hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: aws_sns_platform_application: Still modifying... and fails after 50 minutes upon updating certificate #28925

Open defigor opened 1 year ago

defigor commented 1 year ago

Terraform Core Version

1.3.3

AWS Provider Version

4.40.0

Affected Resource(s)

Expected Behavior

When platform_credential and platform_principal are updated using certificate-based authentication, the changes are deployed without issue.

Actual Behavior

The deployment fails after a long time:

module.SNS.module.sns_application.aws_sns_platform_application.apns_application[0]: Modifying... [id=arn:aws:sns:us-east-1:XXXX:app/APNS/apns_application]
module.pinpoint.aws_pinpoint_apns_channel.pinpoint_apns_channel[0]: Modifying... [id=DF_ID]
module.pinpoint.aws_pinpoint_apns_channel.pinpoint_apns_channel[0]: Modifications complete after 1s [id=DF_ID]
module.SNS.module.sns_application.aws_sns_platform_application.apns_application[0]: Still modifying... [id=arn:aws:sns:us-east-1:XXXX:app/APNS/apns_application, 10s elapsed]
module.SNS.module.sns_application.aws_sns_platform_application.apns_application[0]: Still modifying... [id=arn:aws:sns:us-east-1:XXXX:app/APNS/apns_application, 20s elapsed]
module.SNS.module.sns_application.aws_sns_platform_application.apns_application[0]: Still modifying... [id=arn:aws:sns:us-east-1:XXXX:app/APNS/apns_application, 30s elapsed]
module.SNS.module.sns_application.aws_sns_platform_application.apns_application[0]: Still modifying... [id=arn:aws:sns:us-east-1:XXXX:app/APNS/apns_application, 40s elapsed]
module.SNS.module.sns_application.aws_sns_platform_application.apns_application[0]: Still modifying... [id=arn:aws:sns:us-east-1:XXXX:app/APNS/apns_application, 50s elapsed]
...
module.SNS.module.sns_application.aws_sns_platform_application.apns_application[0]: Still modifying... [id=arn:aws:sns:us-east-1:XXXX:app/APNS/apns_application, 49m11s elapsed]
module.SNS.module.sns_application.aws_sns_platform_application.apns_application[0]: Still modifying... [id=arn:aws:sns:us-east-1:XXXX:app/APNS/apns_application, 49m21s elapsed]
module.SNS.module.sns_application.aws_sns_platform_application.apns_application[0]: Still modifying... [id=arn:aws:sns:us-east-1:XXXX:app/APNS/apns_application, 49m31s elapsed]

│ Error: updating SNS Platform Application (arn:aws:sns:us-east-1:XXXX:app/APNS/apns_application): InternalFailure: 
│   status code: 500, request id: REQUEST_ID
│ 
│   with module.SNS.module.sns_application.aws_sns_platform_application.apns_application[0],
│   on SNS/sns_application/main.tf line 32, in resource "aws_sns_platform_application" "apns_application":
│   32: resource "aws_sns_platform_application" "apns_application" {
│ 

Relevant Error/Panic Output Snippet

│ Error: updating SNS Platform Application (arn:aws:sns:us-east-1:XXXX:app/APNS/apns_application): InternalFailure: 
│   status code: 500, request id: REQUEST_ID
│ 
│   with module.SNS.module.sns_application.aws_sns_platform_application.apns_application[0],
│   on SNS/sns_application/main.tf line 32, in resource "aws_sns_platform_application" "apns_application":
│   32: resource "aws_sns_platform_application" "apns_application" {
│

Terraform Configuration Files

Variables declarations:

variable "apns_key" {}

variable "apns_certificate" {}

variable "s3_bucket" {}

variable "flag_apns_sandbox" {
  type = bool
}

variable "flag_deploy_sns_application" {
  type = bool
}

Variables definitions:

s3_bucket                   = "some-bucket-with-certificates"
apns_key                    = "IOSCertificate/private.key"
apns_certificate            = "IOSCertificate/certificate.pem"
flag_apns_sandbox           = false
flag_deploy_sns_application = true

Code:

data "aws_s3_bucket_object" "apns_key" {
  count  = var.flag_deploy_sns_application ? 1 : 0
  bucket = var.s3_bucket
  key    = var.apns_key
}

data "aws_s3_bucket_object" "apns_certificate" {
  count  = var.flag_deploy_sns_application ? 1 : 0
  bucket = var.s3_bucket
  key    = var.apns_certificate
}

resource "aws_sns_platform_application" "apns_application" {
  count                        = var.flag_deploy_sns_application ? 1 : 0
  name                         = var.name_apns_application
  platform                     = var.flag_apns_sandbox ? "APNS_SANDBOX" : "APNS"
  platform_principal           = data.aws_s3_bucket_object.apns_key[count.index].body
  platform_credential          = data.aws_s3_bucket_object.apns_certificate[count.index].body
  success_feedback_sample_rate = 100
}

Steps to Reproduce

We had already deployed these certificates, but received an email that they will expire in 30 days, so we created a new certificate via Apple Developer, uploaded the new files (pem and key) into the existing S3 bucket, and replaced the existing files. Terraform plan showed that the aws_sns_platform_application would change, but upon apply the error happened after 50 minutes.

Debug Output

No response

Panic Output

No response

Important Factoids

We also use Pinpoint APNS channel resource and use the same certificates during the deployment:

data "aws_s3_bucket_object" "apns_key" {
  count  = var.flag_deploy_sns_application ? 1 : 0
  bucket = var.s3_secret_bucket
  key    = var.apns_key
}

data "aws_s3_bucket_object" "apns_certificate" {
  count  = var.flag_deploy_sns_application ? 1 : 0
  bucket = var.s3_secret_bucket
  key    = var.apns_certificate
}

resource "aws_pinpoint_apns_channel" "pinpoint_apns_channel" {
  count          = var.flag_deploy_sns_application ? 1 : 0
  application_id = aws_pinpoint_app.pinpoint_app.application_id
  private_key    = data.aws_s3_bucket_object.apns_key[count.index].body
  certificate    = data.aws_s3_bucket_object.apns_certificate[count.index].body
}

And the Pinpoint APNS resource applied successfully:

module.pinpoint.aws_pinpoint_apns_channel.pinpoint_apns_channel[0]: Modifying... [id=DF_ID]
module.pinpoint.aws_pinpoint_apns_channel.pinpoint_apns_channel[0]: Modifications complete after 1s [id=DF_ID]

Also, after this failure we ran the plan/apply a second time; the plan didn't show that the SNS application had changed, and the apply finished successfully.

References

No response

Would you like to implement a fix?

None
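
A pre-apply check for the certificate rotation described under Steps to Reproduce, as an added example that is not part of the original issue or of the provider's code: it confirms that the replacement PEM files parse, that the private key matches the certificate, and that enough validity remains, because the InternalFailure response above carries no diagnostic. The names checkPair and samplePair and the 30-day threshold are chosen for this example, and the sample pair is constructed in code rather than taken from a real APNS certificate.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// checkPair returns nil only if the PEM certificate and key match and the certificate
// is valid at now with at least minLeft remaining. For certificate-based APNS, SNS takes
// the certificate as platform_principal and the private key as platform_credential.
func checkPair(certPEM, keyPEM []byte, now time.Time, minLeft time.Duration) error {
	// X509KeyPair parses both PEM inputs and checks that the key matches the leaf.
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return fmt.Errorf("unusable pair: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return fmt.Errorf("leaf certificate does not parse: %w", err)
	}
	if now.Before(leaf.NotBefore) {
		return fmt.Errorf("certificate not valid before %s", leaf.NotBefore.Format(time.RFC3339))
	}
	if left := leaf.NotAfter.Sub(now); left < minLeft {
		return fmt.Errorf("certificate has %s left, need at least %s", left.Round(time.Hour), minLeft)
	}
	return nil
}

// samplePair builds a constructed self-signed RSA pair (sample input; errors ignored for fixed inputs).
func samplePair(from, to time.Time) (certPEM, keyPEM []byte) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: from, NotAfter: to}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
}

func main() {
	now := time.Now()
	c, k := samplePair(now.Add(-time.Hour), now.Add(60*24*time.Hour))
	fmt.Println("pair:", checkPair(c, k, now, 30*24*time.Hour), "| swapped:", checkPair(k, c, now, 0))
}
```

Running the same check against the two objects fetched from the bucket before `terraform apply` separates a bad or mismatched upload from a service-side failure.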
