hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

AWS Synthetics Canary ignoring VPC settings #23826

Open mpostument opened 2 years ago

mpostument commented 2 years ago

Community Note

Terraform CLI and Terraform AWS Provider Version

Terraform v1.1.6
on linux_amd64
+ provider registry.terraform.io/hashicorp/archive v2.2.0
+ provider registry.terraform.io/hashicorp/aws v4.6.0
+ provider registry.terraform.io/hashicorp/external v2.2.2
+ provider registry.terraform.io/hashicorp/local v2.2.2
+ provider registry.terraform.io/hashicorp/null v3.1.1

Affected Resource(s)

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "aws_synthetics_canary" "login" {
  name                 = "${var.env}_login"
  artifact_s3_location = "s3://${aws_s3_bucket.canary.id}/"
  execution_role_arn   = aws_iam_role.canary_lambda.arn
  handler              = "index.handler"
  zip_file             = data.archive_file.login.output_path
  runtime_version      = "syn-nodejs-puppeteer-3.4"
  start_canary         = true

  schedule {
    expression = "rate(5 minutes)"
  }

  run_config {
    timeout_in_seconds    = 300
    environment_variables = var.canary_variables
  }

  dynamic "vpc_config" {
    for_each = var.use_vpc ? [1] : []
    content {
      subnet_ids         = var.subnet_ids
      security_group_ids = var.security_groups
    }
  }

  tags = merge(
    var.common_tags
  )
}

Debug Output

Panic Output

Expected Behavior

VPC config is added to canary test

Actual Behavior

No VPC config added to canary test

Steps to Reproduce

  1. terraform apply to apply the VPC config. No errors are shown

  2. Check the canary on AWS. The VPC config is not added

  3. Running terraform apply again shows that the VPC config still needs to be added

Important Factoids

The issue was with role permissions; once the role was fixed, the VPC config was added. But I would expect Terraform to fail when it is not able to create the VPC config.

If the resource is being created, Terraform fails with an error, but when trying to add a VPC to an existing canary, no error is displayed.

References

jon-armen commented 2 years ago

Additionally, if a resource was created with a VPC initially, and that VPC configuration is later removed, the expectation is that the Canary would no longer be in a VPC. This change does not occur.

jleloup commented 1 year ago

Additionally, if a resource was created with a VPC initially, and that VPC configuration is later removed, the expectation is that the Canary would no longer be in a VPC. This change does not occur.

This also happens the other way around: adding VPC configuration to a canary that is already deployed does not lead to any update of the resource in AWS. Running terraform plan always shows the VPC configuration as a change, though terraform apply, while exiting properly, does not update it.
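The silent-success mode the thread describes (apply exits cleanly, but the canary's VPC config was never changed, in either direction) is easiest to catch with a read-back after apply. The drift check below is an added example, not code from the provider; it assumes a caller has already fetched the canary's current subnet and security-group IDs from the Synthetics API and holds them in the example's own VpcConfig type.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// VpcConfig mirrors the vpc_config block of aws_synthetics_canary (this example's own type, not the SDK's).
type VpcConfig struct {
	SubnetIds        []string
	SecurityGroupIds []string
}

// normalize sorts a copy so ordering differences between the .tf file and the API are not drift.
func normalize(ids []string) []string {
	out := append([]string(nil), ids...)
	sort.Strings(out)
	return out
}

// setDiff returns "" when want and have hold the same IDs, else a one-line report.
func setDiff(field string, want, have []string) string {
	w, h := normalize(want), normalize(have)
	if strings.Join(w, ",") == strings.Join(h, ",") {
		return ""
	}
	return fmt.Sprintf("%s: want [%s], canary has [%s]",
		field, strings.Join(w, " "), strings.Join(h, " "))
}

// VpcDrift compares the vpc_config Terraform intended to apply (nil when the block
// is absent) with what the API reports afterwards. Empty means the update landed;
// both the "added but not applied" and "removed but still attached" cases produce drift.
func VpcDrift(desired, actual *VpcConfig) []string {
	if desired == nil {
		desired = &VpcConfig{}
	}
	if actual == nil {
		actual = &VpcConfig{}
	}
	var drift []string
	if d := setDiff("subnet_ids", desired.SubnetIds, actual.SubnetIds); d != "" {
		drift = append(drift, d)
	}
	if d := setDiff("security_group_ids", desired.SecurityGroupIds, actual.SecurityGroupIds); d != "" {
		drift = append(drift, d)
	}
	return drift
}
```

Run it right after terraform apply and treat a non-empty result as a failed apply, which is the behaviour the reporter expected from Terraform itself.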