Can't create CNAME Route53 entry for an instance with Elastic IP in one pass #3474

Closed
stevenewey opened this issue Feb 21, 2018 · 6 comments
Labels

  • enhancement: Requests to existing resources that expand the functionality or scope.
  • service/ec2: Issues and PRs that pertain to the ec2 service.
  • stale: Old or inactive issues managed by automation, if no further action taken these will get closed.

Comments

@stevenewey
Contributor

Terraform Version

Terraform v0.11.3

  • provider.aws v1.9.0

Affected Resource(s)

  • aws_instance
  • aws_eip
  • aws_route53_record

Terraform Configuration Files

provider "aws" {
  region = "eu-west-2"
}

resource "aws_vpc" "test" {
  cidr_block = "10.0.0.0/16"
  enable_dns_hostnames = true
}

resource "aws_subnet" "test" {
  cidr_block = "10.0.0.0/24"
  vpc_id = "${aws_vpc.test.id}"
  map_public_ip_on_launch = false
}

resource "aws_internet_gateway" "internet" {
  vpc_id = "${aws_vpc.test.id}"
}

resource "aws_route" "igw" {
  route_table_id = "${aws_vpc.test.main_route_table_id}"
  destination_cidr_block = "0.0.0.0/0"
  gateway_id = "${aws_internet_gateway.internet.id}"
}

resource "aws_route53_zone" "test" {
  name = "test.zone"
  vpc_id = "${aws_vpc.test.id}"
  force_destroy = true
}

data "aws_ami" "ubuntu" {
  most_recent = true
  filter {
      name   = "name"
      values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]
  }
  filter {
      name   = "virtualization-type"
      values = ["hvm"]
  }
  owners = ["099720109477"]
}

resource "aws_instance" "test-router" {
  ami = "${data.aws_ami.ubuntu.image_id}"
  instance_type = "t2.small"
  subnet_id = "${aws_subnet.test.id}"
}

resource "aws_eip" "test" {
  vpc = true
  network_interface = "${aws_instance.test-router.primary_network_interface_id}"
}

resource "aws_route53_record" "test" {
  name = "instance.test.zone"
  type = "CNAME"
  ttl = "60"
  records = ["${aws_instance.test-router.public_dns}"]
  zone_id = "${aws_route53_zone.test.id}"
  depends_on = ["aws_eip.test"]
}

Debug Output

https://gist.github.com/stevenewey/34b9276483098be0c92f067f7dcaa71d

Expected Behavior

In a single pass, the route53 entry should be created for the instance EIP.

Actual Behavior

On the first pass, the apply fails:

* aws_route53_record.test: [ERR]: Error building changeset: InvalidChangeBatch: Invalid Resource Record: FATAL problem: DomainNameEmpty (Domain name is empty) encountered with ''
	status code: 400, request id: 9a18b350-172c-11e8-b561-995a5abd51da

On the second pass, the apply is able to complete.

Steps to Reproduce

  1. terraform apply
  2. terraform apply

Important Factoids

The reason why we need to use the DNS name here to create a CNAME, and not the IP, is so we can use this DNS name internally and externally, and through the magic of AWS DNS, have the name resolve externally to the EIP, and internally to the private IP.

I believe we could work around it if GH-1149 was implemented (aws_eip should have a Public DNS attribute).

References

@bflad bflad added enhancement Requests to existing resources that expand the functionality or scope. service/ec2 Issues and PRs that pertain to the ec2 service. labels Feb 22, 2018
@ploxiln

ploxiln commented Aug 4, 2018

What I do is generate the cname record value based on the eip public_ip, like:

"ec2-${replace(aws_eip.test-router.public_ip, ".", "-")}.eu-west-2.compute.amazonaws.com"

But I agree this situation with EIPs is awkward. You can tell terraform that the route53 record depends on the eip resource, but I don't think there's a way to tell terraform that it additionally needs to refresh the ec2 instance after fully updating the eip resource and before creating/updating the route53 record?
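
Added example (not part of the comment above, nor the provider's own code): the same workaround written out against the resources in the issue's configuration, so the CNAME target is derived from `aws_eip.test.public_ip` instead of the instance's `public_dns`. It assumes Terraform 0.12+ syntax and a standard commercial region; the local names `ec2_dns_suffix` and `eip_public_dns` and the `cname_target` output are hypothetical.

```hcl
# Added example, Terraform 0.12+ syntax. Reuses aws_instance.test-router,
# aws_eip.test and aws_route53_zone.test from the issue's configuration.

data "aws_region" "current" {}

locals {
  # Assumption: standard commercial regions. EC2 public hostnames end in
  # "compute-1.amazonaws.com" in us-east-1 and in
  # "<region>.compute.amazonaws.com" in the other regions.
  ec2_dns_suffix = (
    data.aws_region.current.name == "us-east-1"
    ? "compute-1.amazonaws.com"
    : "${data.aws_region.current.name}.compute.amazonaws.com"
  )

  # Constructed illustration: 203.0.113.10 -> ec2-203-0-113-10.<suffix>
  eip_public_dns = "ec2-${replace(aws_eip.test.public_ip, ".", "-")}.${local.ec2_dns_suffix}"
}

resource "aws_route53_record" "test" {
  zone_id = aws_route53_zone.test.id
  name    = "instance.test.zone"
  type    = "CNAME"
  ttl     = 60

  # aws_eip.test.public_ip is set when the EIP is created, so this reference
  # orders the record after the EIP and avoids reading
  # aws_instance.test-router.public_dns, which is still empty on the first apply.
  records = [local.eip_public_dns]
}

# Exposes the derived name so it can be compared with the instance's
# public_dns after a later refresh.
output "cname_target" {
  value = local.eip_public_dns
}
```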

@hrix

hrix commented Mar 26, 2019

FYI, CloudFormation could do it like this:

  somedomainDNSRecordSet:
    Type: AWS::Route53::RecordSet
    Properties:
...
      Type: CNAME
      ResourceRecords:
        - !GetAtt somedomainInstance.PublicDnsName
    DependsOn: somedomainInstanceEIPAssociation

@Gary-Armstrong

I think I am seeing this issue but since I'm using 0.12.20 I'm not sure. It actually worked fine in 0.11 but I think because 0.12 is faster than 0.11 (???). I'm seeing the R53 on the EIP fail because the EIP isn't complete.

THEN I looked at the (trimmed) output more closely and see this is out of order:

module.master.aws_instance.instance[0]: Creating...
module.master.aws_instance.instance[0]: Still creating... [10s elapsed]
module.master.aws_instance.instance[0]: Creation complete after 19s [id=i-0b5c14a5a43c315f7]
module.master.aws_route53_record.r53-record-ext[0]: Creating...
module.master.aws_eip.eip[0]: Creating...
module.master.aws_route53_record.r53-record[0]: Creating...
module.master.aws_eip.eip[0]: Creation complete after 1s [id=eipalloc-0b368ed6fee707bdb]
module.master.aws_route53_record.reverse-private[0]: Creating...
module.master.aws_route53_record.r53-record[0]: Still creating... [10s elapsed]
module.master.aws_route53_record.reverse-private[0]: Still creating... [10s elapsed]
module.master.aws_route53_record.r53-record[0]: Still creating... [20s elapsed]
module.master.aws_route53_record.reverse-private[0]: Still creating... [20s elapsed]
module.master.aws_eip_association.eip-association[0]: Creating...
module.master.aws_eip_association.eip-association[0]: Creation complete after 1s [id=eipassoc-0a49c2084de55a0d8]
module.master.aws_route53_record.r53-record[0]: Still creating... [30s elapsed]
module.master.aws_route53_record.reverse-private[0]: Still creating... [30s elapsed]
module.master.aws_route53_record.r53-record[0]: Creation complete after 32s [id=ZQ15UCZ08KTN2_radar-dev-1-master-00-us-east-1_A]
module.master.aws_route53_record.reverse-private[0]: Still creating... [40s elapsed]
module.master.aws_route53_record.reverse-private[0]: Still creating... [50s elapsed]
module.master.aws_route53_record.reverse-private[0]: Still creating... [1m0s elapsed]
module.master.aws_route53_record.reverse-private[0]: Still creating... [1m10s elapsed]
module.master.aws_route53_record.reverse-private[0]: Creation complete after 1m11s [id=Z2PSUNJLTWLV0W_78.220.227.10.in-addr.arpa._PTR]
Error: [ERR]: Error building changeset: InvalidChangeBatch: [Invalid Resource Record: FATAL problem: ARRDATAIllegalIPv4Address (Value is not a valid IPv4 address) encountered with '']
	status code: 400, request id: ca7e1cdf-a744-462d-9fbc-49cc2635e7ae

  on .terraform/modules/master/r53.tf line 10, in resource "aws_route53_record" "r53-record-ext":
  10: resource "aws_route53_record" "r53-record-ext" {

Works fine on 2nd run.

I tried referring to both aws_eip.eip.public_ip and aws_instance.instance.public_ip with same results.

@Gary-Armstrong

Gary-Armstrong commented Feb 1, 2021

I'm still seeing this with TF 0.14.2 and aws v3.20.0

I don't seem to have pasted my HCL here yet.

resource "aws_route53_record" "reverse-private" {
  count   = var.instance-count
  zone_id = var.rev-zone-id

  name = format(
    "%s.%s.%s.%s.in-addr.arpa.",
    element(
      split(
        ".",
        element(aws_instance.instance.*.private_ip, count.index),
      ),
      3,
    ),
    element(
      split(
        ".",
        element(aws_instance.instance.*.private_ip, count.index),
      ),
      2,
    ),
    element(
      split(
        ".",
        element(aws_instance.instance.*.private_ip, count.index),
      ),
      1,
    ),
    element(
      split(
        ".",
        element(aws_instance.instance.*.private_ip, count.index),
      ),
      0,
    ),
  )

  type    = "PTR"
  ttl     = "600"
  records = ["${var.product}-${var.tier}-${var.cluster}-${var.role}-${format("%02d", count.index)}-${var.region}"]
}

@github-actions

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Jan 23, 2023
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Feb 22, 2023
@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 25, 2023