[Bug]: [ERROR] Invalid Attribute Combination Only one of "default_action[0].target_group_arn" or "default_action[0].forward" can be specified.

[Paola1899]

Terraform Core Version

1.5.1

AWS Provider Version

v5.35.0

Affected Resource(s)

aws_lb_listener

Expected Behavior

required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.35.0"
}
}

Actual Behavior

I encountered an error while executing Terraform AWS version 5.35.0, specifically related to the default_action attribute of a load balancer listener. The error message, `[ERROR] provider.terraform-provider-aws_v5.35.0_x5: Response contains error diagnostic: tf_rpc=PlanResourceChange @caller=github.com/hashicorp/terraform-plugin-go@v0.20.0/tfprotov5/internal/diag/diagnostics.go:62 tf_resource_type=aws_lb_listener diagnostic_summary="Invalid Attribute Combination," prompted me to investigate a solution. After troubleshooting, I found that downgrading the AWS provider to version 5.34.0 resolved the issue. The corrected Terraform configuration includes the following snippet:

required_providers {
aws = {
source = "hashicorp/aws"
version = "5.34.0"
}
}

This adjustment ensured compatibility and allowed for successful execution without encountering the previously mentioned error.

Relevant Error/Panic Output Snippet

[ERROR] provider.terraform-provider-aws_v5.35.0_x5: Response contains error diagnostic: tf_rpc=PlanResourceChange @caller=github.com/hashicorp/terraform-plugin-go@v0.20.0/tfprotov5/internal/diag/diagnostics.go:62 tf_resource_type=aws_lb_listener diagnostic_summary="Invalid Attribute Combination Only one of "default_action[0].target_group_arn" or "default_action[0].forward" can be specified." tf_proto_version=5.4 tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=446d2967-06b5-a69c-ad91-f0dd3c35368c @module=sdk.proto diagnostic_detail= diagnostic_severity=ERROR timestamp=2024-02-02T17:51:16.201Z [ERROR] vertex "module.alb.aws_lb_listener.redirect_front_end[\"blue_sender\"]" error: Invalid Attribute Combination Only one of "default_action[0].target_group_arn" or "default_action[0].forward" can be specified.

Terraform Configuration Files

resource "aws_lb_listener" "redirect_front_end" {
  for_each          = local.listener
  load_balancer_arn = each.value.alb
  port              = each.value.port
  protocol          = each.value.protocol

  default_action {
    type             = "forward"
    target_group_arn = each.value.target
  }

  lifecycle {
    ignore_changes = [
      default_action[0].forward,
      default_action[0].target_group_arn
    ]
  }
}

locals {
listener = {
    "blue" = {
      port     = "80",
      target   = aws_alb_target_group.sonar_target["blue"].arn,
      protocol = "HTTP",
      alb      = aws_lb.sonar_alb.arn
    }
  }
}

Steps to Reproduce

Run Terraform Plan

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[gdavison]

Thanks for submitting this, @Paola1899. The restriction was added as part of fixing some bugs related to target_group_arn and forward (https://github.com/hashicorp/terraform-provider-aws/issues?q=is%3Aopen+is%3Aissue+label%3Aservice%2Felbv2+assignee%3Agdavison). It was accidentally released without an entry in the CHANGELOG.

Technically, if there is a single target_group in the forward block, the target_group_arn and forward.target_group[0].arn the AWS API allows both be specified if they are equal. However, one or the other can be specified, and the listener will work the same.

If it is possible to fix the bugs listed above and still allow both forward and target_group_arn to be specified, we will remove the restriction

[mvallim]

Hi @gdavison,

I'm having the same problem here.

If my understanding of the explanation given is correct, does the configuration described below stop working?

Context

I'm using an ALB

Error Log

Error: Invalid Attribute Combination

Only one of "action[0].target_group_arn" or "action[0].forward" can be specified.
action[0]

Configuration

resource "aws_lb_listener_rule" "listener_rule_application" {

  listener_arn = aws_lb_listener.main.arn

  action {
    type  = "forward"

    forward {
      target_group {
          arn    = aws_lb_target_group.main["blue"].arn
          weight = 100
      }

      target_group {
        arn    = aws_lb_target_group.main["green"].arn
        weight = 0
      }
    }
  }

  lifecycle {
    ignore_changes = [
      action
    ]
  }
}

What would be the correct procedure for this?

[gdavison]

@mvallim No, that configuration should not be affected by this change, since there is no action[0].target_group_arn

[mvallim]

@mvallim No, that configuration should not be affected by this change, since there is no action[0].target_group_arn

A little more context

resource "aws_lb_listener" "main" {
  load_balancer_arn = var.load_balancer_arn
  certificate_arn   = var.certificate_arn
  protocol          = var.protocol
  port              = var.port

  default_action {
    type = "fixed-response"

    fixed_response {
      content_type = "application/json"
      status_code  = "400"
      message_body = jsonencode({
        message = "Bad Request"
      })
    }
  }

  lifecycle {
    ignore_changes = [
      default_action
    ]
  }
}

So why am I getting this error?

[gabmuniz1995]

Hi
I'm having the same problem too...
Considering the validation returned in the message:
"Invalid Attribute Combination Only one of "default_action[0].target_group_arn" or "default_action[0].forward" can be specified".
Indicates the impossibility of informing 2 target groups to default_action, however such configuration is necessary to use blue-green with albs, as described in:
https://aws.amazon.com/pt/blogs/devops/blue-green-deployments-with-application-load-balancer/.
and
https://aws.amazon.com/pt/blogs/aws/new-application-load-balancer-simplifies-deployment-with-weighted-target-groups/
Examples:

aws elbv2 modify-listener \
    --listener-arn "<LISTENER ARN>" \
    --default-actions \
    '[{
       "Type": "forward",
       "Order": 1,
       "ForwardConfig": {
          "TargetGroups": [
             {"TargetGroupArn": "<Blue Target Group>", "Weight": 0}, \
             {"TargetGroupArn": "<Green Target Group>", "Weight": 100}, \
          ]
       }
    }]'

"ListenerRule1": {
      "Type": "AWS::ElasticLoadBalancingV2::ListenerRule",
      "Properties": {
        "Actions": [{
          "Type": "forward",
          "ForwardConfig": {
            "TargetGroups": [{
              "TargetGroupArn": { "Ref": "TargetGroup1" },
              "Weight": 1
            }, {
              "TargetGroupArn": { "Ref": "TargetGroup2" },
              "Weight": 1
            }]
          }
        }],
        "Conditions": [{
          "Field": "path-pattern",
          "Values": ["foo"]
        }],
        "ListenerArn": { "Ref": "Listener" },
        "Priority": 1
      }
    }

[gdavison]

Hi @gabmuniz1995, I'm not sure I understand what you're suggesting. You can specify from 1 to 5 target_groups inside the forward block. What you can't do is specify both the forward block and target_group_arn in the default_action.

This is supported:

resource "aws_lb_listener" "example" {
  ...
  default_action {
    type             = "forward"
    target_group_arn = <arn>
  }
}

This is also supported:

resource "aws_lb_listener" "example" {
  ...
  default_action {
    type = "forward"
    forward {
      target_group {
        arn = <arn1>
      }
      target_group {
        arn = <arn2>
      }
    }
  }
}

This is not supported:

resource "aws_lb_listener" "example" {
  ...
  default_action {
    type             = "forward"
    target_group_arn = <arn>
    forward {
      target_group {
        arn = <arn>
      }
    }
  }
}

[gdavison]

Hi @Paola1899 and @mvallim. I've noticed that you're using ignore_changes for your resources. How are you able to manage your configuration if changes are ignored? Using ignore_changes in this case does seem to trigger another error which may be causing the confusing error message that you're seeing.

[project0]

I am having the same problem with listener managed by ECS/codedeploy, hence the attributes mutates outside of terraform causing the new issue.

We use "initial" values to get first version running, marked as ignore so it does not trigger a plan change.

resource "aws_alb_listener" "_" {
  load_balancer_arn = var.load_balancer_arn
  port              = var.port
  certificate_arn   = var.certificate_arn
  protocol          = var.protocol

  default_action {
    type             = "forward"
    target_group_arn = var.default_target_group_arns[0]
  }

  lifecycle {
    ignore_changes = [
          default_action.0.target_group_arn, default_action.0.forward # managed by CodeDeploy
    ]
  }
}

[bay73]

@gdavison
You mentioned that two ways are supported, but it seems this is not true with the new version. We have the next code and getting the same error:

resource "aws_lb_listener_rule" "api" {
  listener_arn = aws_lb_listener.api.arn

  condition {
    host_header {
      values = [
        var.edge_hostname,
        var.api_lb_hostname
      ]
    }
  }

  condition {
    http_header {
      http_header_name = "X-LB-Authentication"
      values           = [random_password.lb_authentication_secret.result]
    }
  }

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.api["blue"].arn
  }

  lifecycle {
    ignore_changes = [action]
  }
}

[bay73]

@gdavison
You pointed out to ignore_changes attribute. You are right - the change in the action shouldn't be relevant when updating the resource, but having invalid attribute combination error in this case even more weird. If the change is ignored in any case, why this error causes failure of the whole deployment? invalid attribute combination should be just ignored.

[gdavison]

Thanks for the clarifications, @project0 and @bay73.

In short, ignore_changes doesn't work the way that anyone expects (us included) 🙂 Terraform uses it when planning changes, but doesn't pass it on to the provider. And in this case, when target_group_arn wasn't set, it passed an empty string to the provider instead of no value, as we expected.

[github-actions]

This functionality has been released in v5.36.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.