Terraform v0.10.4
```hcl
resource "aws_route53_record" "gold_endpoint_80" {
  name    = "gold.${var.sub_domain}"
  zone_id = "${var.route_zone_id}"
  type    = "CNAME"
  ttl     = "60"
  records = ["${aws_elb.gold.dns_name}"]
}
```
I've changed the resource name of that record from gold_endpoint_80 to gold_endpoint_lb.
terraform plan said it will do this:
```
Terraform will perform the following actions:

  - aws_route53_record.gold_endpoint_80

  + aws_route53_record.gold_endpoint_lb
      id:                 <computed>
      fqdn:               <computed>
      name:               "gold.XXXXXXX.XXX"
      records.#:          "1"
      records.1873753050: "internal-gold-s1-001-XXXXXXXXXXX.us-west-2.elb.amazonaws.com"
      ttl:                "60"
      type:               "CNAME"
      zone_id:            "XXXXXXXXXXX"
```
terraform apply plan did this:
```
aws_route53_record.gold_endpoint_80: Destroying... (ID: XXXXXXXXXXXX_gold.XXXXXXXX.XXX_CNAME)
aws_route53_record.gold_endpoint_lb: Creating...
  fqdn:               "" => "<computed>"
  name:               "" => "gold.XXXXXXX.XXX"
  records.#:          "" => "1"
  records.1873753050: "" => "internal-gold-s1-001-XXXXXXXXXXX.us-west-2.elb.amazonaws.com"
  ttl:                "" => "60"
  type:               "" => "CNAME"
  zone_id:            "" => "XXXXXXXXXX"
module.gold_cluster.aws_instance.main: Modifying... (ID: i-XXXXXXXXXXXXXXX)
  vpc_security_group_ids.#:          "0" => "1"
  vpc_security_group_ids.2810806768: "" => "sg-XXXXXXXXX"
module.gold_cluster.aws_instance.main: Modifications complete after 3s (ID: i-XXXXXXXXXXXXXXX)
aws_route53_record.gold_endpoint_80: Still destroying... (ID: XXXXXXXXXX_gold.XXXXXXXX.XXX_CNAME, 10s elapsed)
aws_route53_record.gold_endpoint_lb: Still creating... (10s elapsed)
aws_route53_record.gold_endpoint_80: Still destroying... (ID: XXXXXXXXXX_gold.XXXXXXXX.XXX_CNAME, 20s elapsed)
aws_route53_record.gold_endpoint_lb: Still creating... (20s elapsed)
aws_route53_record.gold_endpoint_80: Still destroying... (ID: XXXXXXXXXX_gold.XXXXXXXX.XXX_CNAME, 30s elapsed)
aws_route53_record.gold_endpoint_lb: Still creating... (30s elapsed)
aws_route53_record.gold_endpoint_80: Destruction complete after 37s
aws_route53_record.gold_endpoint_lb: Creation complete after 38s
```
I expected to find the same record in R53, since nothing changed except its internal Terraform name.
The record was gone. Deleted.
However, when I ran terraform plan again, it said this:
```
Terraform will perform the following actions:

  + aws_route53_record.gold_endpoint_lb
      id:                 <computed>
      fqdn:               <computed>
      name:               "gold.XXXXXXX.XXX"
      records.#:          "1"
      records.1873753050: "internal-gold-s1-001-XXXXXXXXXX.us-west-2.elb.amazonaws.com"
      ttl:                "60"
      type:               "CNAME"
      zone_id:            "XXXXXXXXXXXX"
```
And then terraform apply re-created it.
Create R53 record.
Change its name in the TF template. Plan. Apply. Boom, it's gone.
Hi @FlorinAndrei! Sorry for this confusing behavior.
Unfortunately I think what happened here is a race condition: Terraform planned to both destroy and create the same thing, and since the Route53 API doesn't distinguish between create and update for individual records, we ended up doing a "put" followed by a "delete" of the same name, leaving you with no record at all.
Ideally Terraform would've caught this at least by detecting that the record already exists during the create and failing, but the underlying API here does not support that.
To fix this properly would require Terraform to process both of these actions together and notice they both operate on the same name, but that's not currently supported within Terraform's model, so we'd need to make some core changes to make that work. We'll need to think some more about whether there's something we could do here to better detect and handle this situation.
For now, the correct approach when you rename a resource like this is to use terraform state mv to also update the state to match, which will then cause Terraform to see no difference between diff and state. In general Terraform does not detect renames, and will always handle such changes as a delete and a create, because it can't distinguish between these two situations.
While I agree that the behavior here is non-ideal, there isn't any practical action we can take for it for the foreseeable future, so I'm going to just mark this as "documentation" so we can include in the documentation for this resource the limitation around not being able to distinguish Create vs. Update, and the implications of that.
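An added example, not part of the thread and not Terraform's own code: a pre-apply check that flags a plan which destroys and creates the same Route53 record (the rename case described above) and prints the `terraform state mv` that avoids it. It assumes the JSON plan produced by `terraform show -json` in Terraform 0.12 and later, not the v0.10.4 text output shown in this issue; the sample plan, zone ID and domain are constructed placeholders.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output,
# reduced to the fields used here; zone ID and domain are placeholders.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_route53_record.gold_endpoint_80", "type": "aws_route53_record",
     "change": {"actions": ["delete"],
                "before": {"zone_id": "ZEXAMPLE", "name": "gold.example.test", "type": "CNAME"},
                "after": None}},
    {"address": "aws_route53_record.gold_endpoint_lb", "type": "aws_route53_record",
     "change": {"actions": ["create"], "before": None,
                "after": {"zone_id": "ZEXAMPLE", "name": "gold.example.test.", "type": "CNAME"}}},
    {"address": "aws_route53_record.other", "type": "aws_route53_record",
     "change": {"actions": ["create"], "before": None,
                "after": {"zone_id": "ZEXAMPLE", "name": "other.example.test", "type": "A"}}},
]})


def record_key(values):
    """Identity of a record set in Route53: (zone, name, type), or None if unknown."""
    if not values or not all(values.get(k) for k in ("zone_id", "name", "type")):
        return None  # e.g. zone_id is only known after apply
    # DNS names are case-insensitive and may carry a trailing dot; normalize both.
    return (values["zone_id"], values["name"].rstrip(".").lower(), values["type"].upper())


def find_rename_collisions(plan_json):
    """Return (old_address, new_address, key) for records deleted and created in one plan."""
    deleted, created = {}, {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "aws_route53_record":
            continue
        change = rc["change"]
        if change["actions"] == ["delete"]:
            key = record_key(change.get("before"))
            if key:
                deleted[key] = rc["address"]
        elif change["actions"] == ["create"]:
            key = record_key(change.get("after"))
            if key:
                created[key] = rc["address"]
    return [(deleted[k], created[k], k) for k in sorted(deleted.keys() & created.keys())]


def suggested_commands(plan_json):
    """Render the state move that turns the rename into a no-op instead of delete+create."""
    return [f"terraform state mv {old} {new}" for old, new, _ in find_rename_collisions(plan_json)]


if __name__ == "__main__":
    for cmd in suggested_commands(SAMPLE_PLAN):
        print("same record destroyed and created in one plan; run instead:", cmd)
```

Run as a gate between `terraform plan -out` and `terraform apply`; a non-empty result means the apply can leave the zone without the record.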
Ok, I understand the problem and I'll implement workarounds.
Just a comment - this is especially inconvenient because DNS records are exactly the kind of thing that you want to continue to exist while you change its value. E.g. when migrating from one load balancer to another, etc. I could imagine all kinds of high availability scenarios where this issue would be bad.
But I get it, this is hard to do currently with TF due to AWS API limitations.
Is there an update or workaround for this issue? I have a hosted zone created by the domain registrar and would like it to remain intact. However, when I import the hosted zone and try to create a record inside it, the hosted zone gets deleted and a new one is created along with the record. This does not serve the purpose, because the name servers created for the new hosted zone are different than the ones associated with my registered domain.
@saprakashh can you please open a separate issue filling out the issue template? We'll be looking for an example of your configuration as well as the output from terraform plan in your case
Hello, is there any update for this, any solution or workaround? @FlorinAndrei @apparentlymart
Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.
If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!