hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Terraform tries to replace default value of logging parameter by 'null' for 2nd terraform apply after resource creation in aws_ecs_cluster #23885

Open MayuriD89 opened 2 years ago

MayuriD89 commented 2 years ago

Terraform AWS Provider Version

 Terraform v0.12.31
 AWS Provider v3.70.0

Affected Resource(s)

aws_ecs_cluster

Terraform Configuration Files

Please refer to the following code; I have used this type of configuration:
resource "aws_ecs_cluster" "test" {
  name = "example"

  configuration {
    execute_command_configuration {
      kms_key_id = aws_kms_key.example.arn
    }
  }

  default_capacity_provider_strategy = [
    {
      capacity_provider = "FARGATE"
      weight            = 30
      base              = 20
    },
    {
      capacity_provider = "FARGATE_SPOT"
      weight            = 90
      base              = 0
    }
  ]

  setting = [
    {
      name  = "containerInsights"
      value = "enabled"
    }
  ]
}

Expected Behavior

Terraform should not show any kind of change or update after cluster creation.

Actual Behavior

After the resource creation, i.e. after creation of the ECS cluster, when we execute the 2nd terraform apply command, there is an update in the configuration. Terraform updates the logging attribute of the ECS cluster. aws_ecs_cluster contains a logging parameter in the configuration block, which is the log setting to use for redirecting logs. This logging parameter has three valid values - NONE, DEFAULT, and OVERRIDE - of which DEFAULT is the default value; when no value is specified for logging, the default value gets applied. When we execute the 2nd terraform apply after resource creation, terraform tries to replace the value applied for logging with a 'null' value.

Steps to Reproduce

1. terraform apply

Groggy commented 2 years ago

Same thing with:

resource "aws_ecs_cluster" "this" {
  name = var.name
  tags = merge({ Name = "${var.name}-ecs-cluster" }, var.tags)
}

Every terraform apply detects changes:

  # module.cluster.aws_ecs_cluster.this will be updated in-place
  ~ resource "aws_ecs_cluster" "this" {
        id                 = "..."
        name               = "..."
        tags               = {
            "Name" = "..."
        }
        # (3 unchanged attributes hidden)

      - configuration {
          - execute_command_configuration {
              - logging = "OVERRIDE" -> null

              - log_configuration {
                  - cloud_watch_encryption_enabled = false -> null
                  - cloud_watch_log_group_name     = "test/ecs_logs" -> null
                  - s3_bucket_encryption_enabled   = false -> null
                }
            }
        }

        # (1 unchanged block hidden)
    }

Versions used:

Terraform v1.2.4
+ provider registry.terraform.io/hashicorp/aws v4.22.0

dannyibishev commented 1 year ago

I'm getting the same result as @Groggy.

Basically, I tried the KMS settings for the ecs executor then disabled as I decided I no longer wanted them. Then any subsequent plan always shows that null change.

The only way around this error is to recreate the cluster which isn't ideal for production workloads.

Here's a snippet:

  ~ resource "aws_ecs_cluster" "this" {
        id                 = "arn:aws:ecs:eu-west-1:9999999999:cluster/diagnostics"
        name               = "diagnostics"
        tags               = {}
        # (3 unchanged attributes hidden)

      - configuration {
          - execute_command_configuration {
              - kms_key_id = "arn:aws:kms:eu-west-1:9999999999:key/57008a68-d6c6-4591-b343-5d9affd03a76" -> null
              - logging    = "OVERRIDE" -> null

              - log_configuration {
                  - cloud_watch_encryption_enabled = true -> null
                  - cloud_watch_log_group_name     = "/ecs/container-execute/audit/diagnostics" -> null
                  - s3_bucket_encryption_enabled   = false -> null
                }
            }
        }

        # (1 unchanged block hidden)
    }
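The plans posted by Groggy and dannyibishev above would not just produce noise: applying them removes the KMS key and the CloudWatch log destination for ECS Exec sessions, so the audit trail of anyone running `execute-command` against the cluster disappears. The script below is an added example (it is not part of this issue or of the provider's code) that reads the JSON form of a plan, as produced by `terraform show -json tfplan`, and reports any `aws_ecs_cluster` whose `execute_command_configuration` goes from a concrete value to null in an in-place update. The embedded plan document is constructed to mirror the diff shown above; the account id and KMS key id in it are placeholders, while the field names (`resource_changes`, `change.actions`, `change.before`, `change.after`) follow the real plan JSON format.

```python
"""Flag Terraform plans that would silently drop ECS Exec audit logging.

Added example, not code from the issue or the AWS provider. Input is the
output of `terraform show -json tfplan`; nested blocks appear there as lists
of objects, and a removed block appears as an empty list or a missing key.
"""
import json
import sys

# Constructed plan JSON modelled on the "-> null" diff reported in the issue.
# Account id and key id are placeholders, not real values.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "module.cluster.aws_ecs_cluster.this",
            "type": "aws_ecs_cluster",
            "change": {
                "actions": ["update"],
                "before": {
                    "name": "diagnostics",
                    "configuration": [{
                        "execute_command_configuration": [{
                            "kms_key_id": "arn:aws:kms:eu-west-1:111122223333:key/PLACEHOLDER-KEY-ID",
                            "logging": "OVERRIDE",
                            "log_configuration": [{
                                "cloud_watch_encryption_enabled": True,
                                "cloud_watch_log_group_name": "/ecs/container-execute/audit/diagnostics",
                                "s3_bucket_encryption_enabled": False,
                            }],
                        }],
                    }],
                },
                # Provider reads the block back as absent: the whole block is dropped.
                "after": {"name": "diagnostics", "configuration": []},
            },
        },
        {
            # A cluster that never had exec logging: nothing to lose, must not be flagged.
            "address": "aws_ecs_cluster.plain",
            "type": "aws_ecs_cluster",
            "change": {
                "actions": ["update"],
                "before": {"name": "plain", "configuration": []},
                "after": {"name": "plain", "configuration": []},
            },
        },
    ],
})

# Settings whose loss weakens the audit trail of ECS Exec sessions.
WATCHED = ("kms_key_id", "logging", "log_configuration")


def _exec_config(state):
    """Return the execute_command_configuration object of a cluster state, or None."""
    if not state:
        return None
    configuration = state.get("configuration") or []
    if not configuration:
        return None
    exec_cfg = configuration[0].get("execute_command_configuration") or []
    return exec_cfg[0] if exec_cfg else None


def find_exec_logging_regressions(plan_json: str):
    """List every aws_ecs_cluster update that nulls out a WATCHED exec-logging setting."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_ecs_cluster":
            continue
        change = rc.get("change", {})
        if "update" not in change.get("actions", []):
            continue  # creates and deletes are intentional; the issue is about in-place updates
        before = _exec_config(change.get("before"))
        after = _exec_config(change.get("after")) or {}
        if before is None:
            continue
        lost = [key for key in WATCHED if before.get(key) and not after.get(key)]
        if lost:
            findings.append({
                "address": rc["address"],
                "lost": lost,
                "before_logging": before.get("logging"),
            })
    return findings


def plan_is_safe(plan_json: str) -> bool:
    """True when no cluster would lose its ECS Exec logging configuration."""
    return not find_exec_logging_regressions(plan_json)


if __name__ == "__main__":
    # Usage: terraform show -json tfplan | python check_ecs_exec_logging.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLAN_JSON
    for finding in find_exec_logging_regressions(data):
        print(f"{finding['address']}: would null out {', '.join(finding['lost'])}")
    sys.exit(0 if plan_is_safe(data) else 1)
```

Wired into CI after `terraform plan -out=tfplan`, the non-zero exit blocks the apply so the spurious diff is reviewed instead of silently removing the key and log group; the same walk over `resource_changes` generalises to any block whose disappearance should be treated as a regression rather than a no-op.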