1.4.0 release causes issues with existing cluster where you don't want to enforce encryption in transit #240

Closed
gusse opened this issue Jun 19, 2024 · 2 comments · Fixed by #238
Labels
bug 🐛 An issue with the system


@gusse
Contributor

gusse commented Jun 19, 2024

Describe the Bug

I have an existing cluster created with this module (created with version 0.52.0). I tried to upgrade the module to version 1.4.0, and that fails to apply the changes to the replication group, as encryption in transit isn't enforced:

Error: modifying ElastiCache Replication Group (cluster-name): InvalidParameterCombination: To modify transit encryption mode, set encryption-in-transit as enabled.
	status code: 400, request id: 801e97f5-50ee-4fcb-be54-132456d3bd8b

  with module.redis[0].aws_elasticache_replication_group.default[0],
  on .terraform/modules/redis/main.tf line 157, in resource "aws_elasticache_replication_group" "default":
 157: resource "aws_elasticache_replication_group" "default" {

I'm not sure if this is a problem with the AWS provider or with this module.

Expected Behavior

Module version could be just updated and nothing breaks or requires a change. I think the transit_encryption_mode variable could be optional and not required.

Steps to Reproduce

Create a cluster with the old module version, set transit_encryption_enabled = false in the module call, and apply. Then try to update the module version to 1.4.0; now transit_encryption_mode is set to preferred by default and cannot be unset with the module. Even if I try to enable the encryption to have it enabled as preferred but not required, it fails, as the auth token cannot be updated.

TF Plan:

  # module.redis[0].aws_elasticache_replication_group.default[0] will be updated in-place
  ~ resource "aws_elasticache_replication_group" "default" {
      + auth_token                 = (sensitive value)
        id                         = "cluster-name"
        tags                       = {
            "Name" = "cluster-name"
        }
      ~ transit_encryption_enabled = false -> true
      + transit_encryption_mode    = "preferred"

And this results in a failure:

│ Error: modifying ElastiCache Replication Group (cluster-name) authentication: InvalidParameterValue: The AUTH token modification is only supported when encryption-in-transit is enabled.
│ 	status code: 400, request id: 2239b079-2a7c-45ac-b952-5095b9e66cdc
│
│   with module.redis[0].aws_elasticache_replication_group.default[0],
│   on .terraform/modules/redis/main.tf line 157, in resource "aws_elasticache_replication_group" "default":
│  157: resource "aws_elasticache_replication_group" "default" {
│
╵

Environment

  • terraform 1.4.6
  • provider[registry.terraform.io/hashicorp/aws] >= 5.32.0

@gusse gusse added the bug 🐛 An issue with the system label Jun 19, 2024
@gusse
Contributor Author

gusse commented Jun 19, 2024

And yes, 1.3.0 works fine

@amontalban
Contributor

Should be fixed by 1.4.1. Sorry for the trouble!
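
An added example, not part of the thread or the module's code: a pre-apply check over Terraform's JSON plan that flags the two in-place updates ElastiCache rejected in this issue. The rule names, the `sample_plan` helper and the plan contents are constructed for illustration; the attribute names and resource address are the ones shown in the plan above.

```python
RG_TYPE = "aws_elasticache_replication_group"

def check_plan(plan):
    """Return (address, rule) pairs for in-place updates ElastiCache rejected in this issue."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != RG_TYPE or change.get("actions") != ["update"]:
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}
        tls_now = bool(before.get("transit_encryption_enabled"))
        tls_planned = bool(after.get("transit_encryption_enabled"))
        mode = after.get("transit_encryption_mode")
        # Rule 1: a transit encryption mode is introduced while encryption stays off
        # ("To modify transit encryption mode, set encryption-in-transit as enabled").
        if mode and mode != before.get("transit_encryption_mode") and not tls_planned:
            findings.append((rc["address"], "mode-set-without-transit-encryption"))
        # Rule 2: the AUTH token changes on a group that is not yet encrypted in transit,
        # even if the same apply also turns encryption on.
        if after.get("auth_token") != before.get("auth_token") and not tls_now:
            findings.append((rc["address"], "auth-token-change-before-transit-encryption"))
    return findings

def sample_plan(after):
    """Constructed plan JSON: an unencrypted group, as in the issue, plus planned values."""
    before = {"transit_encryption_enabled": False,
              "transit_encryption_mode": None, "auth_token": None}
    return {"resource_changes": [{
        "address": "module.redis[0].aws_elasticache_replication_group.default[0]",
        "type": RG_TYPE,
        "change": {"actions": ["update"], "before": before, "after": {**before, **after}},
    }]}

# Constructed plan 1: the module default adds the mode, encryption stays disabled.
PLAN_MODE_ONLY = sample_plan({"transit_encryption_mode": "preferred"})
# Constructed plan 2: encryption, mode and AUTH token all arrive in one apply.
PLAN_ENABLE_ALL = sample_plan({"transit_encryption_enabled": True,
                               "transit_encryption_mode": "preferred",
                               "auth_token": "constructed-placeholder"})
# Constructed plan 3: nothing about encryption changes.
PLAN_NOOP = sample_plan({})

if __name__ == "__main__":
    for name, plan in [("mode only", PLAN_MODE_ONLY), ("enable all", PLAN_ENABLE_ALL),
                       ("no-op", PLAN_NOOP)]:
        print(name, check_plan(plan))
```

For a real plan, pass `check_plan` the parsed output of `terraform show -json <planfile>`.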
