hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_route53_record - records being destroyed when they should be just replaced #32460

Open scott-doyland-burrows opened 1 year ago

scott-doyland-burrows commented 1 year ago

Terraform Core Version

v1.5.1

AWS Provider Version

v4.67.0

Affected Resource(s)

aws_route53_record

Expected Behavior

Route53 records do not get destroyed at the end of the apply.

Actual Behavior

Route53 records are getting destroyed.

Relevant Error/Panic Output Snippet

N/A

Terraform Configuration Files

locals {
  alternative_domains = [
    "theandpartnership.dk",
    "*.theandpartnership.dk",
    "theandpartnership.com",
    "*.theandpartnership.com",
    "muster.co.uk",
    "*.muster.co.uk",
  ]
}

resource "aws_acm_certificate" "primary_domain" {

  provider          = aws.ou
  domain_name       = "*.${var.environment}.${data.aws_route53_zone.root.name}"
  validation_method = "DNS"

  subject_alternative_names = local.alternative_domains
}

# ALB certificate records
resource "aws_route53_record" "cert_validation" {
  provider = aws.ou
  for_each = {
    for dvo in aws_acm_certificate.primary_domain.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = data.aws_route53_zone.root.zone_id
}

# ALB certificate validation
resource "aws_acm_certificate_validation" "primary_domain" {
  provider = aws.ou

  certificate_arn         = aws_acm_certificate.primary_domain.arn
  validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.name]
}

# Cloudfront certificate
resource "aws_acm_certificate" "primary_domain_cdn" {
  lifecycle {
    create_before_destroy = true
  }

  count    = var.with_cdn == true ? 1 : 0
  provider = aws.cdn

  domain_name       = "*.${var.environment}.${data.aws_route53_zone.root.name}"
  validation_method = "DNS"

  subject_alternative_names = local.alternative_domains
}

# cloudfront certificate validation
resource "aws_acm_certificate_validation" "primary_domain_cdn" {
  count    = var.with_cdn == true ? 1 : 0
  provider = aws.cdn

  certificate_arn         = aws_acm_certificate.primary_domain_cdn[0].arn
  validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.name]
}

Steps to Reproduce

terraform apply

Debug Output

Here is an apply when I am adding in a new local.alternative_domains to the list. As can be seen, Terraform destroys the Route53 records, and there are mentions of deposed objects.

It is a lot of output, but essentially at the end you can see it is destroying all the route53 records, even though they should be replaced (destroyed/created) according to the output from the plan.

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
-/+ destroy and then create replacement
+/- create replacement and then destroy

Terraform will perform the following actions:

  # module.terraform-module-environment.aws_acm_certificate.primary_domain must be replaced
+/- resource "aws_acm_certificate" "primary_domain" {
      ~ arn                       = "arn:aws:acm:eu-west-1:[redacted]:certificate/f14a6dcc-518c-468d-a6a0-7a7264e3639f" -> (known after apply)
      ~ domain_validation_options = [
          - {
              - domain_name           = "*.muster.co.uk"
              - resource_record_name  = "[redacted].muster.co.uk."
              - resource_record_type  = "CNAME"
              - resource_record_value = "[redacted].zykwrxlgwv.acm-validations.aws."
            },
          - {
              - domain_name           = "*.prod.tandp.[redacted].digital"
              - resource_record_name  = "[redacted].prod.tandp.[redacted].digital."
              - resource_record_type  = "CNAME"
              - resource_record_value = "[redacted].zsqxqtfsbl.acm-validations.aws."
            },
          - {
              - domain_name           = "*.theandpartnership.com"
              - resource_record_name  = "[redacted].theandpartnership.com."
              - resource_record_type  = "CNAME"
              - resource_record_value = "[redacted].zykwrxlgwv.acm-validations.aws."
            },
          - {
              - domain_name           = "*.theandpartnership.dk"
              - resource_record_name  = "[redacted].theandpartnership.dk."
              - resource_record_type  = "CNAME"
              - resource_record_value = "[redacted].zykwrxlgwv.acm-validations.aws."
            },
          - {
              - domain_name           = "muster.co.uk"
              - resource_record_name  = "[redacted].muster.co.uk."
              - resource_record_type  = "CNAME"
              - resource_record_value = "[redacted].zykwrxlgwv.acm-validations.aws."
            },
          - {
              - domain_name           = "prod-corp.tandp.[redacted].digital"
              - resource_record_name  = "[redacted].prod-corp.tandp.[redacted].digital."
              - resource_record_type  = "CNAME"
              - resource_record_value = "[redacted].zsqxqtfsbl.acm-validations.aws."
            },
          - {
              - domain_name           = "prod.tandp.[redacted].digital"
              - resource_record_name  = "[redacted].prod.tandp.[redacted].digital."
              - resource_record_type  = "CNAME"
              - resource_record_value = "[redacted].zsqxqtfsbl.acm-validations.aws."
            },
          - {
              - domain_name           = "theandpartnership.com"
              - resource_record_name  = "[redacted].theandpartnership.com."
              - resource_record_type  = "CNAME"
              - resource_record_value = "[redacted].zykwrxlgwv.acm-validations.aws."
            },
          + {
              + domain_name           = "*.muster.co.uk"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
          + {
              + domain_name           = "*.prod.tandp.[redacted].digital"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
          + {
              + domain_name           = "*.theandpartnership.com"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
          + {
              + domain_name           = "*.theandpartnership.dk"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
          + {
              + domain_name           = "muster.co.uk"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
          + {
              + domain_name           = "prod-corp.tandp.[redacted].digital"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
          + {
              + domain_name           = "prod.tandp.[redacted].digital"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
          + {
              + domain_name           = "theandpartnership.com"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
          + {
              + domain_name           = "theandpartnership.dk"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
        ]
      ~ id                        = "arn:aws:acm:eu-west-1:[redacted]:certificate/f14a6dcc-518c-468d-a6a0-7a7264e3639f" -> (known after apply)
      ~ key_algorithm             = "RSA_2048" -> (known after apply)
      ~ not_after                 = "2024-08-08T23:59:59Z" -> (known after apply)
      ~ not_before                = "2023-07-11T00:00:00Z" -> (known after apply)
      ~ pending_renewal           = false -> (known after apply)
      ~ renewal_eligibility       = "ELIGIBLE" -> (known after apply)
      ~ renewal_summary           = [] -> (known after apply)
      ~ status                    = "ISSUED" -> (known after apply)
      ~ subject_alternative_names = [ # forces replacement
          + "theandpartnership.dk",
            # (8 unchanged elements hidden)
        ]
      - tags                      = {} -> null
      ~ type                      = "AMAZON_ISSUED" -> (known after apply)
      ~ validation_emails         = [] -> (known after apply)
        # (3 unchanged attributes hidden)

      - options {
          - certificate_transparency_logging_preference = "ENABLED" -> null
        }
    }

  # module.terraform-module-environment.aws_acm_certificate.primary_domain_cdn[0] must be replaced
+/- resource "aws_acm_certificate" "primary_domain_cdn" {
      ~ arn                       = "arn:aws:acm:us-east-1:[redacted]:certificate/76097512-6bbe-489f-b615-b3e3267fb535" -> (known after apply)
      ~ domain_validation_options = [
          - {
              - domain_name           = "*.muster.co.uk"
              - resource_record_name  = "[redacted].muster.co.uk."
              - resource_record_type  = "CNAME"
              - resource_record_value = "[redacted].zykwrxlgwv.acm-validations.aws."
            },
          - {
              - domain_name           = "*.prod.tandp.[redacted].digital"
              - resource_record_name  = "[redacted].prod.tandp.[redacted].digital."
              - resource_record_type  = "CNAME"
              - resource_record_value = "[redacted].zsqxqtfsbl.acm-validations.aws."
            },
          - {
              - domain_name           = "*.theandpartnership.com"
              - resource_record_name  = "[redacted].theandpartnership.com."
              - resource_record_type  = "CNAME"
              - resource_record_value = "[redacted].zykwrxlgwv.acm-validations.aws."
            },
          - {
              - domain_name           = "*.theandpartnership.dk"
              - resource_record_name  = "[redacted].theandpartnership.dk."
              - resource_record_type  = "CNAME"
              - resource_record_value = "[redacted].zykwrxlgwv.acm-validations.aws."
            },
          - {
              - domain_name           = "muster.co.uk"
              - resource_record_name  = "[redacted].muster.co.uk."
              - resource_record_type  = "CNAME"
              - resource_record_value = "[redacted].zykwrxlgwv.acm-validations.aws."
            },
          - {
              - domain_name           = "prod-corp.tandp.[redacted].digital"
              - resource_record_name  = "[redacted].prod-corp.tandp.[redacted].digital."
              - resource_record_type  = "CNAME"
              - resource_record_value = "[redacted].zsqxqtfsbl.acm-validations.aws."
            },
          - {
              - domain_name           = "prod.tandp.[redacted].digital"
              - resource_record_name  = "[redacted].prod.tandp.[redacted].digital."
              - resource_record_type  = "CNAME"
              - resource_record_value = "[redacted].zsqxqtfsbl.acm-validations.aws."
            },
          - {
              - domain_name           = "theandpartnership.com"
              - resource_record_name  = "[redacted].theandpartnership.com."
              - resource_record_type  = "CNAME"
              - resource_record_value = "[redacted].zykwrxlgwv.acm-validations.aws."
            },
          + {
              + domain_name           = "*.muster.co.uk"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
          + {
              + domain_name           = "*.prod.tandp.[redacted].digital"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
          + {
              + domain_name           = "*.theandpartnership.com"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
          + {
              + domain_name           = "*.theandpartnership.dk"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
          + {
              + domain_name           = "muster.co.uk"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
          + {
              + domain_name           = "prod-corp.tandp.[redacted].digital"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
          + {
              + domain_name           = "prod.tandp.[redacted].digital"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
          + {
              + domain_name           = "theandpartnership.com"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
          + {
              + domain_name           = "theandpartnership.dk"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
        ]
      ~ id                        = "arn:aws:acm:us-east-1:[redacted]:certificate/76097512-6bbe-489f-b615-b3e3267fb535" -> (known after apply)
      ~ key_algorithm             = "RSA_2048" -> (known after apply)
      ~ not_after                 = "2024-08-08T23:59:59Z" -> (known after apply)
      ~ not_before                = "2023-07-11T00:00:00Z" -> (known after apply)
      ~ pending_renewal           = false -> (known after apply)
      ~ renewal_eligibility       = "ELIGIBLE" -> (known after apply)
      ~ renewal_summary           = [] -> (known after apply)
      ~ status                    = "ISSUED" -> (known after apply)
      ~ subject_alternative_names = [ # forces replacement
          + "theandpartnership.dk",
            # (8 unchanged elements hidden)
        ]
      - tags                      = {} -> null
      ~ type                      = "AMAZON_ISSUED" -> (known after apply)
      ~ validation_emails         = [] -> (known after apply)
        # (3 unchanged attributes hidden)

      - options {
          - certificate_transparency_logging_preference = "ENABLED" -> null
        }
    }

  # module.terraform-module-environment.aws_acm_certificate_validation.primary_domain must be replaced
+/- resource "aws_acm_certificate_validation" "primary_domain" {
      ~ certificate_arn         = "arn:aws:acm:eu-west-1:[redacted]:certificate/f14a6dcc-518c-468d-a6a0-7a7264e3639f" # forces replacement -> (known after apply) # forces replacement
      ~ id                      = "2023-07-11 12:04:59.22 +0000 UTC" -> (known after apply)
      ~ validation_record_fqdns = [ # forces replacement
          - "[redacted].prod-corp.tandp.[redacted].digital",
          - "[redacted].prod.tandp.[redacted].digital",
          - "[redacted].theandpartnership.com",
          - "[redacted].muster.co.uk",
          - "[redacted].theandpartnership.dk",
        ] -> (known after apply) # forces replacement
    }

  # module.terraform-module-environment.aws_acm_certificate_validation.primary_domain_cdn[0] must be replaced
-/+ resource "aws_acm_certificate_validation" "primary_domain_cdn" {
      ~ certificate_arn         = "arn:aws:acm:us-east-1:[redacted]:certificate/76097512-6bbe-489f-b615-b3e3267fb535" # forces replacement -> (known after apply) # forces replacement
      ~ id                      = "2023-07-11 12:04:57.414 +0000 UTC" -> (known after apply)
      ~ validation_record_fqdns = [ # forces replacement
          - "[redacted].prod-corp.tandp.[redacted].digital",
          - "[redacted].prod.tandp.[redacted].digital",
          - "[redacted].theandpartnership.com",
          - "[redacted].muster.co.uk",
          - "[redacted].theandpartnership.dk",
        ] -> (known after apply) # forces replacement
    }

  # module.terraform-module-environment.aws_lb_listener.https will be updated in-place
  ~ resource "aws_lb_listener" "https" {
      ~ certificate_arn   = "arn:aws:acm:eu-west-1:[redacted]:certificate/f14a6dcc-518c-468d-a6a0-7a7264e3639f" -> (known after apply)
        id                = "arn:aws:elasticloadbalancing:eu-west-1:[redacted]:listener/app/tandp-prod-alb/79b686aff10238e0/2c76a0220386e54f"
        tags              = {}
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.terraform-module-environment.aws_route53_record.cert_validation["*.muster.co.uk"] must be replaced
+/- resource "aws_route53_record" "cert_validation" {
      ~ fqdn                             = "[redacted].muster.co.uk.tandp.[redacted].digital" -> (known after apply)
      ~ id                               = "Z1015136EEMLEKYDPSO8[redacted].muster.co.uk._CNAME" -> (known after apply)
      - multivalue_answer_routing_policy = false -> null
      ~ name                             = "[redacted].muster.co.uk" # forces replacement -> (known after apply) # forces replacement
      ~ records                          = [
          - "[redacted].zykwrxlgwv.acm-validations.aws.",
        ] -> (known after apply)
      ~ type                             = "CNAME" -> (known after apply)
        # (3 unchanged attributes hidden)
    }

  # module.terraform-module-environment.aws_route53_record.cert_validation["*.prod.tandp.[redacted].digital"] must be replaced
+/- resource "aws_route53_record" "cert_validation" {
      ~ fqdn                             = "[redacted].prod.tandp.[redacted].digital" -> (known after apply)
      ~ id                               = "Z1015136EEMLEKYDPSO8[redacted].prod.tandp.[redacted].digital._CNAME" -> (known after apply)
      - multivalue_answer_routing_policy = false -> null
      ~ name                             = "[redacted].prod.tandp.[redacted].digital" # forces replacement -> (known after apply) # forces replacement
      ~ records                          = [
          - "[redacted].zsqxqtfsbl.acm-validations.aws.",
        ] -> (known after apply)
      ~ type                             = "CNAME" -> (known after apply)
        # (3 unchanged attributes hidden)
    }

  # module.terraform-module-environment.aws_route53_record.cert_validation["*.theandpartnership.com"] must be replaced
+/- resource "aws_route53_record" "cert_validation" {
      ~ fqdn                             = "[redacted].theandpartnership.com.tandp.[redacted].digital" -> (known after apply)
      ~ id                               = "Z1015136EEMLEKYDPSO8[redacted].theandpartnership.com._CNAME" -> (known after apply)
      - multivalue_answer_routing_policy = false -> null
      ~ name                             = "[redacted].theandpartnership.com" # forces replacement -> (known after apply) # forces replacement
      ~ records                          = [
          - "[redacted].zykwrxlgwv.acm-validations.aws.",
        ] -> (known after apply)
      ~ type                             = "CNAME" -> (known after apply)
        # (3 unchanged attributes hidden)
    }

  # module.terraform-module-environment.aws_route53_record.cert_validation["*.theandpartnership.dk"] must be replaced
+/- resource "aws_route53_record" "cert_validation" {
      ~ fqdn                             = "[redacted].theandpartnership.dk.tandp.[redacted].digital" -> (known after apply)
      ~ id                               = "Z1015136EEMLEKYDPSO8[redacted].theandpartnership.dk._CNAME" -> (known after apply)
      - multivalue_answer_routing_policy = false -> null
      ~ name                             = "[redacted].theandpartnership.dk" # forces replacement -> (known after apply) # forces replacement
      ~ records                          = [
          - "[redacted].zykwrxlgwv.acm-validations.aws.",
        ] -> (known after apply)
      ~ type                             = "CNAME" -> (known after apply)
        # (3 unchanged attributes hidden)
    }

  # module.terraform-module-environment.aws_route53_record.cert_validation["muster.co.uk"] must be replaced
+/- resource "aws_route53_record" "cert_validation" {
      ~ fqdn                             = "[redacted].muster.co.uk.tandp.[redacted].digital" -> (known after apply)
      ~ id                               = "Z1015136EEMLEKYDPSO8[redacted].muster.co.uk._CNAME" -> (known after apply)
      - multivalue_answer_routing_policy = false -> null
      ~ name                             = "[redacted].muster.co.uk" # forces replacement -> (known after apply) # forces replacement
      ~ records                          = [
          - "[redacted].zykwrxlgwv.acm-validations.aws.",
        ] -> (known after apply)
      ~ type                             = "CNAME" -> (known after apply)
        # (3 unchanged attributes hidden)
    }

  # module.terraform-module-environment.aws_route53_record.cert_validation["prod-corp.tandp.[redacted].digital"] must be replaced
+/- resource "aws_route53_record" "cert_validation" {
      ~ fqdn                             = "[redacted].prod-corp.tandp.[redacted].digital" -> (known after apply)
      ~ id                               = "Z1015136EEMLEKYDPSO8[redacted].prod-corp.tandp.[redacted].digital._CNAME" -> (known after apply)
      - multivalue_answer_routing_policy = false -> null
      ~ name                             = "[redacted].prod-corp.tandp.[redacted].digital" # forces replacement -> (known after apply) # forces replacement
      ~ records                          = [
          - "[redacted].zsqxqtfsbl.acm-validations.aws.",
        ] -> (known after apply)
      ~ type                             = "CNAME" -> (known after apply)
        # (3 unchanged attributes hidden)
    }

  # module.terraform-module-environment.aws_route53_record.cert_validation["prod.tandp.[redacted].digital"] must be replaced
+/- resource "aws_route53_record" "cert_validation" {
      ~ fqdn                             = "[redacted].prod.tandp.[redacted].digital" -> (known after apply)
      ~ id                               = "Z1015136EEMLEKYDPSO8[redacted].prod.tandp.[redacted].digital._CNAME" -> (known after apply)
      - multivalue_answer_routing_policy = false -> null
      ~ name                             = "[redacted].prod.tandp.[redacted].digital" # forces replacement -> (known after apply) # forces replacement
      ~ records                          = [
          - "[redacted].zsqxqtfsbl.acm-validations.aws.",
        ] -> (known after apply)
      ~ type                             = "CNAME" -> (known after apply)
        # (3 unchanged attributes hidden)
    }

  # module.terraform-module-environment.aws_route53_record.cert_validation["theandpartnership.com"] must be replaced
+/- resource "aws_route53_record" "cert_validation" {
      ~ fqdn                             = "[redacted].theandpartnership.com.tandp.[redacted].digital" -> (known after apply)
      ~ id                               = "Z1015136EEMLEKYDPSO8[redacted].theandpartnership.com._CNAME" -> (known after apply)
      - multivalue_answer_routing_policy = false -> null
      ~ name                             = "[redacted].theandpartnership.com" # forces replacement -> (known after apply) # forces replacement
      ~ records                          = [
          - "[redacted].zykwrxlgwv.acm-validations.aws.",
        ] -> (known after apply)
      ~ type                             = "CNAME" -> (known after apply)
        # (3 unchanged attributes hidden)
    }

  # module.terraform-module-environment.aws_route53_record.cert_validation["theandpartnership.dk"] will be created
  + resource "aws_route53_record" "cert_validation" {
      + allow_overwrite = true
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = (known after apply)
      + records         = (known after apply)
      + ttl             = 60
      + type            = (known after apply)
      + zone_id         = "Z1015136EEMLEKYDPSO8"
    }

  # module.terraform-module-environment.module.cdn[0].aws_cloudfront_distribution.default[0] will be updated in-place
  ~ resource "aws_cloudfront_distribution" "default" {
      ~ aliases                        = [
          + "theandpartnership.dk",
            # (7 unchanged elements hidden)
        ]
        id                             = "E27HVDH4Y62S08"
        tags                           = {
            "Attributes" = "default"
            "Name"       = "tandp-prod-cfd-default"
        }
        # (18 unchanged attributes hidden)

      ~ viewer_certificate {
          ~ acm_certificate_arn            = "arn:aws:acm:us-east-1:[redacted]:certificate/76097512-6bbe-489f-b615-b3e3267fb535" -> (known after apply)
          ~ cloudfront_default_certificate = false -> (known after apply)
          ~ ssl_support_method             = "sni-only" -> (known after apply)
            # (1 unchanged attribute hidden)
        }

        # (9 unchanged blocks hidden)
    }

Plan: 13 to add, 2 to change, 12 to destroy.

Do you want to perform these actions in workspace "di-devops-terraform-dynamic-sites__prod-tandp"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.terraform-module-environment.aws_acm_certificate_validation.primary_domain_cdn[0]: Destroying... [id=2023-07-11 12:04:57.414 +0000 UTC]
module.terraform-module-environment.aws_acm_certificate_validation.primary_domain_cdn[0]: Destruction complete after 0s
module.terraform-module-environment.aws_acm_certificate.primary_domain_cdn[0]: Creating...
module.terraform-module-environment.aws_acm_certificate.primary_domain: Creating...
module.terraform-module-environment.aws_acm_certificate.primary_domain: Still creating... [10s elapsed]
module.terraform-module-environment.aws_acm_certificate.primary_domain_cdn[0]: Still creating... [10s elapsed]
module.terraform-module-environment.aws_acm_certificate.primary_domain: Creation complete after 10s [id=arn:aws:acm:eu-west-1:[redacted]:certificate/f604c396-b31e-41ee-9c28-1962f0efab9e]
module.terraform-module-environment.aws_route53_record.cert_validation["prod.tandp.[redacted].digital"]: Creating...
module.terraform-module-environment.aws_route53_record.cert_validation["*.theandpartnership.com"]: Creating...
module.terraform-module-environment.aws_route53_record.cert_validation["prod-corp.tandp.[redacted].digital"]: Creating...
module.terraform-module-environment.aws_route53_record.cert_validation["theandpartnership.dk"]: Creating...
module.terraform-module-environment.aws_route53_record.cert_validation["*.muster.co.uk"]: Creating...
module.terraform-module-environment.aws_route53_record.cert_validation["theandpartnership.com"]: Creating...
module.terraform-module-environment.aws_route53_record.cert_validation["muster.co.uk"]: Creating...
module.terraform-module-environment.aws_route53_record.cert_validation["*.theandpartnership.dk"]: Creating...
module.terraform-module-environment.aws_route53_record.cert_validation["*.prod.tandp.[redacted].digital"]: Creating...
module.terraform-module-environment.aws_acm_certificate.primary_domain_cdn[0]: Creation complete after 11s [id=arn:aws:acm:us-east-1:[redacted]:certificate/a5bcaab8-7f5b-4868-96b4-7f74f99bce07]
module.terraform-module-environment.aws_route53_record.cert_validation["prod-corp.tandp.[redacted].digital"]: Still creating... [10s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["prod.tandp.[redacted].digital"]: Still creating... [10s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["*.theandpartnership.com"]: Still creating... [10s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["theandpartnership.com"]: Still creating... [10s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["muster.co.uk"]: Still creating... [10s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["*.muster.co.uk"]: Still creating... [10s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["theandpartnership.dk"]: Still creating... [10s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["*.prod.tandp.[redacted].digital"]: Still creating... [10s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["*.theandpartnership.dk"]: Still creating... [10s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["prod.tandp.[redacted].digital"]: Still creating... [20s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["prod-corp.tandp.[redacted].digital"]: Still creating... [20s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["*.theandpartnership.com"]: Still creating... [20s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["muster.co.uk"]: Still creating... [20s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["*.muster.co.uk"]: Still creating... [20s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["theandpartnership.com"]: Still creating... [20s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["theandpartnership.dk"]: Still creating... [20s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["*.prod.tandp.[redacted].digital"]: Still creating... [20s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["*.theandpartnership.dk"]: Still creating... [20s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["theandpartnership.dk"]: Creation complete after 26s [id=Z1015136EEMLEKYDPSO8[redacted].theandpartnership.dk._CNAME]
module.terraform-module-environment.aws_route53_record.cert_validation["prod-corp.tandp.[redacted].digital"]: Still creating... [30s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["prod.tandp.[redacted].digital"]: Still creating... [30s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["*.theandpartnership.com"]: Still creating... [30s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["*.muster.co.uk"]: Still creating... [30s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["theandpartnership.com"]: Still creating... [30s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["*.prod.tandp.[redacted].digital"]: Still creating... [30s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["muster.co.uk"]: Still creating... [30s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["*.theandpartnership.dk"]: Still creating... [30s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["*.muster.co.uk"]: Creation complete after 32s [id=Z1015136EEMLEKYDPSO8[redacted].muster.co.uk._CNAME]
module.terraform-module-environment.aws_route53_record.cert_validation["*.theandpartnership.dk"]: Creation complete after 36s [id=Z1015136EEMLEKYDPSO8[redacted].theandpartnership.dk._CNAME]
module.terraform-module-environment.aws_route53_record.cert_validation["*.prod.tandp.[redacted].digital"]: Creation complete after 39s [id=Z1015136EEMLEKYDPSO8[redacted].prod.tandp.[redacted].digital._CNAME]
module.terraform-module-environment.aws_route53_record.cert_validation["*.theandpartnership.com"]: Creation complete after 40s [id=Z1015136EEMLEKYDPSO8[redacted].theandpartnership.com._CNAME]
module.terraform-module-environment.aws_route53_record.cert_validation["prod.tandp.[redacted].digital"]: Still creating... [40s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["prod-corp.tandp.[redacted].digital"]: Still creating... [40s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["muster.co.uk"]: Still creating... [40s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["theandpartnership.com"]: Still creating... [40s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["prod-corp.tandp.[redacted].digital"]: Creation complete after 41s [id=Z1015136EEMLEKYDPSO8[redacted].prod-corp.tandp.[redacted].digital._CNAME]
module.terraform-module-environment.aws_route53_record.cert_validation["prod.tandp.[redacted].digital"]: Creation complete after 41s [id=Z1015136EEMLEKYDPSO8[redacted].prod.tandp.[redacted].digital._CNAME]
module.terraform-module-environment.aws_route53_record.cert_validation["theandpartnership.com"]: Creation complete after 42s [id=Z1015136EEMLEKYDPSO8[redacted].theandpartnership.com._CNAME]
module.terraform-module-environment.aws_route53_record.cert_validation["muster.co.uk"]: Creation complete after 42s [id=Z1015136EEMLEKYDPSO8[redacted].muster.co.uk._CNAME]
module.terraform-module-environment.aws_acm_certificate_validation.primary_domain: Creating...
module.terraform-module-environment.aws_acm_certificate_validation.primary_domain_cdn[0]: Creating...
module.terraform-module-environment.aws_acm_certificate_validation.primary_domain: Creation complete after 1s [id=2023-07-11 12:34:28.203 +0000 UTC]
module.terraform-module-environment.aws_lb_listener.https: Modifying... [id=arn:aws:elasticloadbalancing:eu-west-1:[redacted]:listener/app/tandp-prod-alb/79b686aff10238e0/2c76a0220386e54f]
module.terraform-module-environment.aws_acm_certificate_validation.primary_domain_cdn[0]: Creation complete after 1s [id=2023-07-11 12:34:32.087 +0000 UTC]
module.terraform-module-environment.module.cdn[0].aws_cloudfront_distribution.default[0]: Modifying... [id=E27HVDH4Y62S08]
module.terraform-module-environment.aws_lb_listener.https: Modifications complete after 1s [id=arn:aws:elasticloadbalancing:eu-west-1:[redacted]:listener/app/tandp-prod-alb/79b686aff10238e0/2c76a0220386e54f]
module.terraform-module-environment.aws_acm_certificate_validation.primary_domain (deposed object 63dcefba): Destroying... [id=2023-07-11 12:04:59.22 +0000 UTC]
module.terraform-module-environment.aws_acm_certificate_validation.primary_domain: Destruction complete after 0s
module.terraform-module-environment.module.cdn[0].aws_cloudfront_distribution.default[0]: Still modifying... [id=E27HVDH4Y62S08, 4m40s elapsed]
module.terraform-module-environment.module.cdn[0].aws_cloudfront_distribution.default[0]: Modifications complete after 4m50s [id=E27HVDH4Y62S08]
module.terraform-module-environment.aws_route53_record.cert_validation["*.theandpartnership.dk"] (deposed object 0662b899): Destroying... [id=Z1015136EEMLEKYDPSO8[redacted].theandpartnership.dk._CNAME]
module.terraform-module-environment.aws_route53_record.cert_validation["theandpartnership.com"] (deposed object 1f57cd4f): Destroying... [id=Z1015136EEMLEKYDPSO8[redacted].theandpartnership.com._CNAME]
module.terraform-module-environment.aws_route53_record.cert_validation["*.prod.tandp.[redacted].digital"] (deposed object ad81a1c0): Destroying... [id=Z1015136EEMLEKYDPSO8[redacted].prod.tandp.[redacted].digital._CNAME]
module.terraform-module-environment.aws_route53_record.cert_validation["prod-corp.tandp.[redacted].digital"] (deposed object 52d95a06): Destroying... [id=Z1015136EEMLEKYDPSO8[redacted].prod-corp.tandp.[redacted].digital._CNAME]
module.terraform-module-environment.aws_route53_record.cert_validation["*.theandpartnership.com"] (deposed object b5d23e9d): Destroying... [id=Z1015136EEMLEKYDPSO8[redacted].theandpartnership.com._CNAME]
module.terraform-module-environment.aws_route53_record.cert_validation["*.muster.co.uk"] (deposed object 2f854307): Destroying... [id=Z1015136EEMLEKYDPSO8[redacted].muster.co.uk._CNAME]
module.terraform-module-environment.aws_route53_record.cert_validation["prod.tandp.[redacted].digital"] (deposed object ab1ae551): Destroying... [id=Z1015136EEMLEKYDPSO8[redacted].prod.tandp.[redacted].digital._CNAME]
module.terraform-module-environment.aws_route53_record.cert_validation["muster.co.uk"] (deposed object 496c469a): Destroying... [id=Z1015136EEMLEKYDPSO8[redacted].muster.co.uk._CNAME]
module.terraform-module-environment.aws_acm_certificate.primary_domain_cdn[0] (deposed object d71c7ae8): Destroying... [id=arn:aws:acm:us-east-1:[redacted]:certificate/76097512-6bbe-489f-b615-b3e3267fb535]
module.terraform-module-environment.aws_acm_certificate.primary_domain_cdn[0]: Destruction complete after 0s
module.terraform-module-environment.aws_route53_record.cert_validation["*.muster.co.uk"]: Destruction complete after 1s
module.terraform-module-environment.aws_route53_record.cert_validation["*.prod.tandp.[redacted].digital"]: Destruction complete after 1s
module.terraform-module-environment.aws_route53_record.cert_validation["*.theandpartnership.com"]: Destruction complete after 1s
module.terraform-module-environment.aws_route53_record.cert_validation["*.theandpartnership.dk"]: Still destroying... [id=Z1015136EEMLEKYDPSO8__fea3f925e07efb413...9a0d57f7c7.theandpartnership.dk._CNAME, 10s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["theandpartnership.com"]: Still destroying... [id=Z1015136EEMLEKYDPSO8__ad3acdfbd055ca93b...437296f70.theandpartnership.com._CNAME, 10s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["prod.tandp.[redacted].digital"]: Still destroying... [id=Z1015136EEMLEKYDPSO8__387dd76a4927c98d9...bd.prod.tandp.[redacted].digital._CNAME, 10s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["muster.co.uk"]: Still destroying... [id=Z1015136EEMLEKYDPSO8[redacted].muster.co.uk._CNAME, 10s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["prod-corp.tandp.[redacted].digital"]: Still destroying... [id=Z1015136EEMLEKYDPSO8__2e15d358b917628f4...od-corp.tandp.[redacted].digital._CNAME, 10s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["prod.tandp.[redacted].digital"]: Still destroying... [id=Z1015136EEMLEKYDPSO8__387dd76a4927c98d9...bd.prod.tandp.[redacted].digital._CNAME, 20s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["*.theandpartnership.dk"]: Still destroying... [id=Z1015136EEMLEKYDPSO8__fea3f925e07efb413...9a0d57f7c7.theandpartnership.dk._CNAME, 20s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["theandpartnership.com"]: Still destroying... [id=Z1015136EEMLEKYDPSO8__ad3acdfbd055ca93b...437296f70.theandpartnership.com._CNAME, 20s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["muster.co.uk"]: Still destroying... [id=Z1015136EEMLEKYDPSO8[redacted].muster.co.uk._CNAME, 20s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["prod-corp.tandp.[redacted].digital"]: Still destroying... [id=Z1015136EEMLEKYDPSO8__2e15d358b917628f4...od-corp.tandp.[redacted].digital._CNAME, 20s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["prod-corp.tandp.[redacted].digital"]: Still destroying... [id=Z1015136EEMLEKYDPSO8__2e15d358b917628f4...od-corp.tandp.[redacted].digital._CNAME, 30s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["muster.co.uk"]: Still destroying... [id=Z1015136EEMLEKYDPSO8[redacted].muster.co.uk._CNAME, 30s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["theandpartnership.com"]: Still destroying... [id=Z1015136EEMLEKYDPSO8__ad3acdfbd055ca93b...437296f70.theandpartnership.com._CNAME, 30s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["prod.tandp.[redacted].digital"]: Still destroying... [id=Z1015136EEMLEKYDPSO8__387dd76a4927c98d9...bd.prod.tandp.[redacted].digital._CNAME, 30s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["*.theandpartnership.dk"]: Still destroying... [id=Z1015136EEMLEKYDPSO8__fea3f925e07efb413...9a0d57f7c7.theandpartnership.dk._CNAME, 30s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["prod-corp.tandp.[redacted].digital"]: Still destroying... [id=Z1015136EEMLEKYDPSO8__2e15d358b917628f4...od-corp.tandp.[redacted].digital._CNAME, 40s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["theandpartnership.com"]: Still destroying... [id=Z1015136EEMLEKYDPSO8__ad3acdfbd055ca93b...437296f70.theandpartnership.com._CNAME, 40s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["prod.tandp.[redacted].digital"]: Still destroying... [id=Z1015136EEMLEKYDPSO8__387dd76a4927c98d9...bd.prod.tandp.[redacted].digital._CNAME, 40s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["*.theandpartnership.dk"]: Still destroying... [id=Z1015136EEMLEKYDPSO8__fea3f925e07efb413...9a0d57f7c7.theandpartnership.dk._CNAME, 40s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["muster.co.uk"]: Still destroying... [id=Z1015136EEMLEKYDPSO8[redacted].muster.co.uk._CNAME, 40s elapsed]
module.terraform-module-environment.aws_route53_record.cert_validation["prod.tandp.[redacted].digital"]: Destruction complete after 44s
module.terraform-module-environment.aws_route53_record.cert_validation["*.theandpartnership.dk"]: Destruction complete after 46s
module.terraform-module-environment.aws_route53_record.cert_validation["prod-corp.tandp.[redacted].digital"]: Destruction complete after 46s
module.terraform-module-environment.aws_route53_record.cert_validation["theandpartnership.com"]: Destruction complete after 47s
module.terraform-module-environment.aws_route53_record.cert_validation["muster.co.uk"]: Destruction complete after 47s
module.terraform-module-environment.aws_acm_certificate.primary_domain (deposed object bf0adcb1): Destroying... [id=arn:aws:acm:eu-west-1:[redacted]:certificate/f14a6dcc-518c-468d-a6a0-7a7264e3639f]
module.terraform-module-environment.aws_acm_certificate.primary_domain: Destruction complete after 1s

Apply complete! Resources: 13 added, 2 changed, 12 destroyed.

Panic Output

N/A

Important Factoids

The code generates a certificate, route53 certificate validation records, and lastly a certificate validation.

There are a few other things that happen in other .tf files, essentially various AWS infrastructure uses the certificates.

If I update the local.alternative_domains by adding/deleting a domain, and then apply, it all works OK, except the route53 records are destroyed at the end of the apply, and I need a second apply to add them back again.

I cannot work out why the route53 records are destroyed. The plan does not say this will happen.

Note the mention of various deposed objects as well.

This happens every time I make a local.alternative_domains update - and of course I have made sure I start from a clean environment to check there is nothing broken in the statefile.

References

https://github.com/hashicorp/terraform/issues/33507#issuecomment-1630984060

Would you like to implement a fix?

None

smacswain commented 10 months ago

I'm seeing this when using "allow_overwrite" = true. I was unable to update a r53 entry as after 8 months it started with "Error: creating Route 53 Record: InvalidChangeBatch: [Tried to create resource record set [name='SOMEURL.', type='A'] but it already exists]". After setting "allow_overwrite" = true, it sets the correct r53 entry and tears it down right after. This is an alias record pointing to CloudFront. If I apply a second time it creates successfully, but on the next apply it will create then destroy.

module.api-gateway.aws_route53_record.route_53_record: Still creating... [10s elapsed]
module.api-gateway.aws_route53_record.route_53_record: Still creating... [20s elapsed]
module.api-gateway.aws_route53_record.route_53_record: Still creating... [30s elapsed]
module.api-gateway.aws_route53_record.route_53_record: Creation complete after 32s [id=]
module.api-gateway.aws_route53_record.route_53_record (deposed object 0ba71cfb): Destroying... [id=]
module.api-gateway.aws_route53_record.route_53_record: Still destroying... [id=]
module.api-gateway.aws_route53_record.route_53_record: Still destroying... [id=]
module.api-gateway.aws_route53_record.route_53_record: Still destroying... [id=]
module.api-gateway.aws_route53_record.route_53_record: Still destroying... [id=]

apparentlymart commented 5 months ago

The +/- "icon" on the proposed changes suggests that these resources are in a dependency chain with something that has create_before_destroy = true set, and so they too must use that ordering of the replacement steps to make the resulting order of operations coherent.

However, you can't have two Route53 record objects with the same name at the same time. This should therefore fail at the create step due to the conflict with an existing object, except that these resources are all configured as allow_overwrite = true which allows the create step to overwrite the existing object.

Therefore the effective order of operations is:

  1. Overwrite the existing [redacted].theandpartnership.com.tandp.[redacted].digital record with a new one.
  2. Delete the record for [redacted].theandpartnership.com.tandp.[redacted].digital.

Step 2 deleted the object created by step 1, leaving you with no records at all.

Therefore the observed behavior seems to be correct per the configuration, although of course I understand that it's undesirable.

Removing the allow_overwrite = true argument should at least make step 1 fail and thus block step 2 from happening at all. But to make this actually work would require the destroy to happen before the create and thus for you to tolerate a brief interval where there's no DNS record at all, which might be problematic if the absence of a record gets cached somewhere.

I think this situation could only be improved by somehow arranging for aws_acm_certificate to return a known value for the resource_record_name attribute of each of the domain_validation_options objects, which would therefore allow the aws_route53_record resource instances to see that the Route53 record names are (presumably?) not actually changing and so could treat those as in-place update instead of replace. However, I don't know if the provider can gather enough information for aws_acm_certificate to be able to predict the resource_record_name during the planning step.
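
Added example, not part of the thread or the provider's code: a pre-apply check that flags the ordering described in the comment above, where an aws_route53_record is replaced create-first with allow_overwrite = true and the follow-up delete can remove the record just written. It assumes the input is the JSON from `terraform show -json` on a saved plan; the function names and the sample plan are constructed for illustration.

```python
import json

def _change(addr, actions, overwrite, before_name, after_name=None):
    """Build one constructed resource_changes entry (after_name=None: unknown)."""
    after = {"type": "CNAME", "allow_overwrite": overwrite}
    if after_name is not None:
        after["name"] = after_name
    return {"address": addr, "type": "aws_route53_record", "change": {
        "actions": actions,
        "before": {"name": before_name, "type": "CNAME", "allow_overwrite": overwrite},
        "after": after,
        "after_unknown": {"name": after_name is None}}}

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    _change("aws_route53_record.v[\"a.example\"]", ["create", "delete"], True, "_x.a.example"),
    _change("aws_route53_record.v[\"b.example\"]", ["delete", "create"], True, "_x.b.example"),
    _change("aws_route53_record.v[\"c.example\"]", ["create", "delete"], False, "_x.c.example"),
    _change("aws_route53_record.v[\"d.example\"]", ["create", "delete"], True,
            "_x.d.example", "_X.d.example."),
]})

def _key(values):
    """Route 53 identity of a record: case-insensitive name without trailing dot, plus type."""
    return ((values.get("name") or "").rstrip(".").lower(), values.get("type"))

def find_overwrite_then_delete(plan_json):
    """Return [(address, reason)] for record replacements that can delete what they just wrote."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change") or {}
        # ["create", "delete"] is a create_before_destroy replacement;
        # ["delete", "create"] is the default destroy-first ordering.
        if rc.get("type") != "aws_route53_record" or change.get("actions") != ["create", "delete"]:
            continue
        before, after = change.get("before") or {}, change.get("after") or {}
        if not after.get("allow_overwrite"):
            continue  # without overwrite the create step fails on the conflict
        if (change.get("after_unknown") or {}).get("name") is True:
            findings.append((rc["address"], "name unknown at plan time"))
        elif _key(after) == _key(before):
            findings.append((rc["address"], "same name and type as replaced record"))
    return findings

if __name__ == "__main__":
    for address, reason in find_overwrite_then_delete(SAMPLE_PLAN):
        print(f"RISK {address}: {reason}")
```

A "name unknown at plan time" finding is a warning rather than a certainty: the record is only lost if the new name turns out to match the old one at apply time.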