aws_opensearch_domain requires tls_security_policy incorrectly when domain_endpoint_options block is given

[gygitlab]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v1.1.6
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v4.18.0
+ provider registry.terraform.io/hashicorp/tls v3.4.0

Affected Resource(s)

• aws_opensearch_domain

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "aws_opensearch_domain" "test" {
  [...]

  domain_endpoint_options {
    enforce_https  = true
  }
}

Debug Output

╷
│ Error: Error creating OpenSearch domain: ValidationException: 1 validation error detected: Value '' at 'domainEndpointOptions.tLSSecurityPolicy' failed to satisfy constraint: Member must satisfy enum value set: [Policy-Min-TLS-1-0-2019-07, Policy-Min-TLS-1-2-2019-07]
│
│   with module.gitlab_ref_arch_aws.aws_opensearch_domain.test[0],
│   on /opensearch.tf line 11, in resource "aws_opensearch_domain" "gitlab":
│   11: resource "aws_opensearch_domain" "gitlab" {

Expected Behavior

The [tls_security_policy setting is listed as optional] and shouldn't be required when passing it's parent block. It should just default to what the AWS service sets when not given.

Actual Behavior

Passing it's parent block looks to require the policy suggesting that the block is passing an empty value instead of a null incorrectly.

Steps to Reproduce

1. Configure an aws_opensearch_domain as normal with a domain_endpoint_options block specific that doesn't include the optional tls_security_policy setting.
2. terraform apply

[justinretzolk]

Similar to: #13552

@gygitlab -- Thank you for taking the time to raise this! In the issue I linked above, there's a workaround (granted, that's for the aws_elasticsearch_domain resource) that may work for you. Just wanted to alert you to that in case it helps you get around this until the issue can be investigated 🙂

[gygitlab]

Similar to: #13552

@gygitlab -- Thank you for taking the time to raise this! In the issue I linked above, there's a workaround (granted, that's for the aws_elasticsearch_domain resource) that may work for you. Just wanted to alert you to that in case it helps you get around this until the issue can be investigated 🙂

Hi @justinretzolk. Can confirm the workaround works thanks.

Apologies for missing that issue, my search-fu failed me. That said since this is technically a separate resource it's maybe best to keep this open to ensure it gets fixed also. Thanks again!

[justinretzolk]

Hey @gygitlab -- I agree, since this is technically a separate resource, I'm going to leave this issue open as well, so that whoever picks it up to work on it hopefully catches/fixes both in one go 🙂. I don't at all blame you for missing the other, and am glad the workaround worked for you!

[github-actions]

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!