aws_ses_receipt_rule.s3store: aws_ses_receipt_rule.s3store: diffs didn't match during apply #6741

Closed
iMilnb opened this issue Dec 6, 2018 · 3 comments
Labels
bug Addresses a defect in current functionality. service/route53 Issues and PRs that pertain to the route53 service. service/ses Issues and PRs that pertain to the ses service.

iMilnb commented Dec 6, 2018

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.10

  • provider.aws v1.51.0
  • provider.null v1.0.0

Affected Resource(s)

  • aws_ses_receipt_rule

Terraform Configuration Files

$ cat route53.tf

provider "aws" {
  profile = "${var.profile}"
  region = "${var.region}"
}

# first create zone if it does not exist
resource "aws_route53_zone" "data_zone" {
  name = "${var.data_host}${var.root_zone}"
}

# record object to add NS if needed
data "aws_route53_zone" "root_zone" {
  name = "${var.root_zone}"
}

# if zone does not exist, add NS records to parent zone
resource "aws_route53_record" "ns" {
  count = "${var.data_host != "" ? 1 : 0}"
  name = "${aws_route53_zone.data_zone.name}"
  zone_id = "${data.aws_route53_zone.root_zone.zone_id}"
  type = "NS"
  ttl = "${var.ttl}"
  records = ["${aws_route53_zone.data_zone.name_servers}"]
}

resource "aws_route53_record" "ses_verification_record" {
  zone_id = "${aws_route53_zone.data_zone.zone_id}"

  name    = "_amazonses.${aws_route53_zone.data_zone.name}"
  type    = "TXT"
  ttl     = "${var.ttl}"
  records = ["${aws_ses_domain_identity.ses_domain_identity.verification_token}"]
}

# create MX record
resource "aws_route53_record" "data_zone_mx" {
  zone_id = "${aws_route53_zone.data_zone.zone_id}"
  name = "${aws_route53_zone.data_zone.name}"
  type = "MX"
  ttl = "${var.ttl}"

  records = ["5 inbound-smtp.${var.region}.amazonaws.com."]
}

$ cat s3.tf

resource "aws_s3_bucket" "bucket_name" {
  bucket = "${var.bucket_name}"

  force_destroy = true
}

data "aws_caller_identity" "current" {}

# inspired from https://github.com/tuxpower/tf_aws_ses/blob/master/main.tf
resource "aws_s3_bucket_policy" "ses_inbox" {
  bucket = "${aws_s3_bucket.bucket_name.id}"

  policy = <<POLICY
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSESPuts",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "${aws_s3_bucket.bucket_name.arn}/*",
            "Condition": {
                "StringEquals": {
                    "aws:Referer": "${data.aws_caller_identity.current.account_id}"
                }
            }
        }
    ]
}
POLICY
}

resource "aws_s3_bucket_notification" "bucket_notification" {
    bucket = "${aws_s3_bucket.bucket_name.id}"
    lambda_function {
        lambda_function_arn = "${aws_lambda_function.lambda_function.arn}"
        events = ["s3:ObjectCreated:*"]
        filter_prefix = "${var.mail_folder}"
    }
}

$ cat ses.tf

resource "aws_ses_domain_identity" "ses_domain_identity" {
  domain = "${aws_route53_zone.data_zone.name}"
}

resource "aws_ses_receipt_rule_set" "rule_set" {
  rule_set_name = "${var.data_host}${var.root_zone}-rule_set"
}

resource "aws_ses_active_receipt_rule_set" "rule_set" {
  rule_set_name = "${aws_ses_receipt_rule_set.rule_set.id}"
}

resource "aws_ses_receipt_rule" "s3store" {
  depends_on    = ["aws_s3_bucket_policy.ses_inbox", "aws_route53_record.data_zone_mx"]

  name          = "mailtos3"
  rule_set_name = "${aws_ses_receipt_rule_set.rule_set.id}"

  recipients = ["${var.recipient}@${aws_route53_zone.data_zone.name}"]
  enabled      = true
  scan_enabled = false
  s3_action {
    bucket_name = "${aws_s3_bucket.bucket_name.id}"
    object_key_prefix = "${var.mail_folder}"
    position    = 1
  }
}

resource "null_resource" "delete_email" {
  provisioner "local-exec" {
    when = "destroy"
    command = "aws ses delete-identity --identity ${aws_ses_receipt_rule.s3store.recipients[0]} --profile ${var.profile}"
  }
}

output "warning" {
  value = "Wait until you receive domain verification success email."
}

output "recipient" {
  value = "${aws_ses_receipt_rule.s3store.recipients[0]}"
}

output "s3path" {
  value = "${var.bucket_name}/${var.mail_folder}"
}

Debug Output

https://gist.github.com/iMilnb/3039cb586af94adb097551d13ec707b4

Panic Output

Expected Behavior

Apply complete! Resources: 17 added, 0 changed, 0 destroyed.

Actual Behavior

Error: Error applying plan:

1 error(s) occurred:

* aws_ses_receipt_rule.s3store: aws_ses_receipt_rule.s3store: diffs didn't match during apply. This is a bug with Terraform and should be reported as a GitHub Issue.

Steps to Reproduce

  1. terraform apply

Important Factoids

This misbehavior starts with version 1.42; everything works as intended until v1.41. I read the Changelog; I have no reference to vpc_id or vpc_region in my tf files.

References

Found no reference to a similar issue.

@bflad bflad added bug Addresses a defect in current functionality. service/ses Issues and PRs that pertain to the ses service. service/route53 Issues and PRs that pertain to the route53 service. labels Dec 6, 2018
Contributor

bflad commented Dec 6, 2018

Just leaving some notes from briefly looking at this. From the debug logs:

Mismatch reason: attribute mismatch: recipients.2794196360

"recipients.2794196360":*terraform.ResourceAttrDiff{Old:"", New:"test@neovia.red.nbs-aws.com"
"recipients.3977340253":*terraform.ResourceAttrDiff{Old:"", New:"test@neovia.red.nbs-aws.com."

Seems to be related to: (the change, which made the trailing period consistent) #6299, (similar downstream behavior change) #6533 and #6535

My two comments here summarize the problem as it now exists: #6535 (comment)

For this specific issue, a workaround for the diffs didn't match issue would be to strip the trailing period:

resource "aws_ses_receipt_rule" "s3store" {
  # ... other configuration ...

  # strip the trailing period from the Route 53 zone name before building the address
  recipients = ["${var.recipient}@${replace(aws_route53_zone.data_zone.name, "/\\.$/", "")}"]
}

The fix will likely be to just always strip the trailing period from the attribute when saving it in the Terraform state. This will likely have to wait until 2.0.0 of the AWS provider since it is a major breaking change.
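
Added example (not part of the original thread or the provider's code): a small Python triage helper that scans Terraform debug output for set-attribute diffs whose values differ only by a trailing period, the pattern identified in the comment above. The function names and the `name` log line are constructed for illustration; the two `recipients` lines are the ones quoted above.

```python
import re
from collections import defaultdict

# The two "recipients" entries are the ones quoted in the comment above;
# the "name" entry is constructed to show a non-set attribute being skipped.
SAMPLE_LOG = '''\
"name":*terraform.ResourceAttrDiff{Old:"", New:"mailtos3"
"recipients.2794196360":*terraform.ResourceAttrDiff{Old:"", New:"test@neovia.red.nbs-aws.com"
"recipients.3977340253":*terraform.ResourceAttrDiff{Old:"", New:"test@neovia.red.nbs-aws.com."
'''

# Matches set-element entries of the form "<attr>.<numeric key>":...{Old:"..", New:".."
ENTRY = re.compile(
    r'"(?P<attr>[\w.]+)\.(?P<key>\d+)":\*terraform\.ResourceAttrDiff'
    r'\{Old:"(?P<old>[^"]*)", New:"(?P<new>[^"]*)"'
)


def normalize(value):
    """Drop the trailing period(s) of an FQDN-style value."""
    return value.rstrip(".")


def trailing_dot_mismatches(log_text):
    """Return set elements that appear under more than one raw spelling.

    Result maps (attribute, normalized value) -> {raw value: set key}.
    Only groups with at least two distinct raw values are returned, i.e.
    elements that are the same address apart from a trailing period but
    were stored under different set keys.
    """
    groups = defaultdict(dict)
    for m in ENTRY.finditer(log_text):
        groups[(m["attr"], normalize(m["new"]))][m["new"]] = m["key"]
    return {gid: raws for gid, raws in groups.items() if len(raws) > 1}


if __name__ == "__main__":
    for (attr, value), raws in trailing_dot_mismatches(SAMPLE_LOG).items():
        print(f"{attr}: {value!r} appears under {len(raws)} set keys:")
        for raw, key in raws.items():
            print(f"  {attr}.{key} = {raw!r}")
```

Run it against a saved `TF_LOG=DEBUG` capture by passing the file contents to `trailing_dot_mismatches`; an empty result means no set element differs only by a trailing period.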

Author

iMilnb commented Dec 6, 2018

Dang... I spent 3 hours with my eyes stuck on this trace without seeing the trailing '.'. Thanks a lot, this fixes the issue.

@bflad bflad added this to the v2.0.0 milestone Dec 6, 2018
@bflad bflad removed this from the v2.0.0 milestone Feb 27, 2019
@anGie44 anGie44 closed this as completed Jul 1, 2020

ghost commented Aug 2, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Aug 2, 2020