Terraform-provider-aws: Spurious diff on aws_load_balancer_policy using predefined security policy

Created on 4 Jan 2018 · 7 comments · Source: hashicorp/terraform-provider-aws

Terraform Version

Terraform v0.11.1

  • provider.aws v1.6.0
  • provider.consul v1.0.0

Affected Resource(s)

  • aws_load_balancer_policy

Terraform Configuration Files

# Attaches an SSL negotiation policy to an existing classic ELB and selects one
# of AWS's predefined security policies by name instead of listing ciphers.
# "foo" and "bar" are placeholder names from the report.
resource "aws_load_balancer_policy" "elb_policy" {
  count              = "1"
  load_balancer_name = "foo"
  policy_name        = "bar"
  policy_type_name   = "SSLNegotiationPolicyType"

  # Block syntax (no "=") is accepted by both Terraform 0.11 and 0.12+.
  policy_attribute {
    name  = "Reference-Security-Policy"
    value = "ELBSecurityPolicy-TLS-1-2-2017-01"
  }
}

Expected Behavior

We are specifying one of Amazon's predefined security policies as documented here: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html

Terraform should be able to work with one of these policies just like any other.

Actual Behavior

Terraform correctly applies the security policy, but subsequent calls to terraform plan show a spurious diff: https://gist.github.com/seanjfellows/3afc87ab00c0e164a10efeef29ad2a3b. The diff shows the fanned-out version of the policy (15 specific ciphers) being replaced with the single entry for the predefined security policy. But these two are in fact equivalent, and there is no semantic diff in reality.

Steps to Reproduce

  1. terraform plan
  2. terraform apply plan
  3. terraform plan
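The diff arises because the config expresses the policy as one Reference-Security-Policy attribute while DescribeLoadBalancerPolicies reads it back as the fanned-out list (every protocol, the cipher-order flag and every cipher with a "true"/"false" value), so a literal comparison never matches. The script below is an added illustration, not code from this issue or from terraform-provider-aws: it reduces both sides to the set of attributes they enable and reports a diff only when that set actually changes. The predefined policy's expansion can be fetched with `aws elb describe-load-balancer-policies --policy-names <name>` (without --load-balancer-name the API returns AWS's sample policies); the catalog and the JSON response embedded here are constructed, abbreviated stand-ins for that output, not the real policy body, and the function names are this example's own.

```python
"""Classify a plan diff on an aws_load_balancer_policy as spurious or real drift.

Added example, not provider code.  PREDEFINED and READBACK_OK are constructed,
abbreviated stand-ins for `aws elb describe-load-balancer-policies` output.
"""
import json

REFERENCE_ATTR = "Reference-Security-Policy"

# Constructed, abbreviated catalog: predefined policy -> attributes it enables.
# Assumption for the demo only; the real policy enables more ciphers.
PREDEFINED = {
    "ELBSecurityPolicy-TLS-1-2-2017-01": frozenset({
        "Protocol-TLSv1.2",
        "Server-Defined-Cipher-Order",
        "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-RSA-AES256-GCM-SHA384",
        "AES128-GCM-SHA256",
        "AES256-GCM-SHA384",
    }),
}

# Constructed sample of what DescribeLoadBalancerPolicies returns for a policy
# created via Reference-Security-Policy: the reference name is echoed back AND
# the policy is fanned out into per-attribute true/false values.
READBACK_OK = json.dumps({
    "PolicyDescriptions": [{
        "PolicyName": "bar",
        "PolicyTypeName": "SSLNegotiationPolicyType",
        "PolicyAttributeDescriptions": [
            {"AttributeName": REFERENCE_ATTR, "AttributeValue": "ELBSecurityPolicy-TLS-1-2-2017-01"},
            {"AttributeName": "Protocol-TLSv1", "AttributeValue": "false"},
            {"AttributeName": "Protocol-TLSv1.1", "AttributeValue": "false"},
            {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
            {"AttributeName": "Server-Defined-Cipher-Order", "AttributeValue": "true"},
            {"AttributeName": "ECDHE-RSA-AES128-GCM-SHA256", "AttributeValue": "true"},
            {"AttributeName": "ECDHE-RSA-AES256-GCM-SHA384", "AttributeValue": "true"},
            {"AttributeName": "AES128-GCM-SHA256", "AttributeValue": "true"},
            {"AttributeName": "AES256-GCM-SHA384", "AttributeValue": "true"},
            {"AttributeName": "DES-CBC3-SHA", "AttributeValue": "false"},
        ],
    }]
})


def enabled_attributes(describe_json: str) -> frozenset:
    """Reduce a DescribeLoadBalancerPolicies response to the attributes that are
    switched on.  The echoed Reference-Security-Policy entry is dropped: it is
    a label for the other attributes, not a setting of its own."""
    doc = json.loads(describe_json)
    descs = doc["PolicyDescriptions"][0]["PolicyAttributeDescriptions"]
    return frozenset(
        d["AttributeName"] for d in descs
        if d["AttributeName"] != REFERENCE_ATTR and d["AttributeValue"] == "true"
    )


def desired_attributes(policy_attribute: dict, catalog=PREDEFINED) -> frozenset:
    """Expand the Terraform-side policy_attribute map to the set it enables.
    A Reference-Security-Policy entry expands through the catalog; explicit
    "true" entries (the fanned-out style of config) are taken as-is."""
    enabled = set()
    for name, value in policy_attribute.items():
        if name == REFERENCE_ATTR:
            enabled |= catalog[value]  # unknown policy name raises KeyError on purpose
        elif value == "true":
            enabled.add(name)
    return frozenset(enabled)


def policy_drift(policy_attribute: dict, describe_json: str):
    """Return (missing, extra): attributes the config enables but AWS does not,
    and attributes AWS has enabled that the config does not ask for."""
    want = desired_attributes(policy_attribute)
    have = enabled_attributes(describe_json)
    return want - have, have - want


def is_spurious(policy_attribute: dict, describe_json: str) -> bool:
    """True when the plan diff carries no change in enabled protocols/ciphers."""
    missing, extra = policy_drift(policy_attribute, describe_json)
    return not missing and not extra


def with_attribute(describe_json: str, name: str, value: str) -> str:
    """Return a copy of the response with one attribute's value changed; used to
    simulate out-of-band edits (e.g. a cipher re-enabled in the console)."""
    doc = json.loads(describe_json)
    for d in doc["PolicyDescriptions"][0]["PolicyAttributeDescriptions"]:
        if d["AttributeName"] == name:
            d["AttributeValue"] = value
    return json.dumps(doc)


if __name__ == "__main__":
    config = {REFERENCE_ATTR: "ELBSecurityPolicy-TLS-1-2-2017-01"}
    print("spurious diff:", is_spurious(config, READBACK_OK))
    drifted = with_attribute(READBACK_OK, "DES-CBC3-SHA", "true")
    print("real drift (missing, extra):", policy_drift(config, drifted))
```

With the unmodified read-back the two representations collapse to the same set and the diff is reported as spurious; re-enabling DES-CBC3-SHA out of band shows up as an extra attribute, which is exactly the change the ignore_changes workaround further down would hide.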

Labels: bug, servicelb

All 7 comments

I'm having the exact same issue using 0.11.7, so it seems this has not been updated. With all the hype about moving away from TLS 1.0 and 1.1 to 1.2 only, this is probably annoying many people.

Still here in 2019. Is there any sort of workaround?

$ terraform -v
Terraform v0.11.13
+ provider.aws v2.4.0

Still happening on provider version 2.28. I have not gotten a chance to upgrade to Terraform 0.12 yet; does anyone know if that fixes it?

Confirmed that the issue still persists on Terraform 0.12.9 and provider version 2.31

Still a problem with 0.12.13. Is there any known workaround?

I have a sort of workaround by putting this in the policy resource:

  lifecycle {
    ignore_changes = [policy_attribute]
  }

However, this is not a very good solution, since now if I ever change the policy I need to manually taint the resource.

Verified still an issue with
Terraform v0.12.29
provider.aws v3.13.0
