[BUG] Inconsistent Plan and Apply on RDS INSTANCE with enabled_cloudwatch_logs_exports attributes #11208

Closed
zopanix opened this issue Dec 9, 2019 · 3 comments · Fixed by #15404

zopanix commented Dec 9, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.16
+ provider.aws v2.34.0
+ provider.random v2.2.1
+ provider.tls v2.1.1

Affected Resource(s)

  • aws_rds_instance

Terraform Configuration Files

resource "aws_db_instance" "this" {

  identifier                            = format("asdfasdfasdfa%s", var.environment)
  db_subnet_group_name                  = aws_db_subnet_group.this.id
  allocated_storage                     = var.allocated_storage
  instance_class                        = var.instance_class
  storage_type                          = var.storage_type
  multi_az                              = var.multi_az
  snapshot_identifier                   = var.snapshot_identifier
  final_snapshot_identifier             = format("asdfasdfsadf%s", var.environment)
  kms_key_id                            = aws_kms_key.this.arn
  allow_major_version_upgrade           = false
  auto_minor_version_upgrade            = false
  apply_immediately                     = false
  copy_tags_to_snapshot                 = true
  skip_final_snapshot                   = var.skip_final_snapshot
  deletion_protection                   = false
  backup_retention_period               = var.backup_retention_period
  backup_window                         = var.backup_window
  engine                                = var.engine
  engine_version                        = var.engine_version
  maintenance_window                    = "SUN:02:00-SUN:04:00"
  storage_encrypted                     = true
  name                                  = upper(format("sdfgsdfgsdf%s", var.environment))
  username                              = var.username
  password                              = random_password.this.result
  license_model                         = "license-included"
  monitoring_interval                   = 60
  monitoring_role_arn                   = aws_iam_role.this.arn
  performance_insights_enabled          = true
  performance_insights_kms_key_id       = aws_kms_key.this.arn
  performance_insights_retention_period = 7
  enabled_cloudwatch_logs_exports = [
    "alert",
    "trace",
    "listener"
  ]
  vpc_security_group_ids = concat([aws_security_group.this.id], var.security_group_ids)

  tags = merge(
    {
      Terraform = "true"
    },
    var.tags,
    var.rds_tags
  )
}

Expected Behavior

When re-applying the following code, no changes should occur.

Actual Behavior

The enabled_cloudwatch_logs_exports array gets sorted alphabetically and Terraform tries to update the instance. It shouldn't, and when it does, it fails because the AWS API tells it there are no changes.

PLAN:

  # module.plm.module.database.aws_db_instance.this will be updated in-place
  ~ resource "aws_db_instance" "this" {
        address                               = "plm-dev1-database-rds.cedbwfct6u9i.ca-central-1.rds.amazonaws.com"
        allocated_storage                     = 300
        allow_major_version_upgrade           = false
        apply_immediately                     = false
        arn                                   = "arn:aws:rds:ca-central-1:203325506971:db:plm-dev1-database-rds"
        auto_minor_version_upgrade            = false
        availability_zone                     = "ca-central-1b"
        backup_retention_period               = 30
        backup_window                         = "19:00-20:30"
        ca_cert_identifier                    = "rds-ca-2015"
        character_set_name                    = "AL32UTF8"
        copy_tags_to_snapshot                 = true
        db_subnet_group_name                  = "plm-dev1-database-rds"
        deletion_protection                   = false
      ~ enabled_cloudwatch_logs_exports       = [
            "alert",
          - "listener",
            "trace",
          + "listener",
        ]
        endpoint                              = "plm-dev1-database-rds.cedbwfct6u9i.ca-central-1.rds.amazonaws.com:1521"
        engine                                = "oracle-se1"
        engine_version                        = "11.2.0.4.v21"
        final_snapshot_identifier             = "plm-dev1-database-snapshot"
        hosted_zone_id                        = "Z1JG78A3UK1DU3"
        iam_database_authentication_enabled   = false
        id                                    = "plm-dev1-database-rds"
        identifier                            = "plm-dev1-database-rds"
        instance_class                        = "db.m5.2xlarge"
        iops                                  = 0
        kms_key_id                            = "arn:aws:kms:ca-central-1:203325506971:key/5c32ff51-601e-4f3c-beef-8de604aa810b"
        license_model                         = "license-included"
        maintenance_window                    = "sun:02:00-sun:04:00"
        max_allocated_storage                 = 0
        monitoring_interval                   = 60
        monitoring_role_arn                   = "arn:aws:iam::203325506971:role/plm-dev1-database-role"
        multi_az                              = false
        name                                  = "PLMDEV1"
        option_group_name                     = "default:oracle-se1-11-2"
        parameter_group_name                  = "default.oracle-se1-11.2"
        password                              = (sensitive value)
        performance_insights_enabled          = true
        performance_insights_kms_key_id       = "arn:aws:kms:ca-central-1:203325506971:key/5c32ff51-601e-4f3c-beef-8de604aa810b"
        performance_insights_retention_period = 7
        port                                  = 1521
        publicly_accessible                   = false
        replicas                              = []
        resource_id                           = "db-ZMJXYB3IGI2YOTJX6OLT6UNZLE"
        security_group_names                  = []
        skip_final_snapshot                   = false
        status                                = "available"
        storage_encrypted                     = true
        storage_type                          = "gp2"
        tags                                  = {
            "Backup"    = "True"
            "Terraform" = "true"
        }
        username                              = "dbadmin"
        vpc_security_group_ids                = [
            "sg-00912f01acefab5be",
        ]
    }

APPLY:

Error: Error modifying DB Instance plm-dev1-database-rds: InvalidParameterCombination: No modifications were requested
	status code: 400, request id: dfeb845e-2c88-4d5f-a5ed-eb2b580776c3

  on .terraform/modules/plm/modules/database/main.tf line 50, in resource "aws_db_instance" "this":
  50: resource "aws_db_instance" "this" {

Steps to Reproduce

  1. terraform apply
  2. terraform apply

Workaround

NOTE: THIS HASN'T BEEN TESTED BUT WILL PROBABLY WORK.
Re-order the enabled_cloudwatch_logs_exports attributes alphabetically in the code. Everything should be fine.

Important Factoids

  • RDS is an Oracle RDS instance. But I don't think this changes anything.
  • Sorry for the title of the bug, not very clear.

References

I found no other related issue
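
Added example, not part of the original issue and not the provider's own code: a minimal Go sketch of why the plan above shows a change while the API reports none. Comparing the log types as an ordered list sees a difference, but comparing them as a set yields nothing to enable or disable. The function names `logExportDiff` and `orderOnlyDrift` are hypothetical; the log type values are the ones from the issue.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// logExportDiff treats both lists as sets and returns the log types that
// would have to be enabled and disabled to move from remote to configured.
func logExportDiff(configured, remote []string) (enable, disable []string) {
	want := make(map[string]bool, len(configured))
	for _, t := range configured {
		want[t] = true
	}
	have := make(map[string]bool, len(remote))
	for _, t := range remote {
		if have[t] {
			continue // ignore duplicates in the remote list
		}
		have[t] = true
		if !want[t] {
			disable = append(disable, t)
		}
	}
	for t := range want {
		if !have[t] {
			enable = append(enable, t)
		}
	}
	sort.Strings(enable)
	sort.Strings(disable)
	return enable, disable
}

// orderOnlyDrift reports a diff that an ordered-list comparison sees but a
// set comparison does not: there is nothing real to change on the instance.
func orderOnlyDrift(configured, remote []string) bool {
	enable, disable := logExportDiff(configured, remote)
	sameOrder := strings.Join(configured, "\x00") == strings.Join(remote, "\x00")
	return !sameOrder && len(enable) == 0 && len(disable) == 0
}

func main() {
	configured := []string{"alert", "trace", "listener"} // order in the issue's configuration
	remote := []string{"alert", "listener", "trace"}     // order of the current state in the plan
	fmt.Println("order-only drift:", orderOnlyDrift(configured, remote))
}
```

An order-only result on a log export attribute means the exports on the instance already match the configuration, so the plan entry is noise rather than a change in what is being logged.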

@ghost ghost added the service/rds Issues and PRs that pertain to the rds service. label Dec 9, 2019
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Dec 9, 2019
@bflad bflad added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Sep 30, 2020
@bflad bflad self-assigned this Sep 30, 2020
@bflad bflad added this to the v3.9.0 milestone Sep 30, 2020

bflad commented Sep 30, 2020

The fix for this has been merged and will release with version 3.9.0 of the Terraform AWS Provider, likely tomorrow. 👍

ghost commented Oct 2, 2020

This has been released in version 3.9.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

ghost commented Oct 31, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Oct 31, 2020