1.4.0 release causes issues with existing cluster where you don't want to enforce encryption in transit #240

Closed
@gusse

Description

Describe the Bug

I have an existing cluster created with this module (created with version 0.52.0). I tried to upgrade the module to version 1.4.0 and that fails to apply the changes to the replication group, as encryption in transit isn't enforced:

Error: modifying ElastiCache Replication Group (cluster-name): InvalidParameterCombination: To modify transit encryption mode, set encryption-in-transit as enabled.
--
139 | status code: 400, request id: 801e97f5-50ee-4fcb-be54-132456d3bd8b
140 |  
141 | with module.redis[0].aws_elasticache_replication_group.default[0],
142 | on .terraform/modules/redis/main.tf line 157, in resource "aws_elasticache_replication_group" "default":
143 | 157: resource "aws_elasticache_replication_group" "default" {

I'm not sure if this is a problem with the AWS provider or with this module.

Expected Behavior

Module version could be just updated and nothing breaks or requires a change. I think the transit_encryption_mode variable could be optional and not required.

Steps to Reproduce

Create a cluster with an old module version, set transit_encryption_enabled = false in the module call, and apply. Then try to update the module version to 1.4.0; now transit_encryption_mode is set to preferred by default and cannot be unset with the module. Even if I try to enable the encryption to have it enabled as preferred but not required, it fails as the auth token cannot be updated.

TF Plan:

  # module.redis[0].aws_elasticache_replication_group.default[0] will be updated in-place
  ~ resource "aws_elasticache_replication_group" "default" {
      + auth_token                 = (sensitive value)
        id                         = "cluster-name"
        tags                       = {
            "Name" = "cluster-name"
        }
      ~ transit_encryption_enabled = false -> true
      + transit_encryption_mode    = "preferred"

And this results in a failure:

│ Error: modifying ElastiCache Replication Group (cluster-name) authentication: InvalidParameterValue: The AUTH token modification is only supported when encryption-in-transit is enabled.
│ 	status code: 400, request id: 2239b079-2a7c-45ac-b952-5095b9e66cdc
│
│   with module.redis[0].aws_elasticache_replication_group.default[0],
│   on .terraform/modules/redis/main.tf line 157, in resource "aws_elasticache_replication_group" "default":
│  157: resource "aws_elasticache_replication_group" "default" {
│
╵

Screenshots

No response

Environment

  • terraform 1.4.6
  • provider[registry.terraform.io/hashicorp/aws] >= 5.32.0

Additional Context

No response
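
A pre-apply check for the two plan shapes reported above, added here as an example and not part of the issue or the module: it reads a plan in the JSON form produced by `terraform show -json` and flags in-place updates that match either rejection. The reason labels, helper names and sample plan are constructed, and the rules encode only the two errors quoted in this issue, not ElastiCache's full validation.

```python
RESOURCE_TYPE = "aws_elasticache_replication_group"

def _val(attrs, key):
    """Treat null and empty string as the same 'unset' value."""
    return attrs.get(key) or None

def check_plan(plan):
    """Return (address, reason) pairs for updates matching the two reported failures."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != RESOURCE_TYPE or change.get("actions") != ["update"]:
            continue
        before, after = change.get("before") or {}, change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        mode_changed = (_val(before, "transit_encryption_mode")
                        != _val(after, "transit_encryption_mode"))
        token_changed = (_val(before, "auth_token") != _val(after, "auth_token")
                         or bool(unknown.get("auth_token")))
        # First error in the issue: a mode is set while encryption stays disabled.
        if mode_changed and not after.get("transit_encryption_enabled"):
            findings.append((rc["address"], "mode-without-encryption"))
        # Second error: the auth token changes on a group not yet encrypted in transit.
        if token_changed and not before.get("transit_encryption_enabled"):
            findings.append((rc["address"], "auth-token-before-encryption"))
    return findings

def _rc(name, before, after):
    """Build one constructed resource change entry (hypothetical helper)."""
    return {"address": f"{RESOURCE_TYPE}.{name}", "type": RESOURCE_TYPE,
            "change": {"actions": ["update"], "before": before,
                       "after": after, "after_unknown": {}}}

def _attrs(enabled, mode, token):
    return {"transit_encryption_enabled": enabled,
            "transit_encryption_mode": mode, "auth_token": token}

# Constructed sample plan, not real Terraform output.
SAMPLE_PLAN = {"resource_changes": [
    _rc("first_attempt", _attrs(False, None, None), _attrs(False, "preferred", None)),
    _rc("second_attempt", _attrs(False, None, None),
        _attrs(True, "preferred", "constructed-token")),
    _rc("already_encrypted", _attrs(True, "required", "t"), _attrs(True, "required", "t")),
]}

if __name__ == "__main__":
    for address, reason in check_plan(SAMPLE_PLAN):
        print(f"{address}: {reason}")
```

In a pipeline, load the real plan with `json.load` and fail the job when `check_plan` returns any findings.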
