-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
aws_acm_certificate subject_alternative_names & domain_validation_options get returned in a different order each time #8531
Comments
We've been running plans & applies regularly in a state containing many aws_acm_certificates and aws_route53_records for their validation records. It appears the ordering started varying recently, I assume its related to an AWS API change. I think one potential solution would be to have the provider sort the records internally prior to storing them in state. This could result in many aws_route53_record recreations for anyone using this workflow, however it would only be a one-time issue after upgrading the aws provider. I have yet to test it, but I would assume using Terraform's |
I thought about |
I agree that Terraform AWS provider should be sorting the AWS record by record_name prior to any kind of comparison. FWIW, I did try the terraform sort() approach as a workaround and it worked for me because I only had one SAN and was prepared to enumerate the SANs in a local variable. Here is a summary of what I did:
|
Here's an easy way to confirm this change in behavior, run this on a cert with multiple SANs:
|
Is there any workaround for this? I'm wary of allowing validation records to be created/destroyed because I have critical (ALB) resources that transitively depend on them via an |
@eriksw There’s no harm in momentarily destroying the validation records per se; the only thing it will likely do is prevent renewal of the certificate when it is close to expiry - so obviously you don’t want to remove the records forever, but removing/replacing them in a plan/apply is not going to affect anything. |
Hi, I tested proposed bypass by jonseymour Important: on a new terraform project, count() can't be used in aws_route53_record.cert_validation_record locals { resource "aws_acm_certificate" "frontend_cert" { resource "aws_route53_record" "cert_validation_record" { resource "aws_acm_certificate_validation" "cert" { validation_record_fqdns = [ |
We faced the same problem in us-east-1 & eu-west-1 while in us-west-1 we do not face such an issue. |
This is less than ideal... |
Has anyone raised this to AWS/asked on the forum? Also having this generate a lot of noise in TF runs, and whilst it might not do any harm it does make it challenging to convince people to review changes when there are some that need to be overlooked like this. |
We just opened a support case after running into this issue in eu-central-1 today. They have reached out to their internal service team for investigation. |
@mlafeldt Cool, thanks for the info - would you be able to share their response please? |
Of course. |
@mlafeldt Great, thanks! |
I received this response:
It sounds like the terraform provider will need to be able to handle inconsistent ordering. |
We got this error recently, but we're using Terraform templates to add (or rename) alternative names (the alternative names is an input variable of type array), so the workaround
is not really useful for us :( |
I just want to add that I don't believe that sorting the returned list is a good enough solution. It will only work if all SANs use the same hosted zone. We have this scenario: Let's say we have the following SANS:
We import the hosted zones and create our certs like this: variable "uri_prefix" {
default = "example"
}
variable "domains" {
type = "list"
default = ["hosted.zone.one","hosted.zone.two"]
}
data "aws_route53_zone" "example" {
count = "${length(var.domains)}"
name = "${var.domains[count.index]}"
}
resource "aws_acm_certificate" "example" {
domain_name = "${var.uri_prefix}.${var.domains[0]}"
subject_alternative_names = "${formatlist("${var.uri_prefix}.%s", slice(var.domains,1,length(var.domains)))}"
validation_method = "DNS"
}
resource "aws_route53_record" "example" {
count = "${length(var.domains)}"
name = "${lookup(aws_acm_certificate.example.domain_validation_options[count.index], "resource_record_name")}"
type = "${lookup(aws_acm_certificate.example.domain_validation_options[count.index], "resource_record_type")}"
zone_id = "${element(data.aws_route53_zone.example.*.id, count.index)}"
records = ["${lookup(aws_acm_certificate.example.domain_validation_options[count.index], "resource_record_value")}"]
ttl = 300
} What will happen (current state): If we are lucky and we get stuff in the right order the cert validated with the following route53 records:
If we are unlucky and get them in the wrong order, they will be assigned to the wrong hosted zone, resulting in this:
AWS (or Terraform) seems to assume we missed adding the domain name for our selected zone and helpfully add it for us. Adding sort to the same scenario would guarantee the following:
If we are lucky, of course, the random id will coalign with the order of our domains. With the current state, we can atleast rerun terraform apply until it gets right (which is cumbersome and stupid, but still possible). If the sort solution is added, you can rerun for infinity without it ever getting right. The risk of getting stuff wrong increases with every additional SAN you add to the above description. |
I guess if Here is my current workaround:
|
@Frogvall This is partially due to the way DNS works. If you include a What you could do, though, is look up the You'll still have the ordering issue wanting to replace the records at each apply, but at least it'll work. |
@tdmalone I don't know how I missed that dns validation options also comes with a domain field. |
@breathingdust is it not possible to do the quick patch proposed by @stack72 on an issue that's been open for a year for a fairly critical resource in the provider, and THEN refactor the implementation? Certs bound to listeners can't be deleted, and targetted applies aren't possible with Terraform Cloud or Enterprise.. so I have to take an outage when this happens, and I assume others do as well |
Hi all! 👋 Just wanted to update that we have completed the research phase for the redesign and begun the implementation work. This research is covered here: #13053. We appreciate your patience, and hope to have a resolution for this and the other ACM issues soon. |
I'm sharing my full solution using Terraform 0.11.x and AWS 1.x based on @jonseymour The two things that are different in my solution:
locals {
certificate_domains = [
"*.${local.foo_domain_name}",
"*.admin.${local.foo_domain_name}",
"*.${local.bar_domain_name}"
]
certificate_domain_zones = {
"${local.certificate_domains[0]}" = "${data.aws_route53_zone.foo.id}"
"${local.certificate_domains[1]}" = "${data.aws_route53_zone.foo.id}"
"${local.certificate_domains[2]}" = "${data.aws_route53_zone.bar.id}"
}
}
resource "aws_acm_certificate" "company" {
domain_name = "${local.certificate_domains[0]}"
subject_alternative_names = ["${slice(local.certificate_domains, 1, length(local.certificate_domain_zones))}"]
validation_method = "DNS"
lifecycle {
create_before_destroy = true
}
}
locals {
# NOTE: Improve on Terraform 0.12
# Unfortunately there's no way to iterate over domain_validation_options in Terraform 0.11 and AWS 1.x and so we need to
# create a list from it manually from each element index
# Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/10997
unsorted_validation_domains_with_indices = {
"${aws_acm_certificate.company.domain_validation_options.0.resource_record_name}" = 0
"${aws_acm_certificate.company.domain_validation_options.1.resource_record_name}" = 1
"${aws_acm_certificate.company.domain_validation_options.2.resource_record_name}" = 2
}
sorted_validation_domains = "${sort(keys(local.unsorted_validation_domains_with_indices))}"
validation_domain_indices = [
"${local.unsorted_validation_domains_with_indices[local.sorted_validation_domains[0]]}",
"${local.unsorted_validation_domains_with_indices[local.sorted_validation_domains[1]]}",
"${local.unsorted_validation_domains_with_indices[local.sorted_validation_domains[2]]}",
]
}
resource "aws_route53_record" "certificate_validation" {
count = "${length(local.certificate_domains)}"
name = "${lookup(aws_acm_certificate.company.domain_validation_options[local.validation_domain_indices[count.index]], "resource_record_name")}"
type = "${lookup(aws_acm_certificate.company.domain_validation_options[local.validation_domain_indices[count.index]], "resource_record_type")}"
records = ["${lookup(aws_acm_certificate.company.domain_validation_options[local.validation_domain_indices[count.index]], "resource_record_value")}"]
zone_id = "${local.certificate_domain_zones[lookup(aws_acm_certificate.company.domain_validation_options[local.validation_domain_indices[count.index]], "domain_name")]}"
ttl = 60
}
resource "aws_acm_certificate_validation" "company" {
certificate_arn = "${aws_acm_certificate.company.arn}"
validation_record_fqdns = ["${aws_route53_record.certificate_validation.*.fqdn}"]
} |
I only have 2 SANs but they seem to be coming back in alphabetical order each time. |
that was not my experience. For me the ordering wasn't even consistent across multiple calls. |
Yes I just tested again, and can confirm that not only are they not in alphabetical order, but the order is not consistent across multiple runs. |
We only have 2 SANs ( most certs are one name and we create one for each use) so it was coming back in the same order each time. |
…peSet and calculate elements during plan Reference: #8531 Reference: #10098 Reference: #10404 Reference: #13053 Output from acceptance testing: ``` --- PASS: TestAccAWSAcmCertificate_imported_IpAddress (11.48s) --- PASS: TestAccAWSAcmCertificate_rootAndWildcardSan (15.53s) --- PASS: TestAccAWSAcmCertificate_root_TrailingPeriod (15.53s) --- PASS: TestAccAWSAcmCertificate_root (15.62s) --- PASS: TestAccAWSAcmCertificate_emailValidation (15.91s) --- PASS: TestAccAWSAcmCertificate_san_TrailingPeriod (16.38s) --- PASS: TestAccAWSAcmCertificate_wildcardAndRootSan (16.43s) --- PASS: TestAccAWSAcmCertificate_san_single (16.51s) --- PASS: TestAccAWSAcmCertificate_dnsValidation (16.85s) --- PASS: TestAccAWSAcmCertificate_disableCTLogging (17.06s) --- PASS: TestAccAWSAcmCertificate_wildcard (18.71s) --- PASS: TestAccAWSAcmCertificate_san_multiple (19.49s) --- PASS: TestAccAWSAcmCertificate_privateCert (20.85s) --- PASS: TestAccAWSAcmCertificate_imported_DomainName (26.86s) --- PASS: TestAccAWSAcmCertificate_tags (42.99s) --- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsEmail (11.56s) --- PASS: TestAccAWSAcmCertificateValidation_timeout (19.20s) --- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdns (107.31s) --- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsSan (110.62s) --- PASS: TestAccAWSAcmCertificateValidation_basic (143.58s) --- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsWildcardAndRoot (153.05s) --- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsRoot (212.21s) --- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsRootAndWildcard (212.95s) --- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsWildcard (247.43s) ``` Please note that this was also tested manually with a few iterations of this configuration: ```hcl terraform { required_providers { aws = "2.70.0" } required_version = "0.12.28" } provider "aws" { region = "us-east-2" } variable "public_root_domain" { description = "Publicly accessible domain for ACM testing" type = string } data "aws_route53_zone" "public_root_domain" { name = var.public_root_domain } resource "aws_acm_certificate" "new" { domain_name = "new.${var.public_root_domain}" subject_alternative_names = [ "new1.${var.public_root_domain}", "new2.${var.public_root_domain}", "new3.${var.public_root_domain}", ] validation_method = "DNS" } resource "aws_route53_record" "new" { for_each = { for dvo in aws_acm_certificate.new.domain_validation_options: dvo.domain_name => { name = dvo.resource_record_name record = dvo.resource_record_value type = dvo.resource_record_type } } allow_overwrite = true name = each.value.name records = [each.value.record] ttl = 60 type = each.value.type zone_id = data.aws_route53_zone.public_root_domain.zone_id } resource "aws_acm_certificate_validation" "new" { certificate_arn = aws_acm_certificate.new.arn validation_record_fqdns = [for record in aws_route53_record.new: record.fqdn] } resource "aws_acm_certificate" "wildcard" { domain_name = var.public_root_domain subject_alternative_names = ["*.${var.public_root_domain}"] validation_method = "DNS" } resource "aws_route53_record" "wildcard" { for_each = { for dvo in aws_acm_certificate.wildcard.domain_validation_options: dvo.domain_name => { name = dvo.resource_record_name record = dvo.resource_record_value type = dvo.resource_record_type } } allow_overwrite = true name = each.value.name records = [each.value.record] ttl = 60 type = each.value.type zone_id = data.aws_route53_zone.public_root_domain.zone_id } resource "aws_acm_certificate_validation" "wildcard" { certificate_arn = aws_acm_certificate.wildcard.arn validation_record_fqdns = [for record in aws_route53_record.wildcard: record.fqdn] } ```
…peSet and calculate elements during plan (#14199) * resource/aws_acm_certificate: Convert domain_validation_options to TypeSet and calculate elements during plan Reference: #8531 Reference: #10098 Reference: #10404 Reference: #13053 Output from acceptance testing: ``` --- PASS: TestAccAWSAcmCertificate_imported_IpAddress (11.48s) --- PASS: TestAccAWSAcmCertificate_rootAndWildcardSan (15.53s) --- PASS: TestAccAWSAcmCertificate_root_TrailingPeriod (15.53s) --- PASS: TestAccAWSAcmCertificate_root (15.62s) --- PASS: TestAccAWSAcmCertificate_emailValidation (15.91s) --- PASS: TestAccAWSAcmCertificate_san_TrailingPeriod (16.38s) --- PASS: TestAccAWSAcmCertificate_wildcardAndRootSan (16.43s) --- PASS: TestAccAWSAcmCertificate_san_single (16.51s) --- PASS: TestAccAWSAcmCertificate_dnsValidation (16.85s) --- PASS: TestAccAWSAcmCertificate_disableCTLogging (17.06s) --- PASS: TestAccAWSAcmCertificate_wildcard (18.71s) --- PASS: TestAccAWSAcmCertificate_san_multiple (19.49s) --- PASS: TestAccAWSAcmCertificate_privateCert (20.85s) --- PASS: TestAccAWSAcmCertificate_imported_DomainName (26.86s) --- PASS: TestAccAWSAcmCertificate_tags (42.99s) --- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsEmail (11.56s) --- PASS: TestAccAWSAcmCertificateValidation_timeout (19.20s) --- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdns (107.31s) --- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsSan (110.62s) --- PASS: TestAccAWSAcmCertificateValidation_basic (143.58s) --- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsWildcardAndRoot (153.05s) --- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsRoot (212.21s) --- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsRootAndWildcard (212.95s) --- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsWildcard (247.43s) ``` Please note that this was also tested manually with a few iterations of this configuration: ```hcl terraform { required_providers { aws = "2.70.0" } required_version = "0.12.28" } provider "aws" { region = "us-east-2" } variable "public_root_domain" { description = "Publicly accessible domain for ACM testing" type = string } data "aws_route53_zone" "public_root_domain" { name = var.public_root_domain } resource "aws_acm_certificate" "new" { domain_name = "new.${var.public_root_domain}" subject_alternative_names = [ "new1.${var.public_root_domain}", "new2.${var.public_root_domain}", "new3.${var.public_root_domain}", ] validation_method = "DNS" } resource "aws_route53_record" "new" { for_each = { for dvo in aws_acm_certificate.new.domain_validation_options: dvo.domain_name => { name = dvo.resource_record_name record = dvo.resource_record_value type = dvo.resource_record_type } } allow_overwrite = true name = each.value.name records = [each.value.record] ttl = 60 type = each.value.type zone_id = data.aws_route53_zone.public_root_domain.zone_id } resource "aws_acm_certificate_validation" "new" { certificate_arn = aws_acm_certificate.new.arn validation_record_fqdns = [for record in aws_route53_record.new: record.fqdn] } resource "aws_acm_certificate" "wildcard" { domain_name = var.public_root_domain subject_alternative_names = ["*.${var.public_root_domain}"] validation_method = "DNS" } resource "aws_route53_record" "wildcard" { for_each = { for dvo in aws_acm_certificate.wildcard.domain_validation_options: dvo.domain_name => { name = dvo.resource_record_name record = dvo.resource_record_value type = dvo.resource_record_type } } allow_overwrite = true name = each.value.name records = [each.value.record] ttl = 60 type = each.value.type zone_id = data.aws_route53_zone.public_root_domain.zone_id } resource "aws_acm_certificate_validation" "wildcard" { certificate_arn = aws_acm_certificate.wildcard.arn validation_record_fqdns = [for record in aws_route53_record.wildcard: record.fqdn] } ``` * docs/service/acm: Fix terrafmt reports Previously: ``` website/docs/r/acm_certificate.html.markdown:83 website/docs/r/acm_certificate_validation.html.markdown:25 website/docs/r/acm_certificate_validation.html.markdown:67 ```
Hi folks 👋 Thank you for your patience and understanding on this manner. As part of #13053 and the extensive feedback provided in this issue (thank you again!), it was determined that a few changes were in order with the
We certainly do not take breaking configuration changes lightly, so we wanted to be sure that if anything was going to cause any sort of effort to change your configurations, that those changes would be worth the effort. We think we hit a good balance here and hope that you find the updated handling to be much more pleasant and work as expected. Given the above, most environments will now be able to do the following directly: resource "aws_route53_zone" "example_com" {
name = "example.com"
}
resource "aws_acm_certificate" "example_com" {
domain_name = "example.${aws_route53_zone.example_com.name}"
subject_alternative_names = [
"example1.${aws_route53_zone.example_com.name}",
"example2.${aws_route53_zone.example_com.name}",
"example3.${aws_route53_zone.example_com.name}",
]
validation_method = "DNS"
}
resource "aws_route53_record" "example_validation" {
for_each = {
for dvo in aws_acm_certificate.example_com.domain_validation_options: dvo.domain_name => {
name = dvo.resource_record_name
record = dvo.resource_record_value
type = dvo.resource_record_type
}
}
allow_overwrite = true
name = each.value.name
records = [each.value.record]
ttl = 60
type = each.value.type
zone_id = aws_route53_zone.example_com.zone_id
}
resource "aws_acm_certificate_validation" "example_com" {
certificate_arn = aws_acm_certificate.example_com.arn
validation_record_fqdns = [for record in aws_route53_record.example_validation: record.fqdn]
} These changes will land as part of the Terraform AWS Provider version 3.0.0, next week. I have copied information that will be present in the Version 3 Upgrade Guide below for these changes, that will be fully updated when the release occurs. If you find unexpected behavior after upgrading to version 3.0.0 when its released, please create a new GitHub issue following the bug template and we will take a fresh look given the new resource handling. Cheers. subject_alternative_names Changed from List to SetPreviously the domain_validation_options Changed from List to SetPreviously, the
The Configuration references to this attribute will likely require updates since sets cannot be indexed (e.g. For example, given this previous configuration using a data "aws_route53_zone" "public_root_domain" {
name = var.public_root_domain
}
resource "aws_acm_certificate" "existing" {
domain_name = "existing.${var.public_root_domain}"
subject_alternative_names = [
"existing1.${var.public_root_domain}",
"existing2.${var.public_root_domain}",
"existing3.${var.public_root_domain}",
]
validation_method = "DNS"
}
resource "aws_route53_record" "existing" {
count = length(aws_acm_certificate.existing.subject_alternative_names) + 1
allow_overwrite = true
name = aws_acm_certificate.existing.domain_validation_options[count.index].resource_record_name
records = [aws_acm_certificate.existing.domain_validation_options[count.index].resource_record_value]
ttl = 60
type = aws_acm_certificate.existing.domain_validation_options[count.index].resource_record_type
zone_id = data.aws_route53_zone.public_root_domain.zone_id
}
resource "aws_acm_certificate_validation" "existing" {
certificate_arn = aws_acm_certificate.existing.arn
validation_record_fqdns = aws_route53_record.existing[*].fqdn
} It will receive errors like the below after upgrading:
Since the resource "aws_route53_record" "existing" {
for_each = {
for dvo in aws_acm_certificate.existing.domain_validation_options: dvo.domain_name => {
name = dvo.resource_record_name
record = dvo.resource_record_value
type = dvo.resource_record_type
}
}
allow_overwrite = true
name = each.value.name
records = [each.value.record]
ttl = 60
type = each.value.type
zone_id = data.aws_route53_zone.public_root_domain.zone_id
}
resource "aws_acm_certificate_validation" "existing" {
certificate_arn = aws_acm_certificate.existing.arn
validation_record_fqdns = [for record in aws_route53_record.existing: record.fqdn]
} After the configuration has been updated, a plan should no longer error and may look like the following:
Due to the type of configuration change, Terraform does not know that the previous If using In larger or more complex environments though, this process can be tedius to match the old resource address to the new resource address and run all the necessary -> This guide is showing the simpler $ terraform state rm aws_route53_record.existing
Removed aws_route53_record.existing[0]
Removed aws_route53_record.existing[1]
Removed aws_route53_record.existing[2]
Removed aws_route53_record.existing[3]
Successfully removed 4 resource instance(s). Now the Terraform plan will show only the additions of new Route 53 records (which are exactly the same as before the upgrade) and the proposed recreation of the
Once applied, no differences should be shown and no additional steps should be necessary. |
author Brian Flad <bflad417@gmail.com> 1594769808 -0400 committer Angie Pinilla <angelinepinilla@gmail.com> 1595878294 -0400 parent b69af0579e0415631faa9b77559a55a5f6e7c208 author Brian Flad <bflad417@gmail.com> 1594769808 -0400 committer Angie Pinilla <angelinepinilla@gmail.com> 1595878093 -0400 tests/provider: Update testacc target to error when provided example test pattern (#14091) * tests/provider: Update testacc target to error when provided example test pattern Reference: https://github.com/terraform-providers/terraform-provider-aws/blob/master/.github/PULL_REQUEST_TEMPLATE.md The pull request template suggests an example of how to run acceptance testing, but uses a placeholder example since its not feasible to reliably determine this automatically via git, etc. Also given that we have begun adding many more Go packages beyond just the top level provider one, the output can look potentially valid when it really is not meaningful: ```console $ $ make testacc TESTARGS='-run=TestAccXXX' ==> Checking that code complies with gofmt requirements... TF_ACC=1 go test ./... -v -count 1 -parallel 20 -run=TestAccXXX -timeout 120m ? github.com/terraform-providers/terraform-provider-aws [no test files] testing: warning: no tests to run PASS ok github.com/terraform-providers/terraform-provider-aws/aws 2.594s [no tests to run] testing: warning: no tests to run PASS ok github.com/terraform-providers/terraform-provider-aws/aws/internal/flatmap 0.409s [no tests to run] testing: warning: no tests to run PASS ok github.com/terraform-providers/terraform-provider-aws/aws/internal/keyvaluetags 0.792s [no tests to run] testing: warning: no tests to run PASS ok github.com/terraform-providers/terraform-provider-aws/aws/internal/naming 1.619s [no tests to run] ? github.com/terraform-providers/terraform-provider-aws/aws/internal/service/apigatewayv2/waiter [no test files] testing: warning: no tests to run PASS ok github.com/terraform-providers/terraform-provider-aws/aws/internal/service/batch/equivalency 0.373s [no tests to run] ? github.com/terraform-providers/terraform-provider-aws/aws/internal/service/ec2/waiter [no test files] ? github.com/terraform-providers/terraform-provider-aws/aws/internal/service/ecs/waiter [no test files] testing: warning: no tests to run PASS ok github.com/terraform-providers/terraform-provider-aws/aws/internal/service/eks/token 0.343s [no tests to run] ? github.com/terraform-providers/terraform-provider-aws/aws/internal/service/guardduty/waiter [no test files] ? github.com/terraform-providers/terraform-provider-aws/aws/internal/service/iam/waiter [no test files] ? github.com/terraform-providers/terraform-provider-aws/aws/internal/service/kinesisanalytics/waiter [no test files] ? github.com/terraform-providers/terraform-provider-aws/aws/internal/service/kms/waiter [no test files] ? github.com/terraform-providers/terraform-provider-aws/aws/internal/service/neptune/waiter [no test files] ? github.com/terraform-providers/terraform-provider-aws/aws/internal/service/rds/waiter [no test files] ? github.com/terraform-providers/terraform-provider-aws/aws/internal/service/secretsmanager/waiter [no test files] ? github.com/terraform-providers/terraform-provider-aws/aws/internal/service/servicediscovery/waiter [no test files] ? github.com/terraform-providers/terraform-provider-aws/aws/internal/service/sfn/waiter [no test files] ? github.com/terraform-providers/terraform-provider-aws/aws/internal/service/workspaces/waiter [no test files] testing: warning: no tests to run PASS ok github.com/terraform-providers/terraform-provider-aws/aws/internal/tfawsresource 1.022s [no tests to run] ? github.com/terraform-providers/terraform-provider-aws/awsproviderlint [no test files] ? github.com/terraform-providers/terraform-provider-aws/awsproviderlint/helper/awsprovidertype/keyvaluetags [no test files] testing: warning: no tests to run PASS ok github.com/terraform-providers/terraform-provider-aws/awsproviderlint/passes 2.115s [no tests to run] testing: warning: no tests to run PASS ok github.com/terraform-providers/terraform-provider-aws/awsproviderlint/passes/AWSAT001 2.212s [no tests to run] testing: warning: no tests to run PASS ok github.com/terraform-providers/terraform-provider-aws/awsproviderlint/passes/AWSAT002 0.326s [no tests to run] testing: warning: no tests to run PASS ok github.com/terraform-providers/terraform-provider-aws/awsproviderlint/passes/AWSR001 0.412s [no tests to run] testing: warning: no tests to run PASS ok github.com/terraform-providers/terraform-provider-aws/awsproviderlint/passes/AWSR002 2.086s [no tests to run] testing: warning: no tests to run PASS ok github.com/terraform-providers/terraform-provider-aws/awsproviderlint/passes/fmtsprintfcallexpr 0.248s [no tests to run] ``` This now focuses the acceptance testing on the top level package to remove the extraneous package output and returns an error when attempting to use the example verbatim: ```console $ make testacc TESTARGS='-run=TestAccXXX' ==> Checking that code complies with gofmt requirements... Error: Skipping example acceptance testing pattern. Update TESTARGS to match the test naming in the relevant *_test.go file. For example if updating aws/resource_aws_acm_certificate.go, use the test names in aws/resource_aws_acm_certificate_test.go starting with TestAcc and up to the underscore: make testacc TESTARGS='-run=TestAccAWSAcmCertificate_' See the contributing guide for more information: https://github.com/terraform-providers/terraform-provider-aws/blob/master/docs/contributing/running-and-writing-acceptance-tests.md make: *** [testacc] Error 1 $ make testacc TESTARGS='-run=TestAccAWSAvailabilityZones_' ==> Checking that code complies with gofmt requirements... TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAvailabilityZones_ -timeout 120m === RUN TestAccAWSAvailabilityZones_basic ... ``` * docs/provider: Remove TEST=./aws usage in running acceptance testing section resource/aws_s3_bucket: Convert region to read-only attribute (#14127) Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/592 Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/1656 Output from acceptance testing (NOTE: CUR data source and resource need to be tested in standalone account due to Organization permissions and appear to be failing due to new validation in the API that's not handled in the resource yet): ``` --- PASS: TestAccAWSS3Bucket_acceleration (65.86s) --- PASS: TestAccAWSS3Bucket_AclToGrant (67.94s) --- PASS: TestAccAWSS3Bucket_basic (37.25s) --- PASS: TestAccAWSS3Bucket_Bucket_EmptyString (35.95s) --- PASS: TestAccAWSS3Bucket_Cors_Delete (31.78s) --- PASS: TestAccAWSS3Bucket_Cors_EmptyOrigin (37.29s) --- PASS: TestAccAWSS3Bucket_Cors_Update (65.22s) --- PASS: TestAccAWSS3Bucket_disableDefaultEncryption_whenDefaultEncryptionIsEnabled (62.31s) --- PASS: TestAccAWSS3Bucket_enableDefaultEncryption_whenAES256IsUsed (37.28s) --- PASS: TestAccAWSS3Bucket_enableDefaultEncryption_whenTypical (43.14s) --- PASS: TestAccAWSS3Bucket_forceDestroy (31.61s) --- PASS: TestAccAWSS3Bucket_forceDestroyWithEmptyPrefixes (31.54s) --- PASS: TestAccAWSS3Bucket_forceDestroyWithObjectLockEnabled (37.95s) --- PASS: TestAccAWSS3Bucket_generatedName (35.53s) --- PASS: TestAccAWSS3Bucket_GrantToAcl (57.50s) --- PASS: TestAccAWSS3Bucket_LifecycleBasic (86.93s) --- PASS: TestAccAWSS3Bucket_LifecycleExpireMarkerOnly (62.03s) --- PASS: TestAccAWSS3Bucket_LifecycleRule_Expiration_EmptyConfigurationBlock (31.01s) --- PASS: TestAccAWSS3Bucket_Logging (55.35s) --- PASS: TestAccAWSS3Bucket_namePrefix (35.81s) --- PASS: TestAccAWSS3Bucket_objectLock (60.93s) --- PASS: TestAccAWSS3Bucket_Policy (88.67s) --- PASS: TestAccAWSS3Bucket_Replication (147.39s) --- PASS: TestAccAWSS3Bucket_ReplicationConfiguration_Rule_Destination_AccessControlTranslation (86.62s) --- PASS: TestAccAWSS3Bucket_ReplicationConfiguration_Rule_Destination_AddAccessControlTranslation (84.62s) --- PASS: TestAccAWSS3Bucket_ReplicationExpectVersioningValidationError (28.14s) --- PASS: TestAccAWSS3Bucket_ReplicationSchemaV2 (152.22s) --- PASS: TestAccAWSS3Bucket_ReplicationWithoutPrefix (52.74s) --- PASS: TestAccAWSS3Bucket_ReplicationWithoutStorageClass (51.40s) --- PASS: TestAccAWSS3Bucket_RequestPayer (63.26s) --- PASS: TestAccAWSS3Bucket_shouldFailNotFound (15.41s) --- PASS: TestAccAWSS3Bucket_tagsWithNoSystemTags (118.49s) --- PASS: TestAccAWSS3Bucket_tagsWithSystemTags (163.94s) --- PASS: TestAccAWSS3Bucket_UpdateAcl (58.70s) --- PASS: TestAccAWSS3Bucket_UpdateGrant (91.75s) --- PASS: TestAccAWSS3Bucket_Versioning (90.14s) --- PASS: TestAccAWSS3Bucket_Website_Simple (89.22s) --- PASS: TestAccAWSS3Bucket_WebsiteRedirect (86.48s) --- PASS: TestAccAWSS3Bucket_WebsiteRoutingRules (63.97s) --- PASS: TestAccAWSSsmResourceDataSync_basic (15.77s) --- PASS: TestAccAWSSsmResourceDataSync_update (28.49s) TestAccAwsCurReportDefinition_basic: testing.go:684: Step 0 error: errors during apply: Error: Error creating AWS Cost And Usage Report Definition: ValidationException: Failed to verify customer bucket permission. accountId= --OMITTED--, bucket name: tf-test-bucket-3532084976228094739, bucket region: us-east-1 TestAccDataSourceAwsCurReportDefinition_basic: testing.go:684: Step 0 error: errors during apply: Error: Error creating AWS Cost And Usage Report Definition: ValidationException: Failed to verify customer bucket permission. accountId= --OMITTED--, bucket name: tf-test-bucket-9147728765044904331, bucket region: us-east-1 ``` Update CHANGELOG for #14127 Corrects name of Workspaces Workspace sweeper let subject_alternative_names be a set re-add computed: true to subject_alternative_names attribute resource/aws_acm_certificate: Finalize subject_alternative_names change from TypeList to TypeSet Reference: https://github.com/terraform-providers/terraform-provider-aws/pull/11300 Output from acceptance testing: ``` --- PASS: TestAccAWSAcmCertificate_imported_IpAddress (11.98s) --- PASS: TestAccAWSAcmCertificate_wildcard (14.66s) --- PASS: TestAccAWSAcmCertificate_emailValidation (14.79s) --- PASS: TestAccAWSAcmCertificate_root (15.12s) --- PASS: TestAccAWSAcmCertificate_disableCTLogging (15.15s) --- PASS: TestAccAWSAcmCertificate_san_TrailingPeriod (15.80s) --- PASS: TestAccAWSAcmCertificate_wildcardAndRootSan (16.01s) --- PASS: TestAccAWSAcmCertificate_root_TrailingPeriod (16.44s) --- PASS: TestAccAWSAcmCertificate_rootAndWildcardSan (18.30s) --- PASS: TestAccAWSAcmCertificate_san_single (18.38s) --- PASS: TestAccAWSAcmCertificate_dnsValidation (18.62s) --- PASS: TestAccAWSAcmCertificate_san_multiple (19.06s) --- PASS: TestAccAWSAcmCertificate_privateCert (22.34s) --- PASS: TestAccAWSAcmCertificate_imported_DomainName (26.46s) --- PASS: TestAccAWSAcmCertificate_tags (37.20s) ``` Remove hardcoded AMI IDs from launch_config data source Removing import of aws_security_group_rule for rules associated with aws_security_group implicitly during its import. Acceptance tests updated to account for removed rules in import state check. rebased and addressed review feedback Update CHANGELOG for #12616 update documentation attributes add missing validation value for comparison_operator argument delete_on_termination on ENI has to be optional like the EBS delete_on_termination this can be optional and cannot be treated like a real bool but has to be treated as a string which can be empty or a bool representation testing all possible inputs now testing as well `delete_on_termination = ""` and `delete_on_termination = null` which both should not set the value to anything. adding upgrade instructions version 3 upgrade details Update CHANGELOG for #8612 add private_ips field change private_ips to secondary_private_ips and enable update update to using expandstringset method Update CHANGELOG for #14079 Removed hardcoded AMI IDs from AutoscalingAttachment docs/resource/aws_codebuild_webhook: Add COMMIT_MESSAGE to acceptable codebuild filter types (#14207) Co-authored-by: mikiya771 <norep> Fixes aws_lambda_alias import to set function_name attribute correctly instead of function's ARN resource/aws_lambda_alias: Finalize resource import adjustments Reference: https://github.com/terraform-providers/terraform-provider-aws/pull/12876 Output from acceptance testing: ``` --- PASS: TestAccAWSLambdaAlias_FunctionName_Name (35.53s) --- PASS: TestAccAWSLambdaAlias_basic (53.18s) --- PASS: TestAccAWSLambdaAlias_nameupdate (62.70s) --- PASS: TestAccAWSLambdaAlias_routingconfig (63.82s) ``` Update CHANGELOG for #12876 remove trailing period from domainname/name attributes update to using TrimSuffix strings method isolate changes to only route53_zone return error for singular data source Error when data.aws_ecr_repository cannot find repository Fixes https://github.com/terraform-providers/terraform-provider-aws/issues/10071. adjust error messaging return error for singular data source add angie and dirk consolidate maintainer lists Ignore hardcoded AMI because not actually used Add underscore to acceptance test names, minor naming convention fixes provider: Remove unnecessary fmt.Sprint()/fmt.Sprintf() (#14242) Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/14239 Update Terraform github to v2.9.2 (#14021) * Update Terraform github to v2.9.2 * infrastructure/repository: Use organization argument instead of owner in github provider configuration Appears that the provider reverted the deprecation of the `organization` argument and inclusion of the new `owner` argument in 2.9.x, delaying until 3.0.0. Previously: ``` Error: Unsupported argument on main.tf line 14, in provider "github": 14: owner = "terraform-providers" An argument named "owner" is not expected here. ``` Co-authored-by: Renovate Bot <bot@renovateapp.com> Co-authored-by: Brian Flad <bflad417@gmail.com> add-q3-roadmap-draft add old roadmap section fix milestone link remove currently in progress in case it causes confusion r/aws_apigatewayv2_integration: suppress diff for passthrough_behavior Update CHANGELOG for #13062 Update ROADMAP.md to fix formatting omissions docs/provider: Setup and document release/* branch convention, link 2.x and earlier changelog entries (#14177) * docs/provider: Setup and document release/* branch convention, link 2.x and earlier changelog entries Reference: https://github.com/terraform-providers/terraform-provider-aws/tree/release/2.x * tests/provider: Ensure release/* branches are ran on push via GitHub Actions docs/provider: Document max_retries default (#14256) adjust error formatting and handling tests/resource/aws_s3_bucket: Add S3 Same-Region Replication acceptance test (#10170) Output from acceptance testing in AWS Commercial: ``` --- PASS: TestAccAWSS3Bucket_SameRegionReplicationSchemaV2 (52.57s) ``` Output from acceptance testing in AWS GovCloud (US): ``` --- PASS: TestAccAWSS3Bucket_SameRegionReplicationSchemaV2 (56.62s) ``` tests/resource/aws_rds_cluster: Remove aws_s3_bucket region argument from TestAccAWSRDSCluster_s3Restore (#14272) Reference: https://github.com/terraform-providers/terraform-provider-aws/pull/14127 Missed during test configuration cleanup after the referenced argument removal. Fixes the initial configuration issue, but does not fix the (still) broken test which is presumably something to do with the backup file or engine version. Previously: ``` --- FAIL: TestAccAWSRDSCluster_s3Restore (0.99s) testing.go:684: Step 0 error: config is invalid: "region": this field cannot be set ``` Output from acceptance testing: ``` === CONT TestAccAWSRDSCluster_s3Restore TestAccAWSRDSCluster_s3Restore: testing.go:684: Step 0 error: errors during apply: Error: Error waiting for RDS Cluster state to be "available": unexpected state 'migration-failed', wanted target 'available'. last error: %!s(<nil>) ``` refactor resource import set virtual attributes in import func Update CHANGELOG for #10520 and #10521 update default value for min_capacity in scaling_configuration block of rds_cluster Update CHANGELOG for #14268 keep throttling disabled by default in api gateway method settings resource update import ID pattern Update CHANGELOG for #14266 add plan time validation to `self_managed_active_directory.dns_ips` add support for multi az deployment add deployment type to test add computed flag to deployment_type add docs fix docs remove computed fix multi az test disappears fix lint issue add support for `SINGLE_AZ_2` type Update website/docs/r/fsx_windows_file_system.html.markdown Co-authored-by: Simon Davis <simon@breathingdust.com> Update website/docs/r/fsx_windows_file_system.html.markdown Co-authored-by: Simon Davis <simon@breathingdust.com> Update website/docs/r/fsx_windows_file_system.html.markdown Co-authored-by: Simon Davis <simon@breathingdust.com> Update CHANGELOG.md for #12676 Fix schema set errors (#14167) * Fix schema set errors * Fix wrong attribute * Fix type * Flatten ssm parameters * resource/elasticsearch_domain: update method to set advanced_security_options (#14198) * set advanced security options only if enabled * refactor and set values depending on enabled field Co-authored-by: angie pinilla <angelinepinilla@gmail.com> tests/provider: Enable AWSAT004 check for CI (#14216) Reference: https://github.com/terraform-providers/terraform-provider-aws/pull/14097 resource/aws_launch_configuration: Remove DescribeLaunchConfigurations retries on all errors (#14260) Reference: https://github.com/hashicorp/terraform/issues/302 Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13409 Does not seem to be occurring anymore, but could require additional load to manifest. Can re-add explicit retries as necessary. Output from acceptance testing: ``` --- PASS: TestAccAWSLaunchConfiguration_withSpotPrice (11.31s) --- PASS: TestAccAWSLaunchConfiguration_ebs_noDevice (13.17s) --- PASS: TestAccAWSLaunchConfiguration_withBlockDevices (13.44s) --- PASS: TestAccAWSLaunchConfiguration_withInstanceStoreAMI (13.67s) --- PASS: TestAccAWSLaunchConfiguration_withEncryption (14.02s) --- PASS: TestAccAWSLaunchConfiguration_basic (22.34s) --- PASS: TestAccAWSLaunchConfiguration_withIAMProfile (24.19s) --- PASS: TestAccAWSLaunchConfiguration_encryptedRootBlockDevice (25.59s) --- PASS: TestAccAWSLaunchConfiguration_userData (28.60s) --- PASS: TestAccAWSLaunchConfiguration_RootBlockDevice_VolumeSize (28.91s) --- PASS: TestAccAWSLaunchConfiguration_updateEbsBlockDevices (30.96s) --- PASS: TestAccAWSLaunchConfiguration_withVpcClassicLink (32.72s) --- PASS: TestAccAWSLaunchConfiguration_RootBlockDevice_AmiDisappears (353.93s) ``` resource/aws_spot_fleet_request: Only retry RequestSpotFleet on IAM eventual consistency errors, use standard 2 minute timeout (#14265) Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/7740 Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13409 Output from acceptance testing: ``` --- PASS: TestAccAWSSpotFleetRequest_associatePublicIpAddress (251.97s) --- PASS: TestAccAWSSpotFleetRequest_basic (314.23s) --- PASS: TestAccAWSSpotFleetRequest_changePriceForcesNewRequest (612.33s) --- PASS: TestAccAWSSpotFleetRequest_disappears (261.47s) --- PASS: TestAccAWSSpotFleetRequest_diversifiedAllocation (403.92s) --- PASS: TestAccAWSSpotFleetRequest_fleetType (316.94s) --- PASS: TestAccAWSSpotFleetRequest_iamInstanceProfileArn (251.69s) --- PASS: TestAccAWSSpotFleetRequest_instanceInterruptionBehavior (253.29s) --- PASS: TestAccAWSSpotFleetRequest_LaunchSpecification_EbsBlockDevice_KmsKeyId (112.90s) --- PASS: TestAccAWSSpotFleetRequest_LaunchSpecification_RootBlockDevice_KmsKeyId (142.33s) --- PASS: TestAccAWSSpotFleetRequest_launchSpecToLaunchTemplate (467.97s) --- PASS: TestAccAWSSpotFleetRequest_launchTemplate (253.11s) --- PASS: TestAccAWSSpotFleetRequest_launchTemplate_multiple (254.84s) --- PASS: TestAccAWSSpotFleetRequest_launchTemplateToLaunchSpec (468.45s) --- PASS: TestAccAWSSpotFleetRequest_launchTemplateWithOverrides (253.43s) --- PASS: TestAccAWSSpotFleetRequest_lowestPriceAzInGivenList (274.51s) --- PASS: TestAccAWSSpotFleetRequest_lowestPriceAzOrSubnetInRegion (314.01s) --- PASS: TestAccAWSSpotFleetRequest_lowestPriceSubnetInGivenList (276.90s) --- PASS: TestAccAWSSpotFleetRequest_multipleInstancePools (486.46s) --- PASS: TestAccAWSSpotFleetRequest_multipleInstanceTypesInSameAz (406.36s) --- PASS: TestAccAWSSpotFleetRequest_multipleInstanceTypesInSameSubnet (231.26s) --- PASS: TestAccAWSSpotFleetRequest_overriddingSpotPrice (295.29s) --- PASS: TestAccAWSSpotFleetRequest_placementTenancyAndGroup (57.48s) --- PASS: TestAccAWSSpotFleetRequest_tags (342.55s) --- PASS: TestAccAWSSpotFleetRequest_updateExcessCapacityTerminationPolicy (597.13s) --- PASS: TestAccAWSSpotFleetRequest_updateTargetCapacity (753.34s) --- PASS: TestAccAWSSpotFleetRequest_withEBSDisk (255.16s) --- PASS: TestAccAWSSpotFleetRequest_WithELBs (277.96s) --- PASS: TestAccAWSSpotFleetRequest_withoutSpotPrice (232.56s) --- PASS: TestAccAWSSpotFleetRequest_withTags (282.39s) --- PASS: TestAccAWSSpotFleetRequest_WithTargetGroups (427.61s) --- PASS: TestAccAWSSpotFleetRequest_withWeightedCapacity (335.33s) ``` Update CHANGELOG for #14265 resource/aws_codepipeline: Only retry CreatePipeline errors for IAM eventual consistency (#14264) Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13409 Output from acceptance testing: ``` --- PASS: TestAccAWSCodePipeline_emptyStageArtifacts (33.11s) --- PASS: TestAccAWSCodePipeline_WithNamespace (35.13s) --- PASS: TestAccAWSCodePipeline_multiregion_basic (36.83s) --- PASS: TestAccAWSCodePipeline_deployWithServiceRole (42.85s) --- PASS: TestAccAWSCodePipeline_basic (57.83s) --- PASS: TestAccAWSCodePipeline_multiregion_Update (61.32s) --- PASS: TestAccAWSCodePipeline_tags (76.28s) --- PASS: TestAccAWSCodePipeline_multiregion_ConvertSingleRegion (79.20s) ``` Update CHANGELOG for #14264 resource/aws_ssm_activation: Only retry CreateActivation on IAM eventual consistency error, allow retries for standard 2 minutes (#14263) Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13409 API does not seem to validate IAM Role permissions on creation. Output from acceptance testing: ``` --- PASS: TestAccAWSSSMActivation_expirationDate (19.17s) --- PASS: TestAccAWSSSMActivation_disappears (25.22s) --- PASS: TestAccAWSSSMActivation_basic (27.39s) --- PASS: TestAccAWSSSMActivation_update (37.23s) ``` Update CHANGELOG for #14263 resource/aws_network_acl_rule: Immediately return DescribeNetworkAcls errors on creation (#14261) Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13409 Output from acceptance testing: ``` --- PASS: TestAccAWSNetworkAclRule_allProtocol (44.33s) --- PASS: TestAccAWSNetworkAclRule_basic (32.50s) --- PASS: TestAccAWSNetworkAclRule_disappears (32.83s) --- PASS: TestAccAWSNetworkAclRule_disappears_NetworkAcl (27.16s) --- PASS: TestAccAWSNetworkAclRule_ingressEgressSameNumberDisappears (30.24s) --- PASS: TestAccAWSNetworkAclRule_ipv6 (29.23s) --- PASS: TestAccAWSNetworkAclRule_ipv6ICMP (28.65s) --- PASS: TestAccAWSNetworkAclRule_ipv6VpcAssignGeneratedIpv6CidrBlockUpdate (47.71s) --- PASS: TestAccAWSNetworkAclRule_missingParam (15.14s) --- PASS: TestAccAWSNetworkAclRule_tcpProtocol (40.32s) ``` Update CHANGELOG for #14261 Add function to check TypeSet pairs Add unit tests for TestCheckTypeSetElemAttrPair tests/resource/aws_rds_cluster: Fix TestAccAWSRDSCluster_EngineVersion (#14286) isolate changes to only route53_record resource update additional domian name example in upgrade guide Co-authored-by: Brian Flad <bflad417@gmail.com> update with CR comments isolate changes to only resolver rule isolate changes to only acm_certificate isolate changes to only ses_domain_identity re-add trailing period acctest merge with parent branch and update statefuncs to use global method update statefuncs to use global method and update tests w/trailingp period domains r/aws_apigatewayv2_stage: Make deployment_id a computed attribute. Update CHANGELOG.md for #13644 bump to go v1.14.5 r/aws_apigatewayv2_integration: Add 'request_parameters' attribute. Update CHANGELOG.md for #14080 r/aws_apigatewayv2_route: Update route key. Update CHANGELOG.md for #13833 Revert "Remove 'tls_config' attribute. It doesn't seem to do anything right now." This reverts commit ffbce32f931a9b33adc8407a267ba176c510bd44. r/aws_apigatewayv2_integration: Test HTTP API VPC Link integration. r/aws_apigatewayv2_integration: Additional import test step in 'TestAccAWSAPIGatewayV2Integration_VpcLinkHttp'. Update CHANGELOG.md Update CHANGELOG.md for #13013 Update CHANGELOG.md add atleastoneof property to filter attributes Update CHANGELOG for #14230 Remove hardcoded AMI and AZ Improve static check for hardcoded partition in ARN resource/aws_lambda_function: Increase IAM retry timeout for create to 2 minutes (#14291) References: * https://github.com/terraform-providers/terraform-provider-aws/issues/14285 Increased the retry timeout for eventual consistency IAM errors during a lambda function create from 1 minute to 2 minute. Output from acceptance testing: ``` make testacc TEST=./aws TESTARGS='-run=TestAccAWSLambdaFunction_' ... --- PASS: TestAccAWSLambdaFunction_basic (28.86s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_java8 (34.46s) --- PASS: TestAccAWSLambdaFunction_DeadLetterConfigUpdated (160.32s) --- PASS: TestAccAWSLambdaFunction_VpcConfig_ProperIamDependencies (208.54s) --- PASS: TestAccAWSLambdaFunction_VPC_withInvocation (567.54s) --- PASS: TestAccAWSLambdaFunction_VPCRemoval (596.13s) --- PASS: TestAccAWSLambdaFunction_LayersUpdate (49.02s) --- PASS: TestAccAWSLambdaFunction_VPC (362.84s) --- PASS: TestAccAWSLambdaFunction_VPCUpdate (797.25s) --- PASS: TestAccAWSLambdaFunction_nilDeadLetterConfig (120.01s) --- PASS: TestAccAWSLambdaFunction_DeadLetterConfig (51.30s) --- PASS: TestAccAWSLambdaFunction_envVariables (153.15s) --- PASS: TestAccAWSLambdaFunction_versioned (39.16s) --- PASS: TestAccAWSLambdaFunction_versionedUpdate (61.80s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_python37 (31.16s) --- PASS: TestAccAWSLambdaFunction_encryptedEnvVariables (51.77s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_dotnetcore31 (36.20s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_ruby27 (40.86s) --- PASS: TestAccAWSLambdaFunction_Layers (38.54s) --- PASS: TestAccAWSLambdaFunction_tracingConfig (51.87s) --- PASS: TestAccAWSLambdaFunction_KmsKeyArn_NoEnvironmentVariables (36.57s) --- PASS: TestAccAWSLambdaFunction_concurrencyCycle (54.03s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_ruby25 (36.53s) --- PASS: TestAccAWSLambdaFunction_expectFilenameAndS3Attributes (13.34s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_python38 (28.27s) --- PASS: TestAccAWSLambdaFunction_tags (51.19s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_java11 (36.59s) --- PASS: TestAccAWSLambdaFunction_updateRuntime (51.42s) --- PASS: TestAccAWSLambdaFunction_s3Update_unversioned (43.77s) --- PASS: TestAccAWSLambdaFunction_localUpdate (39.80s) --- PASS: TestAccAWSLambdaFunction_s3Update_basic (44.15s) --- PASS: TestAccAWSLambdaFunction_localUpdate_nameOnly (40.02s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_python36 (32.09s) --- PASS: TestAccAWSLambdaFunction_FileSystemConfig (721.87s) --- PASS: TestAccAWSLambdaFunction_s3 (31.68s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_provided (36.48s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_python27 (33.63s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_NodeJs10x (38.17s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_noRuntime (0.91s) --- PASS: TestAccAWSLambdaFunction_concurrency (46.63s) --- PASS: TestAccAWSLambdaFunction_EmptyVpcConfig (38.38s) --- PASS: TestAccAWSLambdaFunction_disappears (36.13s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_NodeJs12x (38.47s) ``` Update CHANGELOG for #14291 error when iops provided for unsupported type improve upgrade docs for iops Update CHANGELOG for #14310 Update CHANGELOG with Go versioning Remove hardcoded AMIs and AZs Remove hardcoded AMIs and AZs Removed hardcoded AMIs and AZs Remove hardcoded AMI and AZ Remove hardcoded AMI r/aws_apigatewayv2_stage: 'data_trace_enabled' and 'logging_level' are only valid for WebSocket APIs. r/aws_apigatewayv2_stage: No need for diff-suppression for new resources. r/aws_apigatewayv2_stage: Additional route_settings and default_route_settings test cases. r/aws_apigatewayv2_stage: Add computed 'api_protocol_type' attribute. r/aws_apigatewayv2_stage: Pass API protocol type to 'flattenApiGatewayV2RouteSettings'. Revert "r/aws_apigatewayv2_stage: Pass API protocol type to 'flattenApiGatewayV2RouteSettings'." This reverts commit 9337272b7842879cdbae5be19ec076bea314b20c. Revert "r/aws_apigatewayv2_stage: Add computed 'api_protocol_type' attribute." This reverts commit a7eb7cf9976ecabb04696dbe2f39805cc0ec1401. Fix mess from rebase. r/aws_apigatewayv2_stage: Change 'route_setting.logging_level' to computed to address different defaults for WebSocket vs. HTTP. Update CHANGELOG.md for #13809 resource/aws_acm_certificate: Convert domain_validation_options to TypeSet and calculate elements during plan (#14199) * resource/aws_acm_certificate: Convert domain_validation_options to TypeSet and calculate elements during plan Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/8531 Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/10098 Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/10404 Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13053 Output from acceptance testing: ``` --- PASS: TestAccAWSAcmCertificate_imported_IpAddress (11.48s) --- PASS: TestAccAWSAcmCertificate_rootAndWildcardSan (15.53s) --- PASS: TestAccAWSAcmCertificate_root_TrailingPeriod (15.53s) --- PASS: TestAccAWSAcmCertificate_root (15.62s) --- PASS: TestAccAWSAcmCertificate_emailValidation (15.91s) --- PASS: TestAccAWSAcmCertificate_san_TrailingPeriod (16.38s) --- PASS: TestAccAWSAcmCertificate_wildcardAndRootSan (16.43s) --- PASS: TestAccAWSAcmCertificate_san_single (16.51s) --- PASS: TestAccAWSAcmCertificate_dnsValidation (16.85s) --- PASS: TestAccAWSAcmCertificate_disableCTLogging (17.06s) --- PASS: TestAccAWSAcmCertificate_wildcard (18.71s) --- PASS: TestAccAWSAcmCertificate_san_multiple (19.49s) --- PASS: TestAccAWSAcmCertificate_privateCert (20.85s) --- PASS: TestAccAWSAcmCertificate_imported_DomainName (26.86s) --- PASS: TestAccAWSAcmCertificate_tags (42.99s) --- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsEmail (11.56s) --- PASS: TestAccAWSAcmCertificateValidation_timeout (19.20s) --- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdns (107.31s) --- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsSan (110.62s) --- PASS: TestAccAWSAcmCertificateValidation_basic (143.58s) --- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsWildcardAndRoot (153.05s) --- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsRoot (212.21s) --- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsRootAndWildcard (212.95s) --- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsWildcard (247.43s) ``` Please note that this was also tested manually with a few iterations of this configuration: ```hcl terraform { required_providers { aws = "2.70.0" } required_version = "0.12.28" } provider "aws" { region = "us-east-2" } variable "public_root_domain" { description = "Publicly accessible domain for ACM testing" type = string } data "aws_route53_zone" "public_root_domain" { name = var.public_root_domain } resource "aws_acm_certificate" "new" { domain_name = "new.${var.public_root_domain}" subject_alternative_names = [ "new1.${var.public_root_domain}", "new2.${var.public_root_domain}", "new3.${var.public_root_domain}", ] validation_method = "DNS" } resource "aws_route53_record" "new" { for_each = { for dvo in aws_acm_certificate.new.domain_validation_options: dvo.domain_name => { name = dvo.resource_record_name record = dvo.resource_record_value type = dvo.resource_record_type } } allow_overwrite = true name = each.value.name records = [each.value.record] ttl = 60 type = each.value.type zone_id = data.aws_route53_zone.public_root_domain.zone_id } resource "aws_acm_certificate_validation" "new" { certificate_arn = aws_acm_certificate.new.arn validation_record_fqdns = [for record in aws_route53_record.new: record.fqdn] } resource "aws_acm_certificate" "wildcard" { domain_name = var.public_root_domain subject_alternative_names = ["*.${var.public_root_domain}"] validation_method = "DNS" } resource "aws_route53_record" "wildcard" { for_each = { for dvo in aws_acm_certificate.wildcard.domain_validation_options: dvo.domain_name => { name = dvo.resource_record_name record = dvo.resource_record_value type = dvo.resource_record_type } } allow_overwrite = true name = each.value.name records = [each.value.record] ttl = 60 type = each.value.type zone_id = data.aws_route53_zone.public_root_domain.zone_id } resource "aws_acm_certificate_validation" "wildcard" { certificate_arn = aws_acm_certificate.wildcard.arn validation_record_fqdns = [for record in aws_route53_record.wildcard: record.fqdn] } ``` * docs/service/acm: Fix terrafmt reports Previously: ``` website/docs/r/acm_certificate.html.markdown:83 website/docs/r/acm_certificate_validation.html.markdown:25 website/docs/r/acm_certificate_validation.html.markdown:67 ``` Update CHANGELOG for #14199 Implement Disappears test for API Gateway resources (#13243) * add disappears test case for APIGW API Key * add disappears test case for APIGW Authorizer * add disappears test case for APIGW Base Path * add disappears test case for APIGW Client Cert * add disappears test case for APIGW Deployment * add disappears test case for APIGW Doc Part * add disappears test case for APIGW Doc Ver * add disappears test case for APIGW Domain Name * add disappears test case for APIGW Gateway Response * add disappears test case for APIGW Integration Response * add disappears test case for APIGW Integration * add disappears test case for APIGW Method * add disappears test case for APIGW Method Response * add disappears test case for APIGW Method Settings * add disappears test case for APIGW Model * add disappears test case for APIGW Request Validator * add disappears test case for APIGW Resource * add disappears test case for APIGW Rest API * add disappears test case for APIGW Stage * add disappears test case for APIGW Usage Plan Key * add disappears test case for APIGW Usage Plan * add disappears test case for APIGW VPC Link * fix * fix lint docs/resource/aws_codebuild_project: Add SECRETS_MANAGER to the CodeBuild environment_variable type (#14200) Updates alexa example Updates api-gateway-websocket-chat-app example Updates asg example Updates cloudhsm example Updates cloudwatch-events kinesis and sns examples Updates cognito-user-pool example Updates count example Updates dx-gateway-cross-account-vgw-association example Updates ecs-alb example Updates eip example Updates eks-getting-started example Updates elasticsearch-domain example Updates elb example Updates lambda example Updates lambda-file-system example Updates networking example Updates rds example Updates s3-api-gateway-integration example Updates s3-cross-account-access Updates sagemaker example Updates transit-gateway-cross-account-peering-attachment example Updates transit-gateway-cross-account-vpc-attachment example Updates two-tier example Updates workspaces example Updates example action workflow to validate only with Terraform 0.12. Adds error for testing Restore `terraform validate` output Only check for warnings if there are no errors Fixes bash conditional Wraps jq result in quotes to force it into a string to avoid "unary operator expected" error Tightens warning check Updates warning equality Simplify warning check since it will exit on syntax errors Resetting warning test to debug it Add back terraform validate -json Adds back jq Echoes warning count Step-by-step Baby steps One step back Again Try anything Drops checks for warnings Removes error added for testing Got it! resource/aws_ssm_maintenance_window_task: Remove deprecated logging_info and task_parameters configuration blocks (#14311) Reference: https://github.com/terraform-providers/terraform-provider-aws/pull/7823 Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13398 Output from acceptance testing: ``` --- PASS: TestAccAWSSSMMaintenanceWindowTask_emptyNotificationConfig (13.56s) --- PASS: TestAccAWSSSMMaintenanceWindowTask_TaskInvocationStepFunctionParameters (14.66s) --- PASS: TestAccAWSSSMMaintenanceWindowTask_updateForcesNewResource (22.46s) --- PASS: TestAccAWSSSMMaintenanceWindowTask_basic (22.75s) --- PASS: TestAccAWSSSMMaintenanceWindowTask_TaskInvocationLambdaParameters (36.30s) --- PASS: TestAccAWSSSMMaintenanceWindowTask_TaskInvocationAutomationParameters (36.56s) --- PASS: TestAccAWSSSMMaintenanceWindowTask_TaskInvocationRunCommandParameters (39.53s) ``` Update CHANGELOG for #14311 resource/aws_lb_listener_rule: Remove deprecated condition configuration block field and values arguments (#14309) Reference: https://github.com/terraform-providers/terraform-provider-aws/pull/8268 Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13398 Already documented in the version 3 upgrade guide. Output from acceptance testing: ``` --- PASS: TestAccAWSLBListenerRule_Action_Order (242.39s) --- PASS: TestAccAWSLBListenerRule_Action_Order_Recreates (172.01s) --- PASS: TestAccAWSLBListenerRule_BackwardsCompatibility (192.52s) --- PASS: TestAccAWSLBListenerRule_basic (205.77s) --- PASS: TestAccAWSLBListenerRule_changeListenerRuleArnForcesNew (234.49s) --- PASS: TestAccAWSLBListenerRule_cognito (190.75s) --- PASS: TestAccAWSLBListenerRule_conditionAttributesCount (10.86s) --- PASS: TestAccAWSLBListenerRule_conditionHostHeader (227.40s) --- PASS: TestAccAWSLBListenerRule_conditionHttpHeader (194.36s) --- PASS: TestAccAWSLBListenerRule_conditionHttpHeader_invalid (1.43s) --- PASS: TestAccAWSLBListenerRule_conditionHttpRequestMethod (195.55s) --- PASS: TestAccAWSLBListenerRule_conditionMultiple (269.78s) --- PASS: TestAccAWSLBListenerRule_conditionPathPattern (199.17s) --- PASS: TestAccAWSLBListenerRule_conditionQueryString (195.57s) --- PASS: TestAccAWSLBListenerRule_conditionSourceIp (186.73s) --- PASS: TestAccAWSLBListenerRule_conditionUpdateMixed (274.24s) --- PASS: TestAccAWSLBListenerRule_conditionUpdateMultiple (267.11s) --- PASS: TestAccAWSLBListenerRule_fixedResponse (213.36s) --- PASS: TestAccAWSLBListenerRule_forwardWeighted (213.62s) --- PASS: TestAccAWSLBListenerRule_oidc (206.04s) --- PASS: TestAccAWSLBListenerRule_priority (377.75s) --- PASS: TestAccAWSLBListenerRule_redirect (248.43s) --- PASS: TestAccAWSLBListenerRule_updateFixedResponse (189.01s) --- PASS: TestAccAWSLBListenerRule_updateRulePriority (206.44s) ``` Update CHANGELOG for #14309 resource/aws_cognito_user_pool: Remove deprecated admin_create_user_config.unused_account_validity_days argument (#14294) Reference: https://github.com/terraform-providers/terraform-provider-aws/pull/10890 Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13398 Output from acceptance testing: ``` --- PASS: TestAccAWSCognitoUserPool_basic (16.93s) --- PASS: TestAccAWSCognitoUserPool_MfaConfiguration_SmsConfiguration (47.75s) --- PASS: TestAccAWSCognitoUserPool_MfaConfiguration_SmsConfigurationAndSoftwareTokenMfaConfiguration (50.45s) --- PASS: TestAccAWSCognitoUserPool_MfaConfiguration_SmsConfigurationToSoftwareTokenMfaConfiguration (46.37s) --- PASS: TestAccAWSCognitoUserPool_MfaConfiguration_SoftwareTokenMfaConfiguration (41.83s) --- PASS: TestAccAWSCognitoUserPool_MfaConfiguration_SoftwareTokenMfaConfigurationToSmsConfiguration (35.22s) --- PASS: TestAccAWSCognitoUserPool_SmsAuthenticationMessage (36.72s) --- PASS: TestAccAWSCognitoUserPool_SmsConfiguration (45.69s) --- PASS: TestAccAWSCognitoUserPool_SmsConfiguration_ExternalId (43.87s) --- PASS: TestAccAWSCognitoUserPool_SmsConfiguration_SnsCallerArn (41.27s) --- PASS: TestAccAWSCognitoUserPool_SmsVerificationMessage (21.39s) --- PASS: TestAccAWSCognitoUserPool_update (38.77s) --- PASS: TestAccAWSCognitoUserPool_withAdminCreateUserConfiguration (26.14s) --- PASS: TestAccAWSCognitoUserPool_withAdminCreateUserConfigurationAndPasswordPolicy (13.70s) --- PASS: TestAccAWSCognitoUserPool_withAdvancedSecurityMode (32.33s) --- PASS: TestAccAWSCognitoUserPool_withAliasAttributes (23.59s) --- PASS: TestAccAWSCognitoUserPool_withDeviceConfiguration (21.89s) --- PASS: TestAccAWSCognitoUserPool_withEmailVerificationMessage (21.15s) --- PASS: TestAccAWSCognitoUserPool_withLambdaConfig (46.71s) --- PASS: TestAccAWSCognitoUserPool_withPasswordPolicy (36.75s) --- PASS: TestAccAWSCognitoUserPool_withSchemaAttributes (22.83s) --- PASS: TestAccAWSCognitoUserPool_withTags (33.77s) --- PASS: TestAccAWSCognitoUserPool_withUsernameConfiguration (28.12s) --- PASS: TestAccAWSCognitoUserPool_withVerificationMessageTemplate (21.48s) ``` Update CHANGELOG for #14294 tests/provider: Ensure awsproviderlint source is dependency and lint checked (#14131) * tests/provider: Ensure awsproviderlint source is dependency and lint checked Reference: https://github.com/terraform-providers/terraform-provider-aws/pull/14129 * provider: Add awsproviderlint to make fmt target provider: Initial snapshot build workflow (#14140) Using GitHub Actions artifacts, sets up daily snapshot builds of master and allows other snapshot builds. resource/aws_iam_access_key: Remove deprecated ses_smtp_password attribute (#14299) Reference: https://github.com/terraform-providers/terraform-provider-aws/pull/11144 Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13398 Output from acceptance testing: ``` --- PASS: TestAccAWSAccessKey_basic (5.87s) --- PASS: TestAccAWSAccessKey_encrypted (5.97s) --- PASS: TestAccAWSAccessKey_inactive (9.72s) ``` Update CHANGELOG for #14299 provider: Remove deprecated kinesis_analytics and r53 custom endpoint arguments (#14238) Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13398 Output from acceptance testing: ``` --- PASS: TestAccAWSProvider_Region_AwsCommercial (3.64s) --- PASS: TestAccAWSProvider_Region_AwsChina (3.64s) --- PASS: TestAccAWSProvider_Region_AwsGovCloudUs (3.65s) --- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_Multiple (4.00s) --- PASS: TestAccAWSProvider_IgnoreTags_Keys_None (4.00s) --- PASS: TestAccAWSProvider_IgnoreTags_Keys_Multiple (4.01s) --- PASS: TestAccAWSProvider_IgnoreTags_Keys_One (4.01s) --- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_None (4.01s) --- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_One (4.02s) --- PASS: TestAccAWSProvider_IgnoreTags_EmptyConfigurationBlock (4.01s) --- PASS: TestAccAWSProvider_Endpoints (4.08s) --- PASS: TestAccAWSProvider_AssumeRole_Empty (7.80s) ``` Update CHANGELOG for #14238 resource/aws_glue_job: Remove deprecated allocated_capacity argument (#14296) Reference: https://github.com/terraform-providers/terraform-provider-aws/pull/7340 Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13398 Output from acceptance testing: ``` --- PASS: TestAccAWSGlueJob_basic (14.45s) --- PASS: TestAccAWSGlueJob_Description (21.70s) --- PASS: TestAccAWSGlueJob_GlueVersion (21.74s) --- PASS: TestAccAWSGlueJob_MaxRetries (21.92s) --- PASS: TestAccAWSGlueJob_Command (21.95s) --- PASS: TestAccAWSGlueJob_DefaultArguments (22.08s) --- PASS: TestAccAWSGlueJob_NotificationProperty (22.10s) --- PASS: TestAccAWSGlueJob_Timeout (22.13s) --- PASS: TestAccAWSGlueJob_ExecutionProperty (22.43s) --- PASS: TestAccAWSGlueJob_MaxCapacity (22.43s) --- PASS: TestAccAWSGlueJob_SecurityConfiguration (22.48s) --- PASS: TestAccAWSGlueJob_WorkerType (29.22s) --- PASS: TestAccAWSGlueJob_Tags (29.29s) --- PASS: TestAccAWSGlueJob_PythonShell (30.12s) ``` Update CHANGELOG for #14296 resource/aws_iam_instance_profile: Remove deprecated roles argument (#14303) Reference: https://github.com/hashicorp/terraform/pull/13130 Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13398 Output from acceptance testing: ``` --- PASS: TestAccAWSIAMInstanceProfile_withoutRole (6.44s) --- PASS: TestAccAWSIAMInstanceProfile_basic (6.92s) --- PASS: TestAccAWSIAMInstanceProfile_namePrefix (6.94s) --- PASS: TestAccAWSAutoScalingGroup_LaunchTemplate_IAMInstanceProfile (53.25s) --- PASS: TestAccAWSAppautoScalingTarget_emrCluster (790.81s) --- PASS: TestAccAWSBeanstalkEnv_tier (518.46s) --- PASS: TestAccAWSIAMRole_testNameChange (12.80s) --- PASS: TestAccAWSInstance_instanceProfileChange (204.32s) --- PASS: TestAccAWSInstance_withIamInstanceProfile (115.26s) --- PASS: TestAccAWSLaunchConfiguration_withIAMProfile (21.61s) ``` Update CHANGELOG for #14303 Remove hardcoded AMIs and AZs resource/aws_sns_topic_subscription: Use paginated ListSubscriptionsByTopic and return immediately on errors (#14262) * tests/resource/aws_sns_topic_subscription: Fix recurring and unrelated test configuration error Previously: ``` --- FAIL: TestAccAWSSNSTopicSubscription_autoConfirmingSecuredEndpoint (63.28s) testing.go:684: Step 0 error: After applying this step, the plan was not empty: DIFF: UPDATE: aws_api_gateway_authorizer.test ... authorizer_result_ttl_in_seconds: "300" => "0" ``` Output from acceptance testing: ``` --- PASS: TestAccAWSSNSTopicSubscription_autoConfirmingSecuredEndpoint (91.18s) ``` * resource/aws_sns_topic_subscription: Use paginated ListSubscriptionsByTopic and return immediately on errors Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13409 Output from acceptance testing: ``` --- PASS: TestAccAWSSNSTopicSubscription_basic (13.47s) --- PASS: TestAccAWSSNSTopicSubscription_rawMessageDelivery (27.13s) --- PASS: TestAccAWSSNSTopicSubscription_filterPolicy (28.12s) --- PASS: TestAccAWSSNSTopicSubscription_deliveryPolicy (28.38s) --- PASS: TestAccAWSSNSTopicSubscription_autoConfirmingEndpoint (48.31s) --- PASS: TestAccAWSSNSTopicSubscription_autoConfirmingSecuredEndpoint (91.18s) ``` Update CHANGELOG for #14262 service/directconnect: vpn_gateway_id Argument Removals and Increase aws_dx_gateway_association Default Timeouts (#14144) * resource/aws_dx_gateway_association: Increase default create/update/delete timeouts to 30 minutes Previously, we were seeing consistent failures across many of acceptance tests: ``` TestAccAwsDxGatewayAssociation_allowedPrefixesVpnGatewaySingleAccount: testing.go:684: Step 1 error: errors during apply: Error: error waiting for Direct Connect gateway association (ga-a59d30b3-e6de-435e-bb17-cd7ed23f400evgw-06bccd6488d2b8d87) to become available: timeout while waiting for state to become 'associated' (last state: 'updating', timeout: 10m0s) TestAccAwsDxGatewayAssociation_allowedPrefixesVpnGatewayCrossAccount: testing.go:684: Step 1 error: errors during apply: Error: error waiting for Direct Connect gateway association (ga-a8b1b976-c0a1-4b64-8560-9d9cc45d11a3vgw-0a2e52679acf9c250) to become available: timeout while waiting for state to become 'associated' (last state: 'updating', timeout: 10m0s) --- FAIL: TestAccAwsDxGatewayAssociation_basicTransitGatewaySingleAccount (989.81s) testing.go:684: Step 0 error: errors during apply: Error: error waiting for Direct Connect gateway association (ga-48d0e3d3-e131-443d-9693-e64eff519baatgw-0a2a0ea77f65ed202) to become available: timeout while waiting for state to become 'associated' (last state: 'associating', timeout: 15m0s) --- FAIL: TestAccAwsDxGatewayAssociation_basicTransitGatewayCrossAccount (991.80s) testing.go:684: Step 0 error: errors during apply: Error: error waiting for Direct Connect gateway association (ga-9f9c1ed2-97b6-41c5-8018-0724f6162b59tgw-06f7ce56df96282d7) to become available: timeout while waiting for state to become 'associated' (last state: 'associating', timeout: 15m0s) --- FAIL: TestAccAwsDxGatewayAssociation_basicVpnGatewaySingleAccount (1816.92s) testing.go:684: Step 0 error: errors during apply: Error: error waiting for Direct Connect gateway association (ga-76c9d0f4-b0aa-4b1b-96d9-10ce8c3ca025vgw-0c47a2c63baf7d4d8) to become available: timeout while waiting for state to become 'associated' (last state: 'associating', timeout: 15m0s) testing.go:745: Error destroying resource! WARNING: Dangling resources may exist. The full state and error is shown below. Error: errors during apply: error waiting for Direct Connect gateway association (ga-76c9d0f4-b0aa-4b1b-96d9-10ce8c3ca025vgw-0c47a2c63baf7d4d8) to be deleted: timeout while waiting for state to become 'disassociated, deleted' (last state: 'disassociating', timeout: 15m0s) --- FAIL: TestAccAwsDxGatewayAssociation_allowedPrefixesVpnGatewaySingleAccount (1816.89s) testing.go:684: Step 0 error: errors during apply: Error: error waiting for Direct Connect gateway association (ga-12a5c1e8-322e-4bc1-8a5a-f4b778a00db3vgw-09c811d121256131b) to become available: timeout while waiting for state to become 'associated' (last state: 'associating', timeout: 15m0s) testing.go:745: Error destroying resource! WARNING: Dangling resources may exist. The full state and error is shown below. Error: errors during apply: error waiting for Direct Connect gateway association (ga-12a5c1e8-322e-4bc1-8a5a-f4b778a00db3vgw-09c811d121256131b) to be deleted: timeout while waiting for state to become 'disassociated, deleted' (last state: 'disassociating', timeout: 15m0s) --- FAIL: TestAccAwsDxGatewayAssociation_allowedPrefixesVpnGatewayCrossAccount (1819.25s) testing.go:684: Step 0 error: errors during apply: Error: error waiting for Direct Connect gateway association (ga-ccf678f2-5d51-441e-86c5-308c731f26abvgw-063e75f539bc3719c) to become available: timeout while waiting for state to become 'associated' (last state: 'associating', timeout: 15m0s) testing.go:745: Error destroying resource! WARNING: Dangling resources may exist. The full state and error is shown below. Error: errors during apply: error waiting for Direct Connect gateway association (ga-ccf678f2-5d51-441e-86c5-308c731f26abvgw-063e75f539bc3719c) to be deleted: timeout while waiting for state to become 'disassociated, deleted' (last state: 'disassociating', timeout: 15m0s) --- FAIL: TestAccAwsDxGatewayAssociation_multiVpnGatewaysSingleAccount (2487.01s) testing.go:684: Step 0 error: errors during apply: Error: error waiting for Direct Connect gateway association (ga-5d93ccd0-8344-4ee6-95f8-58af27e01301vgw-054e2b0e7ecf45c8d) to become available: timeout while waiting for state to become 'associated' (last state: 'associating', timeout: 15m0s) Error: error waiting for Direct Connect gateway association (ga-5d93ccd0-8344-4ee6-95f8-58af27e01301vgw-057b39dbec7338ec1) to become available: timeout while waiting for state to become 'associated' (last state: 'associating', timeout: 15m0s) testing.go:745: Error destroying resource! WARNING: Dangling resources may exist. The full state and error is shown below. Error: errors during apply: error waiting for Direct Connect gateway association (ga-5d93ccd0-8344-4ee6-95f8-58af27e01301vgw-057b39dbec7338ec1) to be deleted: timeout while waiting for state to become 'disassociated, deleted' (last state: 'disassociating', timeout: 15m0s) --- FAIL: TestAccAwsDxGatewayAssociation_basicVpnGatewayCrossAccount (2529.42s) testing.go:684: Step 0 error: errors during apply: Error: error waiting for Direct Connect gateway association (ga-ad8143a9-657e-4ed2-9ebb-a78dd2bee2c1vgw-0d552249edec48941) to become available: timeout while waiting for state to become 'associated' (last state: 'associating', timeout: 15m0s) testing.go:745: Error destroying resource! WARNING: Dangling resources may exist. The full state and error is shown below. Error: errors during apply: Error waiting for VPN Gateway "vgw-0d552249edec48941" to detach from VPC "vpc-0cbba5ddf6a4ec7ba": timeout while waiting for state to become 'detached' (last state: 'detaching', timeout: 15m0s) --- FAIL: TestAccAwsDxGatewayAssociation_deprecatedSingleAccount (2551.41s) testing.go:684: Step 0 error: errors during apply: Error: error waiting for Direct Connect gateway association (ga-c1c37095-ab8d-4dcd-9f97-b369face1ad4vgw-0576f5ab3096ace51) to become available: timeout while waiting for state to become 'associated' (last state: 'associating', timeout: 15m0s) ``` * service/directconnect: Remove vpn_gateway_id arguments Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13398 Changes: ``` * resource/aws_dx_gateway_association: Remove `vpn_gateway_id` argument * resource/aws_dx_gateway_association_proposal: Remove `vpn_gateway_id` argument ``` Output from acceptance testing: ``` --- PASS: TestAccAwsDxGatewayAssociation_basicTransitGatewaySingleAccount (2063.56s) --- PASS: TestAccAwsDxGatewayAssociation_basicTransitGatewayCrossAccount (2556.75s) --- PASS: TestAccAwsDxGatewayAssociation_multiVpnGatewaysSingleAccount (2668.06s) --- PASS: TestAccAwsDxGatewayAssociation_basicVpnGatewaySingleAccount (2674.09s) --- PASS: TestAccAwsDxGatewayAssociation_basicVpnGatewayCrossAccount (2677.20s) --- PASS: TestAccAwsDxGatewayAssociation_allowedPrefixesVpnGatewaySingleAccount (3612.36s) --- PASS: TestAccAwsDxGatewayAssociation_allowedPrefixesVpnGatewayCrossAccount (3856.32s) --- PASS: TestAccAwsDxGatewayAssociationProposal_basicVpnGateway (88.64s) --- PASS: TestAccAwsDxGatewayAssociationProposal_disappears (96.50s) --- PASS: TestAccAwsDxGatewayAssociationProposal_AllowedPrefixes (121.18s) --- PASS: TestAccAwsDxGatewayAssociationProposal_basicTransitGateway (182.42s) ``` * tests/resource/aws_dx_gateway_association: Ensure v0 state upgrade is still covered by acceptance testing Output from acceptance testing: ``` --- PASS: TestAccAwsDxGatewayAssociation_V0StateUpgrade (2605.48s) ``` Update CHANGELOG for #14144 docs/resource/aws_security_group: Update `cidr_blocks` value to list (#14329) add support for zero ttl add validation for `authorizer_uri`, `authorizer_credentials` changes for %w remove deprecated func use set len func revert validation for `authorizer_uri` refactor tests refactor tests Update CHANGELOG for #12643 resource/aws_appautoscaling_target: Remove DeregisterScalableTarget retries on all errors and add disappears test (#14259) Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13409 Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13826 Output from acceptance testing: ``` --- PASS: TestAccAWSAppautoScalingTarget_multipleTargets (20.68s) --- PASS: TestAccAWSAppautoScalingTarget_optionalRoleArn (25.17s) --- PASS: TestAccAWSAppautoScalingTarget_basic (43.13s) --- PASS: TestAccAWSAppautoScalingTarget_spotFleetRequest (57.42s) --- PASS: TestAccAWSAppautoScalingTarget_disappears (71.79s) --- PASS: TestAccAWSAppautoScalingTarget_emrCluster (840.33s) --- PASS: TestAccAWSAppautoScalingPolicy_multiplePoliciesSameName (24.97s) --- PASS: TestAccAWSAppautoScalingPolicy_dynamodb_table (26.58s) --- PASS: TestAccAWSAppautoScalingPolicy_multiplePoliciesSameResource (28.13s) --- PASS: TestAccAWSAppautoScalingPolicy_dynamodb_index (37.07s) --- PASS: TestAccAWSAppautoScalingPolicy_spotFleetRequest (71.64s) --- PASS: TestAccAWSAppautoScalingPolicy_disappears (75.45s) --- PASS: TestAccAWSAppautoScalingPolicy_basic (77.30s) --- PASS: TestAccAWSAppautoScalingPolicy_scaleOutAndIn (79.17s) --- PASS: TestAccAWSAppautoScalingPolicy_ResourceId_ForceNew (83.72s) ``` Update CHANGELOG for #14259 update statefuncs to use global method update statefuncs to use global method Update provider's S3 bucket lookup to use GetBucketRegion utility (#14221) * Update provider's S3 bucket lookup to use GetBucketRegion utility Replaces the usage of S3's GetBucketLocation with the aws-sdk-go's GetBucketRegion utility. This utility can discover the bucket's region without authentication, and can be configured to be compatible with FIPS endpoints. Fixes https://github.com/terraform-providers/terraform-provider-aws/issues/14217 Related to https://github.com/aws/aws-sdk-go/issues/3115 * Add AWS SDK for Go s3manager dependency Adds a dependency on the AWS SDK for Go's `s3manager`, and `s3iface` packages. These packages make the s3manager packages's GetBucketRegion utility available for discovering a S3 bucket's locations. These packages are used by PR #14221. Update CHANGELOG for #14221 and other minor formatting fixes refactor trimTrailingPeriod method
This has been released in version 3.0.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
Community Note
Terraform Version
Affected Resource(s)
Terraform Configuration Files
Expected Behavior
domain_validation_options
output should contain the same results, in the same order, each time it is refreshed.Actual Behavior
The
subject_alternative_names
re-order on each apply, presenting a diff that would recreate the certificate:The
domain_validation_options
appear to come back in a random order each time:Steps to Reproduce
example.com
to a domain that you own/control)terraform apply
and enteryes
when promptedterraform apply
again to note the different order for thesubject_alternative_names
terraform refresh
a couple of times to see the different orders for thedomain_validation_options
Important Factoids
The diff on the
subject_alternative_names
is easy to workaround - simply use:They can't ever change out-of-band anyway, so there's no need to monitor this field for changes.
However, the issue with the
domain_validation_options
is a little harder to work around. I'm using it as input to multipleaws_route53_record
resources, and when the order changes, I'm getting perpetual diffs as Terraform is wanting to replace each of the records with the new order.Of note - this didn't used to happen. I haven't run this particular workflow for ~6 months so it's possible something has changed in this provider in the meantime (there are a few potentially related entries in the changelog here and here and maybe also here), but I've also only just started seeing these diffs in the last week so I'm wondering if it's possible something has changed in the the relevant AWS API.
References
Might be related to another SAN issue I just lodged: #8530
The text was updated successfully, but these errors were encountered: