aws_servicequotas_service_quota requires modifying tfstate if whitespace is accidently added in quota_code

[Stretch96]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v0.14.7

• provider registry.terraform.io/hashicorp/aws v3.31.0
• provider registry.terraform.io/hashicorp/external v2.1.0
• provider registry.terraform.io/hashicorp/null v3.1.0
• provider registry.terraform.io/hashicorp/template v2.2.0

Affected Resource(s)

• aws_servicequotas_service_quota

Terraform Configuration Files

resource "aws_servicequotas_service_quota" "max_ipv4_per_vpc" {
  quota_code   = " L-83CA0A9D"
  service_code = "vpc"
  value        = 20
}

Expected Behavior

Run terraform apply:

$ terraform apply

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_servicequotas_service_quota.max_ipv4_per_vpc will be created
  + resource "aws_servicequotas_service_quota" "max_ipv4_per_vpc" {
      + adjustable     = (known after apply)
      + arn            = (known after apply)
      + default_value  = (known after apply)
      + id             = (known after apply)
      + quota_code     = " L-83CA0A9D"
      + quota_name     = (known after apply)
      + request_id     = (known after apply)
      + request_status = (known after apply)
      + service_code   = "vpc"
      + service_name   = (known after apply)
      + value          = 20
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions in workspace "quota-bug"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_servicequotas_service_quota.max_ipv4_per_vpc: Creating...

Error: error getting Service Quotas Service Quota (vpc/ L-83CA0A9D): ValidationException: 1 validation error detected: Value ' L-83CA0A9D' at 'quotaCode' failed to satisfy constraint: Member must satisfy regular expression pattern: [a-zA-Z][a-zA-Z0-9-]{1,128}
	status code: 400, request id: 09a634c4-8653-412f-bab9-df3ff033c5ff

  on quotas.tf line 1, in resource "aws_servicequotas_service_quota" "max_ipv4_per_vpc":
   1: resource "aws_servicequotas_service_quota" "max_ipv4_per_vpc" {

Fix the resource by removing the whitespace:

resource "aws_servicequotas_service_quota" "max_ipv4_per_vpc" {
  quota_code   = "L-83CA0A9D"
  service_code = "vpc"
  value        = 20
}

Run terraform apply again:

$ terraform apply

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_servicequotas_service_quota.max_ipv4_per_vpc will be created
  + resource "aws_servicequotas_service_quota" "max_ipv4_per_vpc" {
      + adjustable     = (known after apply)
      + arn            = (known after apply)
      + default_value  = (known after apply)
      + id             = (known after apply)
      + quota_code     = "L-83CA0A9D"
      + quota_name     = (known after apply)
      + request_id     = (known after apply)
      + request_status = (known after apply)
      + service_code   = "vpc"
      + service_name   = (known after apply)
      + value          = 20
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions in workspace "quota-bug"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value:

Actual Behaviour

Run terraform apply:

$ terraform apply

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_servicequotas_service_quota.max_ipv4_per_vpc will be created
  + resource "aws_servicequotas_service_quota" "max_ipv4_per_vpc" {
      + adjustable     = (known after apply)
      + arn            = (known after apply)
      + default_value  = (known after apply)
      + id             = (known after apply)
      + quota_code     = " L-83CA0A9D"
      + quota_name     = (known after apply)
      + request_id     = (known after apply)
      + request_status = (known after apply)
      + service_code   = "vpc"
      + service_name   = (known after apply)
      + value          = 20
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions in workspace "quota-bug"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_servicequotas_service_quota.max_ipv4_per_vpc: Creating...

Error: error getting Service Quotas Service Quota (vpc/ L-83CA0A9D): ValidationException: 1 validation error detected: Value ' L-83CA0A9D' at 'quotaCode' failed to satisfy constraint: Member must satisfy regular expression pattern: [a-zA-Z][a-zA-Z0-9-]{1,128}
	status code: 400, request id: 09a634c4-8653-412f-bab9-df3ff033c5ff

  on quotas.tf line 1, in resource "aws_servicequotas_service_quota" "max_ipv4_per_vpc":
   1: resource "aws_servicequotas_service_quota" "max_ipv4_per_vpc" {

Fix the resource by removing the whitespace:

resource "aws_servicequotas_service_quota" "max_ipv4_per_vpc" {
  quota_code   = "L-83CA0A9D"
  service_code = "vpc"
  value        = 20
}

Run terraform apply again:

$ terraform apply
aws_servicequotas_service_quota.max_ipv4_per_vpc: Refreshing state... [id=vpc/ L-83CA0A9D]

Error: error getting Service Quotas Service Quota (vpc/ L-83CA0A9D): ValidationException: 1 validation error detected: Value ' L-83CA0A9D' at 'quotaCode' failed to satisfy constraint: Member must satisfy regular expression pattern: [a-zA-Z][a-zA-Z0-9-]{1,128}
	status code: 400, request id: dc5ed91f-131c-4356-95c9-59e5c65b2778

Try untainting and applying:

$ terraform untaint aws_servicequotas_service_quota.max_ipv4_per_vpc
Resource instance aws_servicequotas_service_quota.max_ipv4_per_vpc has been successfully untainted.

$ terraform apply
aws_servicequotas_service_quota.max_ipv4_per_vpc: Refreshing state... [id=vpc/ L-83CA0A9D]

Error: error getting Service Quotas Service Quota (vpc/ L-83CA0A9D): ValidationException: 1 validation error detected: Value ' L-83CA0A9D' at 'quotaCode' failed to satisfy constraint: Member must satisfy regular expression pattern: [a-zA-Z][a-zA-Z0-9-]{1,128}
	status code: 400, request id: 90379c2a-4024-4e0f-939c-c06dd5807dc7

terraform plan has the same result

The resource can only be destroyed

Once fixing the id and quota_code in the tfstate, terraform apply works:

$ terraform apply
aws_servicequotas_service_quota.max_ipv4_per_vpc: Refreshing state... [id=vpc/L-83CA0A9D]

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # aws_servicequotas_service_quota.max_ipv4_per_vpc is tainted, so must be replaced
-/+ resource "aws_servicequotas_service_quota" "max_ipv4_per_vpc" {
      ~ adjustable     = true -> (known after apply)
      ~ arn            = "arn:aws:servicequotas:eu-west-2:XXXXXXXXXXXX:vpc/L-83CA0A9D" -> (known after apply)
      ~ default_value  = 5 -> (known after apply)
      ~ id             = "vpc/L-83CA0A9D" -> (known after apply)
      ~ quota_name     = "IPv4 CIDR blocks per VPC" -> (known after apply)
      + request_id     = (known after apply)
      + request_status = (known after apply)
      ~ service_name   = "Amazon Virtual Private Cloud (Amazon VPC)" -> (known after apply)
      ~ value          = 5 -> 20
        # (2 unchanged attributes hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Do you want to perform these actions in workspace "quota-bug"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: 

Steps to Reproduce

Introduce whitespace into the quota_code

References

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/servicequotas_service_quota

[Stretch96]

Note that this bug will also occur if it doesn't satisfy the regex [a-zA-Z][a-zA-Z0-9-]{1,128}, not only whitespace ... I just needed a snazzy PR tititle ...

[anGie44]

Hi @Stretch96, thank you for raising this issue and apologies you came across this behavior. In the resource create operation, under the hood we initially call GetServiceQuota
https://github.com/hashicorp/terraform-provider-aws/blob/main/aws/resource_aws_servicequotas_service_quota.go#L70-L88
so I believe you're hitting that error right away even though errors that contain error getting... are generally associated with the resource read operations. Luckily i believe we can prevent these apply time AWS API validation exceptions by adding some plan-time ValidateFunc fields to the quota_code and service_code arguments. If you'd like to work on this bug, reach out if you have any questions!

[Stretch96]

Thanks for that info, I'll give it a whirl

My Go knowledge is limitied, so this may take some time ... but hey, what are lockdowns for right 😬 ...

[Stretch96]

Hi @anGie44, I believe this PR fixes the issue 👍

[ghost]

This has been released in version 3.37.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!