
Remove ForceNew on AttrSecurityGroupIDs in domain_settings #40726


Open · wants to merge 4 commits into main

Conversation

timschill

Remove ForceNew on AttrSecurityGroupIDs in domain_settings

Description

Updating the security group for a domain should not try to recreate the whole domain.
By removing the "ForceNew: true" on AttrSecurityGroupIDs in domain_settings we allow for the correct behavior.

Relations

Closes #40600

References

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sagemaker-domain-domainsettings.html

Output from Acceptance Testing

% make testacc TESTS=TestAccXXX PKG=ec2

...

timschill requested a review from a team as a code owner on December 30, 2024 12:25

Contributor

Community Note

Voting for Prioritization

  • Please vote on this pull request by adding a 👍 reaction to the original post to help the community and maintainers prioritize this pull request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

For Submitters

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

github-actions bot added the labels service/sagemaker (Issues and PRs that pertain to the sagemaker service) and needs-triage (Waiting for first response or review from a maintainer) on Dec 30, 2024

Contributor

Thank you for your contribution! 🚀

Please note that the CHANGELOG.md file contents are handled by the maintainers during merge. This is to prevent pull request merge conflicts, especially for contributions which may not be merged immediately. Please see the Contributing Guide for additional pull request review items.

Remove any changes to the CHANGELOG.md file and commit them in this pull request to prevent delays with reviewing and potentially merging this pull request.

github-actions bot (Contributor) left a comment

Welcome @timschill 👋

It looks like this is your first Pull Request submission to the Terraform AWS Provider! If you haven't already done so, please make sure you have checked out our CONTRIBUTOR guide and FAQ to make sure your contribution is adhering to best practice and has all the necessary elements in place for a successful approval.

Also take a look at our FAQ which details how we prioritize Pull Requests for inclusion.

Thanks again, and welcome to the community! 😃

justinretzolk added the label enhancement (Requests to existing resources that expand the functionality or scope) and removed needs-triage (Waiting for first response or review from a maintainer) on Jan 9, 2025
jar-b force-pushed the b-sagemaker-domain_settings-sg-forceNew-false branch from 233a5cb to a9eeb06 on May 9, 2025 19:12
github-actions bot added the labels tests (PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure) and size/M (Managed by automation to categorize the size of a PR) on May 9, 2025

jar-b (Member) commented May 9, 2025

While adding tests for this change I've run up against what I think may be an AWS SDK bug or issue with the SageMaker service related to removing configured domain settings security groups. I've pushed an acceptance test which exhibits this behavior and observed the same while attempting to remove a security group via the AWS console.

Here is the relevant line from a debug log showing that SecurityGroupIds is being set to an empty array.

  http.request.body=
  | {"AppNetworkAccessType":"PublicInternetOnly","DefaultUserSettings":{"AutoMountHomeEFS":"Enabled","CustomFileSystemConfigs":[],"DefaultLandingUri":"studio::","ExecutionRole":"arn:aws:iam::727561393803:role/jb-test","StudioWebPortal":"ENABLED"},"DomainId":"d-2iye2hgtwbct","DomainSettingsForUpdate":{"ExecutionRoleIdentityConfig":"DISABLED","SecurityGroupIds":[]},"TagPropagation":"DISABLED"}

The test step which attempts to remove the security group then fails because the security group was not actually removed, and a non-empty plan is present after the apply.

    domain_test.go:112: Step 2/3 error: After applying this test step, the refresh plan was not empty.
        stdout


        Terraform used the selected providers to generate the following execution
        plan. Resource actions are indicated with the following symbols:
          ~ update in-place

        Terraform will perform the following actions:

          # aws_sagemaker_domain.test will be updated in-place
          ~ resource "aws_sagemaker_domain" "test" {
                id                                             = "d-sxsm2zfuprw8"
                tags                                           = {}
                # (15 unchanged attributes hidden)

              ~ domain_settings {
                  ~ security_group_ids             = [
                      - "sg-0ac8d36d178d91116",
                    ]
                    # (1 unchanged attribute hidden)
                }

                # (2 unchanged blocks hidden)
            }

        Plan: 0 to add, 1 to change, 0 to destroy.

When attempting the same change in the AWS console, the request payload looks something like:

{"DomainId":"d-2iye2hgtwbct","AppNetworkAccessType":"PublicInternetOnly","SubnetIds":["subnet-015e8acdf1e8d7789"],"DomainSettingsForUpdate":{"SecurityGroupIds":[]}}

After a few seconds the console will display a successful update popup, but the security group will remain in place.

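The two behaviours discussed in this thread, modelled in Go as an added illustration that is not the provider's code, the Terraform plugin SDK, or the SageMaker API: first, the schema decision the PR changes (a changed attribute marked ForceNew replaces the whole domain, the same attribute without ForceNew is updated in place), and second, the failure mode jar-b reports above, where UpdateDomain with an empty SecurityGroupIds list returns success but leaves the group attached. FakeDomain, the attribute name string and the sg-… identifiers are constructed for the example; the point of ApplyAndVerify is that a successful API response is not evidence that a network-restriction change took effect, and only reading the state back (what Terraform's refresh plan did in the failing test step) catches it.

```go
package main

import (
	"fmt"
	"sort"
)

// Action is the outcome a Terraform-style planner chooses for a changed attribute.
type Action string

const (
	NoOp    Action = "no-op"
	Update  Action = "update in-place"
	Replace Action = "replace"
)

// Plan models the schema decision the PR changes: a changed attribute marked
// ForceNew forces replacement of the whole resource; without ForceNew the
// change becomes an in-place update. Illustrative stand-in, not the plugin SDK.
func Plan(attr string, prev, next []string, forceNew map[string]bool) Action {
	if sameSet(prev, next) {
		return NoOp
	}
	if forceNew[attr] {
		return Replace
	}
	return Update
}

// FakeDomain is a constructed stand-in for a SageMaker domain reproducing the
// behaviour reported in the thread: a non-empty SecurityGroupIds list is
// applied, an empty list is accepted but ignored. It does not call AWS.
type FakeDomain struct {
	SecurityGroupIDs []string
}

// UpdateDomain applies the requested security group list.
func (d *FakeDomain) UpdateDomain(securityGroupIDs []string) {
	if len(securityGroupIDs) == 0 {
		return // reported behaviour: the call succeeds but nothing is removed
	}
	d.SecurityGroupIDs = append([]string(nil), securityGroupIDs...)
}

// Drift compares the configured list with what the service reports afterwards.
// stillAttached: groups no longer wanted but still present; missing: groups
// wanted but absent. Either being non-empty is the "refresh plan was not empty"
// condition from the acceptance test.
func Drift(desired, actual []string) (stillAttached, missing []string) {
	want, have := toSet(desired), toSet(actual)
	for sg := range have {
		if !want[sg] {
			stillAttached = append(stillAttached, sg)
		}
	}
	for sg := range want {
		if !have[sg] {
			missing = append(missing, sg)
		}
	}
	sort.Strings(stillAttached)
	sort.Strings(missing)
	return stillAttached, missing
}

// ApplyAndVerify sends the update, then re-reads state and reports drift.
func ApplyAndVerify(d *FakeDomain, desired []string) (stillAttached, missing []string) {
	d.UpdateDomain(desired)
	return Drift(desired, d.SecurityGroupIDs)
}

func toSet(xs []string) map[string]bool {
	s := make(map[string]bool, len(xs))
	for _, x := range xs {
		s[x] = true
	}
	return s
}

func sameSet(a, b []string) bool {
	sa, sb := toSet(a), toSet(b)
	if len(sa) != len(sb) {
		return false
	}
	for x := range sa {
		if !sb[x] {
			return false
		}
	}
	return true
}

func main() {
	const attr = "domain_settings.security_group_ids" // constructed attribute path
	prev, next := []string{"sg-0000000000000001"}, []string{"sg-0000000000000002"} // constructed IDs
	fmt.Println("with ForceNew:   ", Plan(attr, prev, next, map[string]bool{attr: true}))
	fmt.Println("without ForceNew:", Plan(attr, prev, next, map[string]bool{attr: false}))

	d := &FakeDomain{SecurityGroupIDs: prev}
	still, missing := ApplyAndVerify(d, next) // swapping groups converges
	fmt.Println("swap group  -> still attached:", still, "missing:", missing)
	still, missing = ApplyAndVerify(d, nil) // removing the last group does not
	fmt.Println("remove last -> still attached:", still, "missing:", missing)
}
```

Swapping one group for another converges (no drift), while asking for an empty list leaves the old group reported as still attached, which is exactly what the non-empty plan in the test output above shows. Against a real domain the same check is a DescribeDomain read after UpdateDomain, compared field by field against the configuration.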
jar-b (Member) commented May 9, 2025

I've opened aws/aws-sdk-go-v2#3084 in the AWS SDK for Go repository to get additional guidance on whether this behavior is supported.

jar-b (Member) commented May 13, 2025

Update - the AWS SDK team is following up internally with the SageMaker service team as this appears to be an underlying issue with the service.

Labels: enhancement (Requests to existing resources that expand the functionality or scope), service/sagemaker (Issues and PRs that pertain to the sagemaker service), size/M (Managed by automation to categorize the size of a PR), tests (PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure)

Successfully merging this pull request may close: [Bug]: sagemaker domain_settings security_groups force new

3 participants