[Bug]: aws_lb_target_group is created before destruction

[speller]

Terraform Core Version

1.5.0

AWS Provider Version

5.25.0

Affected Resource(s)

aws_lb_target_group

Expected Behavior

When I change aws_lb_target_group parameters, it should be destroyed first.

Actual Behavior

TF tries to create new target group before destruction.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_lb_target_group" "group" {
  name = module.infra_name.name_hyphen
  port = var.port
  protocol = "HTTP"
  vpc_id = var.vpc_id
  health_check {
    enabled = true
    path = var.healthcheck.path
    protocol = "HTTP"
    port = var.port
    unhealthy_threshold = 3
    healthy_threshold = 2
    interval = var.healthcheck.interval
    timeout = var.healthcheck.timeout
  }
}

Steps to Reproduce

Make a change that requires aws_lb_target_group recreation

Debug Output

TF log:

Planning:

...
module.***.target_group.aws_lb_target_group.group: Refreshing state... [id=arn:aws:elasticloadbalancing:ap-northeast-1:***:targetgroup/rev-main-fe/81c1915b8d222f2f]
...

The target group is here and TF refreshed its state.

  # module.***.target_group.aws_lb_target_group.group must be replaced
+/- resource "aws_lb_target_group" "group" {
      ~ arn                                = "arn:aws:elasticloadbalancing:ap-northeast-1:***:targetgroup/rev-main-fe/81c1915b8d222f2f" -> (known after apply)
      ~ arn_suffix                         = "targetgroup/rev-main-fe/81c1915b8d222f2f" -> (known after apply)
      ~ connection_termination             = false -> (known after apply)
      ~ id                                 = "arn:aws:elasticloadbalancing:ap-northeast-1:***:targetgroup/rev-main-fe/81c1915b8d222f2f" -> (known after apply)
      ~ ip_address_type                    = "ipv4" -> (known after apply)
      ~ load_balancing_algorithm_type      = "round_robin" -> (known after apply)
      ~ load_balancing_cross_zone_enabled  = "use_load_balancer_configuration" -> (known after apply)
        name                               = "rev-main-fe"
      + name_prefix                        = (known after apply)
      ~ port                               = 3000 -> 8000 # forces replacement
      + preserve_client_ip                 = (known after apply)
      ~ protocol_version                   = "HTTP1" -> (known after apply)
        # (7 unchanged attributes hidden)
      ~ health_check {
          ~ matcher             = "200" -> (known after apply)
          ~ port                = "3000" -> "8000"
            # (7 unchanged attributes hidden)
        }
      - stickiness {
          - cookie_duration = 86400 -> null
          - enabled         = false -> null
          - type            = "lb_cookie" -> null
        }
      - target_failover {}
      - target_health_state {}
    }

Okay, we've changed the port number and the target group is set to be replaced. The name should be unique.

The first line on apply:

module.***.target_group.aws_lb_target_group.group: Creating...

But the old one was not deleted yet, so obviously we get the following error immediately:

│ Error: ELBv2 Target Group (rev-main-fe) already exists
│ 
│   with module.***.module.target_group.aws_lb_target_group.group,
│   on lb-target-group/main.tf line 13, in resource "aws_lb_target_group" "group":
│   13: resource "aws_lb_target_group" "group" {

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[speller]

The issue persists in all our deployments and not random

[justinretzolk]

Similar https://github.com/hashicorp/terraform/issues/24704

My initial thought is that the order that things are processed is handled by Terraform, so this would presumably be a Terraform issue. On the other hand, there might be something on the provider side that I'm unaware of, so leaving this open for further review.

[josefloressv]

Same issue with TF v1.8.0 and AWS provider 5.45.0

 # module.app_petclinic.aws_lb_target_group.main must be replaced
+/- resource "aws_lb_target_group" "main" {
...
      + name_prefix                        = (known after apply)
      ~ port                               = 3000 -> 8080 # forces replacement
...

module.app_petclinic.aws_lb_target_group.main: Creating...
╷
│ Error: ELBv2 Target Group (demoapp-dev-petclinic) already exists
│ 
│   with module.app_petclinic.aws_lb_target_group.main,
│   on modules/app/target_group.tf line 1, in resource "aws_lb_target_group" "main":

I also confirmed that the resource already exists in Terraform state

      "module": "module.app_petclinic",
      "mode": "managed",
      "type": "aws_lb_target_group",
      "name": "main",
      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",

[adrianmace]

Stumbled across this issue as I am seeing it with Fargate Profiles too. Same as the above:

[2024-06-17T07:17:25Z]   # module.karpenter.module.fargate_profile.aws_eks_fargate_profile.this[0] must be replaced
[2024-06-17T07:17:25Z] +/- resource "aws_eks_fargate_profile" "this" {
[2024-06-17T07:17:25Z]       ~ are                    = "arn:aws:eks:ap-southeast-2:xxxx:fargateprofile/xxxx-0c0a5653/karpenter/acc81268-d6c7-xxxx-74c3-c0f7c9cae2e9" -> (known after apply)
[2024-06-17T07:17:25Z]       ~ id                     = "xxxx-0c0a5653:karpenter" -> (known after apply)
[2024-06-17T07:17:25Z]       ~ status                 = "ACTIVE" -> (known after apply)
[2024-06-17T07:17:25Z]         tags                   = {
[2024-06-17T07:17:25Z]             "cluster_name"  = "xxxx-0c0a5653"
[2024-06-17T07:17:25Z]             "env"           = "dev"
[2024-06-17T07:17:25Z]         }
[2024-06-17T07:17:25Z]         # (5 unchanged attributes hidden)
[2024-06-17T07:17:25Z]
[2024-06-17T07:17:25Z]       - selector { # forces replacement
[2024-06-17T07:17:25Z]           - labels    = {} -> null
[2024-06-17T07:17:25Z]           - namespace = "karpenter" -> null
[2024-06-17T07:17:25Z]         }
[2024-06-17T07:17:25Z]       + selector { # forces replacement
[2024-06-17T07:17:25Z]           + labels    = {
[2024-06-17T07:17:25Z]               + "app.kubernetes.io/name" = "karpenter"
[2024-06-17T07:17:25Z]             }
[2024-06-17T07:17:25Z]           + namespace = "kube-system"
[2024-06-17T07:17:25Z]         }
[2024-06-17T07:17:25Z]
[2024-06-17T07:17:25Z]         # (1 unchanged block hidden)
[2024-06-17T07:17:25Z]     }
...
[2024-06-17T07:17:25Z] Plan: 3 to add, 8 to change, 3 to destroy.
[2024-06-17T07:17:26Z] module.karpenter.module.fargate_profile.aws_eks_fargate_profile.this[0]: Creating...
...
[2024-06-17T07:17:33Z] │ Error: creating EKS Fargate Profile (xxxx-0c0a5653:karpenter): operation error EKS: CreateFargateProfile, https response error StatusCode: 409, RequestID: xxxx-xxxx-4af5-8b5e-1da33ac26e42, api error ResourceInUseException: A Fargate Profile already exists with this name in this cluster.
--
  | [2024-06-17T07:17:33Z] │
  | [2024-06-17T07:17:33Z] │   with module.karpenter.module.fargate_profile.aws_eks_fargate_profile.this[0],
  | [2024-06-17T07:17:33Z] │   on .terraform/modules/karpenter.fargate_profile/modules/fargate-profile/main.tf line 85, in resource "aws_eks_fargate_profile" "this":
  | [2024-06-17T07:17:33Z] │   85: resource "aws_eks_fargate_profile" "this" {
  | [2024-06-17T07:17:33Z] │