
[Bug]: aws_db_instance ca_cert_identifier not applied when creating from a snapshot #33572

Open
cg2v opened this issue Sep 21, 2023 · 4 comments
Labels
bug Addresses a defect in current functionality. service/rds Issues and PRs that pertain to the rds service.

Comments

@cg2v

cg2v commented Sep 21, 2023

Terraform Core Version

1.5.7

AWS Provider Version

5.17.0

Affected Resource(s)

aws_rds_instance

Expected Behavior

When creating a database with both snapshot_identifier = "XXX" and ca_cert_identifier = "rds-ca-rsa2048-g1", the database is created with the correct certificate authority.

Actual Behavior

The database is created with rds-ca-2019. Subsequent terraform runs do update the certificate authority.

Relevant Error/Panic Output Snippet

# module.database.aws_db_instance.rds will be updated in-place
  ~ resource "aws_db_instance" "rds" {
      ~ ca_cert_identifier                    = "rds-ca-2019" -> "rds-ca-rsa2048-g1"
        id                                    = "db-ESVX3EXD54WKK3GE3DE6VDFMZ4"
        tags                                  = {}
        # (53 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Terraform Configuration Files

This is not a functional example. Too bad.

resource "aws_db_instance" "rds" {
  identifier                  = var.app_label
  engine                      = "mysql"
  engine_version              = "8.0"
  instance_class              = "db.t3.micro"
  ca_cert_identifier          = "rds-ca-rsa2048-g1"
  vpc_security_group_ids      = [aws_security_group.rds.id]
  db_subnet_group_name        = aws_db_subnet_group.rds.name
  snapshot_identifier         = "${var.app_label}-master-snapshot"
  final_snapshot_identifier   = "${var.app_label}-working-snapshot"
  storage_encrypted           = true
  manage_master_user_password = true
  apply_immediately           = true
}

Steps to Reproduce

Run terraform apply twice. Note that the second run is not a noop.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

@cg2v cg2v added the bug Addresses a defect in current functionality. label Sep 21, 2023
@github-actions

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/rds Issues and PRs that pertain to the rds service. label Sep 21, 2023
@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Sep 21, 2023
@vbauchart

Looks like a duplicate of #33546.

@cg2v

cg2v commented Sep 29, 2023

The OP in that issue is

  • modifying an existing database, not creating a new one
  • not using apply_immediately=true, which means that even in the absence of a bug, they would still see something similar

The behavior you describe in your comment certainly looks the same as what I am seeing, but I am not sure about the original report.

@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Nov 8, 2023
@tomwidmer

I am seeing this behaviour as well under these circumstances:

  1. Using DocumentDB specifically
  2. Creating without a snapshot
  3. Trying to create with the old CA rds-ca-2019. The default changed on January 25th 2024, so the newer one, rds-ca-rsa2048-g1, is used by default.
  4. apply_immediately=true
  5. Running the build a 2nd time detects the 'drift' (or, rather, the error) and fixes it.

Workaround: set the regional default value to rds-ca-2019 using aws rds modify-certificates. If you already want rds-ca-rsa2048-g1, that's now the default anyway if you haven't changed it yourself. (Note: 2019 certs expire in August 2024.)
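Because the first apply in this report silently leaves the instance on a CA other than the one declared, and a second apply is what corrects it, it is worth having an out-of-band check that compares the CA every instance actually has against the one you intend. The script below is an added example written for this thread; it is not code from the issue, the provider, or AWS. It consumes JSON in the shape of `aws rds describe-db-instances` / boto3 `describe_db_instances()` (the `DBInstances[].CACertificateIdentifier` field is real), but the sample document is constructed inline so it runs offline, and the `CA_EXPIRY` date for rds-ca-2019 is a placeholder derived only from the "August 2024" remark above, not an exact AWS date. The remediation command it emits is the same per-instance change the second terraform apply makes.

```python
import json
from datetime import date

# Constructed sample in the shape of `aws rds describe-db-instances` output,
# trimmed to the fields used here. The identifiers are made up.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "app-restored-from-snapshot",
         "Engine": "mysql",
         "CACertificateIdentifier": "rds-ca-2019"},
        {"DBInstanceIdentifier": "app-fresh",
         "Engine": "mysql",
         "CACertificateIdentifier": "rds-ca-rsa2048-g1"},
        {"DBInstanceIdentifier": "docs-cluster-instance",
         "Engine": "docdb",
         "CACertificateIdentifier": "rds-ca-rsa2048-g1"},
    ]
})

# Assumption: rds-ca-2019 is treated as expired from this placeholder date,
# based only on the "expire in August 2024" note in the thread.
CA_EXPIRY = {"rds-ca-2019": date(2024, 8, 1)}


def find_ca_drift(describe_json, expected_ca, today=None):
    """Return a list of (identifier, actual_ca, reason) tuples for every
    instance whose CA is not expected_ca, or whose CA is past expiry."""
    today = today or date.today()
    findings = []
    for inst in json.loads(describe_json).get("DBInstances", []):
        ident = inst["DBInstanceIdentifier"]
        actual = inst.get("CACertificateIdentifier")
        if actual != expected_ca:
            # This is the state the report describes after the first apply:
            # the instance exists but carries the wrong CA.
            findings.append((ident, actual, f"expected {expected_ca}"))
        elif actual in CA_EXPIRY and today >= CA_EXPIRY[actual]:
            # Right CA per config, but the authority itself has lapsed.
            findings.append((ident, actual, "certificate authority expired"))
    return findings


def remediation_commands(findings, expected_ca):
    """Build one `aws rds modify-db-instance` invocation per finding. The
    --ca-certificate-identifier and --apply-immediately flags are real CLI
    options; --apply-immediately mirrors apply_immediately = true in HCL."""
    return [
        f"aws rds modify-db-instance --db-instance-identifier {ident} "
        f"--ca-certificate-identifier {expected_ca} --apply-immediately"
        for ident, _actual, _reason in findings
    ]


if __name__ == "__main__":
    wanted = "rds-ca-rsa2048-g1"
    drift = find_ca_drift(SAMPLE_DESCRIBE_OUTPUT, wanted, today=date(2024, 3, 1))
    for ident, actual, reason in drift:
        print(f"{ident}: has {actual} ({reason})")
    for cmd in remediation_commands(drift, wanted):
        print(cmd)
```

Run it against real output by replacing `SAMPLE_DESCRIBE_OUTPUT` with the JSON from `aws rds describe-db-instances`; a non-empty result after a successful `terraform apply` is the signature of the defect reported here, and the same check run after the regional-default workaround above confirms whether it took effect.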
