
Can't create secondary aurora-postgresql aws_rds_cluster inside an aws_rds_global_cluster when the source/primary cluster has storage encryption enabled #13715

Closed
djschnei21 opened this issue Jun 11, 2020 · 6 comments · Fixed by #14490
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/rds Issues and PRs that pertain to the rds service.

Comments

@djschnei21

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.13
AWS Provider v2.65.0

Affected Resource(s)

  • aws_rds_cluster
  • aws_rds_global_cluster (indirectly)

Terraform Configuration Files

```hcl
provider "aws" {
  alias   = "primary"
  version = "~>2.0"
  region  = "us-east-1"
}

provider "aws" {
  alias   = "secondary"
  version = "~>2.0"
  region  = "us-west-2"
}

resource "aws_rds_global_cluster" "global_cluster" {
  provider                  = "aws.primary"
  storage_encrypted         = true
  engine                    = "aurora-postgresql"
  engine_version            = "${var.engine-version}"
  database_name             = "${var.database_name}"
  global_cluster_identifier = "${var.vpc_name}-${var.app_name}-global"
}

resource "random_id" "snapshot_identifier" {
  byte_length = 4
}

data "aws_kms_key" "primary_kms" {
  provider = "aws.primary"
  key_id   = "alias/aws/rds"
}

resource "aws_rds_cluster" "primary_cluster" {
  provider = "aws.primary"
  lifecycle {
    ignore_changes = ["availability_zones"]
  }
  cluster_identifier        = "${var.vpc_name}-${var.app_name}-primary-cluster"
  global_cluster_identifier = "${aws_rds_global_cluster.global_cluster.id}"
  engine                    = "aurora-postgresql"
  engine_mode               = "provisioned"
  engine_version            = "${var.engine-version}"
  vpc_security_group_ids    = ["${var.sg-east}"]
  db_subnet_group_name      = "${var.east_subnet_group_name}"
  master_username           = "${var.master-username}"
  master_password           = "${var.master-user-password}"
  backup_retention_period   = 14
  preferred_backup_window   = "01:00-02:00"
  storage_encrypted         = true
  kms_key_id                = "${data.aws_kms_key.primary_kms.arn}"
  final_snapshot_identifier = "${var.vpc_name}-${var.app_name}-primary-cluster-final-snapshot-${random_id.snapshot_identifier.hex}"
  skip_final_snapshot       = "${var.skip_final_snapshot}"
}

resource "aws_rds_cluster_instance" "primary" {
  depends_on                      = ["aws_rds_cluster.primary_cluster"]
  provider                        = "aws.primary"
  count                           = 1
  engine                          = "aurora-postgresql"
  cluster_identifier              = "${aws_rds_cluster.primary_cluster.id}"
  identifier                      = "${var.vpc_name}-${var.app_name}-primary-instance"
  promotion_tier                  = "${count.index + 1}"
  performance_insights_enabled    = true
  performance_insights_kms_key_id = "${var.east_kms_key_id}"
  copy_tags_to_snapshot           = true
  instance_class                  = "${var.instance-class}"
  auto_minor_version_upgrade      = true
  db_subnet_group_name            = "${var.east_subnet_group_name}"
}

################# Below runs if dr = true #################

data "aws_kms_key" "secondary_kms" {
  count    = "${var.dr ? 1 : 0}"
  provider = "aws.secondary"
  key_id   = "alias/aws/rds"
}

resource "aws_rds_cluster" "secondary_cluster" {
  depends_on = ["aws_rds_cluster_instance.primary"]
  count      = "${var.dr ? 1 : 0}"
  provider   = "aws.secondary"
  lifecycle {
    ignore_changes = ["availability_zones"]
  }
  cluster_identifier            = "${var.vpc_name}-${var.app_name}-secondary-cluster"
  global_cluster_identifier     = "${aws_rds_global_cluster.global_cluster.id}"
  engine                        = "aurora-postgresql"
  engine_mode                   = "provisioned"
  engine_version                = "${var.engine-version}"
  vpc_security_group_ids        = ["${var.sg-west}"]
  db_subnet_group_name          = "${var.west_subnet_group_name}"
  backup_retention_period       = 14
  preferred_backup_window       = "01:00-02:00"
  storage_encrypted             = true
  kms_key_id                    = "${data.aws_kms_key.secondary_kms.arn}"
  final_snapshot_identifier     = "${var.vpc_name}-${var.app_name}-secondary-cluster-final-snapshot-${random_id.snapshot_identifier.hex}"
  skip_final_snapshot           = "${var.skip_final_snapshot}"
  source_region                 = "us-east-1"
  replication_source_identifier = "${aws_rds_cluster.primary_cluster.arn}"
}

resource "aws_rds_cluster_instance" "secondary" {
  depends_on                      = ["aws_rds_cluster.secondary_cluster"]
  count                           = "${var.dr ? 1 : 0}"
  provider                        = "aws.secondary"
  engine                          = "aurora-postgresql"
  cluster_identifier              = "${aws_rds_cluster.secondary_cluster.id}"
  identifier                      = "${var.vpc_name}-${var.app_name}-secondary-instance"
  promotion_tier                  = "${count.index + 1}"
  performance_insights_enabled    = true
  performance_insights_kms_key_id = "${var.west_kms_key_id}"
  copy_tags_to_snapshot           = true
  instance_class                  = "${var.instance-class}"
  auto_minor_version_upgrade      = true
  db_subnet_group_name            = "${var.west_subnet_group_name}"
}
```

Debug Output

Debug Output gist.

Expected Behavior

Secondary aws_rds_cluster is created in a different region, associated with the parent aws_rds_global_cluster, replicating the primary aws_rds_cluster, and encrypted with the destination region's KMS key

Actual Behavior

I get an error that the source cluster "doesn't have binlogs enabled". This doesn't really make any sense, since binlogs are a MySQL thing AFAIK and I'm creating a postgresql cluster.

Steps to Reproduce

  1. terraform apply the above module
@ghost ghost added service/kms Issues and PRs that pertain to the kms service. service/rds Issues and PRs that pertain to the rds service. labels Jun 11, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jun 11, 2020
@djschnei21 djschnei21 changed the title Can't create secondary aurora-postgresql aws_rds_cluster inside a aws_rds_global_cluster when the source/primary cluster has storage encryption enabled Can't create secondary aurora-postgresql aws_rds_cluster inside an aws_rds_global_cluster when the source/primary cluster has storage encryption enabled Jun 11, 2020
@jgreat

jgreat commented Jun 17, 2020

I also ran into this issue. I worked through it with the aws-cli and figured out the Error: error creating RDS cluster: InvalidDBClusterStateFault: Source cluster doesn't have binlogs enabled. is because global_cluster_identifier and replication_source_identifier are supposed to be mutually exclusive options.

The provider is taking the wrong path and just submitting ReplicationSourceIdentifier and leaving out the GlobalClusterIdentifier in the POST. If both options were submitted you'd get back a different error. It would be nice if the provider checked for exclusivity on the plan.

So take out the replication_source_identifier option and that should get you past this error.

@bd-robert-suarez

I'm running into a similar issue trying to create a global cluster with encryption. I get a presigned URL error when I specify only the global cluster ID and exclude the replication source. Can't seem to find anyone in the same position.

@breathingdust breathingdust added enhancement Requests to existing resources that expand the functionality or scope. and removed needs-triage Waiting for first response or review from a maintainer. labels Jul 15, 2020
@bflad bflad removed the service/kms Issues and PRs that pertain to the kms service. label Aug 6, 2020
bflad added a commit that referenced this issue Aug 6, 2020
…nt creation issue when global_cluster_identifier and replication_source_identifier are both configured

Reference: #13715

After adding new acceptance testing with previous resource logic:

```
    TestAccAWSRDSCluster_GlobalClusterIdentifier_ReplicationSourceIdentifier: testing.go:684: Step 0 error: errors during apply:

        Error: error creating RDS cluster: InvalidDBClusterStateFault: Source cluster arn:aws:rds:us-west-2:--OMITTED--:cluster:tf-acc-test-728428284997379009-primary doesn't have binlogs enabled.
        	status code: 400, request id: 36e4f744-9080-4a6c-adca-fb2fc660d66e
```

After consolidating `CreateDBCluster` logic (allowing both `global_cluster_identifier` and `replication_source_identifier` to be set in the same call):

```
    TestAccAWSRDSCluster_GlobalClusterIdentifier_ReplicationSourceIdentifier: testing.go:684: Step 0 error: errors during apply:

        Error: error creating RDS cluster: InvalidParameterCombination: Value for replicationSourceIdentifier should not be specified for db cluster that is a member of global cluster
        	status code: 400, request id: f8558f28-14d1-49b3-9d94-1a607b1b689d
```

Opt to conditionalize the creation handling for this situation rather than return an error for the conflicting arguments since the existing configuration may be prevalent and the end result is the same. Document `ignore_changes`.

Output from acceptance testing (omitting failures from #14384):

```
--- PASS: TestAccAWSRDSCluster_AvailabilityZones (138.84s)
--- PASS: TestAccAWSRDSCluster_BacktrackWindow (166.46s)
--- PASS: TestAccAWSRDSCluster_backupsUpdate (161.00s)
--- PASS: TestAccAWSRDSCluster_basic (143.12s)
--- PASS: TestAccAWSRDSCluster_ClusterIdentifierPrefix (137.99s)
--- PASS: TestAccAWSRDSCluster_copyTagsToSnapshot (205.95s)
--- PASS: TestAccAWSRDSCluster_DbSubnetGroupName (159.06s)
--- PASS: TestAccAWSRDSCluster_DeletionProtection (160.99s)
--- PASS: TestAccAWSRDSCluster_EnabledCloudwatchLogsExports (341.44s)
--- PASS: TestAccAWSRDSCluster_EnableHttpEndpoint (356.65s)
--- PASS: TestAccAWSRDSCluster_encrypted (121.15s)
--- PASS: TestAccAWSRDSCluster_EngineMode (432.72s)
--- PASS: TestAccAWSRDSCluster_EngineMode_Global (139.87s)
--- PASS: TestAccAWSRDSCluster_EngineMode_Multimaster (139.86s)
--- PASS: TestAccAWSRDSCluster_EngineMode_ParallelQuery (137.74s)
--- PASS: TestAccAWSRDSCluster_EngineVersion (425.30s)
--- PASS: TestAccAWSRDSCluster_EngineVersionWithPrimaryInstance (1107.25s)
--- PASS: TestAccAWSRDSCluster_generatedName (126.84s)
--- PASS: TestAccAWSRDSCluster_GlobalClusterIdentifier_EngineMode_Global (189.88s)
--- PASS: TestAccAWSRDSCluster_GlobalClusterIdentifier_EngineMode_Global_Add (163.70s)
--- PASS: TestAccAWSRDSCluster_GlobalClusterIdentifier_EngineMode_Global_Remove (162.57s)
--- PASS: TestAccAWSRDSCluster_GlobalClusterIdentifier_EngineMode_Global_Update (172.66s)
--- PASS: TestAccAWSRDSCluster_GlobalClusterIdentifier_EngineMode_Provisioned (157.23s)
--- PASS: TestAccAWSRDSCluster_GlobalClusterIdentifier_PrimarySecondaryClusters (1768.71s)
--- PASS: TestAccAWSRDSCluster_GlobalClusterIdentifier_ReplicationSourceIdentifier (1747.31s)
--- PASS: TestAccAWSRDSCluster_iamAuth (127.32s)
--- PASS: TestAccAWSRDSCluster_kmsKey (161.41s)
--- PASS: TestAccAWSRDSCluster_missingUserNameCausesError (4.87s)
--- PASS: TestAccAWSRDSCluster_Port (253.12s)
--- PASS: TestAccAWSRDSCluster_ScalingConfiguration (386.00s)
--- PASS: TestAccAWSRDSCluster_ScalingConfiguration_DefaultMinCapacity (379.58s)
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier (371.73s)
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_DeletionProtection (409.17s)
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_EncryptedRestore (358.98s)
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_EngineMode_ParallelQuery (439.76s)
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_EngineMode_Provisioned (333.04s)
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_EngineVersion_Different (359.99s)
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_EngineVersion_Equal (337.24s)
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_MasterPassword (347.53s)
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_MasterUsername (381.60s)
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_PreferredBackupWindow (379.98s)
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_PreferredMaintenanceWindow (363.89s)
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_Tags (381.05s)
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_VpcSecurityGroupIds (362.04s)
--- PASS: TestAccAWSRDSCluster_SnapshotIdentifier_VpcSecurityGroupIds_Tags (369.15s)
--- PASS: TestAccAWSRDSCluster_Tags (136.51s)
--- PASS: TestAccAWSRDSCluster_takeFinalSnapshot (207.97s)
--- PASS: TestAccAWSRDSCluster_updateIamRoles (180.35s)
```
@bflad

bflad commented Aug 6, 2020

Fix submitted (#14490) to prevent the confusing error on creation, however we will document the recommendation that lifecycle configuration block ignore_changes should be used in this case with the replication_source_identifier, e.g.

```hcl
resource "aws_rds_cluster" "secondary" {
  global_cluster_identifier = aws_rds_global_cluster.example.id
  # ... other configuration ...

  lifecycle {
    ignore_changes = [replication_source_identifier]
  }
}
```

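The mutual exclusivity jgreat describes and the creation-time handling bflad's fix adopts, modelled as an added example (not the provider's own code): the request struct is a stand-in for the aws-sdk-go type, and the KMS region check, the identifiers and the ARNs are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Stand-in for the CreateDBCluster request fields this issue touches
// (assumption: aws-sdk-go uses the same names as pointer types).
type createDBClusterInput struct {
	DBClusterIdentifier, Engine, KmsKeyID                string
	GlobalClusterIdentifier, ReplicationSourceIdentifier string
	StorageEncrypted                                     bool
}

// clusterConfig mirrors the aws_rds_cluster arguments from the report plus
// the region of the provider the resource is created with.
type clusterConfig struct {
	Region, ClusterIdentifier, Engine, KmsKeyID          string
	GlobalClusterIdentifier, ReplicationSourceIdentifier string
	StorageEncrypted                                     bool
}

// arnRegion returns the region field of an ARN (arn:partition:service:region:...).
func arnRegion(arn string) string {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) < 6 || parts[0] != "arn" {
		return ""
	}
	return parts[3]
}

// conflictWarning is the plan-time exclusivity check jgreat asked for.
func conflictWarning(cfg clusterConfig) string {
	if cfg.GlobalClusterIdentifier != "" && cfg.ReplicationSourceIdentifier != "" {
		return "replication_source_identifier is ignored when global_cluster_identifier is set; add it to lifecycle ignore_changes"
	}
	return ""
}

// buildCreateInput picks which identifier reaches the API: RDS rejects a call
// carrying both (InvalidParameterCombination), and sending only
// ReplicationSourceIdentifier for a global-cluster member produced the
// misleading "doesn't have binlogs enabled" error. AWS fills in the
// replication source itself once the secondary joins, hence ignore_changes.
func buildCreateInput(cfg clusterConfig) (createDBClusterInput, error) {
	// KMS keys are regional: a secondary must use a key from its own region.
	if cfg.KmsKeyID != "" && arnRegion(cfg.KmsKeyID) != cfg.Region {
		return createDBClusterInput{}, fmt.Errorf("kms_key_id %s is not in region %s", cfg.KmsKeyID, cfg.Region)
	}
	in := createDBClusterInput{DBClusterIdentifier: cfg.ClusterIdentifier, Engine: cfg.Engine,
		StorageEncrypted: cfg.StorageEncrypted, KmsKeyID: cfg.KmsKeyID}
	if cfg.GlobalClusterIdentifier != "" {
		in.GlobalClusterIdentifier = cfg.GlobalClusterIdentifier
	} else {
		in.ReplicationSourceIdentifier = cfg.ReplicationSourceIdentifier
	}
	return in, nil
}
```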
@bflad bflad self-assigned this Aug 6, 2020
@bflad bflad added this to the v3.1.0 milestone Aug 6, 2020
bflad added a commit that referenced this issue Aug 6, 2020
…nt creation issue when global_cluster_identifier and replication_source_identifier are both configured (#14490)
@bflad

bflad commented Aug 6, 2020

The above mentioned fix has been merged and will release with version 3.1.0 of the Terraform AWS Provider, likely later today. 👍

@ghost

ghost commented Aug 7, 2020

This has been released in version 3.1.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Sep 6, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Sep 6, 2020