-
Notifications
You must be signed in to change notification settings - Fork 9.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
aws_cloudfront_distribution attribute mismatch: custom_header #6527
Comments
One thing I'm noticing in the diff is the computed hash for the single
Not too sure if this counts for anything - I'm not too sure if since the hash for I also notice a difference in the paths on the two attributes:
Not too sure what the Incidentally, the values for |
@vancluever, I wasn't able to find the code on a quick search but I believe at some point I found code that suggested that the |
Thanks @apparentlymart! So if this is true, then I guess the answer we need is if a child hash is computed, is that communicated to the parent? I'm guessing this gets marked as computed as it's an interpolated value, versus what is in the schema, as none of the values in the |
It looks like you're on the right track; if I hardcode the |
Just a note that I'm unable to re-produce this in a current version of TF (off HEAD). Not too sure if something has changed in core to make this a non-issue now, but just perusing the changelog for |
I spoke too soon on this one. The |
I'm quite sure now that this is a result of computed state not propagating up the graph. So we need to do one of, I think:
The latter seems like it'd be the least invasive, I'm thinking it should be safe (I mean if a set in a set is computed then just by nature the hash of that parent should be computed as well by proxy). However, I think the most proper way to do it would be option 2, but I don't know if there's currently a way for the field reader code to propagate that data up the config. |
Alright, looks like the fix was none of the above here, but kind of in the spirit of option 3. Code already existed in I'm referencing the fix back to this bug. This could possibly fix other issues as well that are kind of related (ie: sub-sets or lists of a set that have computed values where the parent itself has none). |
@vancluever apologies for the delay, I just encountered what I think is this problem again, and I'm on terraform version 0.7.7. I've created a new gist for you to help out, LMK how I can assist: https://gist.github.com/pete0emerson/a16b3b04adcc3c03646ce81bec170570 |
Interesting, I just ran terraform apply a second time (with no modifications to any .tf files) and got different output. I'm trying to grok it now, but am attaching as a new gist here: https://gist.github.com/pete0emerson/9ba75c42cab074d5a7a81af6072bf8f4 |
Okay, I added some more things to my tf files (ssl_support_method = "sni-only" and minimum_protocol_version = "TLSv1") and changed the origin_access_identity to "${aws_cloudfront_origin_access_identity.origin_access_identity.cloudfront_access_identity_path}", and it ran clean. I'm destroying and recreating now to see if it runs clean from 0 state, will report back in a few. |
Confirmed, I started with a blank slate, the first run created the attribute mismatch as described above, the second run ran clean. |
Thanks @pete0emerson! Can you merge in 0cc7bcb and see if that fixes things on the first shot? |
I just tried your (@vancluever) fork and it seems to have solved the issue for me. |
Thanks @benlei-neustar! Good to know and should help come review time 👍 |
Not fixed it seems... |
This fixes some edge-ish cases where a set in a config has a set or list in it that contains computed values, but non-set or list values in the parent do not. This can cause "diffs didn't match during apply" errors in a scenario such as when a set's hash is calculated off of child items (including any sub-lists or sets, as it should be), and the hash changes between the plan and apply diffs due to the computed values present in the sub-list or set items. These will be marked as computed, but due to the fact that the function was not iterating over the list or set items properly (ie: not adding the item number to the address, so set.0.set.foo was being yielded instead of set.0.set.0.foo), these computed values were not being properly propagated to the parent set to be marked as computed. Fixes hashicorp#6527. Fixes hashicorp#8271. This possibly fixes other non-CloudFront related issues too.
This fixes some edge-ish cases where a set in a config has a set or list in it that contains computed values, but non-set or list values in the parent do not. This can cause "diffs didn't match during apply" errors in a scenario such as when a set's hash is calculated off of child items (including any sub-lists or sets, as it should be), and the hash changes between the plan and apply diffs due to the computed values present in the sub-list or set items. These will be marked as computed, but due to the fact that the function was not iterating over the list or set items properly (ie: not adding the item number to the address, so set.0.set.foo was being yielded instead of set.0.set.0.foo), these computed values were not being properly propagated to the parent set to be marked as computed. Fixes hashicorp#6527. Fixes hashicorp#8271. This possibly fixes other non-CloudFront related issues too.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
My attempt at creating an AWS CloudFront distribution fronted by S3 is failing, and while my gut says it's a configuration problem on my part, the terraform output says that it's a bug. So, here's a bug report.
Terraform Version
Terraform v0.6.15
Affected Resource(s)
Terraform Configuration Files
Debug Output
https://gist.github.com/pete0emerson/d1182c68317adc4d85fdd95379c09728
Panic Output
None
Expected Behavior
AWS Cloudfront Distribution created, connected privately to an S3 bucket
Actual Behavior
Steps to Reproduce
terraform apply
Important Factoids
The user account used to run terraform has very loose ACLs, I don't think that's in play as a potential problem.
Given that this is the first time using aws_cloudfront_distribution I suspect there's a good chance that PEBKAC is at play, but given that the output thinks it's a terraform bug, I'm submitting this ticket.
References
None
The text was updated successfully, but these errors were encountered: