Bug: Incorrect evaluation of master_user_options when master_user_arn is set #9

Closed
marksansome opened this issue May 8, 2024 · 2 comments

Description

In the current implementation, there seems to be a bug related to the evaluation of the master_user_options field when the master_user_arn is set to a non-null string. This results in master_user_arn being incorrectly evaluated to null.

Versions

  • Module version [Required]:
    1.1.2

  • Terraform version:
    1.6.6

  • Provider version(s):

+ provider registry.terraform.io/hashicorp/aws v5.48.0
+ provider registry.terraform.io/hashicorp/local v2.5.1
+ provider registry.terraform.io/hashicorp/null v3.2.2
+ provider registry.terraform.io/hashicorp/random v3.6.1
+ provider registry.terraform.io/hashicorp/tls v4.0.5

Reproduction Code [Required]

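# Account lookup referenced below as data.aws_caller_identity.root
data "aws_caller_identity" "root" {}

data "aws_iam_policy_document" "opensearch_assume_role" {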
  statement {
    actions = [
      "sts:AssumeRole"
    ]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.root.account_id}:root"]
    }
  }
}

resource "aws_iam_role" "opensearch_master" {
  name               = "OpenSearch_Master_staging01"
  assume_role_policy = data.aws_iam_policy_document.opensearch_assume_role.json
}

module "opensearch" {
  source  = "terraform-aws-modules/opensearch/aws"
  version = "1.1.2"

  advanced_security_options = {
    enabled                        = false
    anonymous_auth_enabled         = false
    internal_user_database_enabled = false

    master_user_options = {
      master_user_arn = aws_iam_role.opensearch_master.arn
    }
  }

  cluster_config = {
    instance_count           = 3
    dedicated_master_enabled = true
    dedicated_master_type    = "m6g.large.search"
    instance_type            = "r6g.large.search"

    zone_awareness_config = {
      availability_zone_count = 3
    }

    zone_awareness_enabled = true
  }

  domain_name = "staging01"

  engine_version = "OpenSearch_2.11"

  depends_on = [
    aws_iam_role.opensearch_master
  ]
}

Steps to reproduce the behavior:

Run terraform plan

Expected behavior

When var.advanced_security_options.master_user_options.master_user_arn is set, we should see that the ARN is passed to the resource.

Actual behavior

Running plan for the above code shows that no master_user_options are configured as part of aws_opensearch_domain. See resource reference

      + advanced_security_options {
          + anonymous_auth_enabled         = false
          + enabled                        = false
          + internal_user_database_enabled = false
        }

Additional context

Looking at the module, I believe the issue is in this line in main.tf:

master_user_arn      = try(master_user_options.value.master_user_arn, null) == null ? try(master_user_options.value.master_user_arn, data.aws_iam_session_context.current[0].issuer_arn) : null

My understanding is that if master_user_options.value.master_user_arn has a value, the try will evaluate to true, making the outcome of the ternary expression null.
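The quoted expression can be evaluated in isolation with the standalone configuration below. This is an added example, not part of the original issue or the module's code; the ARNs are constructed, the local names are hypothetical, and `arn_preferred` is an assumption about the intended behaviour, not the module's fix.

```hcl
# Added example. Needs no provider or AWS credentials: run `terraform init`,
# then `terraform plan`, or inspect the locals in `terraform console`.
locals {
  # Constructed stand-in for data.aws_iam_session_context.current[0].issuer_arn.
  session_issuer_arn = "arn:aws:iam::111122223333:role/constructed-deployer"

  # Three shapes master_user_options can take (constructed inputs).
  cases = {
    arn_set    = { master_user_arn = "arn:aws:iam::111122223333:role/constructed-master" }
    arn_null   = { master_user_arn = null }
    arn_absent = {}
  }

  # Same shape as the main.tf line quoted in the issue, with `opts` standing
  # in for master_user_options.value.
  as_quoted = {
    for name, opts in local.cases :
    name => try(opts.master_user_arn, null) == null ? try(opts.master_user_arn, local.session_issuer_arn) : null
  }

  # Assumed intent (hypothetical, not the module's code): use the supplied
  # ARN when there is one, otherwise fall back to the session issuer ARN.
  arn_preferred = {
    for name, opts in local.cases :
    name => coalesce(try(opts.master_user_arn, null), local.session_issuer_arn)
  }
}

output "as_quoted" {
  value = local.as_quoted
}

output "arn_preferred" {
  value = local.arn_preferred
}
```

Under Terraform's `try` and conditional semantics, `as_quoted` is null for both `arn_set` and `arn_null` and yields the session ARN only for `arn_absent`, because `try` falls through to its next argument on an error, not on a null value. `arn_preferred` returns the supplied ARN for `arn_set` and the session ARN for the other two cases.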


github-actions bot commented Jun 8, 2024

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

@github-actions github-actions bot added the stale label Jun 8, 2024

This issue was automatically closed because of stale in 10 days

@github-actions github-actions bot closed this as not planned Jun 18, 2024