Terraform-provider-aws: aws_lb_target_group & aws_lb ValidationError : not a valid ARN

Hi There,
Any update on this.? Why this error is coming.?

@micemuni can you please provide additional information about your situation?

• Are these new resources? Were they just imported? Did this problem just start with existing resources?
• Can you provide the associated Terraform configuration?

The errors you are seeing are coming from the AWS API:

ValidationError: 'arn:aws:elasticloadbalancing:us-east-1:xxxxxxxxxxxxx:targetgroup/xxxxxx-us1-alb-target/ebde06216a600581' is not a valid target group ARN

ValidationError: 'arn:aws:elasticloadbalancing:us-east-1:xxxxxxxxxxxxxxxxx:loadbalancer/net/xxxxxxx-us1-nlb/f65622b3c4d1bc7c' is not a valid load balancer ARN

It likely points to an issue with your Terraform configuration or how you are invoking Terraform to select the wrong AWS region. Double check your provider configuration is set to region = "us-east-1", that the AWS_DEFAULT_REGION environment variable is set to us-east-1, or if you have an AWS configuration file with a configuration profile that the profile set to region=us-east-1.

@bflad We are experiencing the same error. Have verified the provider and AWS config files are both set to us-east-1.

Has this problem been seen with other regions?

Has this problem been seen with other regions?

Not that I'm aware of.

Can you please provide additional details about the situation in which this happens? Are these new or existing resources? Are the ARNs hardcoded or coming from another resource/datasource?

I wish I could paste in the details, but the errors were from a student in a workshop of mine. We moved him to a different region and were able to proceed. (That may be pure luck & superstition!)

The resources were all new, declared in the .tf files. The ARNs were being pulled from other resources being created in the same plan.

I'm seeing the same issue here. Unfortunately I do not have the luxury of changing regions as the configs are based around other accounts/resources within the us-east-1 region.

To get around the problem noted above, I migrated to manually creating my load balancers and targets then copying the ARNs from the AWS console. I now see the following error. Can we please get an update on this ASAP, it is blocking work.

* aws_lb_target_group_attachment.https: Error registering targets with target group: ValidationError: 'arn:aws:elasticloadbalancing:us-east-1:xxxxxxxxxxxx:targetgroup/github-enterprise-https/xxxxxxxxxxxxxxxx' must be in ARN format

The code block which defines the resource is here:

resource "aws_lb_target_group_attachment" "https" {
  target_group_arn = "${lookup(var.lb_target_groups, "https.arn")}"
  target_id        = "${aws_instance.ghe-server.id}"
  port             = "${lookup(var.lb_target_groups, "https.port")}"
}

Hi @bflad (Nice to see you!)

I am also experiencing the same issue. This is in the eu-central-1 region though, not us-east-1. I am standing up stacks with multiple ALBs and an ELB. This error is from a stack that I stood up yesterday. I verified the ARNs are correct in the tfstate file, but I get the same issue as described by prior posters:

aws_lb_target_group.classroom_alb_tg_discovery: aws_lb_target_group.classroom_alb_tg_discovery: Error retrieving Target Group: ValidationError: 'arn:aws:elasticloadbalancing:eu-central-1:AWSACCOUNT:targetgroup/<omitted>DISCOVERY/9a85528048bbed0f' is not a valid target group ARN\n" status code: 400, request id: 3c788ba1-a6e3-11e8-af30-7b9ac7070e31\n' aws_lb.classroom_alb_discovery: aws_lb.classroom_alb_discovery: Error retrieving ALB: ValidationError: 'arn:aws:elasticloadbalancing:eu-central-1:AWSACCOUNT:loadbalancer/app/<omitted>-DISCOVERY/13d73ed7c7b4f985' is not a valid load balancer ARN\n" status code: 400, request id: 3cff95df-a6e3-11e8-b41c-e1371c5b2c6f\n' aws_lb.classroom_alb_master: aws_lb.classroom_alb_master: Error retrieving ALB: ValidationError: 'arn:aws:elasticloadbalancing:eu-central-1:AWSACCOUNT:loadbalancer/app/<omitted>-MASTER/3313fc34b1f6df21' is not a valid load balancer ARN\n" status code: 400, request id: 3d661fd6-a6e3-11e8-bff4-3170ca5ab773\n' aws_lb.classroom_alb_welcome: aws_lb.classroom_alb_welcome: Error retrieving ALB: ValidationError: 'arn:aws:elasticloadbalancing:eu-central-1:AWSACCOUNT:loadbalancer/app/<omitted>-WELCOME/e0f2b4d44c696613' is not a valid load balancer ARN\n" status code: 400, request id: 3d051407-a6e3-11e8-8bb6-3b639bc542e2\n' aws_lb.classroom_alb_gitlab: aws_lb.classroom_alb_gitlab: Error retrieving ALB: ValidationError: 'arn:aws:elasticloadbalancing:eu-central-1:AWSACCOUNT:loadbalancer/app/<omitted>-GITLAB/6edaffefe6394347' is not a valid load balancer ARN\n" status code: 400, request id: 3d5ef3ee-a6e3-11e8-8bb6-3b639bc542e2\n' aws_lb_target_group.classroom_alb_tg_master_8170: aws_lb_target_group.classroom_alb_tg_master_8170: Error retrieving Target Group: ValidationError: 'arn:aws:elasticloadbalancing:eu-central-1:AWSACCOUNT:targetgroup/<omitted>M-1870/eaac9a97957d5bd9' is not a valid target group ARN\n" status code: 400, request id: 3c761a51-a6e3-11e8-bff4-3170ca5ab773\n' aws_lb_target_group.classroom_alb_tg_welcome: aws_lb_target_group.classroom_alb_tg_welcome: Error retrieving Target Group: ValidationError: 'arn:aws:elasticloadbalancing:eu-central-1:AWSACCOUNT:targetgroup/<omitted>WELCOME/489e264f4faaf084' is not a valid target group ARN\n" status code: 400, request id: 3c777a11-a6e3-11e8-b73a-313bc5ad8ac9\n' aws_lb_target_group.classroom_alb_tg_gitlab: aws_lb_target_group.classroom_alb_tg_gitlab: Error retrieving Target Group: ValidationError: 'arn:aws:elasticloadbalancing:eu-central-1:AWSACCOUNT:targetgroup/<omitted>GITLAB/8e3d5f2a088c384d' is not a valid target group ARN\n" status code: 400, request id: 3c844b24-a6e3-11e8-8bb6-3b639bc542e2\n' aws_lb_target_group.classroom_alb_tg_master: aws_lb_target_group.classroom_alb_tg_master: Error retrieving Target Group: ValidationError: 'arn:aws:elasticloadbalancing:eu-central-1:AWSACCOUNT:targetgroup/<omitted>MASTER/be485603d385931b' is not a valid target group ARN\n"

The interesting thing is this error is happening on a docker container running Terraform on Linux yet I've created and destroyed tons of stacks in the last few weeks with the same process.

When I execute the destroy from my Mac, it worked. Both binaries are at 0.11.7

I know that AWS has lengthened the ARN IDs for a variety of resource types, changing their pattern. Could something like this be the culprit?

Probably the same issue in the eu-west-1 region.

* aws_lb.vault_nlb: aws_lb.vault_nlb: Error retrieving ALB: ValidationError: 'arn:aws:elasticloadbalancing:eu-west-1:<ommited>:loadbalancer/net/vault-elb-prod-1-nlb/<ommited>' is not a valid load balancer ARN
    status code: 400, request id: <ommited>
* aws_lb_target_group.vault_nlb: 1 error(s) occurred:

* aws_lb_target_group.vault_nlb: aws_lb_target_group.vault_nlb: Error retrieving Target Group: ValidationError: 'arn:aws:elasticloadbalancing:eu-west-1:<ommited>:targetgroup/vault-prod-1-nlb/<ommited>' is not a valid target group ARN
    status code: 400, request id: <ommited>

For me the problem was the AWS credential, because I had used two profiles.
I had changed the provider to correct profile and worked fine.

[default]
aws_access_key_id = <secret>
aws_secret_access_key = <secret>
[my_profile]
aws_access_key_id = <secret>
aws_secret_access_key = <secret>

provider "aws" {
  region  = "${var.region}"
  profile = "my_profile"
}

I had this problem with code like the above:

  target_group_arn = "${lookup(var.lb_target_groups, "https.arn")}"
  target_id        = "${aws_instance.ghe-server.id}"

I switched target_id to use an arn instead and it worked

  target_group_arn = "${lookup(var.lb_target_groups, "https.arn")}"
  target_id        = "${aws_instance.ghe-server.arn}" // here

so, for a lambda, target_id should be the arn of the lambda, not the id

Just chiming in... This happened to me when i was using vars in my provider definition. I've noticed lots of inconsistencies if my provider has things like region = var.region in this case I hardcoded the region, same error. I was using assume_role in the provider and the role_arn was in a module that had an account_id var in the arn. When I replaced the assume_role arn with a hardcoded account number everything worked as expected.

I followed @ahaynssen @gavD @dtelaroli all three approaches but still, I receive the same errors again and again.

Error: Error retrieving Target Group: ValidationError: 'arn:aws:elasticloadbalancing:eu-west-1:01234567890:targetgroup/dev1-web-to-http/5e7a9da3057bc30c' is not a valid target group ARN
        status code: 400, request id: 62d7fc52-0636-4c79-a43e-ab2444e8a29d

/// etc
[2020/09/15 12:37:58] Plan complete

I am facing the same issue as well. I checked the ARNs in both the remote state and the console and they seems to be matching. any workaround is appreciated.