Terraform-provider-aws: v2.63 and above amending ASG tags when not changed

Created on 5 Jun 2020 · 14Comments · Source: hashicorp/terraform-provider-aws

I've just noticed that when using any provider above v2.62 a plan is reporting changes to auto scaling group tags when no changes are necessary.

v2.62 reports "No changes. Infrastructure is up-to-date."

Update the provider and make no other TF changes

v2.63 reports...
~ aws_autoscaling_group.build_release_agents
tags.0.key: "Environment" => "Name"
tags.0.propagate_at_launch: "true" => "1"
tags.0.value: "build/release" => "cd-ec2-build_release_agent"
tags.1.key: "Name" => "Environment"
tags.1.propagate_at_launch: "true" => "1"
tags.1.value: "cd-ec2-build_release_agent" => "build/release"
tags.2.propagate_at_launch: "true" => "1"

Both v2.64 and v2.65 report...
~ aws_autoscaling_group.build_release_agents
tags.1177997400.%: "0" => "3"
tags.1177997400.key: "" => "Project"
tags.1177997400.propagate_at_launch: "" => "1"
tags.1177997400.value: "" => "Azure DevOps Continuous Delivery"
tags.1427379085.%: "0" => "3"
tags.1427379085.key: "" => "Name"
tags.1427379085.propagate_at_launch: "" => "1"
tags.1427379085.value: "" => "cd-ec2-build_release_agent"
tags.2875147149.%: "3" => "0"
tags.2875147149.key: "Environment" => ""
tags.2875147149.propagate_at_launch: "true" => ""
tags.2875147149.value: "build/release" => ""
tags.3059725845.%: "3" => "0"
tags.3059725845.key: "Project" => ""
tags.3059725845.propagate_at_launch: "true" => ""
tags.3059725845.value: "Azure DevOps Continuous Delivery" => ""
tags.4203851964.%: "3" => "0"
tags.4203851964.key: "Name" => ""
tags.4203851964.propagate_at_launch: "true" => ""
tags.4203851964.value: "cd-ec2-build_release_agent" => ""
tags.877694087.%: "0" => "3"
tags.877694087.key: "" => "Environment"
tags.877694087.propagate_at_launch: "" => "1"
tags.877694087.value: "" => "build/release"

If I apply changes using 2.63/2.64/2.65 they apply ok but the next plan still reports the same changes are required.

Anyone found similar?

bug regression servicautoscaling

Source

andydix

👍9 👀3

All 14 comments

ewbankkit on 5 Jun 2020

👀1 👍1

@andydix Thanks for raising this issue.
Which version of Terraform are you using?

ewbankkit on 5 Jun 2020

I'm still using 0.11.14 at the moment.

andydix on 5 Jun 2020

@andydix Is your configuration something like:

  tags = [
    {
      key                 = "Project"
      value               = "Azure DevOps Continuous Delivery"
      propagate_at_launch = 1
    },
    {
      key                 = "Name"
      value               = "cd-ec2-build_release_agent"
      propagate_at_launch = 1
    },
    {
      key                 = "Environment"
      value               = "build/release"
      propagate_at_launch = 1
    },
  ]

with propagate_at_launch a number or numeric string (e.g. "1") rather than a boolean (true)?

ewbankkit on 5 Jun 2020

I'm actually using a concat/list/map combo like this...

  tags = [
    "${concat(
      list(
        map("key", "Name", "value", "${var.project_tag_acronym}-ec2-build_release_agent", "propagate_at_launch", true)
      ),
      local.asg_common_tags)}",
  ]

andydix on 5 Jun 2020

Oh and the "common" is defined as this...

  asg_common_tags = [
    {
      key                 = "Environment"
      value               = "build/release"
      propagate_at_launch = true
    },
    {
      key                 = "Project"
      value               = "Azure DevOps Continuous Delivery"
      propagate_at_launch = true
    },
  ]

andydix on 5 Jun 2020

This may be due to some of the quirky pre-Terraform 0.12 behavior with types, does it still show differences if you quote true in any configuration going into the tags argument ("true")?

bflad on 5 Jun 2020

Verified that changing true to "true" results in no diff.

resource "aws_autoscaling_group" "test" {
  tags = [
    "${concat(
      list(
        map("key", "Name", "value", "cd-ec2-build_release_agent", "propagate_at_launch", "true")
      ),
      local.asg_common_tags)}",
  ]
}

locals {
  asg_common_tags = [
    {
      key                 = "Environment"
      value               = "build/release"
      propagate_at_launch = "true"
    },
    {
      key                 = "Project"
      value               = "Azure DevOps Continuous Delivery"
      propagate_at_launch = "true"
    },
  ]
}

ewbankkit on 7 Jun 2020

👀1

any movement on this issue @bflad @ewbankkit @andydix ?

muthu-vgh on 22 Jun 2020

Not that I know of.

I've also just noticed something similar happening for security groups on an RDS instance...

vpc_security_group_ids.#:          "1" => "2"
vpc_security_group_ids.0:          "" => ""
vpc_security_group_ids.3547069620: "sg-081da9a6ec834b4b0" => "sg-081da9a6ec834b4b0"

The group hasn't changed in the config and looks like the provider is evaluating a change to ids where none is required.

And this is using v2.67.0 for reference.

andydix on 23 Jun 2020

Fix submitted for the aws_autoscaling_group resource tags handling: https://github.com/terraform-providers/terraform-provider-aws/pull/13912

If there are issues with other attributes in the resource, please file a separate bug report for triage. Thanks.

bflad on 23 Jun 2020

👀1

The fix for this specific scenario has been merged and will release with version 2.69.0 of the Terraform AWS Provider, likely on Thursday. Unfortunately these cases involving Terraform 0.11 and earlier behaviors are harder to test (since our acceptance testing inherently runs using Terraform 0.12's mock handling of the older version), so please do reach out in followup bug reports there are still lingering issues and we will try to address them.

bflad on 1 Jul 2020

👀1

This has been released in version 2.69.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!