Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable Aurora Enhanced Monitoring on existing instances - "IAM role invalid or wrong perms", followed by "MonitoringRoleARN value is required" #315

Closed
hashibot opened this issue Jun 13, 2017 · 21 comments · Fixed by #9747
Labels
bug Addresses a defect in current functionality. service/rds Issues and PRs that pertain to the rds service.
Milestone

Comments

@hashibot
Copy link

This issue was originally opened by @ssm1th as hashicorp/terraform#9435. It was migrated here as part of the provider split. The original body of the issue is below.


Similar issue as @deanmraz reported in hashicorp/terraform#5455 I think.

Attempting to enable Enhanced Monitoring on existing Aurora instances initially throws the following error:

InvalidParameterValue: IAM role ARN value is invalid or does not include the required permissions for: ENHANCED_MONITORING

When attempting an apply again following that error, I'm getting:

InvalidParameterCombination: A MonitoringRoleARN value is required if you specify a MonitoringInterval value other than 0

I suspect the latter is being thrown because the first apply actually added monitoring_role_arn to tfstate.

Have tried using the existing AWS provided managed policy and attaching it to a Terraform created role (all within Terraform), and I've also tried creating my own policy as per hashicorp/terraform#5455 and attaching that to a self made role too, but the behaviour is still the same.

The addition of monitoring_role_arn to tfstate following the first error sounds like a bug to me, but does anybody have any ideas or suggestions on how to get around this and get it working?

Thanks.

@hashibot hashibot added the bug Addresses a defect in current functionality. label Jun 13, 2017
@albrechtsimon
Copy link

Did this get addressed somehow? I am currently facing the exact same issues reported above.

@helenes-r7
Copy link

+1 Also running into this.
I'm going to try the solution here: hashicorp/terraform#5455
but it would be nice to consistently use "aws_iam_policy_document" throughout

@albrechtsimon
Copy link

@helenes-r7 Did the solution you linked above work for you? It did not for me.

@terrysdev9
Copy link

I'm getting the same issue as well. My monitoring role exists, my remote TF state says my monitoring interval is > 0 with the monitoring role correctly set. However, during the apply, the deploy fails with the "MonitoringRoleARN value is required" error. I turned on DEBUG output for the apply and noticed the POST call to the RDS API only has the MonitoringInterval parameter set to my value, but the MonitoringRoleARN is nowhere to be found. This happens even when I explicitly set the aws_db_instance.monitoring_role_arn with the actual value. Anybody find a solution for this?

@hegyre
Copy link

hegyre commented Oct 26, 2017

Hello @terrysdev9 ,

I also have the exact same issue for MySQL.
It's like the variable is not populated...

I got InvalidParameterCombination: A MonitoringRoleARN value is required if you specify a MonitoringInterval value other than 0.

I ended up modifiying the DB instance by hand via AWS Console.

Here's my config:


# IAM Role Definition for RDS Enhanced Monitoring
data "aws_iam_policy_document" "rds-assume-role-policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["monitoring.rds.amazonaws.com"]
    }
  }
}

# Create RDS Enhanced Monitoring role
resource "aws_iam_role" "rds_monitoring_all_iam_role" {
  name               = "${var.project}-role-all-rds-monitor"
  path               = "/"
  assume_role_policy = "${data.aws_iam_policy_document.rds-assume-role-policy.json}"
}

# Attach RDS Enhanced Monitoring role policy(ies)
resource "aws_iam_role_policy_attachment" "rds_monitoring_all_iam_role_policies_attach" {
    role       = "${aws_iam_role.rds_monitoring_all_iam_role.id}"
    policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
}

resource "aws_db_instance" "db_pre_za" {
...
monitoring_interval          = 60
monitoring_role_arn         = "${aws_iam_role.rds_monitoring_iam_role.arn}"
...
}

@terrysdev9
Copy link

Hi @hegyre,

I ended up re-creating the RDS instance with the monitoring role ARN set, but my monitoring interval remained at 0. I was then able to change the interval to some value >0 and back to 0 with no issues. If you changed the DB instance via the console, did your refresh on your TF state and do a plan to see if it picked up your changes?

@hegyre
Copy link

hegyre commented Oct 26, 2017

@terrysdev9 ,

The refresh picked up the changes I manually did on the DB instance:

                        "monitoring_interval": "60",
                        "monitoring_role_arn": "arn:aws:iam::200274800666:role/dcsie-role-all-rds-monitor",

Howerver, since I have commented these in the tf file:

#  monitoring_interval         = 60
#  monitoring_role_arn         = "${aws_iam_role.rds_monitoring_all_iam_role.arn}"

Then the plan would like to set it to 0, but only for the monitoring_interval, not for the monitoring_role_arn:

Terraform will perform the following actions:

  ~ aws_db_instance.db_pre_za
      monitoring_interval: "60" => "0"

Now If I uncomment these, the plan is fine

To summup:
This is not working if the RDS instance has been created before enabing this monitoring option.

I have to test this with a new DB AND this monitoring option enabled during RDS instance creation time.

@geofffranks
Copy link

In our experience, we have an RDS instance that we created via terraform a few weeks ago. When we tried adding enhanced monitoring by setting monitoring_interval and monitoring_role_arn at the same time, terraform failed with the error FIXME. Subsequent runs always failed with InvalidParameterCombination: A MonitoringRoleARN value is required if you specify a MonitoringInterval value other than 0., unless we modified the tfstate file to forget about the monitoring_* properties.

The initial failure we suspect is due to either the role not being created properly before its ARN was applied to the RDS instance (is that even possible?), or that the assumerole policy of our role was using the service rds.amazonaws.com instead of monitoring.rds.amazonaws.com.

Once we had role created with monitoring.rds.amazonaws.com as our AssumeRolePolicy Service, and removed the monitoring settings from our tfstate, terraform was able to successfully add enhanced monitoring to the RDS instance.

@radeksimko radeksimko added the service/rds Issues and PRs that pertain to the rds service. label Jan 25, 2018
@mjaas
Copy link

mjaas commented Jun 27, 2018

@geofffranks Thanks!!! We found same error 11.7, and soleved it your solution.

@wagnerone
Copy link

wagnerone commented Oct 30, 2018

We ran into this today. It was quite aggravating. Rather than modify the tfstate directly we created a second, temporary rule, assigned monitoring_role_arn to that and then reverted to our original role that had formerly had rds.amazonaws.com and since changed to monitoring.rds.amazonaws.com

Terraform v0.11.7
provider.aws v1.41.0

@sterfield
Copy link

Yeah, got the same issue. There's two problems here:

The first issue is a race condition problem: the RDS declaration has a direct dependency on the monitoring role, so as soon as the role is available, the modification of the RDS is fired. So the modification of the RDS (adding the monitoring role) and the aws_iam_role_policy_attachment are happening at the same time. RDS is checking if the role has indeed the right to use enhanced monitoring, but at that moment, that's not the case, hence the first error.

I tried to fix this issue by forcing a dependency on aws_rds_instance to aws_iam_role_policy_attachment but in my tests, even if the calls are done sequentially, they happen so fast that RDS is still checking too soon if the role has the correct right, leading to the same error.

Here's a breakdown of first run of TF, with the manual dependency on aws_iam_role_policy_attachment:

  • request creation of the role @ 2018-11-09T12:40:35.128+0100
  • answer HTTP 200 @ 2018-11-09T12:40:35.813+0100
  • request attachment policy AmazonRDSEnhancedMonitoringRole@ 2018-11-09T12:40:36.481+0100
  • answer HTTP 200 @ 2018-11-09T12:40:37.188+0100
  • request iam/ListAttachedRolePolicies (I suppose to confirm that the attachment is correctly done) @ 2018-11-09T12:40:37.848+0100
  • answer HTTP 200 with the policy AmazonRDSEnhancedMonitoringRole listed @ 2018-11-09T12:40:38.495+0100
  • request to modify the DB instance and add the enhanced monitoring @ 2018-11-09T12:40:38.509+0100
  • answer HTTP 400 Bad Request @ 2018-11-09T12:40:39.498+0100. Reason is IAM role ARN value is invalid or does not include the required permissions for: ENHANCED_MONITORING

As you can see, there's less than 2s between the confirmation that the policy is correctly attached, and the call to modify the instance with the call. I suspect some cache on AWS side, that is not refreshed when we make the call to modify the RDS. Policy attachment is clearly done when we initiate the DB modify API call.

The second problem is a Terraform bug: whatever the outcome of the first call, the monitoring_role_arn attribute is set to the ARN, so next calls are only pushing the monitoring_interval. As a consequence, the monitoring ARN is not sent in the AWS API call, making the request incorrect.

TL;DR: this is the combination of two bugs, one on AWS side and one on TF side.

@sterfield
Copy link

sterfield commented Nov 12, 2018

I've opened an issue on AWS side for this. I'll keep you guys posted, but looking at this forum thread, it's very likely that IAM information is being propagated but haven't reached yet the RDS API.

In that case, it means that TF may need to retry the RDS call a few times to see if the RDS api finally get the correct answer.

@sterfield
Copy link

Got the confirmation from AWS support that there's indeed a propagation delay between the IAM call and the propagation to all AWS services.

So I think that the AWS provider needs to be updated in two ways:

  • correct the bug that fill the monitoring_role_arn if the modify-db-instance call is not successful. There's no valid reason to update the state if the call is unsuccessful.
  • Try multiple times the modify-db-instance call when activating the enhanced monitoring on an RDS / Aurora instance. Each call should be made with a 5s sleep between them, in order to allow the IAM modification to correctly propagate and then, allow the modify-db-instance to successfully validate that the role being passed has indeed the correct set of rights to collect metrics for the enhanced monitoring.

It's worth mentioning that, if the first bug is solved, then the second is less critical, as TF will fail the first time, but will succeed at the next run. Not pretty, but this can work.

Thanks,

@pedrocarrico
Copy link

I can confirm that if done as @geofffranks described in here it works.

Doing a two stage apply by creating the role first and then updating the RDS instance with the monitoring_role_arn and monitoring_interval works.

@flmmartins
Copy link

Also facing this issue curently. When aws is handling this?

@brycehemme
Copy link

brycehemme commented Jul 17, 2019

I'm encountering the same exact issue as @hegyre. I have an existing Postgres 10 instance and when I apply the monitoring_role_arn it never gets set which results in the exception.

InvalidParameterCombination: A MonitoringRoleARN value is required if you specify a MonitoringInterval value other than 0.

What's the status on this issue?

@carlosjgp
Copy link

In my case I'm observing this error when

1st apply)

  • create the DB instance
    2nd apply)
  • add monitoring role
    3rd apply)
  • increase monitoring interval
       ~ monitoring_interval                   = 0 -> 30
          monitoring_role_arn                   = "arn:aws:iam::xxxxxxxx:role/rds-enhanced-monitoring-role"

bflad added a commit that referenced this issue Aug 13, 2019
…tten to state and retry ModifyDBInstance on IAM eventual consistency error

References:

- #315
- #2188
- #5559

Previously before code updates:

```
--- FAIL: TestAccAWSDBInstance_MonitoringRoleArn_RemovedToEnabled (430.95s)
    testing.go:568: Step 2 error: errors during apply:

        Error: Error modifying DB Instance tf-acc-test-1165998526456666486: InvalidParameterValue: IAM role ARN value is invalid or does not include the required permissions for: ENHANCED_MONITORING
        	status code: 400, request id: 524f599d-3870-48b3-843e-28885ae3f75c

          on /var/folders/v0/_d108fkx1pbbg4_sh864_7740000gn/T/tf-test908490254/main.tf line 29:
          (source code not available)

--- PASS: TestAccAWSDBInstance_MonitoringRoleInterval (565.47s)
--- PASS: TestAccAWSDBInstance_MonitoringRoleArn_EnabledToDisabled (593.87s)
--- PASS: TestAccAWSDBInstance_MonitoringRoleArn_EnabledToRemoved (626.12s)
```

Output from acceptance testing:

```
--- PASS: TestAccAWSDBInstance_MonitoringRoleArn_EnabledToDisabled (587.93s)
--- PASS: TestAccAWSDBInstance_MonitoringRoleArn_RemovedToEnabled (614.89s)
--- PASS: TestAccAWSDBInstance_MonitoringRoleArn_EnabledToRemoved (656.13s)
--- PASS: TestAccAWSDBInstance_MonitoringRoleInterval (702.57s)
```
@bflad
Copy link
Contributor

bflad commented Aug 13, 2019

Fix submitted: #9747

bflad added a commit that referenced this issue Aug 13, 2019
…lways written to state

Reference: #315

Output from acceptance testing:

```
--- PASS: TestAccAWSRDSClusterInstance_PerformanceInsightsEnabled_AuroraMysql2 (588.69s)
--- PASS: TestAccAWSRDSClusterInstance_PerformanceInsightsEnabled_AuroraMysql1 (640.98s)
--- PASS: TestAccAWSRDSClusterInstance_PerformanceInsightsEnabled_AuroraPostgresql (661.39s)
--- PASS: TestAccAWSRDSClusterInstance_namePrefix (674.32s)
--- PASS: TestAccAWSRDSClusterInstance_CopyTagsToSnapshot (703.51s)
--- PASS: TestAccAWSRDSClusterInstance_PubliclyAccessible (714.73s)
--- PASS: TestAccAWSRDSClusterInstance_disappears (735.39s)
--- PASS: TestAccAWSRDSClusterInstance_generatedName (774.99s)
--- PASS: TestAccAWSRDSClusterInstance_MonitoringRoleArn_EnabledToRemoved (834.26s)
--- PASS: TestAccAWSRDSClusterInstance_MonitoringRoleArn_RemovedToEnabled (876.44s)
--- PASS: TestAccAWSRDSClusterInstance_az (877.93s)
--- PASS: TestAccAWSRDSClusterInstance_MonitoringRoleArn_EnabledToDisabled (912.63s)
--- PASS: TestAccAWSRDSClusterInstance_MonitoringInterval (1037.61s)
--- PASS: TestAccAWSRDSClusterInstance_kmsKey (1205.30s)
--- PASS: TestAccAWSRDSClusterInstance_basic (1301.24s)
```
@bflad bflad added this to the v2.25.0 milestone Aug 15, 2019
@bflad
Copy link
Contributor

bflad commented Aug 15, 2019

The fix for this has been merged and will release in version 2.25.0 of the Terraform AWS Provider, in about a week.

@ghost
Copy link

ghost commented Aug 23, 2019

This has been released in version 2.25.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

paulrigor added a commit to paulrigor/terraform-provider-aws that referenced this issue Sep 6, 2019
* provider: Ensure needs-triage issue labeling step in GitHub Actions v2 is conditional on opened action

The payload is slightly different in v2, so actions/[email protected] fails with the action flag and does not return a neutral status. Instead, we will pre-filter the step via if.

References:

- https://help.github.com/en/articles/workflow-syntax-for-github-actions#jobsjob_idif
- https://github.com/actions/github/blob/4f0213ed102c4b518a7ce8bc4e6268bdd710770e/entrypoint.js#L73-L85

* resource/aws_lb_target_group_attachment: Prevent potential panic and update test function names for codebase conventions

Output from acceptance testing:

```
--- PASS: TestAccAWSLBTargetGroupAttachment_lambda (31.23s)
--- PASS: TestAccAWSLBTargetGroupAttachment_disappears (91.09s)
--- PASS: TestAccAWSLBTargetGroupAttachment_ipAddress (102.80s)
--- PASS: TestAccAWSLBTargetGroupAttachment_basic (103.02s)
--- PASS: TestAccAWSLBTargetGroupAttachment_withoutPort (123.06s)
--- PASS: TestAccAWSLBTargetGroupAttachment_BackwardsCompatibility (123.37s)
```

* Update CHANGELOG for hashicorp#9610

* Added CW log export value for aurora-postgresql

* tests/resource/aws_rds_cluster_instance: Ensure covering acceptance tests for performance_insights_enabled on Aurora MySQL 1/2 and Postgresql

Reference: hashicorp#9227
Reference: hashicorp#9635

Output from acceptance testing:

```
--- PASS: TestAccAWSRDSClusterInstance_PerformanceInsightsEnabled_AuroraMysql1 (629.12s)
--- PASS: TestAccAWSRDSClusterInstance_namePrefix (677.80s)
--- PASS: TestAccAWSRDSClusterInstance_PerformanceInsightsEnabled_AuroraMysql2 (679.39s)
--- PASS: TestAccAWSRDSClusterInstance_PerformanceInsightsEnabled_AuroraPostgresql (680.27s)
--- PASS: TestAccAWSRDSClusterInstance_CopyTagsToSnapshot (699.01s)
--- PASS: TestAccAWSRDSClusterInstance_generatedName (712.49s)
--- PASS: TestAccAWSRDSClusterInstance_az (722.51s)
--- PASS: TestAccAWSRDSClusterInstance_disappears (763.18s)
--- PASS: TestAccAWSRDSClusterInstance_withInstanceEnhancedMonitor (873.08s)
--- PASS: TestAccAWSRDSClusterInstance_kmsKey (1062.91s)
--- PASS: TestAccAWSRDSClusterInstance_PubliclyAccessible (1247.95s)
--- PASS: TestAccAWSRDSClusterInstance_basic (1423.02s)
```

* Update CHANGELOG for hashicorp#9635

* resource/aws_db_instance: Only send performance_insights_kms_key_id on update if configured

Reference: hashicorp#8792
Reference: hashicorp#9399
Reference: hashicorp#9406

Previously before code update:

```
--- PASS: TestAccAWSRDSDBInstance_PerformanceInsightsRetentionPeriod (667.32s)
--- PASS: TestAccAWSRDSDBInstance_PerformanceInsightsEnabled_EnabledToDisabled (733.03s)
--- PASS: TestAccAWSRDSDBInstance_PerformanceInsightsKmsKeyId (862.56s)
--- FAIL: TestAccAWSRDSDBInstance_PerformanceInsightsEnabled_DisabledToEnabled (5686.66s)
    testing.go:568: Step 2 error: errors during apply:

        Error: Error modifying DB Instance tf-acc-test-5551941564373291595: InternalFailure:
        	status code: 500, request id: 9ad8b0ff-c5a2-43d0-a531-60aa047b8570
```

Output from acceptance testing:

```
--- PASS: TestAccAWSRDSDBInstance_PerformanceInsightsEnabled_EnabledToDisabled (680.88s)
--- PASS: TestAccAWSRDSDBInstance_PerformanceInsightsEnabled_DisabledToEnabled (680.95s)
--- PASS: TestAccAWSRDSDBInstance_PerformanceInsightsRetentionPeriod (685.18s)
--- PASS: TestAccAWSRDSDBInstance_PerformanceInsightsKmsKeyId (851.11s)
```

* resource/aws_rds_cluster_instance: Ensure performance_insights_kms_key_id updates include performance_insights_enabled

Reference: hashicorp#3015

This update ensures the correct RDS API error is shown when attempting to modify the Performance Insights KMS Key ID (we use `ExpectError` in the testing so this passes):

```
--- FAIL: TestAccAWSRDSClusterInstance_PerformanceInsightsKmsKeyId_DefaultKeyToCustomKey (691.76s)
    testing.go:568: Step 2 error: errors during apply:

        Error: Error modifying DB Instance tf-acc-test-2133090011528324987: InvalidParameterCombination: You cannot change your Performance Insights KMS key
```

Previously before code update:

```
--- PASS: TestAccAWSRDSClusterInstance_PerformanceInsightsEnabled_AuroraMysql2 (587.54s)
--- PASS: TestAccAWSRDSClusterInstance_PerformanceInsightsEnabled_AuroraMysql1 (594.85s)
--- PASS: TestAccAWSRDSClusterInstance_PerformanceInsightsKmsKeyId_CustomKey (660.70s)
--- FAIL: TestAccAWSRDSClusterInstance_PerformanceInsightsKmsKeyId_DefaultKeyToCustomKey (667.49s)
    testing.go:568: Step 2 error: errors during apply:

        Error: Error modifying DB Instance tf-acc-test-4757962708939555369: InvalidParameterCombination: Can not set PerformanceInsightsKMSKeyId without EnablePerformanceInsights
        	status code: 400, request id: c64b9f56-1b56-420c-9575-c5cfed87270b

          on /var/folders/v0/_d108fkx1pbbg4_sh864_7740000gn/T/tf-test833219777/main.tf line 15:
          (source code not available)

--- PASS: TestAccAWSRDSClusterInstance_PerformanceInsightsEnabled_AuroraPostgresql (699.46s)
```

Output from acceptance testing:

```
--- PASS: TestAccAWSRDSClusterInstance_PerformanceInsightsKmsKeyId_AuroraMysql2_DefaultKeyToCustomKey (630.56s)
--- PASS: TestAccAWSRDSClusterInstance_PerformanceInsightsEnabled_AuroraMysql1 (649.52s)
--- PASS: TestAccAWSRDSClusterInstance_generatedName (651.77s)
--- PASS: TestAccAWSRDSClusterInstance_PerformanceInsightsKmsKeyId_AuroraMysql1_DefaultKeyToCustomKey (652.94s)
--- PASS: TestAccAWSRDSClusterInstance_PerformanceInsightsEnabled_AuroraPostgresql (670.18s)
--- PASS: TestAccAWSRDSClusterInstance_PerformanceInsightsKmsKeyId_CustomKey (671.61s)
--- PASS: TestAccAWSRDSClusterInstance_PerformanceInsightsKmsKeyId_AuroraPostgresql_DefaultKeyToCustomKey (672.19s)
--- PASS: TestAccAWSRDSClusterInstance_PubliclyAccessible (683.28s)
--- PASS: TestAccAWSRDSClusterInstance_PerformanceInsightsEnabled_AuroraMysql2 (690.78s)
--- PASS: TestAccAWSRDSClusterInstance_disappears (730.05s)
--- PASS: TestAccAWSRDSClusterInstance_CopyTagsToSnapshot (732.08s)
--- PASS: TestAccAWSRDSClusterInstance_az (747.28s)
--- PASS: TestAccAWSRDSClusterInstance_namePrefix (764.03s)
--- PASS: TestAccAWSRDSClusterInstance_kmsKey (792.98s)
--- PASS: TestAccAWSRDSClusterInstance_withInstanceEnhancedMonitor (822.65s)
--- PASS: TestAccAWSRDSClusterInstance_basic (1516.75s)
```

* resource/aws_db_instance: Ensure monitoring attributes are always written to state and retry ModifyDBInstance on IAM eventual consistency error

References:

- hashicorp#315
- hashicorp#2188
- hashicorp#5559

Previously before code updates:

```
--- FAIL: TestAccAWSDBInstance_MonitoringRoleArn_RemovedToEnabled (430.95s)
    testing.go:568: Step 2 error: errors during apply:

        Error: Error modifying DB Instance tf-acc-test-1165998526456666486: InvalidParameterValue: IAM role ARN value is invalid or does not include the required permissions for: ENHANCED_MONITORING
        	status code: 400, request id: 524f599d-3870-48b3-843e-28885ae3f75c

          on /var/folders/v0/_d108fkx1pbbg4_sh864_7740000gn/T/tf-test908490254/main.tf line 29:
          (source code not available)

--- PASS: TestAccAWSDBInstance_MonitoringRoleInterval (565.47s)
--- PASS: TestAccAWSDBInstance_MonitoringRoleArn_EnabledToDisabled (593.87s)
--- PASS: TestAccAWSDBInstance_MonitoringRoleArn_EnabledToRemoved (626.12s)
```

Output from acceptance testing:

```
--- PASS: TestAccAWSDBInstance_MonitoringRoleArn_EnabledToDisabled (587.93s)
--- PASS: TestAccAWSDBInstance_MonitoringRoleArn_RemovedToEnabled (614.89s)
--- PASS: TestAccAWSDBInstance_MonitoringRoleArn_EnabledToRemoved (656.13s)
--- PASS: TestAccAWSDBInstance_MonitoringRoleInterval (702.57s)
```

* tests/resource/aws_db_instance: Ensure monitoring_interval testing covers disabling and re-enabling

Output from acceptance testing:

```
--- PASS: TestAccAWSDBInstance_MonitoringInterval (978.85s)
```

* resource/aws_rds_cluster_instance: Ensure monitoring attributes are always written to state

Reference: hashicorp#315

Output from acceptance testing:

```
--- PASS: TestAccAWSRDSClusterInstance_PerformanceInsightsEnabled_AuroraMysql2 (588.69s)
--- PASS: TestAccAWSRDSClusterInstance_PerformanceInsightsEnabled_AuroraMysql1 (640.98s)
--- PASS: TestAccAWSRDSClusterInstance_PerformanceInsightsEnabled_AuroraPostgresql (661.39s)
--- PASS: TestAccAWSRDSClusterInstance_namePrefix (674.32s)
--- PASS: TestAccAWSRDSClusterInstance_CopyTagsToSnapshot (703.51s)
--- PASS: TestAccAWSRDSClusterInstance_PubliclyAccessible (714.73s)
--- PASS: TestAccAWSRDSClusterInstance_disappears (735.39s)
--- PASS: TestAccAWSRDSClusterInstance_generatedName (774.99s)
--- PASS: TestAccAWSRDSClusterInstance_MonitoringRoleArn_EnabledToRemoved (834.26s)
--- PASS: TestAccAWSRDSClusterInstance_MonitoringRoleArn_RemovedToEnabled (876.44s)
--- PASS: TestAccAWSRDSClusterInstance_az (877.93s)
--- PASS: TestAccAWSRDSClusterInstance_MonitoringRoleArn_EnabledToDisabled (912.63s)
--- PASS: TestAccAWSRDSClusterInstance_MonitoringInterval (1037.61s)
--- PASS: TestAccAWSRDSClusterInstance_kmsKey (1205.30s)
--- PASS: TestAccAWSRDSClusterInstance_basic (1301.24s)
```

* Update CHANGELOG.md

* Final retries for gamelift resources

* Final retry after timeout creating gluecrawler

* Final guard duty retry

* r/ram_resource_share_accepter: New resource

* Add arguments, delete to disassociate

* Update module aws/aws-sdk-go to v1.23.0

* New Resources: aws_fsx_lustre_file_system and aws_fsx_windows_file_system

Reference: hashicorp#7035
Reference: hashicorp#7074

Builds on hashicorp#7074 with the following changes:

- Split into two separate resources (`aws_fsx_lustre_file_system` and `aws_fsx_windows_file_system`) to simplify practitioner configuration (e.g. lose the required configuration blocks), ease maintenance for resource logic and single file system arguments (e.g. `kms_key_id` only for Windows), and enhance validations (e.g. `storage_capacity` differences between file systems)
- Add covering acceptance testing with updates/force new for all arguments
- Better alignment with API naming for some arguments (e.g. changing `capacity` into `storage_capacity` to remove ambiguity with `throughput_capacity`)
- Implement [resource Customizable Timeouts](https://www.terraform.io/docs/extend/resources/retries-and-customizable-timeouts.html)
- Implement `skip_final_backup` argument for Windows
- Implement `network_interface_ids`, `owner_id`, and `vpc_id` attributes
- Augment resource documentation with additional notes found in [API reference](https://docs.aws.amazon.com/fsx/latest/APIReference/) and clarify `security_group_ids` import behavior

Output from acceptance testing:

```
--- PASS: TestAccAWSFsxLustreFileSystem_Tags (458.62s)
--- PASS: TestAccAWSFsxLustreFileSystem_basic (526.79s)
--- PASS: TestAccAWSFsxLustreFileSystem_disappears (564.58s)
--- PASS: TestAccAWSFsxLustreFileSystem_WeeklyMaintenanceStartTime (697.83s)
--- PASS: TestAccAWSFsxLustreFileSystem_StorageCapacity (940.13s)
--- PASS: TestAccAWSFsxLustreFileSystem_SecurityGroupIds (1074.08s)
--- PASS: TestAccAWSFsxLustreFileSystem_ImportedFileChunkSize (1276.18s)
--- PASS: TestAccAWSFsxLustreFileSystem_ImportPath (1322.13s)
--- PASS: TestAccAWSFsxLustreFileSystem_ExportPath (1338.75s)

--- PASS: TestAccAWSFsxWindowsFileSystem_Tags (2256.64s)
--- PASS: TestAccAWSFsxWindowsFileSystem_WeeklyMaintenanceStartTime (2346.44s)
--- PASS: TestAccAWSFsxWindowsFileSystem_basic (2404.35s)
--- PASS: TestAccAWSFsxWindowsFileSystem_disappears (2412.10s)
--- PASS: TestAccAWSFsxWindowsFileSystem_AutomaticBackupRetentionDays (2514.61s)
--- PASS: TestAccAWSFsxWindowsFileSystem_DailyAutomaticBackupStartTime (2849.43s)
--- PASS: TestAccAWSFsxWindowsFileSystem_SelfManagedActiveDirectory (2850.64s)
--- PASS: TestAccAWSFsxWindowsFileSystem_ThroughputCapacity (3292.44s)
--- PASS: TestAccAWSFsxWindowsFileSystem_SecurityGroupIds (3609.37s)
--- PASS: TestAccAWSFsxWindowsFileSystem_KmsKeyId (3977.10s)
--- PASS: TestAccAWSFsxWindowsFileSystem_StorageCapacity (4026.67s)
--- PASS: TestAccAWSFsxWindowsFileSystem_CopyTagsToBackups (4389.57s)
```

* Add docs

* Add acceptance test, remove comments, fix minor issue

* Adjust for better code

* Remove the invitation ARN as argument

* Update CHANGELOG.md

* Update website/docs/r/fsx_lustre_file_system.html.markdown

Co-Authored-By: Ryn Daniels <[email protected]>

* Add test sweepers for fsx filesystems

* Update CHANGELOG for hashicorp#7074 and hashicorp#9761

* Final retries for ELB resources

* Final retries for IAM resources

* Final retry after timeout deleting inspector assessment target

* Add AWS Lake Formation service client.
Run 'go mod tidy'.

* Update CHANGELOG for hashicorp#9745

* resource/aws_ram_resource_share_accepter: Minor adjustments and documentation enhancements for initial release

Reference: hashicorp#8259

Output from acceptance testing:

```
--- PASS: TestAccAwsRamResourceShareAccepter_basic (31.57s)
```

* Update CHANGELOG for hashicorp#8259

* provider: Remove Route 53 endpoint workaround in AWS GovCloud (US)

The endpoint information is now correctly included in the AWS Go SDK as of [v1.22.3](aws/aws-sdk-go@1f4898f). The AWS China endpoint information for Route 53 is still not present in the AWS Go SDK.

Output from acceptance testing in AWS GovCloud (US):

```
--- PASS: TestAccAWSRoute53Zone_VPC_Single (66.92s)
--- PASS: TestAccAWSRoute53Zone_VPC_Multiple (96.71s)
--- PASS: TestAccAWSRoute53Zone_VPC_Updates (173.89s)
```

* resource/aws_ram_resource_share_accepter: go fmt

* Final retries after internet gateway timeouts

* Final retry deleting iot types

* Final retry after timeout creating launch config

* tests/data-source/aws_organizations_organization: Add Organizations PreCheck

For consistency with other Organizations testing and to prevent the following failure:

```
       --- FAIL: TestAccAWSOrganizations/Organization/DataSource (3.55s)
            testing.go:568: Step 0 error: errors during apply:

                Error: Error creating organization: AlreadyInOrganizationException: The AWS account is already a member of an organization.
```

Acceptance testing from Organizations member account:

```
        --- SKIP: TestAccAWSOrganizations/Organization/DataSource (1.57s)
            provider_test.go:247: skipping tests; this AWS account must not be an existing member of an AWS Organization
```

Acceptance testing from standalone account:

```
        --- PASS: TestAccAWSOrganizations/Organization/DataSource (29.70s)
```

* Final retries for LB resources

* v2.24.0

* Cleanup after v2.24.0 release

* Update CHANGELOG for hashicorp#9747

* Update CHANGELOG for hashicorp#9748

* Update CHANGELOG for hashicorp#9740

* initial commit

* changes based on feedback: DiffSuppresFunc instead of Computed + Updated Acceptance test

* go fmt

* resource/aws_cloudwatch_log_subscription_filter: Use Default with distribution attribute, refactor tests to ensure all arguments and Kinesis Data Firehose/Kinesis Stream destinations are tested

Reference: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html

Output from acceptance testing (the test failure is a new bug discovery and will be fixed in a subsequent fix):

```
--- PASS: TestAccAWSCloudwatchLogSubscriptionFilter_basic (40.61s)
--- PASS: TestAccAWSCloudwatchLogSubscriptionFilter_disappears (41.09s)
--- PASS: TestAccAWSCloudwatchLogSubscriptionFilter_disappears_LogGroup (42.32s)
--- PASS: TestAccAWSCloudwatchLogSubscriptionFilter_Distribution (51.33s)
--- PASS: TestAccAWSCloudwatchLogSubscriptionFilter_DestinationArn_KinesisStream (108.80s)
--- FAIL: TestAccAWSCloudwatchLogSubscriptionFilter_RoleArn (114.10s)
    testing.go:568: Step 2 error: errors during apply:

        Error: Error updating SubscriptionFilter (tf-acc-test-3057491702311743141) for LogGroup (tf-acc-test-3057491702311743141), message: "Could not deliver test message to specified Kinesis stream. Check if the given kinesis stream is in ACTIVE state.", code: "InvalidParameterException"

          on /var/folders/v0/_d108fkx1pbbg4_sh864_7740000gn/T/tf-test472807723/main.tf line 98:
          (source code not available)

--- PASS: TestAccAWSCloudwatchLogSubscriptionFilter_DestinationArn_KinesisDataFirehose (126.02s)
```

* Update CHANGELOG for hashicorp#9265

* Update CHANGELOG.md

* Final retries for msk cluster

* Add Personailze service

* Run `make fmt`

* Final retries for redshift resources

* Final retries for routes

* Final sagemaker retries

* Security group retries

* Update CHANGELOG.md

* tests/resource/aws_rds_cluster_instance: Fix minor typo in master_password arguments

Reference: https://github.com/terraform-providers/terraform-provider-aws/pull/9746/files#r314539776

* Update CHANGELOG for hashicorp#9710

* Update module terraform-providers/terraform-provider-tls to v2.1.0

* Final retries for SQS resources

* Final retry for transfer server

* Retries and retry removal for opsworks resources

* Fix retiring_principal argument name for aws_kms_grant resource

* Final retry for wafregional acl association

* Final tag retries

* `status` is not an attribute in the schema (hashicorp#9823)

See https://github.com/terraform-providers/terraform-provider-aws/blob/00909998d919faf5494ab8f6b38241deb1957d99/aws/resource_aws_docdb_cluster.go#L33

* resource/aws_kinesis_firehose_delivery_stream: Address PR hashicorp#9103 feedback

Reference: hashicorp#9103

Mainly reverting some of the changes to processing_configuration/error_output_prefix and adding DiffSuppressFunc to handle the processing_configuration configuration block attribute.

Output from acceptance testing:

```
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_ExtendedS3_ErrorOutputPrefix (151.81s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_missingProcessingConfiguration (158.88s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_ExtendedS3_DataFormatConversionConfiguration_OrcSerDe_Empty (168.93s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_ExtendedS3_ExternalUpdate (169.36s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_SplunkConfigUpdates (170.83s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_s3KinesisStreamSource (136.10s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_ExtendedS3_DataFormatConversionConfiguration_Deserializer_Update (179.46s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_ExtendedS3Updates (180.75s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_importBasic (187.90s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_ExtendedS3_DataFormatConversionConfiguration_Enabled (190.90s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_ExtendedS3_DataFormatConversionConfiguration_ParquetSerDe_Empty (192.30s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_ExtendedS3_DataFormatConversionConfiguration_Serializer_Update (196.54s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_ExtendedS3basic (200.98s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_ExtendedS3_DataFormatConversionConfiguration_OpenXJsonSerDe_Empty (202.37s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_ExtendedS3_DataFormatConversionConfiguration_HiveJsonSerDe_Empty (222.59s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_ExtendedS3KmsKeyArn (226.21s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_s3WithCloudwatchLogging (189.02s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_s3basic (136.60s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_s3ConfigUpdates (303.77s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_s3basicWithTags (184.97s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_RedshiftConfigUpdates (808.04s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_ElasticsearchConfigUpdates (970.67s)
```

* Update CHANGELOG for hashicorp#9103

* Update CHANGELOG for hashicorp#9442

* Update CHANGELOG.md

* Update aws/resource_aws_internet_gateway.go

Co-Authored-By: Brian Flad <[email protected]>

* Update aws/resource_aws_msk_cluster.go

Co-Authored-By: Brian Flad <[email protected]>

* Update aws/resource_aws_security_group.go

Co-Authored-By: Brian Flad <[email protected]>

* Update aws/resource_aws_security_group.go

Co-Authored-By: Brian Flad <[email protected]>

* Update aws/resource_aws_sqs_queue_policy.go

Co-Authored-By: Brian Flad <[email protected]>

* Update aws/resource_aws_sqs_queue_policy.go

Co-Authored-By: Brian Flad <[email protected]>

* Update CHANGELOG.md

* Lint for the tautological linting gods

* Final ACL retries

* Update CHANGELOG.md

* WAF and wafregional token final retries (hashicorp#9826)

* update CHANGELOG for hashicorp#9826

* s3_bucket_object: Fix ETAG changes not forcing new

* Add default setting for aws_cloudwatch_event_target ecs_target's task_count (hashicorp#9773)

* Add default setting for aws_cloudwatch_event_target ecs_target's task_count.

* Remove forcenew from etag on s3_bucket_object

* Final retries for s3 timeouts

* Update CHANGELOG.md

* Update Changelog for hashicorp#9773

* Update db_instance.html.markdown

The description of `final_snapshot_identifier` doesn't feel correct to me.
When `skip_final_snapshot` is by default set to false and `final_snapshot_identifier`
is omitted, the provider errored with 
> RDS Cluster FinalSnapshotIdentifier is required when a final snapshot is require

Related: hashicorp#4910

* v2.25.0

* Cleanup after v2.25.0 release

* Fixes EC2 capacity reservation in state not found

* Support Kinesis Data Firehose server-side encryption.

* Update aws/resource_aws_kinesis_firehose_delivery_stream.go

Co-Authored-By: Brian Flad <[email protected]>

* Update aws/resource_aws_kinesis_firehose_delivery_stream.go

Co-Authored-By: Brian Flad <[email protected]>

* Update aws/resource_aws_kinesis_firehose_delivery_stream.go

Co-Authored-By: Brian Flad <[email protected]>

* Run 'make fmt'.

* Review: Remove customizable timeouts.

* Review: Replace 'CustomizeDiff' with 'DiffSuppressFunc'.

* Review: Revert to separate 'waiter' functions.

* Review: Separate test configurations for SSE.

* Comment out r/aws_kinesis_firehose_delivery_stream acceptance tests that fail.

* Add AWS Amplify service client.

* Add Amazon AppStream service client.

* Use isAWSErr in EC2 Capacity Reservation read

* Update CHANGELOG.md

* Adding an ElasticsearchDomain data source to the aws provider

* Added VPC Options to ElasticsearchDomain datasource

* Aligning elasticsearch datasource attributes to resource attributes

* Adding an extra test case with an advanced domain configuration

* Documented the additional attributes

* Adding link to aws_elasticsearch_domain datasource docs page

* feedback from review and corrections to make test pass

* removed log_type check because there seems to be odd behaviour with the resource

* changing zone_awareness_config type to TypeList

* documented the zone_awareness_config attribute in the cluster_config block

* Import testing for vpn gateway

* Added IoT Analytics Service

* Update CHANGELOG.md

* Add AWS IoTEvents service

* Update docs with iotevents service

* Update erb and order attributes in documentation

* Import test refactors for vpc resources

* Multiple load_balancer blocks

Add a note that multiple load_balancer blocks are supported with minimum aws provider. This wasn't clear and was only through seeing an old issue that it was possible. With recent support for multiple target groups for ecs service, I think this will be something people will try and use more.

* update CHANGELOG for hashicorp#1867

* Update module aws/aws-sdk-go to v1.23.12

* v2.26.0

* Cleanup after v2.26.0 release

* r/aws_s3_bucket: Include any system tags that Terraform ignores when setting S3 bucket tags (hashicorp#7342)

* Update Changelog for hashicorp#7342

* Update website/docs/r/ecs_service.html.markdown

Co-Authored-By: Brian Flad <[email protected]>

* resource/aws_kinesis_firehose_delivery_stream: Remove Computed from server_side_encryption attribute

So Terraform always performs drift detection.

Output from acceptance testing:

```
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_ElasticsearchConfigUpdates (708.34s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_ExtendedS3_DataFormatConversionConfiguration_Deserializer_Update (204.92s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_ExtendedS3_DataFormatConversionConfiguration_Enabled (188.93s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_ExtendedS3_DataFormatConversionConfiguration_HiveJsonSerDe_Empty (166.30s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_ExtendedS3_DataFormatConversionConfiguration_OpenXJsonSerDe_Empty (154.77s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_ExtendedS3_DataFormatConversionConfiguration_OrcSerDe_Empty (180.87s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_ExtendedS3_DataFormatConversionConfiguration_ParquetSerDe_Empty (165.68s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_ExtendedS3_DataFormatConversionConfiguration_Serializer_Update (152.61s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_ExtendedS3_ErrorOutputPrefix (177.03s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_ExtendedS3_ExternalUpdate (152.21s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_ExtendedS3basic (162.62s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_ExtendedS3KmsKeyArn (225.11s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_ExtendedS3Updates (157.35s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_importBasic (130.87s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_missingProcessingConfiguration (199.02s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_RedshiftConfigUpdates (714.21s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_s3basic (114.90s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_s3basicWithSSE (372.95s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_s3basicWithTags (194.45s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_s3ConfigUpdates (287.14s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_s3KinesisStreamSource (136.86s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_s3WithCloudwatchLogging (122.61s)
--- PASS: TestAccAWSKinesisFirehoseDeliveryStream_SplunkConfigUpdates (195.68s)
```

* Add iotevents service to endpointServiceNames

* deps: github.com/aws/aws-sdk-go/service/[email protected]

* Update CHANGELOG for hashicorp#6523

* Remove duplicate nested lists for Global Accelerator resources

* remove status attribute from docdb_cluster_instance doc (hashicorp#9921)

* tests/service/s3: Check S3 Bucket location before attempting other S3 operations in sweepers

To prevent errors in the sweepers such as:

```
2019/08/30 12:23:14 [ERR] error running (aws_s3_bucket_object): error listing S3 Bucket (tf-acc-test-6376821381526517605) Objects: AccessDenied: Access Denied
```

And

```
2019/08/30 11:38:01 [INFO] Skipping S3 Bucket (tf-test-bucket-destination-2585329347318042546): AuthorizationHeaderMalformed: The authorization header is malformed; the region 'us-east-1' is wrong; expecting 'eu-west-1'
```

Output from sweeper:

```console
$ go test ./aws -v -sweep=us-east-1,us-west-2 -sweep-run=aws_s3_bucket -timeout 10h
...
2019/08/30 12:01:08 Sweeper Tests ran:
	- aws_s3_bucket_object
	- aws_s3_bucket
```

* Update module aws/aws-sdk-go to v1.23.13

* Update module hashicorp/terraform to v0.12.7

* resource/ecs_cluster: Add ability to enable ECS Cluster Insights

Fixes: hashicorp#9294

* Fix test names and ignore broken import

* Import test refactor for subnets

* Add the service name in the list of customizable endpoints

* Import acceptance test refactor for SSM resources

* Acceptance test import refactor for SQS queue policy

* Acceptance test import refactor for simpledb domain

* Acceptance test import refactor for SFN activity

* Acceptance test import refactor for SES template

* Acceptance test import refactor for service resources

* service/cloudhsmv2: Implement sweeper

To prevent sweeper errors such as:

```
2019/09/04 02:12:15 [ERR] error running (aws_vpc): Error deleting Subnet (subnet-064c5a7cad5a28b9e): DependencyViolation: The subnet 'subnet-064c5a7cad5a28b9e' has dependencies and cannot be deleted.
```

Output from sweeper in AWS Commercial:

```console
$ go test ./aws -v -sweep=us-east-1,us-west-2 -sweep-run=aws_cloudhsm_v2_cluster -timeout 10h
2019/09/04 10:27:24 [DEBUG] Running Sweepers for region (us-east-1):
...
2019/09/04 10:27:25 [INFO] Deleting CloudHSMv2 Cluster (cluster-wporekks46b) HSM: hsm-y4tvi5ukedh
...
2019/09/04 10:29:06 [INFO] Deleting CloudHSMv2 Cluster: cluster-wporekks46b
...
2019/09/04 10:30:57 Sweeper Tests ran:
  - aws_cloudhsm_v2_cluster
2019/09/04 10:30:57 [DEBUG] Running Sweepers for region (us-west-2):
...
2019/09/04 10:30:59 [INFO] Deleting CloudHSMv2 Cluster: cluster-w56d2uzszjf
...
2019/09/04 10:31:30 [INFO] Deleting CloudHSMv2 Cluster: cluster-zrvllautsay
...
2019/09/04 10:32:01 [INFO] Deleting CloudHSMv2 Cluster: cluster-chxrr77wb2v
...
2019/09/04 10:32:32 Sweeper Tests ran:
  - aws_cloudhsm_v2_cluster
```

Output from sweeper in AWS GovCloud (US):

```console
$ go test ./aws -v -sweep=us-gov-west-1 -sweep-run=aws_cloudhsm_v2_cluster -timeout 10h
2019/09/04 10:28:52 [DEBUG] Running Sweepers for region (us-gov-west-1):
...
2019/09/04 10:28:54 Sweeper Tests ran:
  - aws_cloudhsm_v2_cluster
```

Output from acceptance testing:

```
--- PASS: TestAccAWSCloudHsm2Cluster_basic (285.06s)

--- PASS: TestAccAWSCloudHsm2Hsm_basic (898.88s)
```

* service/ecs: Minor adjustments to finish cluster setting implementation

Output from acceptance testing:

```
--- PASS: TestAccAWSEcsCluster_disappears (9.90s)
--- PASS: TestAccAWSEcsCluster_basic (13.35s)
--- PASS: TestAccAWSEcsCluster_containerInsights (25.56s)
--- PASS: TestAccAWSEcsCluster_Tags (27.62s)

--- PASS: TestAccAWSEcsDataSource_ecsClusterContainerInsights (14.16s)
--- PASS: TestAccAWSEcsDataSource_ecsCluster (14.25s)
```

* Update CHANGELOG for hashicorp#9720

* deps: Update github.com/aws/[email protected]

Updated via:

```
$ go get github.com/aws/[email protected]
$ go mod tidy
$ go mod vendor
```

* Update CHANGELOG for hashicorp#9998

* Add created_add attribute to lightsail instance documentation

* Update website/docs/r/lightsail_instance.html.markdown

Co-Authored-By: Ryn Daniels <[email protected]>

* v2.27.0

* Cleanup after v2.27.0 release

* switch to terraform.NewResourceConfigRaw
@ghost
Copy link

ghost commented Nov 1, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 1, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
bug Addresses a defect in current functionality. service/rds Issues and PRs that pertain to the rds service.
Projects
None yet