-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AWS ALB Access Logs Dynamic Block Fails Plan Correctly #16674
Comments
I've encountered the exact same issue also while writing an ELB module. Only encountered the problem when Terraform is creating the bucket in the same apply as the ALB / NLB. No problems if the bucket exists already. |
Same exact issue as @seanturner026. I can also confirm that it worked on the second run. Any workaround for this? |
At least here on terraform 0.12.31 this happens even without the use of a Both with the (broken) simplified conditional form: resource "aws_lb" "alb" {
...
access_logs {
enabled = var.access_logs_bucket != null ? true : false
bucket = var.access_logs_bucket
prefix = var.name
}
} As well as with the dynamic "access_logs" {
for_each = var.access_logs_bucket != null ? { enabled = true } : {}
content {
enabled = true
bucket = var.access_logs_bucket
prefix = var.name
}
} The
And the
As in the comments above, this only seems to happens when setting the |
As mentioned in issue description, the below workaround do the job:
|
I experienced this issue using the
The fix was to explicitly set HCL Code Snippet access_logs = {
enabled = true # Explicitly set this to true
bucket = module.s3_bucket.s3_bucket_id
}
|
I've attempted to reproduce this behavior with a configuration similar to that described in the original issue, and believe this has been resolved by upstream changes to Terraform core. To allow time for feedback on the reproduction, we're going to leave this issue open for two weeks (until 2024-04-30). If no ongoing issues with the AWS provider are identified in this time, we'll close this issue as fixed upstream with hashicorp/terraform#28424. BackgroundA reproduction is included below. Because the Terraform CLI and ConfigurationThis section contains the configuration used for this reproduction. Show/Hide Configuration
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
}
}
# Issue Ref: https://github.com/hashicorp/terraform-provider-aws/issues/16674
#
# No defaults in provided issue config, but we'll set them here.
variable "region" {
default = "us-west-2"
}
variable "bucket_name" {
default = "jb-test-lb-inconsistent-final-plan"
}
provider "aws" {
region = var.region
}
data "aws_availability_zones" "available" {
exclude_zone_ids = ["usw2-az4"]
state = "available"
filter {
name = "opt-in-status"
values = ["opt-in-not-required"]
}
}
# We'll provision a VPC and subnets in the main configuration rather than using variables
# so this reproduction is self-contained.
resource "aws_vpc" "test" {
cidr_block = "10.1.0.0/16"
tags = {
Name = "jb-test"
}
}
resource "aws_subnet" "test" {
count = 2
vpc_id = aws_vpc.test.id
availability_zone = data.aws_availability_zones.available.names[count.index]
cidr_block = cidrsubnet(aws_vpc.test.cidr_block, 8, count.index)
tags = {
Name = "jb-test"
}
}
module "ecs_oauth_proxy_log_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
# 1.17.0 uses syntax that is no longer supported in 1.X versions of Terraform.
# For this reproduction, use the latest module version instead.
# version = "1.17.0"
version = "4.1.2"
bucket = var.bucket_name
acl = "log-delivery-write"
force_destroy = true
attach_elb_log_delivery_policy = true
# Added - now required due to changes to default S3 permissions
control_object_ownership = true
object_ownership = "ObjectWriter"
}
module "lb" {
source = "./alb/"
subnets = aws_subnet.test[*].id
vpc_id = aws_vpc.test.id
lb_access_logs = [
{
enabled = true
bucket = module.ecs_oauth_proxy_log_bucket.s3_bucket_id
}
]
}
variable "lb_access_logs" {}
variable "subnets" {}
variable "vpc_id" {}
resource "aws_lb" "this" {
name = "testing"
internal = true
load_balancer_type = "application"
security_groups = [aws_security_group.lb.id]
subnets = var.subnets
dynamic "access_logs" {
for_each = var.lb_access_logs
content {
bucket = access_logs.value.bucket
enabled = lookup(access_logs.value, "enabled", null)
prefix = lookup(access_logs.value, "prefix", null)
}
}
}
resource "aws_security_group" "lb" {
name = "test-lb-sg"
vpc_id = var.vpc_id
egress {
protocol = "-1"
from_port = 0
to_port = 0
cidr_blocks = ["0.0.0.0/0"]
}
} ReproductionThis section contains the reproduction steps and relevant output. Show/Hide Reproduction% terraform -version
Terraform v1.8.0
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v5.45.0 % terraform plan
<snip>
+ resource "aws_lb" "this" {
+ arn = (known after apply)
+ arn_suffix = (known after apply)
+ desync_mitigation_mode = "defensive"
+ dns_name = (known after apply)
+ drop_invalid_header_fields = false
+ enable_deletion_protection = false
+ enable_http2 = true
+ enable_tls_version_and_cipher_suite_headers = false
+ enable_waf_fail_open = false
+ enable_xff_client_port = false
+ enforce_security_group_inbound_rules_on_private_link_traffic = (known after apply)
+ id = (known after apply)
+ idle_timeout = 60
+ internal = true
+ ip_address_type = (known after apply)
+ load_balancer_type = "application"
+ name = "testing"
+ name_prefix = (known after apply)
+ preserve_host_header = false
+ security_groups = (known after apply)
+ subnets = (known after apply)
+ tags_all = (known after apply)
+ vpc_id = (known after apply)
+ xff_header_processing_mode = "append"
+ zone_id = (known after apply)
+ access_logs {
+ bucket = (known after apply)
+ enabled = true
}
}
<snip>
Plan: 8 to add, 0 to change, 0 to destroy. From the output above, the dynamic
% terraform apply -auto-approve
<snip>
Plan: 10 to add, 0 to change, 0 to destroy.
aws_vpc.test: Creating...
module.ecs_oauth_proxy_log_bucket.aws_s3_bucket.this[0]: Creating...
aws_vpc.test: Creation complete after 2s [id=vpc-0d0ccee32e65c195c]
aws_subnet.test[0]: Creating...
aws_subnet.test[1]: Creating...
module.lb.aws_security_group.lb: Creating...
module.ecs_oauth_proxy_log_bucket.aws_s3_bucket.this[0]: Creation complete after 2s [id=jb-test-lb-inconsistent-final-plan]
module.ecs_oauth_proxy_log_bucket.data.aws_iam_policy_document.elb_log_delivery[0]: Reading...
module.ecs_oauth_proxy_log_bucket.aws_s3_bucket_public_access_block.this[0]: Creating...
module.ecs_oauth_proxy_log_bucket.data.aws_iam_policy_document.elb_log_delivery[0]: Read complete after 0s [id=521196102]
module.ecs_oauth_proxy_log_bucket.data.aws_iam_policy_document.combined[0]: Reading...
module.ecs_oauth_proxy_log_bucket.data.aws_iam_policy_document.combined[0]: Read complete after 0s [id=521196102]
module.ecs_oauth_proxy_log_bucket.aws_s3_bucket_public_access_block.this[0]: Creation complete after 1s [id=jb-test-lb-inconsistent-final-plan]
module.ecs_oauth_proxy_log_bucket.aws_s3_bucket_policy.this[0]: Creating...
aws_subnet.test[0]: Creation complete after 1s [id=subnet-0018f63c11fabd858]
aws_subnet.test[1]: Creation complete after 1s [id=subnet-01c1172e47a5c05c2]
module.ecs_oauth_proxy_log_bucket.aws_s3_bucket_policy.this[0]: Creation complete after 0s [id=jb-test-lb-inconsistent-final-plan]
module.ecs_oauth_proxy_log_bucket.aws_s3_bucket_ownership_controls.this[0]: Creating...
module.ecs_oauth_proxy_log_bucket.aws_s3_bucket_ownership_controls.this[0]: Creation complete after 1s [id=jb-test-lb-inconsistent-final-plan]
module.ecs_oauth_proxy_log_bucket.aws_s3_bucket_acl.this[0]: Creating...
module.ecs_oauth_proxy_log_bucket.aws_s3_bucket_acl.this[0]: Creation complete after 0s [id=jb-test-lb-inconsistent-final-plan,log-delivery-write]
module.lb.aws_security_group.lb: Creation complete after 2s [id=sg-06fd2a2b78e0c6df0]
module.lb.aws_lb.this: Creating...
module.lb.aws_lb.this: Still creating... [10s elapsed]
module.lb.aws_lb.this: Still creating... [20s elapsed]
module.lb.aws_lb.this: Still creating... [30s elapsed]
module.lb.aws_lb.this: Still creating... [40s elapsed]
module.lb.aws_lb.this: Still creating... [50s elapsed]
module.lb.aws_lb.this: Still creating... [1m0s elapsed]
module.lb.aws_lb.this: Still creating... [1m10s elapsed]
module.lb.aws_lb.this: Still creating... [1m20s elapsed]
module.lb.aws_lb.this: Still creating... [1m30s elapsed]
module.lb.aws_lb.this: Still creating... [1m40s elapsed]
module.lb.aws_lb.this: Still creating... [1m50s elapsed]
module.lb.aws_lb.this: Still creating... [2m0s elapsed]
module.lb.aws_lb.this: Still creating... [2m10s elapsed]
module.lb.aws_lb.this: Still creating... [2m20s elapsed]
module.lb.aws_lb.this: Still creating... [2m30s elapsed]
module.lb.aws_lb.this: Still creating... [2m40s elapsed]
module.lb.aws_lb.this: Creation complete after 2m44s [id=arn:aws:elasticloadbalancing:us-west-2:727561393803:loadbalancer/app/testing/0f33304e5eae06ce]
Apply complete! Resources: 10 added, 0 changed, 0 destroyed. ConclusionAbsent any concerns with this reproduction, we'll close this issue as fixed upstream on 2024-04-30. |
Closing as fixed upstream in Terraform core. |
Warning This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them. Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed. |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
We are utilizing a Module with an ALB which exposes the ability to add
access_logs
based upon a variable. To populate the parameters thelookup
function is used on the optional parameters such asenabled
andprefix
. When the lookup function is used on theenabled
parameter thebucket
parameter is not populated in theterraform plan
.We have a work around which consists of setting the
enabled
parameter totrue
in the module.Community Note
Terraform CLI and Terraform AWS Provider Version
Terraform v0.13.5
Affected Resource(s)
Terraform Configuration Files
Calling Terraform
Module
Debug Output
https://gist.github.com/duganth-va/586335f45db17f46a48059a4d4f186b6
Expected Behavior
Actual Behavior
Running terraform plan results in the following output
Running Terraform apply results in:
Steps to Reproduce
terraform plan
terraform apply
Important Factoid
This was tested on Gov Cloud.
The text was updated successfully, but these errors were encountered: