Terraform-provider-aws: Changing the name of an AWS Config Rule creates a duplicate rule

Created on 2 May 2018 · 2 Comments · Source: hashicorp/terraform-provider-aws

Terraform Version

+$ terraform -v
Terraform v0.11.7
+ provider.aws v1.16.0

Affected Resource(s)

  • aws_config_config_rule

Terraform Configuration Files

{
  "provider": {
    "aws": {
      "__DEFAULT__": {
        "region": "us-east-1"
      }
    }
  },
  "resource": {
    "aws_config_config_rule": {
      "jbstest-certcheck": {
        "name": "jbstest-certcheck",
        "source": {
          "owner": "AWS",
          "source_identifier": "ACM_CERTIFICATE_EXPIRATION_CHECK"
        }
      }
    }
  }
}

Debug Output

https://gist.github.com/jbscare/daa09aceb771e8d6cddcb9931d83e396

Expected Behavior

When I created a Config Rule with a name that had a typo, and then fixed the typo in the name, I expected the Rule's name to change.

Actual Behavior

Terraform created a second Config rule, leaving the old one around.

Steps to Reproduce

I started with no "jbstest" config rules:

+$ aws configservice describe-config-rules --query "ConfigRules[*].ConfigRuleName" | grep jbstest || echo none
none

I created one:

+$ cat jbstest.tf.json  
{
  "provider": {
    "aws": {
      "__DEFAULT__": {
        "region": "us-east-1"
      }
    }
  },
  "resource": {
    "aws_config_config_rule": {
      "jbstest-certcheck": {
        "name": "jbstest-cetrcehck",
        "source": {
          "owner": "AWS",
          "source_identifier": "ACM_CERTIFICATE_EXPIRATION_CHECK"
        }
      }
    }
  }
}

+$ terraform apply 
aws_config_config_rule.jbstest-certcheck: Refreshing state... (ID: jbstest-certcheck)

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  + aws_config_config_rule.jbstest-certcheck
      id:                         <computed>
      arn:                        <computed>
      name:                       "jbstest-cetrcehck"
      rule_id:                    <computed>
      source.#:                   "1"
      source.0.owner:             "AWS"
      source.0.source_identifier: "ACM_CERTIFICATE_EXPIRATION_CHECK"


Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_config_config_rule.jbstest-certcheck: Creating...
  arn:                        "" => "<computed>"
  name:                       "" => "jbstest-cetrcehck"
  rule_id:                    "" => "<computed>"
  source.#:                   "0" => "1"
  source.0.owner:             "" => "AWS"
  source.0.source_identifier: "" => "ACM_CERTIFICATE_EXPIRATION_CHECK"
aws_config_config_rule.jbstest-certcheck: Creation complete after 0s (ID: jbstest-cetrcehck)

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Now I've got a jbstest Config Rule:

+$ aws configservice describe-config-rules --query "ConfigRules[*].ConfigRuleName" | grep jbstest || echo none  
    "jbstest-cetrcehck",

I spot a typo in the name, and fix my .tf.json file:

+$ cat jbstest.tf.json  
{
  "provider": {
    "aws": {
      "__DEFAULT__": {
        "region": "us-east-1"
      }
    }
  },
  "resource": {
    "aws_config_config_rule": {
      "jbstest-certcheck": {
        "name": "jbstest-certcheck",
        "source": {
          "owner": "AWS",
          "source_identifier": "ACM_CERTIFICATE_EXPIRATION_CHECK"
        }
      }
    }
  }
}

The only difference from before is the 'name' parameter. terraform plan looks good, it just wants to change the name:

+$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

aws_config_config_rule.jbstest-certcheck: Refreshing state... (ID: jbstest-cetrcehck)

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ aws_config_config_rule.jbstest-certcheck
      name: "jbstest-cetrcehck" => "jbstest-certcheck"


Plan: 0 to add, 1 to change, 0 to destroy.

------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.

I apply that:

+$ terraform apply
aws_config_config_rule.jbstest-certcheck: Refreshing state... (ID: jbstest-cetrcehck)

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ aws_config_config_rule.jbstest-certcheck
      name: "jbstest-cetrcehck" => "jbstest-certcheck"


Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_config_config_rule.jbstest-certcheck: Modifying... (ID: jbstest-cetrcehck)
  name: "jbstest-cetrcehck" => "jbstest-certcheck"
aws_config_config_rule.jbstest-certcheck: Modifications complete after 0s (ID: jbstest-certcheck)

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

But now I've got two jbstest Config Rules:

+$ aws configservice describe-config-rules --query "ConfigRules[*].ConfigRuleName" | grep jbstest || echo none
    "jbstest-certcheck",
    "jbstest-cetrcehck",

Important Factoids

none

References

none

bug service/configservice

All 2 comments

Can confirm this is still an issue on 2.23.

It would seem the fix here is to make a name change on the resource force recreation.

Any chances for resolution? This bug is also available on:
Terraform v0.12.13
provider.aws v2.39.0
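
An added example, not part of the issue thread or the provider's code: while a rename is applied in place, the old rule from the reproduction above stays live but is no longer tracked in state. This Python sketch compares `terraform show -json` output (available from Terraform 0.12) with `aws configservice describe-config-rules` output and flags live rules missing from state, marking those that share a source with a managed rule. The embedded JSON is constructed sample data and the function names are hypothetical.

```python
import json

# Constructed sample: `terraform show -json` after the rename was applied.
STATE_JSON = json.dumps({"values": {"root_module": {"resources": [{
    "address": "aws_config_config_rule.jbstest-certcheck",
    "mode": "managed", "type": "aws_config_config_rule",
    "values": {"name": "jbstest-certcheck", "source": [
        {"owner": "AWS", "source_identifier": "ACM_CERTIFICATE_EXPIRATION_CHECK"}]},
}]}}})

ACM = {"Owner": "AWS", "SourceIdentifier": "ACM_CERTIFICATE_EXPIRATION_CHECK"}
# Constructed sample: `aws configservice describe-config-rules` output.
LIVE_JSON = json.dumps({"ConfigRules": [
    {"ConfigRuleName": "jbstest-certcheck", "Source": ACM},
    {"ConfigRuleName": "jbstest-cetrcehck", "Source": ACM},
    {"ConfigRuleName": "other-team-rule",
     "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_VERSIONING_ENABLED"}},
]})


def managed_rules(state_json):
    """Map rule name -> (owner, source_identifier) for Config rules in state."""
    found = {}

    def walk(module):
        for res in module.get("resources", []):
            if res.get("mode") == "managed" and res.get("type") == "aws_config_config_rule":
                vals = res["values"]
                src = (vals.get("source") or [{}])[0]
                found[vals["name"]] = (src.get("owner"), src.get("source_identifier"))
        for child in module.get("child_modules", []):
            walk(child)  # rules declared inside modules

    walk(json.loads(state_json).get("values", {}).get("root_module", {}))
    return found


def orphaned_rules(state_json, live_json):
    """Live rules absent from state, with managed rules that share their source."""
    managed = managed_rules(state_json)
    report = []
    for rule in json.loads(live_json).get("ConfigRules", []):
        name = rule["ConfigRuleName"]
        if name in managed:
            continue
        src = (rule["Source"].get("Owner"), rule["Source"].get("SourceIdentifier"))
        twins = sorted(n for n, s in managed.items() if s == src)
        report.append({"name": name, "likely_rename_leftover": bool(twins),
                       "same_source_as": twins})
    return report
```

A rule flagged with `likely_rename_leftover` is only a candidate: confirm it is not managed by another workspace or team before deleting it.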
