[Bug]: Provider produced inconsistent result after apply [aws_dms_replication_subnet_group] #27420

Closed
mttradebyte opened this issue Oct 24, 2022 · 12 comments · Fixed by #28748
Labels
bug Addresses a defect in current functionality. service/dms Issues and PRs that pertain to the dms service.

@mttradebyte

mttradebyte commented Oct 24, 2022

Terraform Core Version

1.0.0

AWS Provider Version

4.36.1

Affected Resource(s)

aws_dms_replication_subnet_group

Expected Behavior

An AWS DMS Replication Subnet Group should have been created

Actual Behavior

No subnet group created, and an error is thrown.

Relevant Error/Panic Output Snippet

│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to aws_dms_replication_subnet_group.dms-replication-group, provider
│ "provider[\"registry.terraform.io/hashicorp/aws\"]" produced an unexpected new value: Root resource was present, but now absent.
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

Terraform Configuration Files

resource "aws_dms_replication_subnet_group" "dms-replication-group" {
  replication_subnet_group_description = "Subnet group for DBRO replication"
  replication_subnet_group_id          = "dbro-replication"

  subnet_ids = [
    data.aws_subnets.private.ids[0]
  ]
}

Steps to Reproduce

Just try to create a subnet group.

Plan output

  # aws_dms_replication_subnet_group.dms-replication-group will be created
  + resource "aws_dms_replication_subnet_group" "dms-replication-group" {
      + id                                   = (known after apply)
      + replication_subnet_group_arn         = (known after apply)
      + replication_subnet_group_description = "Subnet group for DBRO replication"
      + replication_subnet_group_id          = "dbro-replication"
      + subnet_ids                           = [
          + "subnet-xxxx",
        ]
      + tags_all                             = {
          ... snip ... 
        }
      + vpc_id                               = (known after apply)
    }

mttradebyte added the bug and needs-triage labels Oct 24, 2022

github-actions bot added the service/dms label Oct 24, 2022
@mttradebyte
Author

mttradebyte commented Oct 24, 2022

On further investigation, it seems to be caused by attempting to use a single AZ in the TF. It appears a subnet group must contain >1 subnets:
[image]
As a stopgap until this is fully fixed, the documentation should be updated to reflect this requirement.

ewbankkit removed the needs-triage label Oct 24, 2022
@ewbankkit
Contributor

There's a missing if err != nil check after this code:

	if tfresource.TimedOut(err) {
		_, err = conn.CreateReplicationSubnetGroup(request)
		if err != nil {
			return err
		}
	}

@MacoAccount

We encounter the same issue. Is there anyone following this item?

@Dawn-cz

Dawn-cz commented Nov 1, 2022

I also encounter the same issue!!!

@BryanStenson-okta
Contributor

On version v4.37.0, I'm seeing this issue, even when passing subnets in >1 availability zone.

@BryanStenson-okta
Contributor

BryanStenson-okta commented Nov 3, 2022

so in my case, i'm taking the list of subnet ids from an output of a remote state object. if i cast this output to a list, this works:

resource "aws_dms_replication_subnet_group" "this" {
  replication_subnet_group_description = "postgres-to-kinesis"
  replication_subnet_group_id          = "postgres-to-kinesis"

  subnet_ids = tolist(data.terraform_remote_state.rds_platformdb.outputs.rds_platformdb_subnet_ids)

  tags = merge(local.common_tags,
    {
      Name = "postgres-to-kinesis"
    }
  )

}

without the tolist(...), it fails.

this works in v3.75.2 and v4.37.0 of the provider.

@klaidaslekavicius

After turning on TF_LOG=debug I found this error message appearing in debug logs:

2022-11-11T12:20:57.230Z [DEBUG] provider.terraform-provider-aws_v4.33.0_x5: [DEBUG] [aws-sdk-go] {"__type":"AccessDeniedFault","message":"The IAM Role arn:aws:iam::047729596285:role/dms-vpc-role is not configured properly."}

2022-11-11T12:20:57.231Z [DEBUG] provider.terraform-provider-aws_v4.33.0_x5: [DEBUG] [aws-sdk-go] DEBUG: Validate Response dms/CreateReplicationSubnetGroup failed, attempt 0/25, error AccessDeniedFault: The IAM Role arn:aws:iam::047729596285:role/dms-vpc-role is not configured properly.

The issue is related to the special role that AWS tries to create when creating a subnet group. Apparently, the provider doesn't create this role automatically, so you need to create this IAM role as well:

resource "aws_iam_role" "dms_vpc_iam_role" {
  name        = "dms-vpc-role"
  description = "Allows Database Migration Service to manage VPC"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Service = "dms.amazonaws.com"
        }
        Action = "sts:AssumeRole"
      },
    ]
  })
}

resource "aws_iam_role_policy_attachment" "dms_vpc_iam_role_policy_attachment" {
  role       = aws_iam_role.dms_vpc_iam_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole"
}

Let me know if this fixes the issue!

@YakDriver
Member

We should add this to the documentation: 👆

YakDriver self-assigned this Jan 4, 2023
@YakDriver
Member

There are 3 different problems described here:

  1. Inconsistent result error: This happens because of a code bug after one of the errors below (or another) happens.
  2. Not using subnets that cover 2 AZs.
  3. Not having the IAM role dms-vpc-role in place. (Relatedly, if creating at the same time, you'll need an explicit depends_on for the policy-role assignment rather than the role.)

Solving 1, as pointed out by @ewbankkit, requires a code change. 2 and 3 are documentation issues.
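
Problem 1 above, as an added example that is not the provider's code and not part of this comment: a simplified model of a create step that checks the error only inside the timeout branch, next to a version with the missing check. The names fakeDMS, createBuggy and createFixed and both error values are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins; none of these names come from the provider's code.
var errTimeout = errors.New("timeout")
var errAccessDenied = errors.New("AccessDeniedFault: dms-vpc-role is not configured properly")

// fakeDMS models the service: every create returns createErr (nil = success).
type fakeDMS struct {
	createErr error
	exists    bool // what a later read of the subnet group would find
}

func (f *fakeDMS) create() error {
	f.exists = f.createErr == nil
	return f.createErr
}

// createBuggy checks err only in the timeout branch; other errors are dropped.
func createBuggy(c *fakeDMS) (inState bool, err error) {
	err = c.create()
	if errors.Is(err, errTimeout) {
		if err = c.create(); err != nil {
			return false, err
		}
	}
	return c.exists, nil // reached even when err is errAccessDenied
}

// createFixed adds the missing check so the real fault reaches the user.
func createFixed(c *fakeDMS) (inState bool, err error) {
	err = c.create()
	if errors.Is(err, errTimeout) {
		err = c.create()
	}
	if err != nil {
		return false, fmt.Errorf("creating replication subnet group: %w", err)
	}
	return c.exists, nil
}

func main() {
	c := &fakeDMS{createErr: errAccessDenied}
	fmt.Println(createBuggy(c))
	fmt.Println(createFixed(c))
}
```

In the buggy path the caller gets no error and no resource, which is the shape of "Root resource was present, but now absent"; the fixed path returns the access-denied fault itself, pointing straight at the IAM role.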

@github-actions

This functionality has been released in v4.50.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!


github-actions bot locked as resolved and limited conversation to collaborators Feb 13, 2023