hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: aws_lb_target_group with target_type of instance and ip_address_type of ipv6 gets created as ipv4 #35010

Open aslatter opened 6 months ago

aslatter commented 6 months ago

Terraform Core Version

1.6.6

AWS Provider Version

5.31.0

Affected Resource(s)

Expected Behavior

When I create a target-group with a target-type of "instance" and ip-address-type of "ipv6", the target-group should get created with an ip-address-type of "ipv6" (or there should be an error).

Actual Behavior

The target group gets created with an ip-address-type of "ipv4".

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

main.tf:


variable "region" {
  default = "us-east-1"
}

provider "aws" {
  region = var.region
}

resource "aws_vpc" "main" {

  cidr_block = "10.0.0.0/16"
  assign_generated_ipv6_cidr_block = true

  // https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html
  enable_dns_support   = true
  enable_dns_hostnames = true

  tags = {
    Name = "vpc"
  }
}

resource "aws_lb_target_group" "http" {
  name_prefix     = "http-"
  target_type     = "instance"
  protocol        = "TCP"
  port            = "80"
  ip_address_type = "ipv6"
  vpc_id          = aws_vpc.main.id

  lifecycle {
    // we can't delete a target-group if it's in-use by the
    // listener default-action.
    create_before_destroy = true
  }
}

Lockfile:

# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.

provider "registry.terraform.io/hashicorp/aws" {
  version = "5.31.0"
  hashes = [
  ]
}

Steps to Reproduce

Run terraform apply twice.

The first invocation will succeed, but the second invocation will re-create the target-group because its ip-address-type is "ipv4" not "ipv6". This re-creation will happen during every apply.

Debug Output

In the trace of the provider it looks like we're not specifying the ip-address-type in the CreateTargetGroup API-call:

2023-12-20T08:38:46.562-0600 [DEBUG] provider.terraform-provider-aws_v5.31.0_x5: HTTP Request Sent: @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.46/logger.go:109 aws.region=us-east-1 http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.6.6 (+https://www.terraform.io) terraform-provider-aws/5.31.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.49.2 (go1.20.11; linux; amd64)" rpc.service="Elastic Load Balancing v2" tf_req_id=6b855e46-61c3-64f3-421d-0670f6d3956f @module=aws rpc.method=CreateTargetGroup net.peer.name=elasticloadbalancing.us-east-1.amazonaws.com tf_mux_provider="*schema.GRPCProviderServer" tf_rpc=ApplyResourceChange http.flavor=1.1 http.request.header.content_type="application/x-www-form-urlencoded; charset=utf-8" http.request.header.authorization="AWS4-HMAC-SHA256 Credential=ASIA************GXGF/20231220/us-east-1/elasticloadbalancing/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-security-token, Signature=*****" http.request_content_length=149 tf_resource_type=aws_lb_target_group http.request.header.x_amz_security_token="*****" http.url=https://elasticloadbalancing.us-east-1.amazonaws.com/ rpc.system=aws-api http.method=POST
  http.request.body=
  | Action=CreateTargetGroup&Name=http-20231220143846117300000001&Port=80&Protocol=TCP&TargetType=instance&Version=2015-12-01&VpcId=vpc-0f3f08e00e4929dd1
   http.request.header.x_amz_date=20231220T143846Z tf_aws.sdk=aws-sdk-go tf_provider_addr=registry.terraform.io/hashicorp/aws timestamp=2023-12-20T08:38:46.561-0600
2023-12-20T08:38:47.116-0600 [DEBUG] provider.terraform-provider-aws_v5.31.0_x5: HTTP Response Received: aws.region=us-east-1 rpc.method=CreateTargetGroup tf_mux_provider="*schema.GRPCProviderServer" tf_provider_addr=registry.terraform.io/hashicorp/aws http.response.header.x_amzn_requestid=cc29345c-f9c7-430b-a43f-0203065a1f75 http.response_content_length=1191 tf_aws.sdk=aws-sdk-go tf_resource_type=aws_lb_target_group http.duration=554 http.response.header.content_type=text/xml http.response.header.date="Wed, 20 Dec 2023 14:38:46 GMT" @module=aws rpc.service="Elastic Load Balancing v2" tf_req_id=6b855e46-61c3-64f3-421d-0670f6d3956f tf_rpc=ApplyResourceChange http.status_code=200 rpc.system=aws-api @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.46/logger.go:157
  http.response.body=
  | <CreateTargetGroupResponse xmlns="http://elasticloadbalancing.amazonaws.com/doc/2015-12-01/">
  |   <CreateTargetGroupResult>
  |     <TargetGroups>
  |       <member>
  |         <HealthCheckEnabled>true</HealthCheckEnabled>
  |         <TargetGroupArn>arn:aws:elasticloadbalancing:us-east-1:261174026058:targetgroup/http-20231220143846117300000001/df97c2fd8960e06c</TargetGroupArn>
  |         <HealthCheckTimeoutSeconds>10</HealthCheckTimeoutSeconds>
  |         <HealthCheckPort>traffic-port</HealthCheckPort>
  |         <TargetType>instance</TargetType>
  |         <HealthCheckProtocol>TCP</HealthCheckProtocol>
  |         <TargetGroupName>http-20231220143846117300000001</TargetGroupName>
  |         <IpAddressType>ipv4</IpAddressType>
  |         <Protocol>TCP</Protocol>
  |         <Port>80</Port>
  |         <VpcId>vpc-0f3f08e00e4929dd1</VpcId>
  |         <HealthyThresholdCount>5</HealthyThresholdCount>
  |         <HealthCheckIntervalSeconds>30</HealthCheckIntervalSeconds>
  |         <UnhealthyThresholdCount>2</UnhealthyThresholdCount>
  |       </member>
  |     </TargetGroups>
  |   </CreateTargetGroupResult>
  |   <ResponseMetadata>
  |     <RequestId>cc29345c-f9c7-430b-a43f-0203065a1f75</RequestId>
  |   </ResponseMetadata>
  | </CreateTargetGroupResponse>
   timestamp=2023-12-20T08:38:47.116-0600

Panic Output

No response

Important Factoids

It might be related to this bit in target_group.go:

        if targetType == elbv2.TargetTypeEnumIp {
            if v, ok := d.GetOk("ip_address_type"); ok {
                input.IpAddressType = aws.String(v.(string))
            }
        }

That is, we only apply the ip_address_type argument for target-groups with an "ip" target-type.

The REST API docs for ELB don't mention this as a restriction of the IpAddressType argument, and the AWS Console seems to allow me to create an "instance" target-group as "ipv6".

References

No response

Would you like to implement a fix?

None
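A check for the mismatch visible in the trace above, as an added example that is not part of the original report or the provider's code: it parses a CreateTargetGroup request body and its XML response and reports whether the configured address type was sent and what the API returned. The helper name checkCreate is hypothetical; the sample request and the trimmed response are copied from the debug output in the report.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"net/url"
)

// Request body and trimmed response, copied from the debug trace in the report.
const reqBody = "Action=CreateTargetGroup&Name=http-20231220143846117300000001&Port=80&Protocol=TCP&TargetType=instance&Version=2015-12-01&VpcId=vpc-0f3f08e00e4929dd1"

const respBody = `<CreateTargetGroupResponse xmlns="http://elasticloadbalancing.amazonaws.com/doc/2015-12-01/">
  <CreateTargetGroupResult><TargetGroups><member>
    <TargetType>instance</TargetType>
    <IpAddressType>ipv4</IpAddressType>
  </member></TargetGroups></CreateTargetGroupResult>
</CreateTargetGroupResponse>`

type createResp struct {
	Groups []struct {
		IpAddressType string `xml:"IpAddressType"`
	} `xml:"CreateTargetGroupResult>TargetGroups>member"`
}

// checkCreate (hypothetical helper) reports whether the request carried
// IpAddressType=want, and which IpAddressType the API response returned.
func checkCreate(want, req, resp string) (sent bool, got string, err error) {
	form, err := url.ParseQuery(req)
	if err != nil {
		return false, "", err
	}
	if form.Get("Action") != "CreateTargetGroup" {
		return false, "", fmt.Errorf("not a CreateTargetGroup request")
	}
	sent = form.Get("IpAddressType") == want
	var r createResp
	if err := xml.Unmarshal([]byte(resp), &r); err != nil {
		return sent, "", err
	}
	if len(r.Groups) == 0 {
		return sent, "", fmt.Errorf("no target group in response")
	}
	return sent, r.Groups[0].IpAddressType, nil
}

func main() {
	sent, got, err := checkCreate("ipv6", reqBody, respBody)
	fmt.Printf("sent=%v returned=%q err=%v\n", sent, got, err)
}
```
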


alberhander commented 5 months ago

I'm experiencing the same limitation: I'm not able to create target groups of target_type instance with ip_address_type ipv6 using Terraform, while I can through the AWS console.

In my case I'm creating the target groups through the AWS ALB module but the behaviour is the same. This is a snippet of one of the target groups:

target_groups = {
  target_http = {
    name_prefix     = "http-"
    protocol        = "TCP"
    port            = 80
    target_type     = "instance"
    ip_address_type = "ipv6"
    vpc_id          = data.terraform_remote_state.vpc.outputs.vpc_id
    health_check = {
      enabled  = true
      protocol = "TCP"
    }
    create_attachment = false
  }
  ...
}

The target groups actually get created in ipv4 mode (see screenshot below), and every new terraform plan will show that the target groups are going to be re-created.

module.ingress_nlb.aws_lb_target_group.this["http"] must be replaced
+/- resource "aws_lb_target_group" "this" {
      ~ ip_address_type                    = "ipv4" -> "ipv6" # forces replacement

Screenshot from 2024-01-24 18-00-48

Reading the aws_lb_target_group resource documentation, it says this attribute is only supported when target_type is set to ip.

I wonder if there is a temporary workaround for this.

arianvp commented 3 months ago

Is there any plan to work on this? AWS started charging for IPv4 and it's not possible to create an autoscaling group with an IPv6 target group at the moment, which is rather annoying.

arianvp commented 3 months ago

Even if this would work, it's currently not possible to create an EC2 instance that is compatible with IPv6 target groups.

You can only add EC2 instances to an IPv6 target group that have a Primary IPv6 address. This feature is not implemented in Terraform. I opened a separate issue for that:

https://github.com/hashicorp/terraform-provider-aws/issues/36424