hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_route53_record shows changes made outside of terraform even though there are no changes #24467

Open Ason08 opened 2 years ago

Ason08 commented 2 years ago

Terraform CLI and Terraform AWS Provider Version

terraform - v1.1.6
aws - v3.75.1

Affected Resource(s)

Terraform Configuration Files

This is the Route 53 record configuration, which is already created and has its configuration in the state file. But after a successful terraform apply I'm still getting a message that some changes were made outside of Terraform.

resource "aws_route53_record" "example" {
  zone_id = "ZONEID" #correct zone id
  name    = "QZIRP.example.com" #record name with uppercase
  type    = "A"
  ttl     = "300"
  records = ["IP"]
}

This is the output of the changes made outside of Terraform. But I can't see anything being added (+) or removed (-).

~ resource "aws_route53_record" "example" {
     id = "ZONEID_qzirp.example.com"
     name    = "qzirp.example.com"
     #6 unchanged attributes hidden
  }

Could having the names in uppercase be a cause of this issue? Do we have any other solution for this?

Steps to Reproduce

  1. terraform init
  2. terraform plan
  3. terraform apply
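
An added example (not from this issue or from the provider's code): a check over the JSON form of a saved plan that separates case-only drift on aws_route53_record, like the QZIRP/qzirp difference reported above, from drift that changes record data and should be reviewed as a possible out-of-band DNS change. The `resource_drift` key is part of Terraform's plan JSON; the sample plan, its record values and the "cosmetic"/"review" labels are constructed, and the id layout is assumed from the ids shown on this page.

```python
import json

def normalize(name):
    # DNS names are case-insensitive; also ignore trailing root dots.
    return name.lower().rstrip(".")

def case_only(key, old, new):
    """True when old/new differ only by DNS-name case in name, fqdn or id."""
    if not (isinstance(old, str) and isinstance(new, str)):
        return False
    if key == "id":
        # Assumed layout "<zone id>_<record name>[_<type>]": zone id must match exactly.
        old_zone, _, old_rest = old.partition("_")
        new_zone, _, new_rest = new.partition("_")
        return old_zone == new_zone and normalize(old_rest) == normalize(new_rest)
    return key in ("name", "fqdn") and normalize(old) == normalize(new)

def classify_drift(plan):
    """Map each drifted aws_route53_record address to 'cosmetic' or 'review'."""
    verdicts = {}
    for entry in plan.get("resource_drift", []):
        if entry.get("type") != "aws_route53_record":
            continue
        before = entry["change"].get("before") or {}
        after = entry["change"].get("after") or {}
        changed = [k for k in set(before) | set(after) if before.get(k) != after.get(k)]
        cosmetic = all(case_only(k, before.get(k), after.get(k)) for k in changed)
        verdicts[entry["address"]] = "cosmetic" if cosmetic else "review"
    return verdicts

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{"resource_drift": [
  {"address": "aws_route53_record.example", "type": "aws_route53_record",
   "change": {"actions": ["update"],
     "before": {"id": "ZONEID_QZIRP.example.com_A", "name": "QZIRP.example.com",
                "records": ["192.0.2.10"], "ttl": 300},
     "after":  {"id": "ZONEID_qzirp.example.com_A", "name": "qzirp.example.com",
                "records": ["192.0.2.10"], "ttl": 300}}},
  {"address": "aws_route53_record.other", "type": "aws_route53_record",
   "change": {"actions": ["update"],
     "before": {"id": "ZONEID_www.example.com_A", "name": "www.example.com",
                "records": ["192.0.2.10"], "ttl": 300},
     "after":  {"id": "ZONEID_www.example.com_A", "name": "www.example.com",
                "records": ["198.51.100.7"], "ttl": 300}}}
]}
""")

if __name__ == "__main__":
    for address, verdict in classify_drift(SAMPLE_PLAN).items():
        print(f"{address}: {verdict}")
```

To run it against a real plan, load the output of `terraform show -json` for a saved plan file with `json.load` and pass the result to `classify_drift`.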

matt-brewster commented 2 years ago

I'm getting the exact same issue but I don't have uppercase characters in the name field. My config is:

terraform {

  required_version = "= 1.1.9"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "= 4.11.0"
    }
  }
}

rafaelsales commented 2 years ago

Same issue here. When I change completely unrelated resources, it tries to read the aws_route53_zone data resource and recreate the aws route 53 record even though none of their dependencies/variables changed:

data "aws_route53_zone" "public" {
  name = var.domain
}

resource "aws_route53_record" "api" {
  zone_id = data.aws_route53_zone.public.zone_id
  name    = "plaft-ploft-api.${var.domain}" # This endpoint uses mTLS and hence uses the Network Load Balancer
  type    = "A"
  alias {
    name                   = aws_lb.mtls_http.dns_name
    zone_id                = aws_lb.mtls_http.zone_id
    evaluate_target_health = false
  }
}

  # module.web_app.data.aws_route53_zone.public will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_route53_zone" "public" {
      + arn                        = (known after apply)
      + caller_reference           = (known after apply)
      + comment                    = (known after apply)
      + id                         = (known after apply)
      + linked_service_description = (known after apply)
      + linked_service_principal   = (known after apply)
      + name                       = "hacker-staging.com"
      + name_servers               = (known after apply)
      + resource_record_set_count  = (known after apply)
      + tags                       = (known after apply)
      + vpc_id                     = (known after apply)
      + zone_id                    = (known after apply)
    }

  # module.web_app.aws_route53_record.api must be replaced
-/+ resource "aws_route53_record" "api" {
      + allow_overwrite = (known after apply)
      ~ fqdn            = "plaf-ploft-api.hacker-staging.com" -> (known after apply)
      ~ id              = "Z04176721A0SI847FROBG_plaft-ploft-api.hacker-staging.com_A" -> (known after apply)
        name            = "plaft-ploft-api.hacker-staging.com"
      - records         = [] -> null
      - ttl             = 0 -> null
      ~ zone_id         = "Z04176721A0SI847FROBG" -> (known after apply) # forces replacement
        # (1 unchanged attribute hidden)

        # (1 unchanged block hidden)
    }

Notes:

shannoncarver commented 1 year ago

Any update on this? I'm seeing the same issue, where getting the Route 53 zone ID using a data source causes the record to be replaced even though nothing was changed.

moshiaiz commented 1 year ago

As a workaround for this bug, you can use ignore_changes lifecycle on zone_id:

data "aws_route53_zone" "my_zone" {
  name         = var.domain
  private_zone = true
}

resource "aws_route53_record" "my_record" {
  zone_id = data.aws_route53_zone.my_zone.id
  name    = "${var.vm_name}.${var.domain}"
  type    = "A"
  ttl     = 300
  records = [var.ipv4_address]

  lifecycle {
    ignore_changes = [
      zone_id
    ]
  }
}

arditmorina commented 10 months ago

As a workaround for this bug, you can use ignore_changes lifecycle on zone_id:

data "aws_route53_zone" "my_zone" {
  name         = var.domain
  private_zone = true
}

resource "aws_route53_record" "my_record" {
  zone_id = data.aws_route53_zone.my_zone.id
  name    = "${var.vm_name}.${var.domain}"
  type    = "A"
  ttl     = 300
  records = [var.ipv4_address]

  lifecycle {
    ignore_changes = [
      zone_id
    ]
  }
}

I have the same issue, but I'm using the Route53 module. Modifying the module by including the suggested workaround fixes the issue, but of course that isn't good because I shouldn't modify the module I get from the Terraform registry, and I'm also not sure if that will cause some other issues. I'm interested in a fix too.