hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_cloudfront_distribution.single_region_api_key: diffs didn't match during apply #7954

Closed ghost closed 5 years ago

ghost commented 5 years ago

This issue was originally opened by @ThomasRogersDAZN as hashicorp/terraform#20703. It was migrated here as a result of the provider split. The original body of the issue is below.


Terraform Version

v0.11.11

Terraform Configuration Files

resource "aws_cloudfront_distribution" "single_region_api_key" {
  count   = "${!var.multi_region && var.custom_headers ? 1 : 0}"
  aliases = "${var.aliases}"

  origin {
    domain_name = "${var.origin_domain_name}"
    origin_path = "${var.origin_path}"
    origin_id   = "${var.origin_id}"

    custom_origin_config {
      http_port                = "${var.origin_http_port}"
      https_port               = "${var.origin_https_port}"
      origin_protocol_policy   = "https-only"
      origin_ssl_protocols     = "${var.origin_ssl_protocols}"
      origin_keepalive_timeout = "${var.origin_keepalive_timeout}"
      origin_read_timeout      = "${var.origin_read_timeout}"
    }

    custom_header {
      name  = "x-api-key"
      value = "${var.api_key}"
    }
  }

  enabled         = "${var.enabled}"
  is_ipv6_enabled = "${var.is_ipv6_enabled}"
  comment         = "${var.comment}"

  default_cache_behavior {
    allowed_methods  = "${var.allowed_methods}"
    cached_methods   = "${var.cached_methods}"
    target_origin_id = "${var.origin_id}"

    forwarded_values {
      query_string = true
      headers      = "${var.forwarded_headers}"

      cookies {
        forward = "none"
      }
    }

    min_ttl                = "${var.cache_ttl["min"]}"
    default_ttl            = "${var.cache_ttl["default"]}"
    max_ttl                = "${var.cache_ttl["max"]}"
    compress               = true
    viewer_protocol_policy = "redirect-to-https"
  }

  price_class = "PriceClass_All"

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn      = "${var.acm_certificate_arn}"
    minimum_protocol_version = "TLSv1_2016"
    ssl_support_method       = "sni-only"
  }

  web_acl_id = "${var.waf_protection == "Enabled" ? data.terraform_remote_state.secops.waf_web_acl_id : ""}"

  tags = "${
    merge(
      var.tags,
      map("WAFProtection", var.waf_protection)
    )
  }"
}

Crash Output

  Terraform Version: 0.11.11
    Resource ID: aws_cloudfront_distribution.single_region_api_key
    Mismatch reason: attribute mismatch: origin.3230331303.custom_header.#
    Diff One (usually from plan): *terraform.InstanceDiff{mu:sync.Mutex{state:0, sema:0x0}, Attributes:map[string]*terraform.ResourceAttrDiff{"origin.~4086050432.custom_origin_config.0.https_port":*terraform.ResourceAttrDiff{Old:"", New:"443", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.3230331303.custom_origin_config.0.origin_ssl_protocols.#":*terraform.ResourceAttrDiff{Old:"1", New:"0", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.3230331303.custom_origin_config.0.origin_ssl_protocols.3981581077":*terraform.ResourceAttrDiff{Old:"TLSv1.2", New:"", NewComputed:false, NewRemoved:true, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.~4086050432.custom_header.#":*terraform.ResourceAttrDiff{Old:"0", New:"1", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.~4086050432.custom_origin_config.0.http_port":*terraform.ResourceAttrDiff{Old:"", New:"80", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.3230331303.custom_header.#":*terraform.ResourceAttrDiff{Old:"1", New:"0", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.3230331303.custom_origin_config.0.origin_protocol_policy":*terraform.ResourceAttrDiff{Old:"https-only", New:"", NewComputed:false, NewRemoved:true, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.~4086050432.custom_origin_config.#":*terraform.ResourceAttrDiff{Old:"0", New:"1", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.~4086050432.origin_id":*terraform.ResourceAttrDiff{Old:"", New:"authentication-service-dev-origin-id", NewComputed:false, NewRemoved:false, 
NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.~4086050432.custom_header.615809506.name":*terraform.ResourceAttrDiff{Old:"", New:"x-api-key", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.3230331303.custom_origin_config.0.https_port":*terraform.ResourceAttrDiff{Old:"443", New:"0", NewComputed:false, NewRemoved:true, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.~4086050432.custom_origin_config.0.origin_ssl_protocols.#":*terraform.ResourceAttrDiff{Old:"0", New:"1", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.~4086050432.custom_header.615809506.value":*terraform.ResourceAttrDiff{Old:"", New:"**8***", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.3230331303.s3_origin_config.#":*terraform.ResourceAttrDiff{Old:"0", New:"0", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.3230331303.custom_header.615809506.value":*terraform.ResourceAttrDiff{Old:"****", New:"", NewComputed:false, NewRemoved:true, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.~4086050432.custom_origin_config.0.origin_keepalive_timeout":*terraform.ResourceAttrDiff{Old:"", New:"5", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.3230331303.custom_origin_config.#":*terraform.ResourceAttrDiff{Old:"1", New:"0", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.~4086050432.s3_origin_config.#":*terraform.ResourceAttrDiff{Old:"0", New:"0", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, 
"origin.3230331303.custom_origin_config.0.http_port":*terraform.ResourceAttrDiff{Old:"80", New:"0", NewComputed:false, NewRemoved:true, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.~4086050432.origin_path":*terraform.ResourceAttrDiff{Old:"", New:"${var.origin_path}", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.3230331303.origin_id":*terraform.ResourceAttrDiff{Old:"authentication-service-dev-origin-id", New:"", NewComputed:false, NewRemoved:true, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.~4086050432.domain_name":*terraform.ResourceAttrDiff{Old:"", New:"${var.origin_domain_name}", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.~4086050432.custom_origin_config.0.origin_protocol_policy":*terraform.ResourceAttrDiff{Old:"", New:"https-only", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.~4086050432.custom_origin_config.0.origin_read_timeout":*terraform.ResourceAttrDiff{Old:"", New:"30", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.3230331303.custom_header.615809506.name":*terraform.ResourceAttrDiff{Old:"x-api-key", New:"", NewComputed:false, NewRemoved:true, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.3230331303.domain_name":*terraform.ResourceAttrDiff{Old:"***execute-api.eu-central-1.amazonaws.com", New:"", NewComputed:false, NewRemoved:true, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.3230331303.origin_path":*terraform.ResourceAttrDiff{Old:"/dev", New:"", NewComputed:false, NewRemoved:true, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, 
"origin.~4086050432.custom_origin_config.0.origin_ssl_protocols.3981581077":*terraform.ResourceAttrDiff{Old:"", New:"TLSv1.2", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.3230331303.custom_origin_config.0.origin_read_timeout":*terraform.ResourceAttrDiff{Old:"30", New:"0", NewComputed:false, NewRemoved:true, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "origin.3230331303.custom_origin_config.0.origin_keepalive_timeout":*terraform.ResourceAttrDiff{Old:"5", New:"0", NewComputed:false, NewRemoved:true, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}}, Destroy:false, DestroyDeposed:false, DestroyTainted:false, Meta:map[string]interface {}(nil)}
    Diff Two (usually from apply): *terraform.InstanceDiff{mu:sync.Mutex{state:0, sema:0x0}, Attributes:map[string]*terraform.ResourceAttrDiff(nil), Destroy:false, DestroyDeposed:false, DestroyTainted:false, Meta:map[string]interface {}(nil)}

Expected Behavior

The CloudFront should have successfully updated.

Actual Behavior

The CloudFront fails to update, and an attribute mismatch happens.

Steps to Reproduce

Force a step to recreate the CloudFront (i.e. force changes to an API Gateway). Terraform apply these changes.

Additional Context

Terraform runs in a CI system, but the same problems occur locally.

bflad commented 5 years ago

Hi @ThomasRogersDAZN 👋

Sorry you ran into this confusing error and thank you for reporting it. There have been a lot of relevant changes in the Terraform Core and Terraform AWS Provider codebases since this issue was originally reported, so as a first step it might be best to try updating to recent versions of both and seeing if any of those updates may have resolved this issue.

Attempting to troubleshoot these types of errors is very difficult in Terraform 0.11 and earlier as those versions will report this problem ("diffs didn't match during apply" error) where a problematic configuration value exists or is referenced and not where the Terraform resource with the underlying problem actually exists. We typically will need much more information than the original error message suggests for filing the issue (e.g. the full Terraform configuration). There are also frequent issues in the Terraform 0.11 error reporting where the error message is due to behavior outside the control of the Terraform resources themselves (e.g. lifecycle configurations).

In Terraform 0.12 and later, the "value did not match" type of error can now be found with the newer "Provider produced inconsistent result after apply" error, which better reports the source of the problem so the provider maintainers and community can more easily work towards a fix of the issue. Other similar errors that fell previously into "diffs didn't match during apply" errors, but outside problems within the Terraform provider, are also better diagnosed before being displayed.

Since the majority of the Terraform code path and reporting structure of these errors has changed between Terraform 0.11 and 0.12, along with the difficult triage process in Terraform 0.11 and earlier, the maintainers prefer to close these older issues to continue troubleshooting and fixing based on Terraform 0.12's error reporting instead. I apologize for this unsatisfying closure of this particular version of the issue.

That said, if the configuration does happen to reproduce the newer "Provider produced inconsistent result after apply" error in Terraform 0.12 (which requires Terraform AWS Provider version 2.7.0 or later), please do not hesitate to file a new issue and complete all of the information requested in the Bug Report template so we can hopefully get to the root cause for fixing the issue. Thanks again for this bug report and sorry about the additional steps.

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!