hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Active replication configuration causes a "change" to be reported in a plan when no change has occurred #36811

Open pccowboy opened 3 months ago

pccowboy commented 3 months ago

Terraform Core Version

v1.6.2

AWS Provider Version

5.33.0

Affected Resource(s)

aws_efs_file_system

Expected Behavior

After the EFS file system replication was started, later plans on the same resources should not show any pending changes.

Actual Behavior

After the replication configuration is in place, the plan shows a pending change to the replication destination filesystem efs_2:

Terraform will perform the following actions:

  # aws_efs_file_system.efs_2 will be updated in-place
  ~ resource "aws_efs_file_system" "efs_2" {
        id                              = "<redacted>"
        tags                            = {
            "Application"  = ""
            "CreatedBy"    = "terraform"
            "Environment"  = "research"
            "Organization" = "org"
            "Terraform"    = "true"
            "name"         = "efs_org-research"
        }
        # (12 unchanged attributes hidden)

      ~ protection {
          ~ replication_overwrite = "REPLICATING" -> "DISABLED"
        }

        # (2 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

provider "aws" {
  region = "us-east-2"
  alias  = "primary_pop"
}

resource "aws_efs_file_system" "efs_1" {
  provider = aws.primary_pop

  creation_token = "efs_1"

  encrypted       = "false"
  throughput_mode = "bursting"

  lifecycle_policy {
    transition_to_ia = "AFTER_30_DAYS"
  }

  lifecycle_policy {
    transition_to_primary_storage_class = "AFTER_1_ACCESS"
  }

  protection {
    replication_overwrite = "ENABLED"
  }

  tags = merge(local.layer_globals.tags, {
    name = "efs_1"
    }
  )
}

resource "aws_efs_file_system" "efs_2" {
  provider = aws.primary_pop

  creation_token = "efs_2"

  encrypted       = "true"
  throughput_mode = "bursting"

  lifecycle_policy {
    transition_to_ia = "AFTER_30_DAYS"
  }

  lifecycle_policy {
    transition_to_primary_storage_class = "AFTER_1_ACCESS"
  }

  protection {
    replication_overwrite = "DISABLED"
  }

  tags = merge(local.layer_globals.tags, {
    name = "efs_2"
    }
  )

  # make sure efs_1 is created first for this example
  # IRL, efs_1 had been running for hours before efs_2 and the replication config were added
  depends_on = [
    aws_efs_file_system.efs_1
  ]
}

resource "aws_efs_replication_configuration" "efs" {
  provider = aws.primary_pop

  source_file_system_id = aws_efs_file_system.efs_1.id

  destination {
    file_system_id = aws_efs_file_system.efs_2.id
    region         = "us-east-2"
  }
}

Steps to Reproduce

  1. save the above configuration
  2. terraform apply
  3. terraform plan

Debug Output

No response

Panic Output

No response

Important Factoids

I'm sure we could add

  lifecycle {
    ignore_changes = [
      protection
    ]
  }

to efs_2 as a workaround, but hardcoding an exception seems a poor way to go. I think it would be better if Terraform reported this "change" as an expected state in the plan, so that an actual change still gets reported (instead of being blocked by the ignore_changes statement).

References

No response

Would you like to implement a fix?

No
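Added example (not part of the original issue and not the provider's code): a Python check over `terraform show -json <planfile>` output that separates the replication-only `REPLICATING` -> `DISABLED` diff reported above from any other pending change to an `aws_efs_file_system`, so real changes stay visible without `ignore_changes`. The sample plan is constructed, `efs_3` is a hypothetical resource, and the `protection` block is assumed to appear as a one-element list in the plan JSON.

```python
def _fs(address, before, after):
    """Build one constructed resource_changes entry for an in-place update."""
    return {"address": address, "type": "aws_efs_file_system",
            "change": {"actions": ["update"], "before": before, "after": after}}

# Constructed sample in the shape of `terraform show -json` (only the fields used here).
# efs_2 mirrors the plan in the issue; efs_3 is hypothetical and also has a real change.
SAMPLE_PLAN = {"resource_changes": [
    _fs("aws_efs_file_system.efs_2",
        {"throughput_mode": "bursting", "protection": [{"replication_overwrite": "REPLICATING"}]},
        {"throughput_mode": "bursting", "protection": [{"replication_overwrite": "DISABLED"}]}),
    _fs("aws_efs_file_system.efs_3",
        {"throughput_mode": "bursting", "protection": [{"replication_overwrite": "REPLICATING"}]},
        {"throughput_mode": "elastic", "protection": [{"replication_overwrite": "DISABLED"}]}),
]}

def _overwrite(state):
    """Return protection.replication_overwrite from a before/after object, or None."""
    blocks = (state or {}).get("protection") or []
    if isinstance(blocks, dict):  # tolerate a single-object encoding (assumption)
        blocks = [blocks]
    return blocks[0].get("replication_overwrite") if blocks else None

def classify(plan):
    """Split aws_efs_file_system updates into replication-only drift and real changes."""
    drift, real = [], []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "aws_efs_file_system" or change.get("actions") != ["update"]:
            continue
        before, after = change.get("before") or {}, change.get("after") or {}
        # Any top-level attribute that differs counts; values missing from
        # `after` also count, so the check errs towards reporting a real change.
        changed = {k for k in before.keys() | after.keys() if before.get(k) != after.get(k)}
        if changed == {"protection"} and _overwrite(before) == "REPLICATING":
            drift.append(rc["address"])  # file system is an active replication destination
        else:
            real.append((rc["address"], sorted(changed)))
    return drift, real

if __name__ == "__main__":
    drift, real = classify(SAMPLE_PLAN)
    print("replication-only drift:", drift)
    print("real changes:", real)
```

Run against a saved plan in CI, a non-empty `real` list means the plan carries changes beyond the replication state and needs review.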


amh-mw commented 1 month ago

This is a blocking behavior. Attempting to apply an affected plan with v5.40.0 errors out with:

│ Error: updating EFS file system (fs-REDACTED) protection: ReplicationAlreadyExists: ReplicationOverwriteProtection cannot be changed while the file system is a replication destination.