
[Bug]: Cannot use manage master password in Secrets Manager when creating RDS from snapshot #31509

Closed
jarten-mlg opened this issue May 20, 2023 · 8 comments · Fixed by #33699
Labels
bug Addresses a defect in current functionality. service/rds Issues and PRs that pertain to the rds service.

@jarten-mlg

Terraform Core Version

1.3.9

AWS Provider Version

4.64.0

Affected Resource(s)

aws_db_instance

Expected Behavior

When using:
manage_master_user_password = true

to store the RDS password in secrets manager when restoring from a snapshot:

snapshot_identifier = "snapshot-name"

Actual Behavior

The RDS instance will be created from the snapshot but still use the original password from the snapshot.

If I comment out the line:
manage_master_user_password = true

do a terraform apply, and then uncomment the line, and terraform apply again, THEN it will store the credentials in secrets manager.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

manage_master_user_password = true
snapshot_identifier = "rds-test1"

Steps to Reproduce

The RDS instance will be created from the snapshot but still use the original password from the snapshot.

If I comment out the line:
manage_master_user_password = true

do a terraform apply, and then uncomment the line, and terraform apply again, THEN it will store the credentials in secrets manager.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

@jarten-mlg jarten-mlg added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels May 20, 2023
@github-actions

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@justinretzolk
Member

Hey @jarten-mlg 👋 Thank you for taking the time to raise this! So that we have the necessary information in order to look into this, can you supply a sample Terraform configuration as well as debug logs (redacted as needed)?

@justinretzolk justinretzolk added waiting-response Maintainers are waiting on response from community or contributor. service/rds Issues and PRs that pertain to the rds service. and removed needs-triage Waiting for first response or review from a maintainer. labels May 22, 2023
@jarten-mlg
Author

jarten-mlg commented May 23, 2023

Hi @justinretzolk, there aren't debug logs as there are no errors; however, I have this snippet below that shows the resource I am creating from the RDS snapshot. If you follow the steps listed in the description you should be able to recreate the same output:

resource "aws_db_instance" "rds_01" {
  identifier                          = "rds-01"
  instance_class                      = "db.t3.micro"
  #allocated_storage                  = 200
  storage_type                        = "gp2"
  #max_allocated_storage              = 1000
  #engine                             = "mysql"
  #engine_version                     = "8.0.32"
  storage_encrypted                   = true
  auto_minor_version_upgrade          = true
  backup_retention_period             = "7"
  copy_tags_to_snapshot               = true
  delete_automated_backups            = true
  # Ask RDS to generate the master password and store it in Secrets Manager
  manage_master_user_password         = true
  # Restore from an existing snapshot instead of creating a fresh instance
  snapshot_identifier                 = "rds-test1"
  db_subnet_group_name                = aws_db_subnet_group.rds_db_subnet_group.name
  availability_zone                   = "us-east-1a"
  # Reference is <resource type>.<resource name>.<attribute>
  vpc_security_group_ids              = [aws_security_group.rds.id]
  multi_az                            = false
  parameter_group_name                = "default.mysql8.0"
  publicly_accessible                 = false
  skip_final_snapshot                 = true
  iam_database_authentication_enabled = true
  tags                                = merge(var.tags, { Name = "rds-01" })
}

@github-actions github-actions bot removed the waiting-response Maintainers are waiting on response from community or contributor. label May 23, 2023
@jkoermer-eqxm

My Process:

  1. Original database did not enable manage_master_user_password
  2. Create a snapshot of original database
  3. Restore from original database with manage_master_user_password = true in terraform
    DB Restored with the original username and password, no AWS Secret
    Terraform plan showed no difference
    State File: manage_master_user_password = true
    AWS CLI: There is no MasterUserSecret Attribute
  4. Enabled in the AWS console
    Terraform plan still showed no difference
    AWS CLI: There is a MasterUserSecret section

Terraform State File

% terraform state show 'module.rds.aws_db_instance.rds[0]'
# module.rds.aws_db_instance.rds[0]:
resource "aws_db_instance" "rds" {
    address                               = "<database_name>.<region>.rds.amazonaws.com"
    allocated_storage                     = 30
    allow_major_version_upgrade           = false
    apply_immediately                     = true
    arn                                   = "arn:aws:rds:<region>:<account_no>:db:<database_name>"
    auto_minor_version_upgrade            = true
    availability_zone                     = "<availability_zone>"
    db_name                               = "<database_name>"
    engine                                = "postgres"
    engine_version                        = "14.4"
    engine_version_actual                 = "14.4"
    final_snapshot_identifier             = "<final_snapshot_name>"
    iam_database_authentication_enabled   = false
    id                                    = "<database_name>"
    identifier                            = "<database_name>"
    instance_class                        = "db.t4g.medium"
    kms_key_id                            = "arn:aws:kms:<region>:<account_no>:key/xxxxx"
    license_model                         = "postgresql-license"
    listener_endpoint                     = []
    manage_master_user_password           = true
    master_user_secret                    = []
    master_user_secret_kms_key_id         = "<alias>"
    max_allocated_storage                 = 0
    name                                  = "<database_name>"
    replicas                              = []
    skip_final_snapshot                   = false
    snapshot_identifier                   = "<database_snapshot>"
    status                                = "storage-optimization"
    username                              = "<admin_username>"
    ....
}

AWS Configuration

% aws2 rds describe-db-instances --db-instance-identifier <database_name>
DBInstances:
- ActivityStreamStatus: stopped
  AssociatedRoles: []
  AutoMinorVersionUpgrade: true
  AvailabilityZone: <availability_zone>
  DBInstanceArn: arn:aws:rds:<region>:<account_no>:db:<database_name>
  DBInstanceClass: db.t4g.medium
  DBInstanceIdentifier: <database_name>
  DBInstanceStatus: available
  DBName: <database_name>
  DBSecurityGroups: []
  DbInstancePort: 0
  DomainMemberships: []
  Engine: postgres
  EngineVersion: '14.4'
  IAMDatabaseAuthenticationEnabled: false
  KmsKeyId: arn:aws:kms:<region>:<account_no>:key/xxxxxxxxxx
  LicenseModel: postgresql-license
  MasterUsername: <admin_username>
  PendingModifiedValues: {}
  ReadReplicaDBInstanceIdentifiers: []
  ....

@jarten-mlg
Author

Anyone have an update on this issue?

@gchristidis
Contributor

The resourceInstanceCreate function, when creating from a snapshot, does not appear to check manage_master_user_password and master_user_secret_kms_key_id in order to apply the changes as a ModifyDb action after the restore-from-snapshot action, as it does when creating from a replica source DB.
In addition, this also appears to be the case when creating a DB from a point-in-time restore.
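As an added illustration of the create path described in the comment above (example code written for this page, not the provider's own implementation), the following Go program models the two-step shape the comment describes: a restore-from-snapshot call, followed by a separate modify call that applies `manage_master_user_password` and `master_user_secret_kms_key_id`. The `RDSAPI` interface, the in-memory `fakeRDS`, and the `applyPostRestoreModify` switch are assumptions of this example; the secret ARN and the KMS alias it fills in are constructed placeholders. `CheckSecretDrift` reproduces the check from the earlier comment: configuration and state say `manage_master_user_password = true`, while `describe-db-instances` reports no `MasterUserSecret`, which means the instance is still using the snapshot's original password.

```go
package main

import "fmt"

// DBConfig is a hypothetical, reduced view of the aws_db_instance arguments
// involved in this issue (names mirror the Terraform arguments on the page).
type DBConfig struct {
	Identifier               string
	SnapshotIdentifier       string // set when restoring from a snapshot
	ManageMasterUserPassword bool
	MasterUserSecretKmsKeyID string // "" means the service default key
}

// MasterUserSecret mirrors the attribute DescribeDBInstances reports once
// RDS manages the master password; absent (nil) otherwise.
type MasterUserSecret struct {
	SecretARN string
	KmsKeyID  string
}

// DBInstance is a hypothetical, reduced view of a described instance.
type DBInstance struct {
	Identifier       string
	MasterUserSecret *MasterUserSecret
}

// RDSAPI is a stand-in for the RDS calls the create path needs (assumption
// of this example, not the provider's interface).
type RDSAPI interface {
	RestoreFromSnapshot(identifier, snapshotID string) (*DBInstance, error)
	ModifyManageMasterUserPassword(identifier string, manage bool, kmsKeyID string) (*DBInstance, error)
	Describe(identifier string) (*DBInstance, error)
}

// CreateFromSnapshot models the create path. With applyPostRestoreModify
// false it restores only, which is the behaviour this issue reports; with
// true it applies the password-management flag in a follow-up modify call.
func CreateFromSnapshot(api RDSAPI, cfg DBConfig, applyPostRestoreModify bool) (*DBInstance, error) {
	inst, err := api.RestoreFromSnapshot(cfg.Identifier, cfg.SnapshotIdentifier)
	if err != nil {
		return nil, err
	}
	if cfg.ManageMasterUserPassword && applyPostRestoreModify {
		return api.ModifyManageMasterUserPassword(cfg.Identifier, true, cfg.MasterUserSecretKmsKeyID)
	}
	return inst, nil
}

// CheckSecretDrift compares the desired configuration with what the service
// reports. It returns a non-nil error describing the mismatch, nil if consistent.
func CheckSecretDrift(api RDSAPI, cfg DBConfig) error {
	inst, err := api.Describe(cfg.Identifier)
	if err != nil {
		return err
	}
	managed := inst.MasterUserSecret != nil
	switch {
	case cfg.ManageMasterUserPassword && !managed:
		return fmt.Errorf("%s: manage_master_user_password is true but RDS reports no MasterUserSecret (snapshot password still in use)", cfg.Identifier)
	case !cfg.ManageMasterUserPassword && managed:
		return fmt.Errorf("%s: RDS manages the master password but the configuration does not declare it", cfg.Identifier)
	}
	return nil
}

// fakeRDS behaves the way the page describes: a restore keeps the snapshot's
// credentials and attaches no secret; only a modify call attaches one.
type fakeRDS struct{ instances map[string]*DBInstance }

func newFakeRDS() *fakeRDS { return &fakeRDS{instances: map[string]*DBInstance{}} }

func (f *fakeRDS) RestoreFromSnapshot(identifier, snapshotID string) (*DBInstance, error) {
	if snapshotID == "" {
		return nil, fmt.Errorf("%s: snapshot identifier required", identifier)
	}
	inst := &DBInstance{Identifier: identifier} // no MasterUserSecret after restore
	f.instances[identifier] = inst
	return inst, nil
}

func (f *fakeRDS) ModifyManageMasterUserPassword(identifier string, manage bool, kmsKeyID string) (*DBInstance, error) {
	inst, ok := f.instances[identifier]
	if !ok {
		return nil, fmt.Errorf("%s: not found", identifier)
	}
	if !manage {
		inst.MasterUserSecret = nil
		return inst, nil
	}
	if kmsKeyID == "" {
		kmsKeyID = "alias/aws/secretsmanager" // constructed default for the example
	}
	inst.MasterUserSecret = &MasterUserSecret{
		SecretARN: "arn:aws:secretsmanager:<region>:<account_no>:secret:rds!db-" + identifier, // constructed
		KmsKeyID:  kmsKeyID,
	}
	return inst, nil
}

func (f *fakeRDS) Describe(identifier string) (*DBInstance, error) {
	if inst, ok := f.instances[identifier]; ok {
		return inst, nil
	}
	return nil, fmt.Errorf("%s: not found", identifier)
}

func main() {
	cfg := DBConfig{Identifier: "rds-01", SnapshotIdentifier: "rds-test1", ManageMasterUserPassword: true}
	api := newFakeRDS()
	CreateFromSnapshot(api, cfg, false) // restore only: the reported behaviour
	fmt.Println("restore only:    ", CheckSecretDrift(api, cfg))
	api = newFakeRDS()
	CreateFromSnapshot(api, cfg, true) // restore followed by the modify step
	fmt.Println("restore + modify:", CheckSecretDrift(api, cfg))
}
```

Running it prints a drift error for the restore-only path and `<nil>` for the restore-plus-modify path. The same comparison is worth running against a real account after an apply (state value of `manage_master_user_password` versus the presence of `MasterUserSecret` in `describe-db-instances`), since a plan showing no changes, as reported above, does not prove the secret exists.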

@github-actions

This functionality has been released in v5.22.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 20, 2023