Terraform-provider-aws: ALB Target Group non-existent proxy_protocol_v2 option in resource wants to update the resource

Created on 2 Jul 2018 · 7 Comments · Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.7

  • provider.aws v1.22.0

Previous provider.aws v1.14.1

Affected Resource(s)

  • aws_lb_target_group

Terraform Configuration Files

```hcl
resource "aws_lb_target_group" "alb_tgrp_pre_nz" {
  name     = "${var.project}-alb-tgrp-pre-nz"
  port     = 80
  protocol = "HTTP"
  vpc_id   = "${aws_vpc.main.id}"

  deregistration_delay = 120

  health_check {
    protocol            = "HTTP"
    path                = "/config.php"
    healthy_threshold   = 4
    unhealthy_threshold = 2
    timeout             = 5
    interval            = 10
    matcher             = "200"
  }

  stickiness {
    type            = "lb_cookie"
    cookie_duration = 600
  }
}
```

Output

```
~ update in-place

Terraform will perform the following actions:

  ~ aws_lb_target_group.**
      proxy_protocol_v2: "" => "false"

  ~ aws_lb_target_group.**
      proxy_protocol_v2: "" => "false"
```

Expected Behavior

I expect that there is no change to the resource

Actual Behavior

Will try to update the resource (well, actually not tried, but this is what it may do)

Steps to Reproduce

  1. Create an ALB target group with provider version 1.14.1
  2. Update provider to 1.22
  3. `terraform plan`

Important Factoids

With aws CLI json, we see there is no proxy_protocol_v2 key:

```
aws elbv2 describe-target-groups --names **
{
    "TargetGroups": [
        {
            "HealthCheckPath": "/config.php",
            "HealthCheckIntervalSeconds": 10,
            "VpcId": "*",
            "Protocol": "HTTP",
            "HealthCheckTimeoutSeconds": 5,
            "TargetType": "instance",
            "HealthCheckProtocol": "HTTP",
            "LoadBalancerArns": [
                "****"
            ],
            "UnhealthyThresholdCount": 2,
            "HealthyThresholdCount": 4,
            "TargetGroupArn": "*******",
            "Matcher": {
                "HttpCode": "200"
            },
            "HealthCheckPort": "traffic-port",
            "Port": 80,
            "TargetGroupName": "****"
        }
    ]
}
```

bug servicelbv2

All 7 comments

So... I finally wanted to check if it changed something to the resources.

So I applied the config, and the answer is no, at least using AWS provider 1.25.0.

So my understanding is we can 'ignore' the fact terraform is telling us it will update the resource

Edit:
However, it effectively adds:
"proxy_protocol_v2": "false",
to the tfstate file.

But the resource on AWS seems untouched (or maybe it re-applied the config?)
There is no proxy_protocol_v2 key using aws elbv2 describe-target-groups --names (which is fine for my case)

To me it should just update the tfstate file, but without telling us it wants to update the resource on AWS

@hegyre it was vital it told me this, as I had TF created LBs that had proxy_protocol_v2 enabled. When I upgraded to v1.22, like you it planned to set those to false, and add them to the tfstate as false! I had to update the TF configuration files to include proxy_protocol_v2 as true and then apply it, to prevent the upgrade breaking the infrastructure.

> To me it should just update the tfstate file, but without telling us it wants to update the resource on AWS

Whereas to me it was utterly vital that it told me it wanted to ruin my day 😄

@whereisaaron ok I agree with you, in this case it's useful.
However, you said that you created LBs with Terraform, so then how did you enable the proxy_protocol_v2 before 1.22? I assume it was manually?

@hegyre yes, before there was support, I created the LBs with Terraform and then separately enabled proxy_protocol_v2. It would be nice if Terraform attempted to bootstrap missing values from AWS, but I wasn't upset it defaulted to 'false' - because at least it told me it was about to apply those defaults.

Yes, for your case, Terraform should have shown true => false, because Terraform refreshes the state during the plan.
In this case this is helpful.

But for my case, it was "" => false, which is nonsense

Some information that may be useful from the docs:

The following attributes are supported by only Network Load Balancers:

  • proxy_protocol_v2.enabled - Indicates whether Proxy Protocol version 2 is enabled. The value is true or false. The default is false.

If you run aws elbv2 describe-target-group-attributes against an ALB you will not see anything about proxy_protocol_v2 in the output. Given this information and the conversation above I suspect @hegyre is using ALBs while @whereisaaron is using NLBs.

Perhaps this should only be set on Network Load Balancers?

Temporary workaround

Adding a lifecycle block with ignore_changes for proxy_protocol_v2 in the aws_alb_target_group resource will stop prompting for the change when terraform plan or terraform apply are executed.

```hcl
lifecycle {
  ignore_changes = ["proxy_protocol_v2"]
}
```
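A pre-upgrade check for the two cases discussed in this thread, as an added example that is not part of the original issue or the provider's code: it reads the live `proxy_protocol_v2.enabled` attribute per target group and reports whether the planned `=> "false"` change only records a default in state or would switch off a setting that was enabled outside Terraform. The sample data is constructed in the shape of the `aws elbv2 describe-target-groups` and `aws elbv2 describe-target-group-attributes` output; the names, ARNs and the `classify`/`audit` helpers are assumptions for illustration.

```python
import json

# Constructed sample in the shape of `aws elbv2 describe-target-groups` output;
# names and ARNs are placeholders, not values from the issue.
TARGET_GROUPS = json.loads("""
{"TargetGroups": [
  {"TargetGroupName": "example-alb-tg", "TargetGroupArn": "arn:example:alb-tg"},
  {"TargetGroupName": "example-nlb-tg-pp", "TargetGroupArn": "arn:example:nlb-tg-pp"},
  {"TargetGroupName": "example-nlb-tg", "TargetGroupArn": "arn:example:nlb-tg"}
]}
""")["TargetGroups"]

# Constructed per-ARN results in the shape of
# `aws elbv2 describe-target-group-attributes` ("Attributes": [{Key, Value}]).
ATTRIBUTES = {
    "arn:example:alb-tg": [
        {"Key": "deregistration_delay.timeout_seconds", "Value": "120"},
    ],
    "arn:example:nlb-tg-pp": [
        {"Key": "proxy_protocol_v2.enabled", "Value": "true"},
    ],
    "arn:example:nlb-tg": [
        {"Key": "proxy_protocol_v2.enabled", "Value": "false"},
    ],
}


def classify(attrs):
    """Map live attributes to the action needed before the provider upgrade."""
    live = {a["Key"]: a["Value"] for a in attrs}.get("proxy_protocol_v2.enabled")
    if live is None:
        # Attribute not reported at all (the ALB case described in the thread).
        return "absent: plan diff only records the default in state"
    if live == "true":
        # Enabled out of band: applying the defaulted plan would turn it off.
        return "enabled: set proxy_protocol_v2 = true in config before apply"
    return "disabled: already matches the provider default"


def audit(groups, attributes):
    """Return {target group name: action} for every target group."""
    return {
        g["TargetGroupName"]: classify(attributes.get(g["TargetGroupArn"], []))
        for g in groups
    }


if __name__ == "__main__":
    for name, action in audit(TARGET_GROUPS, ATTRIBUTES).items():
        print(f"{name}: {action}")
```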