hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Cloudfront Function will be removed before assignment had been updated (Dependency issue?) #25249

Open DJAlPee opened 2 years ago

DJAlPee commented 2 years ago

Terraform CLI and Terraform AWS Provider Version

$ terraform --version
Terraform v1.2.1
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v4.16.0

Affected Resources

Terraform Configuration Files

Just an example from the docs:

resource "aws_cloudfront_function" "example" {
  name    = "test"
  runtime = "cloudfront-js-1.0"
  comment = "my function"
  publish = true
  code    = file("${path.module}/function.js")
}

resource "aws_cloudfront_distribution" "example" {
  # ... other configuration ...

  # function_association is also supported by default_cache_behavior
  ordered_cache_behavior {
    # ... other configuration ...

    # CloudFront Functions attach via function_association / function_arn;
    # lambda_function_association / lambda_arn is for Lambda@Edge.
    function_association {
      event_type   = "viewer-request"
      function_arn = aws_cloudfront_function.example.arn
    }
  }
}

Debug Output

Error: error deleting CloudFront Function (test): FunctionInUse: Cannot delete function test, it is in use by x distributions
        status code: 409, request id: <Uuid>

Expected Behavior

After updating the config for the function with a breaking change (e.g. change function name or the resource name), it should create the new function first, update the assignment in CloudFront and remove the old function as last step.

Actual Behavior

When rolling out the change, the creation of the new function and the deletion of the old function are done in parallel. The deletion fails because of the still existing assignment to CloudFront. On the second rollout it tries to delete the old function first and fails immediately. The update of the assignment in CloudFront is pending... At least on the second rollout, Terraform should be able to update the assignment, which would "unblock" the old function for deletion.

Steps to Reproduce

  1. terraform apply
  2. Breaking change in aws_cloudfront_function
  3. terraform apply (creates new function, but fails deleting the old one. Update of CloudFront distribution is part of the plan with a placeholder for the ARN of the new function)
  4. terraform apply (still fails to delete old function. Update of the CloudFront distribution is still part of the plan, but now with the known ARN of the new function)

Important Factoids

DrFaust92 commented 2 years ago

try to add create_before_destroy for aws_cloudfront_function
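
The suggestion above written out as a full configuration, added here as an illustration and not posted by anyone in the thread or taken from the provider docs. The `function_suffix` variable, the `test-` name prefix, the inline handler and the `origin.example.com` origin are assumptions made for the example.

```hcl
# Added example. var.function_suffix and the origin host are placeholders.
variable "function_suffix" {
  type    = string
  default = "v1" # changing this changes `name`, which replaces the function
}

resource "aws_cloudfront_function" "example" {
  name    = "test-${var.function_suffix}" # old and new names must differ
  runtime = "cloudfront-js-1.0"
  publish = true
  code    = "function handler(event) { return event.request; }"
  lifecycle {
    # Create the new function, repoint the distribution, then delete the old one.
    create_before_destroy = true
  }
}

resource "aws_cloudfront_distribution" "example" {
  enabled = true
  origin {
    domain_name = "origin.example.com"
    origin_id   = "example-origin"
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    target_origin_id       = "example-origin"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    forwarded_values {
      query_string = false
      cookies { forward = "none" }
    }
    function_association {
      event_type   = "viewer-request"
      function_arn = aws_cloudfront_function.example.arn
    }
  }
  restrictions {
    geo_restriction { restriction_type = "none" }
  }
  viewer_certificate { cloudfront_default_certificate = true }
}
```

Because the old and new functions exist side by side during the replacement, the replacement has to carry a different `name`; this covers the replacement case only, not removing the association and the function in the same apply.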

DJAlPee commented 2 years ago

> try to add create_before_destroy for aws_cloudfront_function

Works with this, thx! But it feels a bit strange to set this explicitly for (breaking) updates. I would assume that on terraform destroy, all resources will be deleted in reverse order of the creation, because of the dependencies. Why not use the same behavior for resource updates which cause a replacement?

11qu1d commented 2 years ago

I am getting the same error, but in my case I can't use create_before_destroy because I'm trying to conditionally remove the function from the CloudFront distribution. The provider should in my case first update the distribution by removing the function_association block and then delete the function. It's similar to the issue described in https://github.com/hashicorp/terraform-provider-aws/issues/21730; currently the only solution seems to be to remove the assignment manually.

sidekick-eimantas commented 1 year ago

Just hit this as well at destroy time. Have to revert to clickops.

lijok commented 4 months ago

This is still an issue. As it stands, this provider cannot manage the complete lifecycle of a CloudFront distribution with functions.