Terraform-provider-aws: RDS VPC Read Replica with different subnet group

I have the same problem.

$ terraform --version
Terraform v0.11.0
+ provider.aws v1.3.1

This is an AWS limitation. Check the docs for --db-subnet-group-name (string)

I am facing this issue as well.

@phoolish, did you manage to work around this? I have the same problem here.
If I can do this through the web console, why not via API?

@jonathortense sorry for the late reply, but I was on an extended vacation. If I remember correctly, we could use the AWS console to make this work and then import the resource into terraform.

How are you able to do this from the web console? I've been trying to find where this is possible without success...

https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstanceReadReplica.html

Indeed it is not allowed by the API now (see DBSubnetGroupName and DBSubnetGroupNotAllowedFault). This worked last time I tried it, which was 9/13/2017.

That’s unfortunate. I don’t reallt understand the limitation. Enterprise support gave me a similar answer.

To do this in the console:

1. Go to source DB
2. Actions -> Create Read Replica
3. Change Destination DB subnet group
4. Create

@errriclee I don’t see those options for an Aurora instance.

I had the same issue working with PostgresSql databases.
Turns out it a mistake in the aws-cli (and carried on to terraform docs)

Under replicate_source_db you need pass the rds instance arn NOT identifier.
I've been talking to AWS support and it works, I've created a read-replica via terraform.

EDIT NOTE
After the initial creation of the replica you'll need to change the replicate_source_db to the source identifier otherwise terraform will try to update it to the arn.

@matanlb you were able to create a read replica that's on a different db subnet group? I used the arn and it still gives the same error as the OP

I can confirm that you can create replicas in another subnet group using the ARN, at least via API.

Here's a quick test I did in Ruby:

require 'aws-sdk'
require 'pp'

client = Aws::RDS::Client.new
source_db = "arn:aws:rds:us-west-2:123456789012:db:my-instance"
source_db_subnet_group = "my-subnets"
target_db_subnet_group =  "other-subnets"

resp = client.create_db_instance_read_replica({
  copy_tags_to_snapshot: true,
  db_instance_class: "db.m4.large",
  db_subnet_group_name: target_db_subnet_group,
  db_instance_identifier: "mytest",
  publicly_accessible: false,
  source_db_instance_identifier: source_db,
  storage_type: "gp2"
})

pp resp

I have not tried with Terraform yet, but I was getting the same error as I received earlier from Terraform when I only specified the identifier, not the ARN. I was given this resolution by AWS Support.

@ktham yes, in my case I've created a read replica in a different subnet on the same VPC.

A lot of confusing comments in here... My understanding from the documentation is that you can only create a read replica in a different subnet group from your source database if the RDS instances are in different regions. Is the documentation wrong?

@mconigliaro yes, the docs are wrong on that one (or maybe just out of date).
It is definitely possible to create a read replica in the same region (even the same VPC) but in a different subnet.

Like I've mentioned before this is an error that stamed from wrong documentation of AWS. I've talked to their support and they instructed me to replace the identifier with the ARN. They were referring to the CLI commands but I in terraform as well.

OK, I've confirmed what @matanlb said above. To create a PostgreSQL instance in a different subnet group, but in the same region as the source database, I had to set replicate_source_db to an ARN during creation. Interestingly, I've noticed that this always results in the replica having the same security groups as the source database. But then if I set replicate_source_db back to the id (which you need to do anyway) and run terraform apply again, it fixes the security groups.

Pretty annoying bug(s), but at least we have workarounds.

Hey,

I cannot understand why we need to switch back replicate_source_db to the ID?

Where is the limitation to use ARN rather than ID?

Changing ID to ARN works for me, but in my case, replicating from EC2 classic gives this error now:
At least one security group '*' (Non-VPC) and subnet group '*' (in VPC '**') are not in common VPC.
Although I'm assigning it a security group from the VPC looks like it's assigning the same one on the classic instance.
Any workaround if I want to do from EC2 classic to VPC?

I want to note that the Terraform documentation still seems to be out of date. I tried creating a replica of an RDS database in the same account/region/VPC, but different subnet group. Specifying an identifier for replicate_source_db resulted in a DBSubnetGroupNotAllowedFault error, despite that being what the docs say at https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#replicate_source_db . Specifying an arn worked, which I only knew to do by finding this issue.

I also had to change it from arn to identifier after creating the database. If I didn't, terraform state thought that I was changing the source DB to a different one, and threw an error.