MSK cluster to get recreated when sasl is reverted to null #52

Open
nparfait opened this issue Dec 28, 2021 · 6 comments
Labels
bug 🐛 An issue with the system

Comments


nparfait commented Dec 28, 2021

Describe the Bug

In a certain case the MSK config has a tls block with enabled: false whilst also having sasl/scram, e.g. output from aws kafka list-clusters:

            "ClientAuthentication": {
                "Sasl": {
                    "Scram": {
                        "Enabled": true
                    },
                    "Iam": {
                        "Enabled": true
                    }
                },
                "Tls": {
                    "CertificateAuthorityArnList": [],
                    "Enabled": false
                },
                "Unauthenticated": {
                    "Enabled": false
                }
            },

When running a terraform plan, it wants to recreate the cluster:

   module.kafka.aws_msk_cluster.default[0] must be replaced
-/+ resource "aws_msk_cluster" "default" {
      ~ client_authentication {
          - tls { # forces replacement
              - certificate_authority_arns = [] -> null
            }
            # (1 unchanged block hidden)
        }

As a workaround I added an ignore_changes to the aws_msk_cluster resource:

  lifecycle {
    ignore_changes = [
      # Ignore changes to ebs_volume_size in favor of autoscaling policy
      broker_node_group_info[0].ebs_volume_size,
      client_authentication[0].tls
    ]
  }

Expected Behavior

I expect this to not replace the cluster, as there is really no change.

Steps to Reproduce

See above description.
I believe if you enable unauthenticated access via the console and then disable it, the cluster can have the extra info in the config.


Environment (please complete the following information):


  • OS: OSX
  • Version 12.1 monterey


@nparfait nparfait added the bug 🐛 An issue with the system label Dec 28, 2021

nikhilo commented Jan 14, 2022

I'm also seeing a similar problem. Unfortunately we edited the security settings on our MSK cluster by hand (enabled TLS). Now if I describe the cluster using awscli, I see that the ClientAuthentication section now has the SASL block, which wasn't there before.

        "Sasl": {
            "Scram": {
                "Enabled": false
            },
            "Iam": {
                "Enabled": false
            }
        },

And if I try to apply my Terraform code (which now has client_tls_auth_enabled=true and correct certificate_authority_arns), I see that Terraform is trying to delete the SASL block and wanting to recreate the whole MSK cluster 🤦🏽‍♂️

      ~ client_authentication {
          - sasl { # forces replacement
              - iam   = false -> null
              - scram = false -> null
            }

            # (1 unchanged block hidden)
        }

@aleksey-dv

Same issue.
Seems to be related to a bug in the AWS Terraform provider: hashicorp/terraform-provider-aws#22839

@simoferr98

Same problem.

I am using the provider version = "~> 4.14.0"

@nitrocode (Member)

@simoferr98 if you're hitting this issue, could you create a ticket with the Terraform AWS provider? All we can do in this module is bump the minimum AWS provider version.

@quercusilvam

I also faced this issue. And this is related to: hashicorp/terraform-provider-aws#24914 & hashicorp/terraform-provider-aws#30752

A workaround is to set an explicit false for the unused authentication methods, e.g.:

  client_authentication {
    tls {
      certificate_authority_arns = local.pca_arn
    }
    sasl {
      iam   = false
      scram = false
    }
    unauthenticated = false
  }

But this will not work in this module. Even if I set:

client_allow_unauthenticated = false
client_tls_auth_enabled      = true
client_sasl_iam_enabled      = false
client_sasl_scram_enabled    = false

You are using dynamic blocks that will not generate the sasl part if client_sasl_iam_enabled & client_sasl_scram_enabled are both false.

IMHO you could adopt this workaround in the module and always set false values.

nitrocode (Member) commented May 21, 2023

That's a great point. We're open to prs to fix this.

  dynamic "sasl" {
    for_each = var.client_sasl_scram_enabled || var.client_sasl_iam_enabled ? [1] : []
    content {
      scram = var.client_sasl_scram_enabled
      iam   = var.client_sasl_iam_enabled
    }
  }

Changing the dynamic block to a non-dynamic one and defaulting each boolean input to false should fix this and apply the workaround mentioned above.
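The non-dynamic client_authentication block nitrocode proposes, combined with the explicit-false workaround quercusilvam describes, written out as an added example. This is not the module's code and was not posted by anyone in this thread. The authentication variable names follow the module inputs quoted above; the cluster sizing and network inputs, the provider version bound, the lifecycle precondition and the assumption about an empty tls ARN list are mine:

```hcl
# Added example, not the module's own code: a non-dynamic client_authentication
# block with every method stated explicitly, so the configuration says the same
# thing the MSK API reports and no sasl/tls block is "reverted to null".
# Variable names mirror the module inputs quoted in this thread; everything
# else (cluster sizing, network inputs, version bounds) is assumed.

terraform {
  required_version = ">= 1.2.0" # lifecycle preconditions need 1.2+
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.14.0" # version quoted in this thread; assumed sufficient
    }
  }
}

variable "cluster_name" { type = string }
variable "kafka_version" { type = string }
variable "number_of_broker_nodes" { type = number }
variable "broker_instance_type" { type = string }
variable "subnet_ids" { type = list(string) }
variable "security_group_ids" { type = list(string) }

# Authentication inputs all default to false, so a cluster that never enables a
# method still declares it as disabled instead of omitting the block entirely.
variable "client_allow_unauthenticated" {
  type    = bool
  default = false
}
variable "client_tls_auth_enabled" {
  type    = bool
  default = false
}
variable "client_sasl_iam_enabled" {
  type    = bool
  default = false
}
variable "client_sasl_scram_enabled" {
  type    = bool
  default = false
}
variable "certificate_authority_arns" {
  type    = list(string)
  default = []
}

resource "aws_msk_cluster" "default" {
  cluster_name           = var.cluster_name
  kafka_version          = var.kafka_version
  number_of_broker_nodes = var.number_of_broker_nodes

  broker_node_group_info {
    instance_type   = var.broker_instance_type
    client_subnets  = var.subnet_ids
    security_groups = var.security_group_ids
  }

  # Non-dynamic: the sasl block is always emitted, so disabling a method is a
  # value change (true -> false), not a block removal that forces replacement.
  # `unauthenticated` is likewise always set, never left implicit.
  client_authentication {
    sasl {
      scram = var.client_sasl_scram_enabled
      iam   = var.client_sasl_iam_enabled
    }
    tls {
      # Assumption: an empty list matches a cluster whose TLS auth is off; the
      # first comment's plan shows state holding `certificate_authority_arns = []`
      # for exactly that case.
      certificate_authority_arns = var.client_tls_auth_enabled ? var.certificate_authority_arns : []
    }
    unauthenticated = var.client_allow_unauthenticated
  }

  lifecycle {
    # Added guard (not from the thread): refuse a plan in which every method is
    # disabled, which would leave no client able to connect at all.
    precondition {
      condition = (
        var.client_allow_unauthenticated ||
        var.client_tls_auth_enabled ||
        var.client_sasl_iam_enabled ||
        var.client_sasl_scram_enabled
      )
      error_message = "Enable at least one client authentication method or explicitly allow unauthenticated access."
    }
  }
}
```

Besides removing the spurious replacement, stating every method explicitly has a review benefit: whether unauthenticated access or SASL is allowed is visible in the configuration and in every plan diff, rather than being implied by an absent block.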

@nitrocode nitrocode changed the title MSK cluster to get recreated MSK cluster to get recreated when sasl is reverted to null May 21, 2023