hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Route53 Alias Record for S3 VPC Interface Endpoint #21845

Open hungran opened 2 years ago

hungran commented 2 years ago

Community Note

- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
- Please do not leave "+1" or other comments that do not add relevant new information or questions; they generate extra noise for issue followers and do not help prioritize the request.
- If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Description

Every time you re-apply the script manually, you will see the alias record for the VPC S3 Interface Endpoint change:

```text
    ~ resource "aws_route53_record" "r53_alias_vpc_endpoint" {
      id      = "Zxxx_s3.<region>.amazonaws.com_A"
      name    = "s3.<region>.amazonaws.com"
      # (5 unchanged attributes hidden)

    + alias {
        + evaluate_target_health = true
        + name                   = "*.xxx.s3.<region>.vpce.amazonaws.com"
        + zone_id                = "xxx"
      }
    - alias {
        - evaluate_target_health = true -> null
        - name                   = "\\052.xxx.s3.<region>.vpce.amazonaws.com" -> null
        - zone_id                = "xxx" -> null
      }
    }
```

New or Affected Resource(s)

aws_route53_record

Potential Terraform Configuration

```hcl
resource "aws_route53_record" "r53_alias_vpc_endpoint" {
  zone_id = aws_route53_zone.phz_vpc_endpoints.zone_id
  name    = format("%s.%s.amazonaws.com", contains(split("", var.vpc_endpoint_service_name), ".") ? join(".", [split(".", var.vpc_endpoint_service_name)[1], split(".", var.vpc_endpoint_service_name)[0]]) : var.vpc_endpoint_service_name, data.aws_region.current.name)
  type    = "A"
  alias {
    name                   = aws_vpc_endpoint.vpce.dns_entry[0].dns_name
    zone_id                = aws_vpc_endpoint.vpce.dns_entry[0].hosted_zone_id
    evaluate_target_health = true
  }
}
```

References


justinretzolk commented 2 years ago

Hey @hungran 👋 Thank you for taking the time to file this issue. It looks like this may be a bug report rather than a feature request. So that we have all of the information necessary in order to prioritize and investigate this, can you update the issue description with the information requested in the bug template, including the full (relevant) Terraform configuration? It looks like there's an aws_vpc_endpoint resource that's at play here that may be relevant to know about.

psipider commented 2 years ago

Just a quick comment to say we're seeing the exact same behaviour and were wondering if there's any news yet, or if we can create a workaround?

Thanks.

amenocal commented 2 years ago

@hungran @justinretzolk we are experiencing the same issue:

Terraform Code:

```hcl
resource "aws_vpc_endpoint" "this" {
  for_each = {
    for name, endpoint in var.vpc_endpoints : name => endpoint
    if endpoint == "enable"
  }
  vpc_id = module.vpc.vpc_id
  # The third entry was written as module.intra_subnets[5], which references no
  # module in this configuration; assumed to be a typo for module.vpc.intra_subnets[5].
  subnet_ids        = [module.vpc.intra_subnets[3], module.vpc.intra_subnets[4], module.vpc.intra_subnets[5]]
  service_name      = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type = "Interface"

  security_group_ids = [aws_security_group.vpc_endpoints.id]

  private_dns_enabled = false
}

resource "aws_route53_record" "this" {
  for_each = {
    for name, endpoint in var.vpc_endpoints : name => endpoint
    if endpoint == "enable"
  }
  zone_id = aws_route53_zone.this[each.key].zone_id
  name    = "${each.key}.${var.region}.amazonaws.com"
  type    = "A"

  alias {
    name                   = aws_vpc_endpoint.this[each.key].dns_entry[0].dns_name
    zone_id                = aws_vpc_endpoint.this[each.key].dns_entry[0].hosted_zone_id
    evaluate_target_health = true
  }
}
```

Terraform Plan:

```text
Terraform detected the following changes made outside of Terraform since the last "terraform apply":

  # aws_route53_record.this["s3"] has been changed
  ~ resource "aws_route53_record" "this" {
        id      = "XXXXX_s3.us-east-1.amazonaws.com_A"
        name    = "s3.us-east-1.amazonaws.com"
        # (5 unchanged attributes hidden)

      - alias {
          - evaluate_target_health = true -> null
          - name                   = "*.vpce-XXXXX-XXXXX.s3.us-east-1.vpce.amazonaws.com" -> null
          - zone_id                = "XXXXX" -> null
        }
      + alias {
          + evaluate_target_health = true
          + name                   = "\\052.vpce-XXXXX-XXXXX.s3.us-east-1.vpce.amazonaws.com"
          + zone_id                = "XXXXX"
        }
    }

Terraform will perform the following actions:

  # aws_route53_record.this["s3"] will be updated in-place
  ~ resource "aws_route53_record" "this" {
        id      = "XXXXX_s3.us-east-1.amazonaws.com_A"
        name    = "s3.us-east-1.amazonaws.com"
        # (5 unchanged attributes hidden)

      + alias {
          + evaluate_target_health = true
          + name                   = "*.vpce-XXXXX-XXXXX.s3.us-east-1.vpce.amazonaws.com"
          + zone_id                = "XXXXX"
        }
      - alias {
          - evaluate_target_health = true -> null
          - name                   = "\\052.vpce-XXXXX-XXXXX.s3.us-east-1.vpce.amazonaws.com" -> null
          - zone_id                = "XXXXX" -> null
        }
    }
```

What we see on the AWS Console after apply: [screenshot]
amenocal commented 2 years ago

So this could be an underlying problem with the SDK and how the AWS console returns the value.

I checked CloudTrail and it seems that the correct value is being sent:

```json
"changes": [
    {
        "action": "CREATE",
        "resourceRecordSet": {
            "name": "s3.us-east-1.amazonaws.com",
            "type": "A",
            "aliasTarget": {
                "hostedZoneId": "Z7HUB22UULQXV",
                "dNSName": "*.vpce-XXXXX-XXXXX.s3.us-east-1.vpce.amazonaws.com",
                "evaluateTargetHealth": true
            }
        }
    }
]
```

Tested the S3 record and it worked fine.

However, the AWS CLI, when listing the record sets, does return `\\052` as the DNSName 😵
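The perpetual diff in this thread comes from Route 53 returning the wildcard label `*` in its escaped octal form `\052`, while the configuration holds the plain `*`. Below is an added illustration (not provider code, and not the fix from the linked PR) of the canonicalisation a provider or a drift-detection script needs before comparing the configured alias name with the one read back from the API; the endpoint id in the sample values is a constructed placeholder.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// isOctal reports whether c is one of '0'..'7'.
func isOctal(c byte) bool { return c >= '0' && c <= '7' }

// decodeRoute53Name turns the escaped form Route 53 returns (non-alphanumeric
// bytes as \DDD octal escapes, so "*" arrives as "\052") back into the plain
// name, lower-cased and without a trailing dot. A backslash that is not
// followed by three octal digits is kept literally rather than guessed at.
func decodeRoute53Name(name string) string {
	var b strings.Builder
	for i := 0; i < len(name); i++ {
		c := name[i]
		if c == '\\' && i+3 < len(name) &&
			isOctal(name[i+1]) && isOctal(name[i+2]) && isOctal(name[i+3]) {
			v, err := strconv.ParseUint(name[i+1:i+4], 8, 8)
			if err == nil {
				b.WriteByte(byte(v))
				i += 3
				continue
			}
		}
		b.WriteByte(c)
	}
	return strings.TrimSuffix(strings.ToLower(b.String()), ".")
}

// sameRoute53Name is the comparison that avoids the spurious plan: both sides
// are decoded and canonicalised before being tested for equality.
func sameRoute53Name(configured, fromAPI string) bool {
	return decodeRoute53Name(configured) == decodeRoute53Name(fromAPI)
}

func main() {
	// Constructed sample values; "vpce-0abc" is a placeholder endpoint id.
	configured := "*.vpce-0abc.s3.us-east-1.vpce.amazonaws.com"
	fromAPI := `\052.vpce-0abc.s3.us-east-1.vpce.amazonaws.com.`
	fmt.Println("raw strings equal:     ", configured == fromAPI)              // false: spurious diff
	fmt.Println("canonical forms equal: ", sameRoute53Name(configured, fromAPI)) // true
}
```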

mliac7 commented 1 year ago

I am running into this issue as well. Has anyone been able to find a solution?

justinretzolk commented 1 year ago

Related: #10843

brankodjurkic commented 7 months ago

Would be nice to have this implemented 👍

nsergeev-nomihealth commented 5 months ago

Have the same issue on every terraform plan.

skeggse commented 1 month ago

FYI I think I fixed this in https://github.com/hashicorp/terraform-provider-aws/pull/36699; can anyone repro from v5.44.0 on?