[Bug]: AWS SFN Alias not triggering when SFN code or configuration is updated. #36272

Closed
jdwilly2001 opened this issue Mar 8, 2024 · 7 comments · Fixed by #38657
Labels
bug Addresses a defect in current functionality. service/sfn Issues and PRs that pertain to the sfn service.

jdwilly2001 commented Mar 8, 2024

Terraform Core Version

1.7.2

AWS Provider Version

5.34.0

Affected Resource(s)

  • aws_sfn_state_machine
  • aws_sfn_alias

Expected Behavior

When the definition field of an AWS State Machine is updated and publish is true, the attribute state_machine_version_arn should be marked as changing.

The dependent resource aws_sfn_alias which is referencing the attribute state_machine_version_arn would then be flagged as an updated resource in the plan.

Apply will apply the change to the state machine and then update the alias with the latest version of the state machine

Actual Behavior

When terraform plan is happening, it is noticing that the definition of the state machine has changed.
The state_machine_version_arn field is not showing as being updated.
The dependent resource aws_sfn_alias is not being flagged for update in the plan.

When the apply runs, the state machine is updated, but the alias is not.

When a second plan/apply is run, the alias is flagged for update and the alias is updated correctly.

This can cause a period of unexpected behavior and errors in production systems

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

```hcl
locals {
  step_function_variables = {
    will_close_model = module.will_close_model.endpoint.name
    will_offer_model = module.will_offer_model.endpoint.name
    closest_amount_model = module.closest_amount_model.endpoint.name
    input_xform_lambda = aws_lambda_alias.input_transform.arn
    output_xform_lambda = aws_lambda_alias.output_transformation.arn
    env = var.target_environment
    account_id = var.aws_account_id
  }
}

resource "aws_sfn_state_machine" "flow" {
  name = "${var.target_environment}-flow"
  type = "EXPRESS"
  definition = templatefile("./stepfunction/flow.json", local.step_function_variables)
  role_arn = aws_iam_role.sfn_execution_role.arn

  publish = true
  tracing_configuration {
    enabled = true
  }

  logging_configuration {
    include_execution_data = true
    level = "ALL"
    log_destination = "${aws_cloudwatch_log_group.sfn_logs.arn}:*"
  }
}

resource "aws_sfn_alias" "flow_stable" {
  name = "stable"
  routing_configuration {
    state_machine_version_arn = aws_sfn_state_machine.flow.state_machine_version_arn
    weight = 100
  }

  depends_on = [
    aws_sfn_state_machine.flow
  ]

}
```

Steps to Reproduce

  1. Apply the configuration, it will all work fine the first time since everything is new.
  2. Update the definition of the flow
  3. Run plan and apply on the config, the alias will not be updated
  4. Run plan and apply on the config again, the alias will be updated

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
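
A CI check for the behaviour reported above, as an added example that is not part of the original issue or the provider's code: it reads the JSON form of a plan (as produced by `terraform show -json`) and flags any `aws_sfn_state_machine` whose `definition` changes with `publish = true` while `state_machine_version_arn` is not marked as known after apply, which is the condition under which a dependent alias stays on the old version. The function names, the sample plan and the ARN in it are constructed for illustration.

```python
import json
import sys

def stale_alias_risks(plan):
    """Addresses of state machines that publish a changed definition while the
    plan keeps state_machine_version_arn at its old, known value."""
    flagged = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "aws_sfn_state_machine":
            continue
        if "update" not in change.get("actions", []):
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        definition_changed = before.get("definition") != after.get("definition")
        # Terraform marks a value as "known after apply" by setting it to true
        # in after_unknown; that is what makes a dependent alias show up in the plan.
        version_recomputed = unknown.get("state_machine_version_arn") is True
        if after.get("publish") and definition_changed and not version_recomputed:
            flagged.append(rc["address"])
    return flagged

def sample_plan(version_arn_unknown):
    """Constructed, trimmed stand-in for `terraform show -json` output."""
    arn = "arn:aws:states:us-east-1:111122223333:stateMachine:dev-flow:1"  # constructed
    after = {"publish": True, "definition": '{"Comment": "v2"}'}
    if not version_arn_unknown:
        after["state_machine_version_arn"] = arn  # plan still shows the old version
    return {"resource_changes": [{
        "address": "aws_sfn_state_machine.flow",
        "type": "aws_sfn_state_machine",
        "change": {
            "actions": ["update"],
            "before": {"publish": True, "definition": '{"Comment": "v1"}',
                       "state_machine_version_arn": arn},
            "after": after,
            "after_unknown": {"state_machine_version_arn": True} if version_arn_unknown else {},
        },
    }]}

if __name__ == "__main__":
    # With a path argument, check a real plan; otherwise run on the constructed sample.
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else sample_plan(False)
    risks = stale_alias_risks(plan)
    for address in risks:
        print(f"{address}: definition changes but published version ARN is not recomputed")
    sys.exit(1 if risks else 0)
```

A non-zero exit lets a pipeline stop before an apply that would leave the alias pointing at the previous version until a second plan/apply.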

@jdwilly2001 jdwilly2001 added the bug Addresses a defect in current functionality. label Mar 8, 2024

github-actions bot commented Mar 8, 2024

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/sfn Issues and PRs that pertain to the sfn service. label Mar 8, 2024
@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Mar 8, 2024
@justinretzolk
Member

Hey @jdwilly2001 👋 Thank you for taking the time to raise this! Are you able to supply debug logs (redacted as needed) to help whoever picks this up to look into it? Given the external dependencies, the example configuration provided might be a bit involved to use, so that logging might prove to be key.

@justinretzolk justinretzolk added the waiting-response Maintainers are waiting on response from community or contributor. label Mar 8, 2024
@briantist

I am seeing something similar that may be related.

I added publish = true to an existing resource that was created without it. TF plan noticed that change, but when I went to apply it, it failed due to an AWS permissions issue.

When I fixed the permissions and re-ran the apply, plan did not detect that the version was unpublished, and so it didn't go to publish the version.

Since this state machine doesn't have any published versions, the subsequent SFN alias resource in my config has also failed since there is no version ARN.

It feels like these things may be related, and I suspect that once I get my alias created, I will also run into the bug described here where the alias will not be updated when the definition changes.

@github-actions github-actions bot removed the waiting-response Maintainers are waiting on response from community or contributor. label Mar 11, 2024
@justinretzolk justinretzolk added the waiting-response Maintainers are waiting on response from community or contributor. label Mar 13, 2024
@AnitaErnszt
Contributor

We also run into this bug, and it's blocking us ATM. I had a quick look, and it's due to the fact that the resource is unaware that if changes happen both the version arn and the revision id will be updated.

I've managed to fix it locally, and I'll raise a PR shortly, but I may need some assistance on testing.

@github-actions github-actions bot removed the waiting-response Maintainers are waiting on response from community or contributor. label Aug 2, 2024
@ewbankkit ewbankkit removed the needs-triage Waiting for first response or review from a maintainer. label Aug 2, 2024

github-actions bot commented Aug 2, 2024

Warning

This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

@github-actions github-actions bot added this to the v5.62.0 milestone Aug 2, 2024

github-actions bot commented Aug 9, 2024

This functionality has been released in v5.62.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!


github-actions bot commented Sep 9, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 9, 2024