aws_db_option_group failing with "SSL option is missing required option settings"

I’m trying to create my first option group using Terraform. I am using a dynamic block driven by a variable. Everything looks okay according to the plan. However, when I try to apply it, I receive the error:

Error: Error modifying DB Option Group: InvalidParameterValue: SSL option is missing required option settings.
	status code: 400, request id: 86f1f7f6-d269-4612-ab71-6ca8b906c793

Here is my code:

main.tf

# Looks up an existing security group by its ID; the option group below
# attaches it to the SSL option's listener port.
# NOTE(review): confirm this group allows inbound 2484 only from the intended
# database clients.
data "aws_security_group" "db_sg" {
  id = "sg-0c53cbbe463c660dc"
}

# Option group for Oracle EE 19, as first attempted (this is the form that
# produced the InvalidParameterValue error quoted above).
resource "aws_db_option_group" "diorad-test" {
  name                     = "diorad-test"
  option_group_description = "Test"
  engine_name              = "oracle-ee"
  major_engine_version     = 19

  # This loop emits one `option` block per element of var.options_diorad.
  # With the default value both elements are named "SSL", so the SSL option
  # is declared twice, each time carrying a single setting, instead of one
  # option carrying both settings.
  dynamic "option" {
    for_each = var.options_diorad

    content {
      option_name = option.value.name
      port = 2484
      vpc_security_group_memberships = [data.aws_security_group.db_sg.id]

      # Only one option_settings block is produced per generated option.
      option_settings {
        name  = option.value.setting
        value = option.value.value
      }
    }
  }
}

options.tf

# Flat list: each element pairs an option name with one setting name/value.
# No `type` constraint is declared, so the element shape is not checked.
variable "options_diorad" {
  default = [
    {
      name    = "SSL"
      setting = "SQLNET.SSL_VERSION"
      # Selects TLS 1.2 for the SSL option.
      value   = "1.2"
    },
    {
      name    = "SSL"
      setting = "SQLNET.CIPHER_SUITE"
      # NOTE(review): CBC-mode suite with a SHA-1 MAC and RSA key exchange
      # (no forward secrecy). If every client supports it, prefer a GCM suite
      # from the list RDS documents for this engine version.
      value   = "SSL_RSA_WITH_AES_256_CBC_SHA"
    }
  ]
}

I can’t find any other arguments that I need to set.

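The solution presented itself: I was looping in the wrong place. The `dynamic` block was on `option`, so Terraform generated two separate SSL options with one setting each; the loop belongs on `option_settings` inside a single `option` block. Here is the corrected code. Of course, I will probably change the variable, since there are only two items now.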

# Corrected form: one SSL option whose settings are generated inside it.
resource "aws_db_option_group" "diorad-test" {
  engine_name              = "oracle-ee"
  major_engine_version     = "19"
  name                     = "diorad-test"
  option_group_description = "Test"

  # A single, statically declared SSL option on port 2484.
  # NOTE(review): the SSL option adds a TLS listener on this port; RDS for
  # Oracle keeps the standard listener port available for clear-text
  # connections as well. If only encrypted connections are wanted, check that
  # the security group does not expose the standard port — confirm for this
  # instance.
  option {
    option_name                    = "SSL"
    port                           = 2484
    vpc_security_group_memberships = [data.aws_security_group.db_sg.id]

    # One option_settings block per element of var.options_diorad. Only the
    # `setting` and `value` keys are read; each element's `name` key is unused.
    dynamic "option_settings" {
      for_each = var.options_diorad

      content {
        name  = option_settings.value.setting
        value = option_settings.value.value
      }
    }
  }
}

Here’s a little more refined solution:

options.tf:

# Options for the DB option group. Each entry names one option and lists that
# option's settings as name/value pairs.
variable "options_diorad" {
  type = list(object({
    option_name = string
    option_settings = list(object({
      name  = string
      value = string
    }))
  }))

  default = [
    {
      option_name = "SSL"
      option_settings = [
        {
          # Selects TLS 1.2 for the SSL option.
          name  = "SQLNET.SSL_VERSION"
          value = "1.2"
        },
        {
          # NOTE(review): CBC-mode suite with a SHA-1 MAC and RSA key exchange
          # (no forward secrecy). If every client supports it, prefer a GCM
          # suite from the list RDS documents for this engine version.
          name  = "SQLNET.CIPHER_SUITE"
          value = "SSL_RSA_WITH_AES_256_CBC_SHA"
        },
      ]
    },
  ]
}

main.tf

# Builds one `option` per entry of var.options_diorad; each entry's settings
# are expanded by the nested dynamic block.
resource "aws_db_option_group" "diorad-test" {
  name                     = "diorad-test"
  option_group_description = "Test"
  engine_name              = "oracle-ee"
  major_engine_version     = "19"

  dynamic "option" {
    for_each = var.options_diorad

    content {
      option_name = option.value.option_name

      # NOTE(review): the port and security group are applied to every entry
      # in the list, not only to SSL; revisit if other options are added.
      # The SSL option adds a TLS listener on 2484 while RDS for Oracle keeps
      # the standard listener port available for clear-text connections, so
      # check the security group if only encrypted connections are wanted.
      port                           = 2484
      vpc_security_group_memberships = [data.aws_security_group.db_sg.id]

      dynamic "option_settings" {
        for_each = option.value.option_settings

        content {
          name  = option_settings.value.name
          value = option_settings.value.value
        }
      }
    }
  }
}