Compatibility issue with Terraform AWS Provider v6.0.0 #260
Description
Describe the Bug
Description
A breaking change introduced in Terraform AWS Provider v6.0.0 prevents deploying Redis instances when auth_token is not specified.
resource/aws_elasticache_replication_group: auth_token_update_strategy no longer has a default value. If auth_token is set, auth_token_update_strategy must also be explicitly configured. (hashicorp/terraform-provider-aws#42336)
Log
* Failed to execute "terraform apply" in "..."
╷
│ Error: Missing required argument
│
│ with module.redis.aws_elasticache_replication_group.default[0],
│ on .terraform\modules\redis\main.tf line 166, in resource "aws_elasticache_replication_group" "default":
│ 166: auth_token_update_strategy = var.auth_token_update_strategy
│
│ "auth_token_update_strategy": all of
│ `auth_token,auth_token_update_strategy` must be specified
╵
exit status 1Expected Behavior
- It should be possible to create Redis instances without specifying
auth_token.
Steps to Reproduce
- Deploy a Redis instance without specifying
auth_token. - Ensure
.terraform.lock.hclis as follows:
provider "registry.terraform.io/hashicorp/aws" {
version = "6.0.0"
constraints = "6.0.0"
hashes = [
"h1:UIEId3EdDvMWAZ6C3Wvh/WRtlemiPKzsn3EpEIKK+08=",
"zh:16b1bb786719b7ebcddba3ab751b976ebf4006f7144afeebcb83f0c5f41f8eb9",
"zh:1fbc08b817b9eaf45a2b72ccba59f4ea19e7fcf017be29f5a9552b623eccc5bc",
"zh:304f58f3333dbe846cfbdfc2227e6ed77041ceea33b6183972f3f8ab51bd065f",
"zh:4cd447b5c24f14553bd6e1a0e4fea3c7d7b218cbb2316a3d93f1c5cb562c181b",
"zh:589472b56be8277558616075fc5480fcd812ba6dc70e8979375fc6d8750f83ef",
"zh:5d78484ba43c26f1ef6067c4150550b06fd39c5d4bfb790f92c4a6f7d9d0201b",
"zh:5f470ce664bffb22ace736643d2abe7ad45858022b652143bcd02d71d38d4e42",
"zh:7a9cbb947aaab8c885096bce5da22838ca482196cf7d04ffb8bdf7fd28003e47",
"zh:854df3e4c50675e727705a0eaa4f8d42ccd7df6a5efa2456f0205a9901ace019",
"zh:87162c0f47b1260f5969679dccb246cb528f27f01229d02fd30a8e2f9869ba2c",
"zh:9a145404d506b52078cd7060e6cbb83f8fc7953f3f63a5e7137d41f69d6317a3",
"zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
"zh:a4eab2649f5afe06cc406ce2aaf9fd44dcf311123f48d344c255e93454c08921",
"zh:bea09141c6186a3e133413ae3a2e3d1aaf4f43466a6a468827287527edf21710",
"zh:d7ea2a35ff55ddfe639ab3b04331556b772a8698eca01f5d74151615d9f336db",
]
}
provider "registry.terraform.io/hashicorp/null" {
version = "3.2.4"
constraints = "3.2.4"
hashes = [
"h1:+Ag4hSb4qQjNtAS6gj2+gsGl7v0iB/Bif6zZZU8lXsw=",
"zh:59f6b52ab4ff35739647f9509ee6d93d7c032985d9f8c6237d1f8a59471bbbe2",
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
"zh:795c897119ff082133150121d39ff26cb5f89a730a2c8c26f3a9c1abf81a9c43",
"zh:7b9c7b16f118fbc2b05a983817b8ce2f86df125857966ad356353baf4bff5c0a",
"zh:85e33ab43e0e1726e5f97a874b8e24820b6565ff8076523cc2922ba671492991",
"zh:9d32ac3619cfc93eb3c4f423492a8e0f79db05fec58e449dee9b2d5873d5f69f",
"zh:9e15c3c9dd8e0d1e3731841d44c34571b6c97f5b95e8296a45318b94e5287a6e",
"zh:b4c2ab35d1b7696c30b64bf2c0f3a62329107bd1a9121ce70683dec58af19615",
"zh:c43723e8cc65bcdf5e0c92581dcbbdcbdcf18b8d2037406a5f2033b1e22de442",
"zh:ceb5495d9c31bfb299d246ab333f08c7fb0d67a4f82681fbf47f2a21c3e11ab5",
"zh:e171026b3659305c558d9804062762d168f50ba02b88b231d20ec99578a6233f",
"zh:ed0fe2acdb61330b01841fa790be00ec6beaac91d41f311fb8254f74eb6a711f",
]
}
provider "registry.terraform.io/hashicorp/random" {
version = "3.7.2"
constraints = "3.7.2"
hashes = [
"h1:0hcNr59VEJbhZYwuDE/ysmyTS0evkfcLarlni+zATPM=",
"zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f",
"zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc",
"zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab",
"zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3",
"zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212",
"zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f",
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
"zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34",
"zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967",
"zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d",
"zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62",
"zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0",
]
}
Screenshots
No response
Environment
- OS: Linux/Windows
- Terraform
v1.12.2. - Terraform modules:
cloudposse/terraform-aws-elasticache-redisversionv1.9.1.
Additional Context
Current workaround
Lock terraform-provider-aws to a version lower than 6.0.0, e.g. 5.100.0:
provider "registry.terraform.io/hashicorp/aws" {
version = "5.100.0"
constraints = "5.100.0"
hashes = [
"h1:H3mU/7URhP0uCRGK8jeQRKxx2XFzEqLiOq/L2Bbiaxs=",
"zh:054b8dd49f0549c9a7cc27d159e45327b7b65cf404da5e5a20da154b90b8a644",
"zh:0b97bf8d5e03d15d83cc40b0530a1f84b459354939ba6f135a0086c20ebbe6b2",
"zh:1589a2266af699cbd5d80737a0fe02e54ec9cf2ca54e7e00ac51c7359056f274",
"zh:6330766f1d85f01ae6ea90d1b214b8b74cc8c1badc4696b165b36ddd4cc15f7b",
"zh:7c8c2e30d8e55291b86fcb64bdf6c25489d538688545eb48fd74ad622e5d3862",
"zh:99b1003bd9bd32ee323544da897148f46a527f622dc3971af63ea3e251596342",
"zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
"zh:9f8b909d3ec50ade83c8062290378b1ec553edef6a447c56dadc01a99f4eaa93",
"zh:aaef921ff9aabaf8b1869a86d692ebd24fbd4e12c21205034bb679b9caf883a2",
"zh:ac882313207aba00dd5a76dbd572a0ddc818bb9cbf5c9d61b28fe30efaec951e",
"zh:bb64e8aff37becab373a1a0cc1080990785304141af42ed6aa3dd4913b000421",
"zh:dfe495f6621df5540d9c92ad40b8067376350b005c637ea6efac5dc15028add4",
"zh:f0ddf0eaf052766cfe09dea8200a946519f653c384ab4336e2a4a64fdd6310e9",
"zh:f1b7e684f4c7ae1eed272b6de7d2049bb87a0275cb04dbb7cda6636f600699c9",
"zh:ff461571e3f233699bf690db319dfe46aec75e58726636a0d97dd9ac6e32fb70",
]
}Possible solutions
Option 1 (non-breaking change)
- Update
versions.tfto excludev6.
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
// From
version = ">= 5.73.0"
// To
version = ">= 5.73.0, < 6.0.0"
}
}
}Option 2 (non-breaking change)
- Update definition of
auth_token_update_strategyvariable to acceptnull.
variable "auth_token_update_strategy" {
validation {
# From
condition = contains(["set", "rotate", "delete"], lower(var.auth_token_update_strategy))
# To
condition = var.auth_token_update_strategy == null || contains(["set", "rotate", "delete"], lower(var.auth_token_update_strategy))
}- Requires consumers to specify
auth_token_update_strategy = nullto bypass default value (ROTATE).
Option 3 (non-breaking change)
- Update definition of
auth_token_update_strategyvariable to acceptnullas mentioned above. - Update definition of
aws_elasticache_replication_groupresource to only setauth_token_update_strategywhenauth_tokenis specified.
resource "aws_elasticache_replication_group" "default" {
auth_token = var.transit_encryption_enabled ? var.auth_token : null
// From
auth_token_update_strategy = var.auth_token_update_strategy
// To
auth_token_update_strategy = var.auth_token != null ? var.auth_token_update_strategy : null
}- Should not require any change in the consumer side.
Option 4 (breaking change; aligns with v6 behavior)
- Update definition of
auth_token_update_strategyvariable to acceptnullas mentioned above. - Update definition of
auth_token_update_strategyvariable to have a default value ofnull.
variable "auth_token_update_strategy" {
// From
default = "ROTATE"
// To
default = null
}- Update definition of
aws_elasticache_replication_groupresource to only setauth_token_update_strategywhenauth_tokenis specified as mentioned above. - Consumers will require to explicitly set
auth_token_update_strategy = "ROTATE"as needed.