a domain IAM role assigned, but that is not configured in Terraform.
There was a problem hiding this comment.
Same as above, this was merged from the previous code for this feature committed by @mikewalker125 in #1367. Will remove here as well.
aws/resource_aws_db_instance.go
Outdated
| @@ -1012,6 +1032,11 @@ func resourceAwsDbInstanceRead(d *schema.ResourceData, meta interface{}) error { | |||
| return fmt.Errorf("error setting enabled_cloudwatch_logs_exports: %s", err) | |||
| } | |||
|
|
|||
| if v.DomainMemberships != nil { | |||
There was a problem hiding this comment.
It seems like we should be performing the following check here to prevent potential panics: if len(v.DomainMemberships) > 0 && v.DomainMemberships[0] != nil {
aws/resource_aws_db_instance_test.go
Outdated
| "aws_db_instance.mssql", "engine", "sqlserver-ex"), | ||
| ), | ||
| }, | ||
| }, |
There was a problem hiding this comment.
It might be good to add a TestStep that updates/removes the domain settings here.
There was a problem hiding this comment.
Makes sense, will add a step to test removing the instance from the domain.
bflad
added
the
waiting-response
|
@bflad - Thanks for the feedback. All of those comments make sense and I should be able to get the branch updated in the next few days. Regarding add support for |
|
We should either include it now or document that it currently takes two |
…s further checking to DomainMemberships
…in of db instance works as expected. This commit integrates suggesting made by @bflad in review. It also merges any updates to domain or domain_iam_role_name into a single update request, as both arguments must be present in order to update either property of a DB instance. Finally, it adds an accpetance test step to ensure that after a db instance is joined to a domain, it can be succesfully moved to another by updating the domain argument.X
|
As an update here, at this point I've integrated the suggestions above, except for adding support or documentation for Ended up adding a step to check for updating the Will try to dig into the remaining work shortly. |
|
Noting that after doing some digging, it doesn't appear as if Source: AWS mentions "Read replicas are available in Amazon RDS for MySQL, MariaDB, and PostgreSQL as well as Amazon Aurora." Additionally the CreateDBInstanceReadReplicaInput struct does not have fields or setters for Domain or DomainIAMRoleName. Will continue to explore implementation of these arguments for @bflad - Was there another use case you had in mind when you mentioned |
…FromDBSnapshotInput
|
@bflad - According to AWS Go API Reference With that in mind, I think all the features we need to support have been committed to this PR and are ready for another review (support for |
bflad
removed
the
waiting-response
* Ensure d.Set() is always called for domain and domain_iam_role_name * Remove extraneous d.IsNewResource() check in Update function * Randomize IAM role naming for new domain acceptance tests
There was a problem hiding this comment.
Great work, @mburtless! After the few minor adjustments noted below in a followup commit, we are all set. 🚀
53 tests passed (all tests)
--- PASS: TestAccAWSDBInstance_IsAlreadyBeingDeleted (501.55s)
--- PASS: TestAccAWSDBInstance_generatedName (502.27s)
--- PASS: TestAccAWSDBInstance_importBasic (504.88s)
--- PASS: TestAccAWSDBInstance_iamAuth (515.09s)
--- PASS: TestAccAWSDBInstance_basic (522.42s)
--- PASS: TestAccAWSDBInstance_namePrefix (523.04s)
--- PASS: TestAccAWSDBInstance_optionGroup (572.84s)
--- PASS: TestAccAWSDBInstance_kmsKey (601.98s)
--- PASS: TestAccAWSDBInstance_FinalSnapshotIdentifier_SkipFinalSnapshot (835.06s)
--- PASS: TestAccAWSDBInstance_FinalSnapshotIdentifier (866.54s)
--- PASS: TestAccAWSDBInstance_subnetGroup (888.59s)
--- PASS: TestAccAWSDBInstance_S3Import (795.53s)
--- PASS: TestAccAWSDBInstance_ReplicateSourceDb_Monitoring (1445.14s)
--- PASS: TestAccAWSDBInstance_ReplicateSourceDb_BackupWindow (1525.62s)
--- PASS: TestAccAWSDBInstance_ReplicateSourceDb_AvailabilityZone (1547.95s)
--- PASS: TestAccAWSDBInstance_ReplicateSourceDb_IamDatabaseAuthenticationEnabled (1550.03s)
--- PASS: TestAccAWSDBInstance_ReplicateSourceDb (1716.81s)
--- PASS: TestAccAWSDBInstance_SnapshotIdentifier (1257.94s)
--- PASS: TestAccAWSDBInstance_ReplicateSourceDb_AutoMinorVersionUpgrade (1786.90s)
--- PASS: TestAccAWSDBInstance_ReplicateSourceDb_BackupRetentionPeriod (1847.59s)
--- PASS: TestAccAWSDBInstance_SnapshotIdentifier_AutoMinorVersionUpgrade (1268.90s)
--- PASS: TestAccAWSDBInstance_ReplicateSourceDb_MaintenanceWindow (1918.71s)
--- PASS: TestAccAWSDBInstance_SnapshotIdentifier_AvailabilityZone (1172.26s)
--- PASS: TestAccAWSDBInstance_ReplicateSourceDb_ParameterGroupName (1592.86s)
--- PASS: TestAccAWSDBInstance_SnapshotIdentifier_BackupWindow (1208.86s)
--- PASS: TestAccAWSDBInstance_ReplicateSourceDb_AllocatedStorage (2129.93s)
--- PASS: TestAccAWSDBInstance_SnapshotIdentifier_AllocatedStorage (1672.45s)
--- PASS: TestAccAWSDBInstance_ReplicateSourceDb_Port (1745.71s)
--- PASS: TestAccAWSDBInstance_ReplicateSourceDb_VpcSecurityGroupIds (1748.25s)
--- PASS: TestAccAWSDBInstance_ReplicateSourceDb_MultiAZ (1946.01s)
--- PASS: TestAccAWSDBInstance_SnapshotIdentifier_BackupRetentionPeriod (1642.11s)
--- PASS: TestAccAWSDBInstance_SnapshotIdentifier_IamDatabaseAuthenticationEnabled (1219.17s)
--- PASS: TestAccAWSDBInstance_enhancedMonitoring (677.63s)
--- PASS: TestAccAWSDBInstance_separate_iops_update (694.58s)
--- PASS: TestAccAWSDBInstance_diffSuppressInitialState (449.14s)
--- PASS: TestAccAWSDBInstance_MinorVersion (531.46s)
--- PASS: TestAccAWSDBInstance_portUpdate (694.73s)
--- PASS: TestAccAWSDBInstance_SnapshotIdentifier_MaintenanceWindow (1350.10s)
--- PASS: TestAccAWSDBInstance_ec2Classic (450.75s)
--- PASS: TestAccAWSDBInstance_SnapshotIdentifier_Monitoring (1412.59s)
--- PASS: TestAccAWSDBInstance_cloudwatchLogsExportConfiguration (524.51s)
--- PASS: TestAccAWSDBInstance_SnapshotIdentifier_VpcSecurityGroupIds (1199.90s)
--- PASS: TestAccAWSDBInstance_cloudwatchLogsExportConfigurationUpdate (556.47s)
--- PASS: TestAccAWSDBInstance_SnapshotIdentifier_ParameterGroupName (1389.54s)
--- PASS: TestAccAWSDBInstance_SnapshotIdentifier_Port (1373.55s)
--- PASS: TestAccAWSDBInstance_SnapshotIdentifier_VpcSecurityGroupIds_Tags (1320.82s)
--- PASS: TestAccAWSDBInstance_SnapshotIdentifier_Tags (1428.65s)
--- PASS: TestAccAWSDBInstance_EnabledCloudwatchLogsExports_Oracle (823.45s)
--- PASS: TestAccAWSDBInstance_MSSQL_TZ (1398.21s)
--- PASS: TestAccAWSDBInstance_SnapshotIdentifier_MultiAZ (1994.06s)
--- PASS: TestAccAWSDBInstance_MSSQL_DomainSnapshotRestore (2877.79s)
--- PASS: TestAccAWSDBInstance_MSSQL_Domain (3217.20s)
--- PASS: TestAccAWSDBInstance_SnapshotIdentifier_MultiAZ_SQLServer (4178.93s)
| @@ -1153,6 +1179,11 @@ func resourceAwsDbInstanceRead(d *schema.ResourceData, meta interface{}) error { | |||
| return fmt.Errorf("error setting enabled_cloudwatch_logs_exports: %s", err) | |||
| } | |||
|
|
|||
| if len(v.DomainMemberships) > 0 && v.DomainMemberships[0] != nil { | |||
There was a problem hiding this comment.
To detect drift when the domain membership is removed out of band of Terraform, we should ensure the Terraform state always starts with "", e.g.
d.Set("domain", "")
d.Set("domain_iam_role_name", "")
if len(v.DomainMemberships) > 0 && v.DomainMemberships[0] != nil {
d.Set("domain", v.DomainMemberships[0].Domain)
d.Set("domain_iam_role_name", v.DomainMemberships[0].IAMRoleName)
}👍
| @@ -1412,6 +1443,14 @@ func resourceAwsDbInstanceUpdate(d *schema.ResourceData, meta interface{}) error | |||
| requestUpdate = true | |||
| } | |||
|
|
|||
| if (d.HasChange("domain") || d.HasChange("domain_iam_role_name")) && !d.IsNewResource() { | |||
There was a problem hiding this comment.
We very recently fixed the resource so it does not call the Update function after the Create function, so the !d.IsNewResource() check here is now extraneous. 😄
| } | ||
|
|
||
| resource "aws_iam_role" "role" { | ||
| name = "tf-acc-db-instance-mssql-domain-role" |
There was a problem hiding this comment.
Our CI environment (and soon locally 😉 ) runs acceptance testing in parallel so we need to randomize resource naming or we'll receive errors, e.g.
--- FAIL: TestAccAWSDBInstance_MSSQL_DomainSnapshotRestore (1891.97s)
testing.go:527: Step 0 error: Error applying: 1 error occurred:
* aws_iam_role.role: 1 error occurred:
* aws_iam_role.role: Error creating IAM Role tf-acc-db-instance-mssql-domain-role: EntityAlreadyExists: Role with name tf-acc-db-instance-mssql-domain-role already exists.
Since we're already passing rInt throughout the test configuration here to achieve this with other resources, we can just do the same here. 👍
|
Great news, glad I could help out! Thanks for all the help and feedback here Brian, and to @mikewalker125 for his work on the previous PR. |
|
This has been released in version 1.36.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. |
|
can we now use terraform to add RDS instances to domain? If yes, what attribute we should be using for that? |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked and limited conversation to collaborators
Adds domain and
domain-iam-role-namedomain_iam_role_name parameters to resource aws_db_instance. Based on work from hashicorp/terraform#14425 and #1367.As #1367 has been closed, I've merged commits from branch by @mikewalker125 and added acceptance tests and updated documentation.
Output from acceptance testing: