hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

After manually deleting an `aws_apprunner_custom_domain_association`, recreation fails with unexpected state #20222

Closed lsorber closed 2 years ago

lsorber commented 3 years ago

Terraform CLI and Terraform AWS Provider Version

Terraform v1.0.2
+ provider registry.terraform.io/hashicorp/aws v3.50.0

Affected Resource(s)

Terraform Configuration Files

Relevant part of our App Runner service module:

# Associate a domain name with the App Runner service.
resource "aws_apprunner_custom_domain_association" "domain_association" {
  count = var.domain_name == null ? 0 : 1
  domain_name = var.domain_name
  enable_www_subdomain = false
  service_arn = aws_apprunner_service.service.arn
}

# Validate the domain name with DNS validation records.
resource "aws_route53_record" "domain_name_validation" {
  count           = var.domain_name == null ? 0 : 2
  allow_overwrite = true
  name            = element(aws_apprunner_custom_domain_association.domain_association[0].certificate_validation_records[*].name, count.index)
  records         = [element(aws_apprunner_custom_domain_association.domain_association[0].certificate_validation_records[*].value, count.index)]
  ttl             = 60
  type            = element(aws_apprunner_custom_domain_association.domain_association[0].certificate_validation_records[*].type, count.index)
  zone_id         = var.hosted_zone_id
}

# Point the domain name at the App Runner service's DNS target.
resource "aws_route53_record" "dns_target" {
  count           = var.domain_name == null ? 0 : 1
  allow_overwrite = true
  name            = var.domain_name
  records         = [aws_apprunner_custom_domain_association.domain_association[0].dns_target]
  ttl             = 3600
  type            = "CNAME"
  zone_id         = var.hosted_zone_id
}

Debug Output

│ Error: error waiting for App Runner Custom Domain Association (example.com,arn:aws:apprunner:eu-west-1:XXX:service/example-api/9c508a42c5ad45e7a19f8cb388077180) creation: unexpected state 'binding_certificate', wanted target 'pending_certificate_dns_validation'. last error: %!s(<nil>)
│ 
│   with module.app_runner_service.aws_apprunner_custom_domain_association.domain_association[0],
│   on modules/app_runner_service/main.tf line 136, in resource "aws_apprunner_custom_domain_association" "domain_association":
│  136: resource "aws_apprunner_custom_domain_association" "domain_association" {

Expected Behavior

aws_apprunner_custom_domain_association resource should be created.

Actual Behavior

aws_apprunner_custom_domain_association resource is not created because of unexpected state.

Steps to Reproduce

  1. Create an aws_apprunner_custom_domain_association with Terraform.
  2. Create the DNS records required by (1).
  3. Delete the custom domain association resource manually in AWS Console.
  4. Ask Terraform to recreate the custom domain association resource again and Terraform will produce an error.

shutupflanders commented 3 years ago

I had this last night, pulled my hair out for hours on it.

I don't think it's a Terraform bug, but more of an AWS bug - if you try to recreate the custom domain link manually in the AWS app runner console, it gives you an empty list of validation records to add.

In the end I had to change the subdomain I was using in aws_apprunner_custom_domain_association.domain_name for it to work.

nathanblair commented 2 years ago

For the record, I am getting this when creating a domain association from scratch. The domain association ends up being created on AWS App Runner, and the certificates actually do end up verified. The tf state file even shows the validation records marked as SUCCESS.

benkraus commented 2 years ago

Any workaround? Does changing the subdomain and changing it back work? I've completely destroyed everything and recreated it, and still hitting this :(

johnraz commented 2 years ago

Hi everyone, I opened a PR with a fix that seems to fix it --> #22569 - couldn't find any other way to solve the issue... As I explained on the PR's description, it seems that for some blurry reason the returned state is not always the same and the app_runner module is not able to deal with that...
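The failure mode in the reproduction steps above and in this comment is a state waiter with a single acceptable target: after a manual delete the DNS validation records already exist, so the service skips straight to `binding_certificate` and the waiter, which only accepts `pending_certificate_dns_validation`, reports "unexpected state". The Go program below is an added example written for this thread; it is not code from the AWS provider or from PR #22569. It models a strict waiter beside a tolerant one that accepts both post-creation states, while still failing on unknown or failed states so a broken association is never recorded as success. The two status strings quoted in the issue's error message are real; `creating`, `active` and `create_failed`, and the `statusSource` abstraction in place of the AWS SDK describe call, are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Status strings. The two middle values appear verbatim in the issue's error
// message; the others are assumed names for this example, not AWS API values.
const (
	statusCreating                        = "creating"
	statusPendingCertificateDNSValidation = "pending_certificate_dns_validation"
	statusBindingCertificate              = "binding_certificate"
	statusActive                          = "active"
	statusCreateFailed                    = "create_failed"
)

// statusSource stands in for the describe call a provider would make through the
// AWS SDK; each invocation returns the association's current status.
type statusSource func() (string, error)

func contains(set []string, s string) bool {
	for _, v := range set {
		if v == s {
			return true
		}
	}
	return false
}

// waitForState polls until the status is one of targets. Statuses listed in
// pending are tolerated and polled again; anything else is an "unexpected state"
// error, which is the shape of the message in the issue.
func waitForState(next statusSource, pending, targets []string, maxPolls int) (string, error) {
	for i := 0; i < maxPolls; i++ {
		status, err := next()
		if err != nil {
			return "", err
		}
		if contains(targets, status) {
			return status, nil
		}
		if !contains(pending, status) {
			return status, fmt.Errorf("unexpected state %q, wanted target %v", status, targets)
		}
	}
	return "", errors.New("timeout waiting for target state")
}

// scripted replays a constructed status sequence and keeps returning the last
// element once the sequence is exhausted, so timeouts can be exercised offline.
func scripted(seq []string) statusSource {
	i := 0
	return func() (string, error) {
		s := seq[i]
		if i < len(seq)-1 {
			i++
		}
		return s, nil
	}
}

// StrictWait models the pre-fix behaviour: only the DNS-validation state counts as done.
func StrictWait(seq []string) (string, error) {
	return waitForState(scripted(seq),
		[]string{statusCreating},
		[]string{statusPendingCertificateDNSValidation}, 10)
}

// TolerantWait accepts both states the service has been observed to return right
// after creation, but still rejects create_failed and unknown statuses.
func TolerantWait(seq []string) (string, error) {
	return waitForState(scripted(seq),
		[]string{statusCreating},
		[]string{statusPendingCertificateDNSValidation, statusBindingCertificate}, 10)
}

func main() {
	// Constructed sample: recreation after a manual delete skips DNS validation.
	recreate := []string{statusCreating, statusBindingCertificate}
	if _, err := StrictWait(recreate); err != nil {
		fmt.Println("strict waiter:", err)
	}
	if got, err := TolerantWait(recreate); err == nil {
		fmt.Println("tolerant waiter reached:", got)
	}
	if _, err := TolerantWait([]string{statusCreating, statusCreateFailed}); err != nil {
		fmt.Println("tolerant waiter still rejects:", err)
	}
}
```

The tolerant variant widens the accepted set only to states the service is known to return; it does not treat every unknown status as success, so a `create_failed` association or a timeout still surfaces as an error in `terraform apply` rather than as a resource silently written to state.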

jvisker commented 2 years ago

@johnraz this will make the terraform work, but does the custom domain work? Even when I do it manually in the console the DNS doesn't work.

johnraz commented 2 years ago

@jvisker it does result in a correct terraform state and a functioning custom domain association, yes. You might be facing another issue different from the one I’m getting because on my side the custom domain was always added (even without my fix) but terraform couldn’t validate the resource’s state and update the terraform state accordingly. Also deleting / adding the custom domain association manually always worked too.

jvisker commented 2 years ago

@johnraz I tried it again and I realized I can get it to work manually, just not with terraform on recreation. Great work.

github-actions[bot] commented 2 years ago

This functionality has been released in v3.73.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

github-actions[bot] commented 2 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.