aws_api_gateway_method_settings disable throttling when removing optional attributes

[jayanderson]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

→ terraform -v
Terraform v0.11.2
+ provider.aws v1.33.0

Affected Resource(s)

• aws_api_gateway_method_settings

Terraform Configuration Files

Below is a full deployable example. The main part we care about are the throttling attributes in the aws_api_gateway_method_settings resource.

provider "aws" {
  region = "us-east-1"
}

resource "aws_api_gateway_rest_api" "rest_api" {
  name = "rest-api"
}

resource "aws_api_gateway_method" "rest_api-any-method" {
  rest_api_id   = "${aws_api_gateway_rest_api.rest_api.id}"
  resource_id   = "${aws_api_gateway_resource.rest_api-resource.id}"
  http_method   = "ANY"
  authorization = "NONE"
}

resource "aws_api_gateway_integration" "rest_api-post-integration" {
  rest_api_id             = "${aws_api_gateway_rest_api.rest_api.id}"
  resource_id             = "${aws_api_gateway_resource.rest_api-resource.id}"
  http_method             = "${aws_api_gateway_method.rest_api-any-method.http_method}"
  type                    = "HTTP_PROXY"
  integration_http_method = "${aws_api_gateway_method.rest_api-any-method.http_method}"
  passthrough_behavior    = "WHEN_NO_MATCH"
  uri                     = "https://httpbin.org/get"
}

resource "aws_api_gateway_resource" "rest_api-resource" {
  rest_api_id = "${aws_api_gateway_rest_api.rest_api.id}"
  parent_id   = "${aws_api_gateway_rest_api.rest_api.root_resource_id}"
  path_part   = "gateway"
}

resource "aws_api_gateway_method_settings" "settings" {
  rest_api_id = "${aws_api_gateway_rest_api.rest_api.id}"
  stage_name  = "${aws_api_gateway_stage.stage.stage_name}"
  method_path = "*/*"

  settings = {
    # Set throttling values
    throttling_burst_limit = 1000
    throttling_rate_limit  = 5000

    metrics_enabled = true

    # Actually disable throttling
    #throttling_burst_limit = -1
    #throttling_rate_limit  = -1
  }
}

resource "aws_api_gateway_stage" "stage" {
  stage_name    = "dev"
  rest_api_id   = "${aws_api_gateway_rest_api.rest_api.id}"
  deployment_id = "${aws_api_gateway_deployment.rest_api-deploy.id}"
}

resource "aws_api_gateway_deployment" "rest_api-deploy" {
  rest_api_id = "${aws_api_gateway_rest_api.rest_api.id}"
  stage_name  = ""
}

Debug Output

When removing the throttling_burst_limit or throttling_rate_limit fields it sets them to zero instead of -1 to disable them.

  ~ aws_api_gateway_method_settings.settings
      settings.0.throttling_burst_limit: "-1" => "0"
      settings.0.throttling_rate_limit:  "-1" => "0"

Panic Output

N/A

Expected Behavior

When the fields are remove it should set them to -1 instead to correctly disable them.

Actual Behavior

When the fields are removed it sets the values to 0.

Steps to Reproduce

1. terraform apply (I don't have the above example perfectly setup and it has an error the first time. May need to be applied twice to correctly create all resources).
2. aws apigateway get-stage --rest-api-id <id> --stage-name dev Get the current settings
3. Remove the throttling fields and terraform apply
4. aws apigateway get-stage --rest-api-id <id> --stage-name dev Get the current settings

Important Factoids

The -1 isn't documented by amazon ☹️. I don't know what the interaction between the two fields if only one is correctly disabled. I assume they should always be disabled together.

References

• https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-stage-methodsetting.html#cfn-apigateway-stage-methodsetting-throttlingburstlimit

[bflad]

Hi @jayanderson 👋 Thank you for reporting this and sorry this is giving you trouble. I'm able to confirm the behaviors you describe using a Terraform configuration very similar to yours:

terraform {
  required_providers {
    aws = "2.34.0"
  }

  required_version = "0.12.13"
}

provider "aws" {
  region = "us-east-2"
}

resource "aws_api_gateway_rest_api" "rest_api" {
  name = "rest-api"
}

resource "aws_api_gateway_method" "rest_api-any-method" {
  rest_api_id   = "${aws_api_gateway_rest_api.rest_api.id}"
  resource_id   = "${aws_api_gateway_resource.rest_api-resource.id}"
  http_method   = "ANY"
  authorization = "NONE"
}

resource "aws_api_gateway_integration" "rest_api-post-integration" {
  rest_api_id             = "${aws_api_gateway_rest_api.rest_api.id}"
  resource_id             = "${aws_api_gateway_resource.rest_api-resource.id}"
  http_method             = "${aws_api_gateway_method.rest_api-any-method.http_method}"
  type                    = "HTTP_PROXY"
  integration_http_method = "${aws_api_gateway_method.rest_api-any-method.http_method}"
  passthrough_behavior    = "WHEN_NO_MATCH"
  uri                     = "https://httpbin.org/get"
}

resource "aws_api_gateway_resource" "rest_api-resource" {
  rest_api_id = "${aws_api_gateway_rest_api.rest_api.id}"
  parent_id   = "${aws_api_gateway_rest_api.rest_api.root_resource_id}"
  path_part   = "gateway"
}

resource "aws_api_gateway_method_settings" "settings" {
  rest_api_id = "${aws_api_gateway_rest_api.rest_api.id}"
  stage_name  = "${aws_api_gateway_stage.stage.stage_name}"
  method_path = "*/*"

  settings {
    # Set throttling values
    throttling_burst_limit = 1000
    throttling_rate_limit  = 5000

    metrics_enabled = true

    # Actually disable throttling
    # throttling_burst_limit = -1
    # throttling_rate_limit  = -1
  }
}

resource "aws_api_gateway_stage" "stage" {
  stage_name    = "dev"
  rest_api_id   = "${aws_api_gateway_rest_api.rest_api.id}"
  deployment_id = "${aws_api_gateway_deployment.rest_api-deploy.id}"
  cache_cluster_size = "0.5"
}

resource "aws_api_gateway_deployment" "rest_api-deploy" {
  rest_api_id = "${aws_api_gateway_rest_api.rest_api.id}"
  stage_name  = ""

  depends_on = ["aws_api_gateway_integration.rest_api-post-integration"]
}

Notes:

• If you terraform apply the above, then comment out throttling_burst_limit and throttling_rate_limit, it resets them both to 0 which in the AWS web console shows as enabling throttling with 0 values for both.
• Using the web console to manually edit the settings to disable throttling, then checking the results of that editing via the AWS CLI (aws apigateway get-stage), it does appear the -1 in both values is used for disabling throttling.
• Setting the Terraform configuration to -1 in both values does disable throttling as expected.
• Applying the configuration from scratch without throttling_burst_limit and throttling_rate_limit ever set to values, they show as defaulting to throttling enabled with the account level limits (10000 rate and 5000 burst in my testing account)
• The aws_api_gateway_method_settings resource is not currently refreshing API settings values into the Terraform state properly for drift detection (this should be visible by adding error checking to the calls to d.Set(), setting TF_SCHEMA_PANIC_ON_ERROR=1, or more commonly adding import support and testing it via ImportStateVerify: true)
• The Terraform Plugin SDK does not allow us to differentiate between a TypeInt or TypeFloat zero value (literally 0 in this case) and determining if a value is completely missing from the Terraform configuration

The last few notes in particular leave us in a bit of a bind right now. If we fix the drift detection, Terraform will start reporting a bunch of differences in live configurations unless we get the defaults correct for all the settings. Those defaults may be influenced by other API Gateway functionality or settings, such as the account level limits. Without even worrying about the drift detection problem, the Terraform Plugin SDK limitation would prevent us from fixing this today without changing the defaults for these two arguments to -1, which would be a slight deviation from how the API Gateway service works by default and show up as a difference in many Terraform configurations that omit the settings currently.

I have a feeling that introducing a "breaking" change of defaulting to -1 for both of those attributes might be the only path forward in this case (Terraform will show 0 => -1 for those environments not configuring the settings the first apply). This is presumably okay if folks consider disabling throttling in the stage settings the same as defaulting to the account limits. I'll mark this in our next major version milestone, however given the amount of changes already proposed, its not guaranteed this change would make it in this cycle.

[anGie44]

The breaking-change made to enable a user to configure throttling settings between enabling/disabling values has been merged and will release with the upcoming v3.0.0 release of the Provider.

[ghost]

This has been released in version 3.0.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!