terraform-aws-modules/terraform-aws-dms

Manage DMS service linked role in module to prevent race when attempting to create multiple serverless tasks

trobinsonpp opened this issue · 3 comments

Is your request related to a problem? Please describe.

Using this module to create multiple serverless tasks in an account where the service linked role AWSServiceRoleForDMSServerless has not been created can result in an apply failure caused by a race between each instance of aws_dms_replication_config attempting to create the role (which seems to be done automatically by the API if the role does not exist). Only one replication task can create the role and succeed, while the others fail with the IAM error "Service role name AWSServiceRoleForDMSServerless has been taken in this account, please try a different suffix." The next apply succeeds in creating the remaining serverless jobs after the service linked role has been created.

Describe the solution you'd like.

Add optional creation of the DMS service linked role to the module and make it a dependency of aws_dms_replication_config:

variable "create_service_linked_role" {
  type    = bool
  default = false
}

resource "aws_iam_service_linked_role" "this" {
  count            = var.create_service_linked_role ? 1 : 0
  aws_service_name = "dms.amazonaws.com"
}

resource "aws_dms_replication_config" "this" {
  ...

  depends_on = [
    aws_iam_service_linked_role.this
  ]
}

Describe alternatives you've considered.

Add note about this scenario to doc or examples if it is preferred to keep service linked role management out of the module.

resource "aws_iam_service_linked_role" "dms_serverless" {
  aws_service_name = "dms.amazonaws.com"
}

module "dms" {
  source = "terraform-aws-modules/dms/aws"
  ...

  depends_on = [
    aws_iam_service_linked_role.dms_serverless
  ]
}
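The workaround sketched above, filled out for the multi-task case as an added example that is not part of the original issue or the module: the service linked role is declared once and every serverless replication config depends on it, so several tasks can be added in a single apply. Endpoint ARNs and the subnet group ID are assumed placeholder inputs; the task map is a constructed sample.

```hcl
# Added example, not the issue author's or the module's code. Endpoint ARNs and
# the subnet group ID are placeholder inputs; the task map is constructed.
variable "source_endpoint_arn" { type = string }
variable "target_endpoint_arn" { type = string }
variable "replication_subnet_group_id" { type = string }

# One role per account. If AWS already created it, import it instead of
# letting apply fail on a duplicate name:
#   terraform import aws_iam_service_linked_role.dms_serverless \
#     arn:aws:iam::<ACCOUNT_ID>:role/aws-service-role/dms.amazonaws.com/AWSServiceRoleForDMSServerless
resource "aws_iam_service_linked_role" "dms_serverless" {
  aws_service_name = "dms.amazonaws.com"
}

locals {
  # Constructed sample: two serverless tasks created in the same apply.
  serverless_tasks = {
    orders    = { min_cu = 2, max_cu = 16 }
    customers = { min_cu = 1, max_cu = 8 }
  }
}

resource "aws_dms_replication_config" "this" {
  for_each = local.serverless_tasks

  replication_config_identifier = "serverless-${each.key}"
  replication_type              = "full-load-and-cdc"
  source_endpoint_arn           = var.source_endpoint_arn
  target_endpoint_arn           = var.target_endpoint_arn
  table_mappings = jsonencode({
    rules = [{
      "rule-type"      = "selection"
      "rule-id"        = "1"
      "rule-name"      = "include-all"
      "rule-action"    = "include"
      "object-locator" = { "schema-name" = "%", "table-name" = "%" }
    }]
  })

  compute_config {
    replication_subnet_group_id = var.replication_subnet_group_id
    min_capacity_units          = each.value.min_cu
    max_capacity_units          = each.value.max_cu
  }

  # Every task waits for the role resource, so the API never has to create
  # the role implicitly and the tasks cannot race each other on it.
  depends_on = [aws_iam_service_linked_role.dms_serverless]
}
```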

Service linked roles are usually managed outside of Terraform, and almost always managed outside of a module that would use said role. These roles are one per account, and they may or may not exist depending on whether or not AWS created one on your behalf.


Fair enough, and I understand the tension with these special roles as account singletons. There is precedent for popular modules handling SLRs in module (https://github.com/SPHTech-Platform/terraform-aws-opensearch) and I do it in custom modules (because I want common/reasonable scenarios like adding multiple jobs at once to be expressible in a single TF apply), but it's an easy enough workaround. Thanks for the reply.
