Closed martyna-autumn closed 7 months ago
I finally resolved this error (destroy deposed) for 2 `aws_api_gateway_resource` resources. I commented out resources and ran the plan locally (after downloading tfstate from TF cloud) until the error disappeared. Then I uncommented the remaining resources in the following commit/plan/apply. I did implement the suggestions by @bflad https://github.com/hashicorp/terraform-provider-aws/issues/11344#issuecomment-765138213 but I was still getting the same error. Hopefully by implementing the suggestions we will see less of this type of issue in the future.
I believe the complete fix for this is to upgrade to Terraform 1.3 or later and:

1. not have `lifecycle.create_before_destroy` on `aws_api_gateway_deployment`
2. not have `stage_name` or `stage_description` on `aws_api_gateway_deployment` (to disable the implicit stage creation)
3. specify a stage explicitly by adding an `aws_api_gateway_stage` resource
4. set `lifecycle.replace_triggered_by` to `[aws_api_gateway_deployment.YOUR_DEPLOYMENT.id]` (an unquoted reference, not a string) in the `aws_api_gateway_stage` resource
5. set `lifecycle.replace_triggered_by` to `[aws_api_gateway_stage.YOUR_STAGE.id]` in the `aws_api_gateway_base_path_mapping` and `aws_api_gateway_method_settings` resources, and in any other resource that's "downstream" from the stage, such as `aws_wafv2_web_acl_association` if you have it
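Put together, the steps above can be sketched as follows. This is a minimal sketch, not a drop-in config: the resource names (`example`), the stage name `prod`, and the `sha1(jsonencode(...))` redeployment trigger are all hypothetical placeholders.

```hcl
resource "aws_api_gateway_deployment" "example" {
  rest_api_id = aws_api_gateway_rest_api.example.id

  # Step 2: no stage_name / stage_description here, so no implicit stage.
  # Redeployment is driven by triggers instead (hypothetical hash source).
  triggers = {
    redeployment = sha1(jsonencode(aws_api_gateway_rest_api.example.body))
  }
  # Step 1: no create_before_destroy in the lifecycle block.
}

# Step 3: an explicit stage.
resource "aws_api_gateway_stage" "example" {
  rest_api_id   = aws_api_gateway_rest_api.example.id
  deployment_id = aws_api_gateway_deployment.example.id
  stage_name    = "prod"

  # Step 4: replace the stage whenever the deployment is replaced.
  lifecycle {
    replace_triggered_by = [aws_api_gateway_deployment.example.id]
  }
}

# Step 5: downstream resources follow the stage.
resource "aws_api_gateway_method_settings" "example" {
  rest_api_id = aws_api_gateway_rest_api.example.id
  stage_name  = aws_api_gateway_stage.example.stage_name
  method_path = "*/*"

  settings {
    metrics_enabled = true
  }

  lifecycle {
    replace_triggered_by = [aws_api_gateway_stage.example.id]
  }
}
```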
Note for Chalice users: As a fix for https://github.com/aws/chalice/issues/1237, Chalice added `lifecycle.create_before_destroy` to `aws_api_gateway_deployment` in its generated TF config. I think that was a mistake. You either have to post-process the Chalice-generated TF config or modify Chalice to revert that fix. Also, the Chalice-generated TF config sets `stage_description` to a hash so as to trigger redeployment on source code changes. To satisfy step 2 above, you need to ensure that `stage_description` is absent and move its value to `triggers.redeployment` instead, which is the official mechanism for triggering redeployment in TF 1.3.
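Moving the hash from `stage_description` to `triggers.redeployment` could look roughly like this. A sketch only: the resource name and the choice of hash input are hypothetical, and in the Chalice case you would carry over whatever hash Chalice was computing.

```hcl
resource "aws_api_gateway_deployment" "rest_api" {
  rest_api_id = aws_api_gateway_rest_api.rest_api.id

  # stage_description removed. The hash now lives in triggers, so a change
  # in the hashed input forces a new deployment without an implicit stage.
  triggers = {
    redeployment = sha1(jsonencode(aws_api_gateway_rest_api.rest_api.body))
  }
}
```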
If, like me, you've come to this issue because you got a cycle error despite implementing the recommended approach from the docs (summarised here), here is how I solved it.
I was getting this cycle error when running a `terraform plan` to remove a resource from the `body` of the API Gateway REST API resource (OpenAPI definition). I spotted the cause of the cycle fairly easily: a Lambda behind a separate API Gateway (let's call it B) referenced the `invoke_url` of the current stage of the main API Gateway (let's call it A) in its environment variables. The deployment resources of both API Gateways had a `create_before_destroy` lifecycle policy, which is a must-have to ensure uptime. This caused the cycle, so I broke it apart by manually assembling the `invoke_url` from the ID of API Gateway A's REST API resource and the variable used as its stage name. Great stuff, but unfortunately I then had a new cycle to contend with, though a shorter one involving only API Gateway A's resources and mentioning some deposed resources. Essentially, the remote state still had the coupling between the two API Gateway deployments (because of the stage `invoke_url` reference), whereas locally I didn't. To solve this, I changed the lifecycle policy of the `aws_api_gateway_deployment` resource of API Gateway A in the same PR as the change that removed the resource from it:
```hcl
lifecycle {
  create_before_destroy = true
  ignore_changes = [
    triggers
  ]
}
```
What the above does is simply not trigger a deployment while still removing the resource from the API Gateway in remote state. PR merged, `terraform apply` executed, and in the next PR I simply removed the `ignore_changes` block to go back to normal :tada:
Somehow ended up with this cycle error through modification of the IAM policy document attached to our REST API policy resource.
```
Error: error waiting for API Gateway Stage (*******) to be updated: unexpected state 'NOT_AVAILABLE', wanted target 'AVAILABLE, DELETE_IN_PROGRESS'. last error: %!s(<nil>)

  with aws_api_gateway_stage.rest_api,
  on api_main.tf line 352, in resource "aws_api_gateway_stage" "rest_api":
 352: resource "aws_api_gateway_stage" "rest_api" {
```
Tried destroying, but ran into deposed API Gateway stages error. Was able to successfully destroy it by commenting out this block from my api_gateway_deployment resource:
```hcl
lifecycle {
  create_before_destroy = true
}
```
And then running a full build from scratch again.
Still dealing with this years later. I feel like my code is pretty bog standard, too.
Where the only difference is, I'm using Localstack. I don't think that's hugely important in this though.
```
code/rtb/iac
❯ tf --version
Terraform v1.5.6
on darwin_arm64
+ provider registry.terraform.io/hashicorp/archive v2.4.0
+ provider registry.terraform.io/hashicorp/aws v4.67.0
+ provider registry.terraform.io/hashicorp/null v3.2.1

Your version of Terraform is out of date! The latest version
is 1.5.7. You can update by downloading from https://www.terraform.io/downloads.html
```
Edit: I've got a hacky workaround for my issue -
```hcl
resource "aws_api_gateway_resource" "resource" {
  path_part   = ""
  parent_id   = aws_api_gateway_rest_api.api.root_resource_id
  rest_api_id = aws_api_gateway_rest_api.api.id
  depends_on  = [aws_api_gateway_rest_api.api]

  lifecycle {
    ignore_changes = [parent_id]
  }
}
```
As maintainers of the Terraform AWS Provider, we've reached a decision to close this longstanding issue. We want to assure you that this decision was made after careful consideration, and we're committed to transparency in our actions.
Over time, this issue has seen numerous attempts at resolution (#17230, #17099, #17209) and workarounds (such as this, this, this, and, of course, this), but its complexity and longevity present significant challenges. We lack clarity on how many users are still affected and the precise nature of the remaining issues. Given these uncertainties and our limited resources, it's difficult for us to effectively address the problem in its current state.
However, we value community feedback immensely. If you're still encountering issues, we encourage you to open a new, focused issue outlining the specific problems you're facing. We understand the frustration of having to restart the discussion, but the convoluted history of this particular issue necessitates a fresh approach.
While we've received reports from community members in the past year, it's unclear how these relate to the broader context of this issue's history. Moving forward, a new, well-defined problem statement will greatly increase the likelihood of prompt attention from maintainers or fellow community members.
Ultimately, our goal is to ensure that the Terraform AWS Provider remains a dependable tool for realizing your infrastructure goals. Regrettably, this prolonged issue no longer contributes to that objective. By closing it, we aim to clear the path for more effective problem-solving and a smoother experience for all users. We appreciate your understanding and continued support as we work towards a better future for our provider.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Community Note
Terraform Version
Affected Resource(s)
Terraform Configuration Files
I'm not copying all API Gateway resources' configuration as it's pretty standard but happy to share configuration of whole API Gateway if requested
Expected Behavior
As the `aws_api_gateway_deployment` resource is configured with `depends_on` on all API Gateway resources/methods/integrations/responses, it shouldn't be created before all resources in the API Gateway are provisioned, so the outcome should be (and was this way until recently): old API Gateway resources are destroyed, new ones are created, the new deployment is created, the old deployment is destroyed. We force replacement of `aws_api_gateway_deployment` so the current API Gateway state is always deployed to the main stage. This was the behaviour in Terraform 0.11.x.
Actual Behavior
Cycle Error
Removal of `create_before_destroy = true` in the lifecycle of the `aws_api_gateway_deployment` resource helps, but causes it to fail anyway with a different error. If I remove the `depends_on` section instead, I have situations where the deployment happens before all API methods are properly configured. I tried adding a separate `aws_api_gateway_stage` resource for the stage, but the problem persists.
Steps to Reproduce
1. Create an `aws_api_gateway_deployment` which depends on API Gateway resources and is recreated with every `terraform apply`
2. `terraform apply`
3. `terraform apply`
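A minimal configuration matching the reported setup might look like the sketch below. All names are hypothetical, and the `stage_description = timestamp()` trigger is only an illustrative stand-in for "something that forces replacement on every apply"; the combination of `create_before_destroy` with the broad `depends_on` is what sets up the cycle described above.

```hcl
resource "aws_api_gateway_deployment" "main" {
  rest_api_id = aws_api_gateway_rest_api.main.id
  stage_name  = "main"

  # Hypothetical trigger: a value that changes on each apply forces the
  # deployment to be replaced every time.
  stage_description = timestamp()

  # Depends on every resource/method/integration of the API.
  depends_on = [
    aws_api_gateway_resource.example,
    aws_api_gateway_method.example,
    aws_api_gateway_integration.example,
  ]

  lifecycle {
    create_before_destroy = true
  }
}
```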