0.9.9
```hcl
variable "subnets" {
  type = "list"
}

variable "aws_account_id" {}
variable "cert-elb" {}

resource "aws_elb" "example" {
  name     = "example"
  subnets  = ["${var.subnets}"]
  internal = true

  listener {
    instance_port      = "8443"
    instance_protocol  = "https"
    lb_port            = "443"
    lb_protocol        = "https"
    ssl_certificate_id = "arn:aws:iam::${var.aws_account_id}:server-certificate/${var.cert-elb}"
  }
}

resource "aws_load_balancer_policy" "example-ssl" {
  load_balancer_name = "${aws_elb.example.name}"
  policy_name        = "ssl-policy"
  policy_type_name   = "SSLNegotiationPolicyType"

  policy_attribute {
    name  = "Reference-Security-Policy"
    value = "ELBSecurityPolicy-TLS-1-2-2017-01"
  }

  // annoying workaround
  //lifecycle {
  //  ignore_changes = ["policy_attribute"]
  //}
}

resource "aws_load_balancer_listener_policy" "example" {
  load_balancer_name = "${aws_elb.example.name}"
  load_balancer_port = 443

  policy_names = [
    "${aws_load_balancer_policy.example-ssl.policy_name}",
  ]
}
```
The ELB policy should be created and subsequent plans shouldn't show it changing (unless it actually changed)
After applying, a plan will show the policy attributes that come from the referenced policy being removed. I would think that terraform.tfstate should have known about those as a result of the first apply.
```text
~ aws_load_balancer_policy.example-ssl
    policy_attribute.#:                  "15" => "1"
    policy_attribute.1157710355.name:    "ECDHE-RSA-AES128-SHA256" => ""
    policy_attribute.1157710355.value:   "true" => ""
    policy_attribute.1162508121.name:    "ECDHE-RSA-AES128-GCM-SHA256" => ""
    policy_attribute.1162508121.value:   "true" => ""
    policy_attribute.1374486838.name:    "ECDHE-ECDSA-AES256-GCM-SHA384" => ""
    policy_attribute.1374486838.value:   "true" => ""
    policy_attribute.1401804560.name:    "ECDHE-ECDSA-AES256-SHA384" => ""
    policy_attribute.1401804560.value:   "true" => ""
    policy_attribute.1636262000.name:    "ECDHE-ECDSA-AES128-GCM-SHA256" => ""
    policy_attribute.1636262000.value:   "true" => ""
    policy_attribute.1648049300.name:    "ECDHE-RSA-AES256-SHA384" => ""
    policy_attribute.1648049300.value:   "true" => ""
    policy_attribute.1958193559.name:    "ECDHE-ECDSA-AES128-SHA256" => ""
    policy_attribute.1958193559.value:   "true" => ""
    policy_attribute.1965037087.name:    "ECDHE-RSA-AES256-GCM-SHA384" => ""
    policy_attribute.1965037087.value:   "true" => ""
    policy_attribute.2179956068.name:    "Protocol-TLSv1.2" => ""
    policy_attribute.2179956068.value:   "true" => ""
    policy_attribute.2223865434.name:    "AES128-SHA256" => ""
    policy_attribute.2223865434.value:   "true" => ""
    policy_attribute.3306698813.name:    "AES256-GCM-SHA384" => ""
    policy_attribute.3306698813.value:   "true" => ""
    policy_attribute.3371002872.name:    "Server-Defined-Cipher-Order" => ""
    policy_attribute.3371002872.value:   "true" => ""
    policy_attribute.3454672421.name:    "AES256-SHA256" => ""
    policy_attribute.3454672421.value:   "true" => ""
    policy_attribute.3802307018.name:    "Reference-Security-Policy" => "Reference-Security-Policy"
    policy_attribute.3802307018.value:   "ELBSecurityPolicy-TLS-1-2-2017-01" => "ELBSecurityPolicy-TLS-1-2-2017-01"
    policy_attribute.4117911931.name:    "AES128-GCM-SHA256" => ""
    policy_attribute.4117911931.value:   "true" => ""
```
Steps to reproduce:

```shell
terraform apply
terraform plan
```
If I uncomment the lifecycle section, then it ignores further changes to the policy_attributes. The downside being that if I actually change them, I have to taint the resource for it to take effect.
I ran into this issue as part of a solution to the problem described in #822
I have the same issue using Terraform v0.9.11
Thanks for the workaround, that works for me.
Still having this issue, the workaround however sounds great
Please use something like https://github.com/terraform-providers/terraform-provider-aws/issues/1669#issuecomment-332018902 instead; lifecycle.ignore_changes is sweeping the problem under the rug instead of addressing it. It also won't help to fix the policy if it gets changed out from under you, accidentally or intentionally.
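The two concerns in this thread, the reporter's observation that the state never learns the attributes AWS expands from Reference-Security-Policy, and the maintainer's point that ignore_changes hides a policy that was changed out from under you, both come down to the same thing: neither the plan nor the state is a reliable record of what the listener actually negotiates. The check below is an added example, not code from the issue or from the AWS provider. It reads the policy attributes in the shape boto3's `elb.describe_load_balancer_policies()` and `elb.describe_load_balancers()` return them and flags drift from ELBSecurityPolicy-TLS-1-2-2017-01. The set of expected attributes is taken from the plan output in the issue; the sample responses are constructed, and the live lookup assumes the boto3 ELB client and valid AWS credentials.

```python
"""Check a classic ELB's SSL negotiation policy against the live API response,
independently of what terraform.tfstate records.

Added example for this thread, not code from the issue or the AWS provider.
Response shapes follow boto3's elb.describe_load_balancer_policies() and
elb.describe_load_balancers(); the sample data at the bottom is constructed.
"""

# Attributes AWS expands from Reference-Security-Policy =
# ELBSecurityPolicy-TLS-1-2-2017-01, as listed in the plan output in the issue.
TLS12_2017_01_ENABLED = frozenset({
    "Protocol-TLSv1.2", "Server-Defined-Cipher-Order",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
    "AES128-GCM-SHA256", "AES128-SHA256", "AES256-GCM-SHA384", "AES256-SHA256",
})

# Protocol attributes a TLS 1.2-only policy must leave disabled.
LEGACY_PROTOCOLS = frozenset({
    "Protocol-SSLv2", "Protocol-SSLv3", "Protocol-TLSv1", "Protocol-TLSv1.1",
})

EXPECTED_REF = "ELBSecurityPolicy-TLS-1-2-2017-01"


def ssl_policies(response):
    """Map each SSLNegotiationPolicyType policy to {AttributeName: AttributeValue}."""
    out = {}
    for desc in response.get("PolicyDescriptions", []):
        if desc.get("PolicyTypeName") != "SSLNegotiationPolicyType":
            continue  # stickiness / proxy-protocol policies are not checked here
        out[desc["PolicyName"]] = {a["AttributeName"]: a["AttributeValue"]
                                   for a in desc.get("PolicyAttributeDescriptions", [])}
    return out


def find_drift(attrs, expected_ref=EXPECTED_REF,
               enabled=TLS12_2017_01_ENABLED, forbidden=LEGACY_PROTOCOLS):
    """Return a list of findings; an empty list means the live policy matches intent."""
    findings = []
    ref = attrs.get("Reference-Security-Policy")
    if ref != expected_ref:
        findings.append("Reference-Security-Policy is %r, expected %r" % (ref, expected_ref))
    for name in sorted(enabled):
        if attrs.get(name, "false").lower() != "true":
            findings.append("%s is not enabled" % name)
    for name in sorted(forbidden):
        if attrs.get(name, "false").lower() == "true":
            findings.append("%s is enabled but must be off" % name)
    return findings


def check_listener(lb_description, policies_response, lb_port, expected_ref=EXPECTED_REF):
    """Check every SSL negotiation policy attached to the listener on lb_port.
    lb_description: one entry of DescribeLoadBalancers' LoadBalancerDescriptions."""
    by_name = ssl_policies(policies_response)
    for ld in lb_description.get("ListenerDescriptions", []):
        if ld["Listener"]["LoadBalancerPort"] != lb_port:
            continue
        attached = [n for n in ld.get("PolicyNames", []) if n in by_name]
        if not attached:
            return ["listener %d has no SSL negotiation policy attached" % lb_port]
        findings = []
        for name in attached:
            findings += ["%s: %s" % (name, f) for f in find_drift(by_name[name], expected_ref)]
        return findings
    return ["no listener on port %d" % lb_port]


def check_live(load_balancer_name, lb_port, region, expected_ref=EXPECTED_REF):
    """Live variant (needs AWS credentials); boto3 is imported lazily so the
    offline part of this file runs without it."""
    import boto3
    elb = boto3.client("elb", region_name=region)
    lb = elb.describe_load_balancers(LoadBalancerNames=[load_balancer_name])
    policies = elb.describe_load_balancer_policies(LoadBalancerName=load_balancer_name)
    return check_listener(lb["LoadBalancerDescriptions"][0], policies, lb_port, expected_ref)


def constructed_response(overrides):
    """Constructed DescribeLoadBalancerPolicies response mirroring the issue's setup."""
    attrs = {"Reference-Security-Policy": EXPECTED_REF}
    attrs.update({n: "true" for n in TLS12_2017_01_ENABLED})
    attrs.update({n: "false" for n in LEGACY_PROTOCOLS})
    attrs.update(overrides)
    return {"PolicyDescriptions": [{
        "PolicyName": "ssl-policy", "PolicyTypeName": "SSLNegotiationPolicyType",
        "PolicyAttributeDescriptions": [{"AttributeName": k, "AttributeValue": v}
                                        for k, v in attrs.items()]}]}


# Constructed listener description: port 443 with the issue's "ssl-policy" attached.
CONSTRUCTED_LB = {"ListenerDescriptions": [
    {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstancePort": 8443},
     "PolicyNames": ["ssl-policy"]}]}
COMPLIANT = constructed_response({})
# A console edit that lifecycle.ignore_changes would silently hide.
DRIFTED = constructed_response({"Protocol-TLSv1": "true", "AES128-SHA256": "false"})

if __name__ == "__main__":
    for label, resp in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(label, check_listener(CONSTRUCTED_LB, resp, 443) or ["ok"])
```

Run as a scheduled job (or in CI after `terraform apply`), `check_live("example", 443, "<region>")` compares the real listener policy to intent regardless of what state or ignore_changes say; any non-empty result is the drift the thread is worried about.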
Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.
If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!
I am experiencing this issue as well (not generally a fan of this sort of comment, but since this is still very much an active bug, I didn't want to get automatically closed).
Also seeing this issue. Any ideas when this can be resolved?