Terraform-provider-aws: DynamoDB TTL Infinitely Out of Sync

Created on 20 Feb 2018  ·  20Comments  ·  Source: hashicorp/terraform-provider-aws

DynamoDB tables that have a ttl block with enabled = false will never be able to have their state in sync with the infrastructure.

Terraform Version

Terraform v0.11.3
+ provider.aws v1.9.0
+ provider.template v1.0.0

Affected Resource(s)

  • aws_dynamodb_table

Terraform Configuration Files

provider "aws" {
  region = "us-west-2"
}

resource "aws_dynamodb_table" "dynamodb-composite-gsi-composite" {
  count = 1
  name  = "glen-test-ignore"

  read_capacity  = 10
  write_capacity = 10
  hash_key       = "hi"
  range_key      = "me"

  attribute {
    name = "hi"
    type = "S"
  }

  attribute {
    name = "me"
    type = "N"
  }

  attribute {
    name = "x"
    type = "S"
  }

  attribute {
    name = "y"
    type = "N"
  }

  ttl {
    enabled        = false
    attribute_name = ""
  }

  global_secondary_index {
    name            = "glen-test"
    hash_key        = "x"
    range_key       = "y"
    write_capacity  = "10"
    read_capacity   = "10"
    projection_type = "ALL"
  }
}

Debug Output

https://gist.github.com/goakley/c682bf633544bc71cfbe4367df30bfbf

Expected Behavior

Terraform should have determined that no changes needed to be applied, since the DyanmoDB TTL feature is already disabled on the table.

Actual Behavior

Terraform wants to change the TTL to DISABLED, which will end up being a noop. If this is run (and it will succeed), Terraform will determine that the exact same set of changes will need to be made on the next Terraform run. That is, it will never think that the DynamoDB TTL feature is disabled even though it is.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply
  2. terraform apply

Important Factoids

This example is a simplified version of our production code, which references variables to set the enabled property of the ttl block. Many of our tables don't use TTL, so enabled is set to false, but this causes Terraform to forever think that the DynamoDB table is out of sync with the Terraform state.

References

None.

bug servicdynamodb
Source
picture goakley
👍36

Most helpful comment

Start having the issue with plugin 2.5.0.

- Downloading plugin for provider "aws" (2.5.0)...

The workaround by christhomas worked.

  ttl {
    # https://github.com/terraform-providers/terraform-provider-aws/issues/3463
    #attribute_name = "${var.ttl_attribute}"
    attribute_name = ""
    enabled        = "${var.enable_ttl}"
  }
picture oonisim on 8 Apr 2019
👍7

All 20 comments

I have same issue

Terraform v0.11.3
+ provider.aws v1.10.0
koooge picture koooge on 9 Mar 2018

+1
Terraform v0.11.7

  • provider.aws: version = "~> 1.21"
epetrovich picture epetrovich on 18 Jul 2018

+1
This issue is consistently reproducible and causes our terraform configuration to always be out of sync

tommahr picture tommahr on 13 Aug 2018

Still reproducible on terraform 0.11.8 and aws provider 1.38.

It appears to me that the issue is probably that the AWS API doesn't return the TTL information, so the tf aws provider doesn't know whether or not it changed.

If you run aws dynamodb describe-table --table-name <blah> you see there's no TTL information in the response. So, more like an AWS bug than a terraform provider bug?

moensch picture moensch on 27 Sep 2018
😕1 👎1

This is still an issue in 1.40.0:

22:10 MacOS: Oncall/ >$ terraform plan Terraform/
...
  ~ aws_dynamodb_table.oncall_incident_database
      ttl.#:                         "0" => "1"
      ttl.2557590691.attribute_name: "" => "TimeToExist"
      ttl.2557590691.enabled:        "" => "false"

  ~ aws_dynamodb_table.oncall_responder_database
      ttl.#:                         "0" => "1"
      ttl.2557590691.attribute_name: "" => "TimeToExist"
      ttl.2557590691.enabled:        "" => "false"
...
22:10 MacOS: Oncall/ >$ terraform version
Terraform v0.11.8
+ provider.archive v1.1.0
+ provider.aws v1.40.0
+ provider.docker v1.0.4
+ provider.null v1.0.0

22:10 MacOS: Oncall/ >$
unacceptable picture unacceptable on 18 Oct 2018

+1 

Terraform v0.11.8
+ provider.aws v1.37.0
tomasholderness picture tomasholderness on 6 Nov 2018

+1

Terraform v0.11.10 
provider.aws v1.35.0
louisbuchbinder picture louisbuchbinder on 8 Nov 2018

+1 

Terraform v0.11.10
provider.aws ~> 1.16
ChrisCooney picture ChrisCooney on 15 Nov 2018

Hi all! Posting a 👍 reaction on the original comment for this issue is the best way to indicate support for it, since we use reaction counts as an input to prioritization. Posting "+1" comments does not have that effect, and also creates notification noise for the people already following this issue.

bflad picture bflad on 15 Nov 2018
😄1

Hi @bflad - there's been a pull request open for this for months ( #3960 ), is there a reason that would be ignored in favour of the team itself triaging this?

goakley picture goakley on 15 Nov 2018
👍5

The fix for this has been merged and will release with version 2.1.0 of the Terraform AWS Provider, likely in the next day or two.

bflad picture bflad on 5 Mar 2019
🎉1

This has been released in version 2.1.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

bflad picture bflad on 8 Mar 2019
🎉1

I'm having this problem still with version 2.1.0

Initializing provider plugins...

  • Checking for available provider plugins on https://releases.hashicorp.com...
  • Downloading plugin for provider "aws" (2.1.0)...
  • Downloading plugin for provider "archive" (1.1.0)...

and at the end of terraform apply

  • aws_dynamodb_table.audit-log: error updating DynamoDB Table (audit-log) time to live: error updating DynamoDB Table (audit-log) Time To Live: ValidationException: TimeToLive is already disabled
christhomas picture christhomas on 8 Mar 2019

Seems that setting the attribute_name = "TimeToExist" like other examples solved the problem. I'm unsure why.

On the terraform docs, you have this example, which you can see the TTL attribute name is "TimeToExist" and this was causing the problem

https://www.terraform.io/docs/providers/aws/r/dynamodb_table.html

When I set the attribute_name = "" the problem went away

Not Working:

ttl {
attribute_name = "TimeToExist"
enabled = false
}

Working:

ttl {
attribute_name = ""
enabled = false
}

christhomas picture christhomas on 8 Mar 2019
👍4

Start having the issue with plugin 2.5.0.

- Downloading plugin for provider "aws" (2.5.0)...

The workaround by christhomas worked.

  ttl {
    # https://github.com/terraform-providers/terraform-provider-aws/issues/3463
    #attribute_name = "${var.ttl_attribute}"
    attribute_name = ""
    enabled        = "${var.enable_ttl}"
  }
oonisim picture oonisim on 8 Apr 2019
👍7

provider - aws version (2.20.0)
Workaround is assigning attribute_name to empty string but this should be addressed.
ttl {
attribute_name = ""
enabled = "false"
}

RANJITHRAJKUMAR picture RANJITHRAJKUMAR on 22 Jul 2019

However, setting attribute_name to "" means that changes to RW capacity settings are not picked up...
Catch22 ;-)

Ian-T-Price picture Ian-T-Price on 20 Sep 2019

This is still happening with ~> 2.21.0. Is there a newer version we should switch to?

djgoku picture djgoku on 23 Sep 2019

Can confirm this bug exists on the latest version:

Terraform v0.12.9
+ provider.aws v2.30.0
anthgur picture anthgur on 2 Oct 2019
👍1

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

hashibot[bot] picture hashibot[bot] on 1 Nov 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

hashibot picture hashibot  ·  3Comments
joelittlejohn picture joelittlejohn  ·  3Comments
reedloden picture reedloden  ·  3Comments
EmmN picture EmmN  ·  3Comments
hashibot picture hashibot  ·  3Comments