Terraform 12 destroys resources in non ordered way and doesnt respect resources dependencies #22928
Comments
Hi @KursLabIgor! Thanks for reporting this. Unfortunately without seeing the contents of those two modules it's not possible for us to reproduce this issue in order to understand what's going on. Could you share a minimally-reproducible version of this configuration that includes contents of those two modules, so that we could run the reproduction steps you've listed against it? Thanks!
OK.

```hcl
module "acm_cert_provision" {
  source           = "./modules/acm_certificate"
  common_tags      = local.common_tags
  env              = var.env
  fqdn_names       = [local.client_zone_dns_name, local.admin_zone_dns_name]
  name_prefix      = local.name_prefix
  cloudflare_email = var.cloudflare_email
  domain_name      = var.cloudflare_domain_name
  region           = "us-east-1"
}
```

acm.tf

```hcl
# CloudFront only accepts ACM certificates issued in us-east-1, so the module
# gets an aliased provider pinned to that region (var.region is "us-east-1" above).
provider "aws" {
  version = "~> 2.0"
  region  = var.region
  alias   = "us-east-1"
}

locals {
  # currently unused
  name = {
    Name = var.fqdn_names
  }
}

resource "aws_acm_certificate" "cert" {
  count             = length(compact(var.fqdn_names))
  # 0.12 syntax: provider references are unquoted (the quoted form is deprecated)
  provider          = aws.us-east-1
  domain_name       = compact(var.fqdn_names)[count.index]
  validation_method = "DNS"
  tags              = var.common_tags

  lifecycle {
    create_before_destroy = true
  }
}

output "acm_ids" {
  value = aws_acm_certificate.cert[*].id
}

output "acm_arns" {
  value = aws_acm_certificate.cert[*].arn
}

output "acm_domain_names" {
  value = aws_acm_certificate.cert[*].domain_name
}

output "acm_validation_options" {
  value = aws_acm_certificate.cert[*].domain_validation_options
}
```

```hcl
module "client_zone" {
  source                  = "./modules/frontend_to_s3"
  common_tags             = local.common_tags
  env                     = var.env
  name_prefix             = local.name_prefix
  office_ips              = var.office_ips
  branch                  = var.git_branch
  github_token            = var.github_token
  region                  = var.region
  repo_name               = var.git_hub_repository_landing
  repo_owner              = var.repository_owner
  vpc_id                  = data.terraform_remote_state.infra_state.outputs.vpc_id
  vpc_private_subnets     = data.terraform_remote_state.infra_state.outputs.private_subnets
  only_office_access      = false
  cdn_cname               = local.client_zone_dns_name
  # the cross-module dependency: the CDN's certificate comes from the other module's output
  cdn_ssl_cert            = module.acm_cert_provision.acm_arns[0]
  backend_endpoint        = local.backend_dns_name
  bucket_name             = "client-zone"
  cdn_description         = "Distribution for clientzone"
  cdn_origin_id           = "clientzone"
  cdn_price_class         = "PriceClass_All"
  enable_cdn_distribution = true
  pipeline_name           = "ClientZone"
}
```

In module frontend_to_s3 I have a cdn.tf file, which creates the CloudFront distribution with the certificate provisioned by module acm_cert_provision. Below is the content of cdn.tf:

```hcl
resource "aws_cloudfront_distribution" "cdn_s3" {
  count = var.env == "prod" || var.only_office_access != 1 ? 1 : 0

  origin {
    domain_name = aws_s3_bucket.s3_for_cdn.bucket_regional_domain_name
    origin_id   = var.cdn_origin_id
  }

  enabled             = var.enable_cdn_distribution
  is_ipv6_enabled     = true
  comment             = "${var.cdn_description}-${aws_s3_bucket.s3_for_cdn.website_endpoint}"
  default_root_object = "index.html"
  aliases             = [var.cdn_cname]

  default_cache_behavior {
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = var.cdn_origin_id
    #headers = ["Origin", "Access-Control-Request-Headers", "Access-Control-Request-Method"]

    forwarded_values {
      query_string = false
      headers      = ["Origin", "Access-Control-Request-Headers", "Access-Control-Request-Method"]

      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "https-only"
    min_ttl                = var.cdn_min_ttl
    default_ttl            = var.cdn_default_ttl
    max_ttl                = var.cdn_max_ttl
  }

  price_class = var.cdn_price_class

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  # single-page-app style: S3 errors are rewritten to index.html with a 200
  custom_error_response {
    error_code            = 403
    error_caching_min_ttl = 0
    response_page_path    = "/index.html"
    response_code         = 200
  }

  custom_error_response {
    error_code            = 404
    error_caching_min_ttl = 0
    response_page_path    = "/index.html"
    response_code         = 200
  }

  tags = var.common_tags

  viewer_certificate {
    minimum_protocol_version = "TLSv1.2_2018"
    # ARN of the certificate created in module acm_cert_provision (passed in as a variable)
    acm_certificate_arn      = var.cdn_ssl_cert
    ssl_support_method       = "sni-only"
    #cloudfront_default_certificate = true
  }

  # 0.12 syntax: depends_on takes unquoted resource references
  depends_on = [aws_s3_bucket.s3_for_cdn]
}
```

Again, when I ran terraform destroy, it got stuck deleting the ACM certificate while the CDN resource was still active and had not even started being destroyed.
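One way to check what ordering Terraform actually believes in here is to look at its dependency graph rather than at the module source. The script below is an added example, not from the issue or from Terraform itself: it parses the DOT text that `terraform graph` prints (save it to a file, then feed it in), where an edge `A -> B` means A depends on B, so B is created before A and A is destroyed before B. It then reports whether the CloudFront distribution transitively depends on the ACM certificate, and in what order a destroy would visit them. The two embedded graphs are constructed to mirror the resource addresses in the configuration above; the `[root]` prefix and quoting follow Terraform 0.12's DOT layout, but the edge sets themselves are assumptions. The second graph shows the failure case a practitioner should look for: the certificate ARN reaches the distribution without passing through the module output, so no path exists and Terraform is free to destroy the certificate first.

```python
"""Check Terraform's dependency graph for the CDN -> certificate edge.

Added example (not from the issue or from Terraform). Usage:
    terraform graph > graph.dot
    python check_destroy_order.py graph.dot
"""
import re
import sys
from collections import defaultdict

# Resource addresses as they appear in the configuration in the issue.
CDN = "module.client_zone.aws_cloudfront_distribution.cdn_s3"
CERT = "module.acm_cert_provision.aws_acm_certificate.cert"

# Matches one DOT edge line: "[root] A" -> "[root] B"
EDGE_RE = re.compile(r'^\s*"(?P<src>[^"]+)"\s*->\s*"(?P<dst>[^"]+)"')

# Constructed sample: the certificate flows CDN -> module input variable ->
# module output -> certificate resource, so the dependency path exists.
CONNECTED_GRAPH = """\
digraph {
\tcompound = "true"
\tsubgraph "root" {
\t\t"[root] module.acm_cert_provision.aws_acm_certificate.cert" [label = "cert", shape = "box"]
\t\t"[root] module.client_zone.aws_cloudfront_distribution.cdn_s3" [label = "cdn_s3", shape = "box"]
\t\t"[root] module.acm_cert_provision.output.acm_arns" -> "[root] module.acm_cert_provision.aws_acm_certificate.cert"
\t\t"[root] module.client_zone.aws_cloudfront_distribution.cdn_s3" -> "[root] module.client_zone.aws_s3_bucket.s3_for_cdn"
\t\t"[root] module.client_zone.aws_cloudfront_distribution.cdn_s3" -> "[root] module.client_zone.var.cdn_ssl_cert"
\t\t"[root] module.client_zone.var.cdn_ssl_cert" -> "[root] module.acm_cert_provision.output.acm_arns"
\t}
}
"""

# Constructed sample: the distribution no longer references the module output
# (e.g. the ARN was hard-coded), so the certificate has no dependents.
DETACHED_GRAPH = """\
digraph {
\tsubgraph "root" {
\t\t"[root] module.acm_cert_provision.aws_acm_certificate.cert" [label = "cert", shape = "box"]
\t\t"[root] module.client_zone.aws_cloudfront_distribution.cdn_s3" -> "[root] module.client_zone.aws_s3_bucket.s3_for_cdn"
\t}
}
"""


def strip_root(node):
    """terraform graph prefixes every node name with "[root] "; drop it."""
    return node[len("[root] "):] if node.startswith("[root] ") else node


def parse_edges(dot_text):
    """Return {node: set(nodes it depends on)} from terraform graph DOT output."""
    deps = defaultdict(set)
    for line in dot_text.splitlines():
        m = EDGE_RE.match(line)
        if m:
            deps[strip_root(m.group("src"))].add(strip_root(m.group("dst")))
    return dict(deps)


def depends_on(deps, node, target):
    """True if node transitively depends on target (target must outlive node on destroy)."""
    seen, stack = set(), [node]
    while stack:
        cur = stack.pop()
        if cur == target:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(deps.get(cur, ()))
    return False


def destroy_order(deps):
    """Order in which a destroy must visit nodes: every node before the nodes it depends on."""
    state, order = {}, []

    def visit(n):
        if state.get(n) == 1:
            raise ValueError("dependency cycle at " + n)
        if state.get(n) == 2:
            return
        state[n] = 1
        for d in sorted(deps.get(n, ())):
            visit(d)
        state[n] = 2
        order.append(n)  # post-order: dependencies land before dependents

    nodes = set(deps)
    for ds in deps.values():
        nodes |= ds
    for n in sorted(nodes):
        visit(n)
    order.reverse()  # dependents first == destroy order
    return order


def report(dot_text, dependent=CDN, dependency=CERT):
    deps = parse_edges(dot_text)
    linked = depends_on(deps, dependent, dependency)
    return linked, destroy_order(deps)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else CONNECTED_GRAPH
    linked, order = report(text)
    print("CDN depends on certificate:", linked)
    print("destroy order:", *order, sep="\n  ")
```

If the check prints `False` for a graph taken from the real configuration, the problem is in how the ARN reaches the distribution, not in Terraform's destroy walk; if it prints `True` and destroy still removes the certificate first, that is the ordering bug this issue describes and the DOT file is what the maintainers will want attached.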
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Terraform Version
Terraform Configuration Files
Debug Output
Crash Output
No crash
Expected Behavior
Resource dependencies should work as expected, as in Terraform 0.11.
Actual Behavior
I created a complex infrastructure on AWS. Then I decided to remove all of the resources.
I have CloudFront resources and an SSL certificate.
The CDN was created in one module, the certificate in another.
Terraform tried to delete the SSL certificate before deleting the CDN and got stuck. I saw the same behaviour for other resources, like SG - SG rule - RDS: the SG rule was deleted first and terraform destroy failed because the PostgreSQL provider lost access to RDS due to the deleted SG rule.
Summary: during destroy, dependencies between modules are not respected.
Steps to Reproduce
Additional Context
References