Description
When I try to run terraform apply where the TF code wasn't changed, the Terraform run fails.
Open issue: hashicorp/terraform-provider-aws#24914
- ✋ I have searched the open/closed issues and my issue is not listed.
Versions
- Module version [Required]: 2.1.0
- Terraform version: 1.7.4
- Provider version(s): 5.37.0
Reproduction Code [Required]
module "msk_kafka_cluster" {
  source  = "terraform-aws-modules/msk-kafka-cluster/aws"
  version = "2.1.0"

  name                   = local.cluster_name
  kafka_version          = var.kafka_version
  number_of_broker_nodes = length(tolist(data.aws_subnets.msk_enabled.ids))
  enhanced_monitoring    = "PER_BROKER"

  broker_node_client_subnets  = tolist(data.aws_subnets.msk_enabled.ids)
  broker_node_instance_type   = "kafka.m5.large"
  broker_node_security_groups = [aws_security_group.kafka-clients.id]

  encryption_in_transit_client_broker = "TLS"
  encryption_in_transit_in_cluster    = true

  create_configuration   = false
  configuration_arn      = aws_msk_configuration.msk-cluster.arn
  configuration_revision = aws_msk_configuration.msk-cluster.latest_revision

  jmx_exporter_enabled    = true
  node_exporter_enabled   = true
  cloudwatch_logs_enabled = true
  s3_logs_enabled         = false

  scaling_max_capacity = 1000
  scaling_target_value = 80

  cloudwatch_log_group_retention_in_days = 90

  client_authentication = var.client_authentication

  create_scram_secret_association = true
  scram_secret_association_secret_arn_list = [
    data.aws_secretsmanager_secret.this.arn
  ]

  tags = local.tags

  timeouts = {
    create = "120m"
  }
}
Steps to reproduce the behavior:
Expected behavior
Terraform has to run and successfully finish with the message "No infrastructure changes"
Actual behavior
Terraform tries to update security settings where security settings weren't changed
Terminal Output Screenshot(s)
Error: updating MSK Cluster (arn:aws:kafka:us-west-2:***********:cluster/msk-kafka-cluster/*******) security: operation error Kafka: UpdateSecurity, https response error StatusCode: 400, RequestID: ************, BadRequestException: The request does not include any updates to the security setting of the cluster. Verify the request, then try again. with module.msk_kafka_cluster.aws_msk_cluster.this[0] on .terraform/modules/msk_kafka_cluster/main.tf line 5, in resource "aws_msk_cluster" "this":
Additional context
If you set client_authentication[0].tls in the module like below, Terraform will complete successfully
resource "aws_msk_cluster" "this" {
  lifecycle {
    ignore_changes = [
      broker_node_group_info[0].storage_info[0].ebs_storage_info[0].volume_size,
      client_authentication[0].tls
    ]
  }
}
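
An added example, not part of the original issue or of the module's code: a pre-apply check that reads the JSON form of a plan (`terraform show -json <planfile>`) and lists which `client_authentication` paths an in-place `aws_msk_cluster` update would touch, which is what to review before putting that block under `ignore_changes`. The sample plan and its before/after values are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output.
# The before/after values are assumptions, not taken from the issue.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [{
  "address": "module.msk_kafka_cluster.aws_msk_cluster.this[0]",
  "type": "aws_msk_cluster",
  "change": {
    "actions": ["update"],
    "before": {"enhanced_monitoring": "PER_BROKER",
               "client_authentication": [{"unauthenticated": false,
                 "sasl": [{"iam": false, "scram": true}], "tls": []}]},
    "after":  {"enhanced_monitoring": "PER_BROKER",
               "client_authentication": [{"unauthenticated": false,
                 "sasl": [{"iam": false, "scram": true}],
                 "tls": [{"certificate_authority_arns": []}]}]}
  }}]}
""")

def diff_paths(before, after, path=""):
    """Return the attribute paths whose values differ between two plan states."""
    if isinstance(before, dict) and isinstance(after, dict):
        out = []
        for key in sorted(set(before) | set(after)):
            sub = f"{path}.{key}" if path else key
            out += diff_paths(before.get(key), after.get(key), sub)
        return out
    if isinstance(before, list) and isinstance(after, list) and len(before) == len(after):
        out = []
        for i, (b, a) in enumerate(zip(before, after)):
            out += diff_paths(b, a, f"{path}[{i}]")
        return out
    # Scalars, mismatched types, or lists of different length: compare whole.
    return [] if before == after else [path]

def msk_security_updates(plan):
    """Map each aws_msk_cluster in-place update to its changed client_authentication paths."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_msk_cluster" or rc["change"]["actions"] != ["update"]:
            continue
        changed = diff_paths(rc["change"]["before"], rc["change"]["after"])
        hits = [p for p in changed if p.startswith("client_authentication")]
        if hits:
            findings[rc["address"]] = hits
    return findings

if __name__ == "__main__":
    for address, paths in msk_security_updates(SAMPLE_PLAN).items():
        print(address, "->", ", ".join(paths))
```

Once `client_authentication[0].tls` is listed under `ignore_changes`, Terraform also stops planning intended changes to that block, so a check like this is most useful before the workaround is applied.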