[Bug]: API Gateway cache key parameters unset during apply

[felsteadd]

Terraform Core Version

1.3.9

AWS Provider Version

4.55.0

Affected Resource(s)

aws_api_gateway_method
aws_api_gateway_integration

Expected Behavior

When adding a new request_parameters to and existing aws_api_gateway_method and adding the same value to an existing array of cache_key_parameters for the associated aws_api_gateway_integration any existing cache key parameters should be left in place with the additional value added to the array of cache_key_parameters.

Actual Behavior

On adding a header to an API Gateway request method resource and adding it to the list of cache key parameters to the integration request resource, exiting cache key parameters on the integration request were removed once the changes were applied.

The plan indicated it would add the request header / cache key parameters and leave the remaining x unchanged but what it actually did was overwrite the existing cache key parameters with the single, newly added cache key parameter.

After the apply had completed, re-running our CI pipeline using the same code tag resulted in a different plan, this time it showed that it would add the original cache keys leaving the 1 unchanged. On apply, everything was correct and all cache key parameters were set as expected based on the terraform code.

The period of time during which the original cache key parameter were unset presented a significant security risk.

Relevant Error/Panic Output Snippet

Not applicable - plan looked correct based on the code changes made.

Terraform Configuration Files

Not provided due confidentiality concerns.

Steps to Reproduce

With and existing deployed and functional API gateway resource that has at least 1 aws_api_gateway_method and associated aws_api_gateway_integration resource, each containing request parameters that also exist in the cache key parameters array of the integration request.

1. Add a new request parameter to the aws_api_gateway_method
2. Add the same value to the cache_key_parameters array of the aws_api_gateway_integration
3. Run the plan
4. It will show that it will add the new values leaving existing unchanged
5. Run the apply
6. Check AWS Console for the affected resource
7. The pre-existing cache_key_parameters will have been replaced with just the new one
8. Re-run the same plan again
9. It will show that it will add the original cache_key_parameters back into the array
10. Run the apply
11. Check the AWS console and all should be back to expected state with the old and new cache_key_parameters present

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[felsteadd]

Seems to be same issue raised here last July.

[deepan83]

ok, I've done some analysis on this and below is what causes the issue from what I have observed,

1. The issue (confirmed via observing the provider logs when the test runs and debugging the provider code) is that when you add a new supporting request parameter to support a new cache key parameter, Terraform recognises the change in the request parameter set but sends a replace op via an update method call in (https://github.saobby.my.eu.org.mcas.ms/hashicorp/terraform-provider-aws/blob/main/internal/service/apigateway/flex.go) for existing request parameters with unchanged values in addition to add ops for new request parameters. The replace op is effectively remove and add so it recreates the request parameter but this action removes any previous caching setting on the parameter (and from the cacheKeyParameters list on the integration resource)
2. This hence will also be an issue when you add a new request parameter without adding it to the cacheKeyParameters. Any previous request parameters that had caching set on them will lose them.

Proposed fix

1. Stop the replace operation when the request parameter already exists and its value hasn't changed
2. When the parameter exists but the value has changed, then replace needs doing but subsequently it also needs to be added back to the cacheParameterKeys list if it existed originally there

If the analysis and proposed fix approach can be confirmed, happy to work/collaborate on a PR to address

[github-actions]

This functionality has been released in v4.59.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.