When updating the settings of an Elastic Beanstalk environment resource, Terraform does not seem to update the state. Each successive run of `terraform plan` or `terraform apply` indicates the resource needs to be updated, despite it actually being correct on AWS and unchanged in the Terraform code. The output seems to indicate it has to do with the `LoadBalancerHTTPPort` and `SSLCertificateId` settings.
0.7.4
aws_elastic_beanstalk_environment
# Elastic Beanstalk web-tier environment "mercury-api" on the Docker solution stack.
# Every environment option is passed as a setting block (namespace / name / value).
resource "aws_elastic_beanstalk_environment" "mercury_api_develop" {
name = "mercury-api"
application = "${aws_elastic_beanstalk_application.mercury_api.name}"
solution_stack_name = "64bit Amazon Linux 2016.03 v2.1.6 running Docker 1.11.2"
tier = "WebServer"
# VPC settings
setting {
namespace = "aws:ec2:vpc"
name = "VPCId"
value = "${var.vpc_id}"
}
setting {
namespace = "aws:ec2:vpc"
name = "Subnets"
value = "${join(",", var.worker_subnets)}"
}
setting {
namespace = "aws:ec2:vpc"
name = "ELBSubnets"
value = "${join(",", var.elb_subnets)}"
}
# Instances are launched without a public IP address.
setting {
namespace = "aws:ec2:vpc"
name = "AssociatePublicIpAddress"
value = "false"
}
# The load balancer itself is internet-facing.
setting {
namespace = "aws:ec2:vpc"
name = "ELBScheme"
value = "public"
}
# ELB settings
setting {
namespace = "aws:elb:loadbalancer"
name = "CrossZone"
value = "true"
}
# SecurityGroups and ManagedSecurityGroup both reference the same ELB security group.
setting {
namespace = "aws:elb:loadbalancer"
name = "SecurityGroups"
value = "${aws_security_group.mercury_api_elb_sg.id}"
}
setting {
namespace = "aws:elb:loadbalancer"
name = "ManagedSecurityGroup"
value = "${aws_security_group.mercury_api_elb_sg.id}"
}
setting {
namespace = "aws:elb:loadbalancer"
name = "LoadBalancerHTTPSPort"
value = "443"
}
# Requests a plaintext HTTP port next to 443.
# NOTE(review): the plan output reported with this configuration shows the stored
# value as "OFF", so state and configuration disagree about whether port 80 is
# open; check the live listener list and decide whether plain HTTP is wanted.
setting {
namespace = "aws:elb:loadbalancer"
name = "LoadBalancerHTTPPort"
value = "80"
}
# HTTPS at the load balancer with HTTP to the instances: TLS ends at the ELB and
# traffic from the ELB to the instances is unencrypted.
# NOTE(review): the three aws:elb:listener settings below show up as never stored
# ("" => value) in the reported plan; other reporters on this issue got a stable
# plan with the port-qualified namespace aws:elb:listener:443.
setting {
namespace = "aws:elb:listener"
name = "ListenerProtocol"
value = "HTTPS"
}
setting {
namespace = "aws:elb:listener"
name = "InstanceProtocol"
value = "HTTP"
}
setting {
namespace = "aws:elb:listener"
name = "SSLCertificateId"
value = "${var.elb_cert_arn}"
}
# Load balancer access logging to S3.
# NOTE(review): aws:elbv2:* is the Application Load Balancer namespace, while the
# rest of this block uses classic aws:elb:* options. Both settings appear as never
# stored in the reported plan, so confirm access logs are actually being written.
setting {
namespace = "aws:elbv2:loadbalancer"
name = "AccessLogsS3Enabled"
value = "true"
}
setting {
namespace = "aws:elbv2:loadbalancer"
name = "AccessLogsS3Bucket"
value = "${var.access_logs_s3_bucket_name}"
}
# General Beanstalk settings
# Deployments proceed in batches of 30 percent.
setting {
namespace = "aws:elasticbeanstalk:command"
name = "BatchSize"
value = "30"
}
setting {
namespace = "aws:elasticbeanstalk:command"
name = "BatchSizeType"
value = "Percentage"
}
setting {
namespace = "aws:elasticbeanstalk:hostmanager"
name = "LogPublicationControl"
value = "true"
}
# IAM role the Elastic Beanstalk service uses for this environment.
setting {
namespace = "aws:elasticbeanstalk:environment"
name = "ServiceRole"
value = "${var.service_role_name}"
}
# Auto-scaling (EC2 instance) settings
setting {
namespace = "aws:autoscaling:asg"
name = "Availability Zones"
value = "Any 2"
}
setting {
namespace = "aws:autoscaling:asg"
name = "MinSize"
value = "1"
}
# Instance profile attached to the EC2 instances.
setting {
namespace = "aws:autoscaling:launchconfiguration"
name = "IamInstanceProfile"
value = "${var.instance_profile_name}"
}
# TODO: set ec2 instance security groups -ccampo 2016-05-25
setting {
namespace = "aws:autoscaling:launchconfiguration"
name = "SecurityGroups"
value = "${aws_security_group.mercury_api_instance_sg.id}"
}
# EC2 key pair for SSH to the instances.
# NOTE(review): no SSHSourceRestriction is set in this block; confirm which
# sources the instance security group allows on port 22.
setting {
namespace = "aws:autoscaling:launchconfiguration"
name = "EC2KeyName"
value = "${var.key}"
}
setting {
namespace = "aws:autoscaling:launchconfiguration"
name = "InstanceType"
value = "t2.micro"
}
setting {
namespace = "aws:autoscaling:updatepolicy:rollingupdate"
name = "RollingUpdateType"
value = "Health"
}
# Health reporting
setting {
namespace = "aws:elasticbeanstalk:healthreporting:system"
name = "SystemType"
value = "enhanced"
}
tags {
Name = "mercury-api"
Environment = "${var.environment}"
Product = "Mercury"
}
}
~ module.mercury.mercury_api.aws_elastic_beanstalk_environment.mercury_api_develop
setting.#: "22" => "27"
setting.1145997792.name: "SecurityGroups" => "SecurityGroups"
setting.1145997792.namespace: "aws:autoscaling:launchconfiguration" => "aws:autoscaling:launchconfiguration"
setting.1145997792.resource: "" => ""
setting.1145997792.value: "sg-260a9a5c" => "sg-260a9a5c"
setting.1314173431.name: "LoadBalancerHTTPSPort" => "LoadBalancerHTTPSPort"
setting.1314173431.namespace: "aws:elb:loadbalancer" => "aws:elb:loadbalancer"
setting.1314173431.resource: "" => ""
setting.1314173431.value: "443" => "443"
setting.1384328253.name: "ELBScheme" => "ELBScheme"
setting.1384328253.namespace: "aws:ec2:vpc" => "aws:ec2:vpc"
setting.1384328253.resource: "" => ""
setting.1384328253.value: "public" => "public"
setting.1429395430.name: "AssociatePublicIpAddress" => "AssociatePublicIpAddress"
setting.1429395430.namespace: "aws:ec2:vpc" => "aws:ec2:vpc"
setting.1429395430.resource: "" => ""
setting.1429395430.value: "false" => "false"
setting.1489838287.name: "" => "AccessLogsS3Enabled"
setting.1489838287.namespace: "" => "aws:elbv2:loadbalancer"
setting.1489838287.resource: "" => ""
setting.1489838287.value: "" => "true"
setting.1497664210.name: "CrossZone" => "CrossZone"
setting.1497664210.namespace: "aws:elb:loadbalancer" => "aws:elb:loadbalancer"
setting.1497664210.resource: "" => ""
setting.1497664210.value: "true" => "true"
setting.168697961.name: "" => "InstanceProtocol"
setting.168697961.namespace: "" => "aws:elb:listener"
setting.168697961.resource: "" => ""
setting.168697961.value: "" => "HTTP"
setting.1865048766.name: "LogPublicationControl" => "LogPublicationControl"
setting.1865048766.namespace: "aws:elasticbeanstalk:hostmanager" => "aws:elasticbeanstalk:hostmanager"
setting.1865048766.resource: "" => ""
setting.1865048766.value: "true" => "true"
setting.2220815128.name: "VPCId" => "VPCId"
setting.2220815128.namespace: "aws:ec2:vpc" => "aws:ec2:vpc"
setting.2220815128.resource: "" => ""
setting.2220815128.value: "vpc-5752cb30" => "vpc-5752cb30"
setting.2262995125.name: "Availability Zones" => "Availability Zones"
setting.2262995125.namespace: "aws:autoscaling:asg" => "aws:autoscaling:asg"
setting.2262995125.resource: "" => ""
setting.2262995125.value: "Any 2" => "Any 2"
setting.2276893638.name: "RollingUpdateType" => "RollingUpdateType"
setting.2276893638.namespace: "aws:autoscaling:updatepolicy:rollingupdate" => "aws:autoscaling:updatepolicy:rollingupdate"
setting.2276893638.resource: "" => ""
setting.2276893638.value: "Health" => "Health"
setting.2396587397.name: "MinSize" => "MinSize"
setting.2396587397.namespace: "aws:autoscaling:asg" => "aws:autoscaling:asg"
setting.2396587397.resource: "" => ""
setting.2396587397.value: "1" => "1"
setting.2420299722.name: "SystemType" => "SystemType"
setting.2420299722.namespace: "aws:elasticbeanstalk:healthreporting:system" => "aws:elasticbeanstalk:healthreporting:system"
setting.2420299722.resource: "" => ""
setting.2420299722.value: "enhanced" => "enhanced"
setting.2912896423.name: "LoadBalancerHTTPPort" => ""
setting.2912896423.namespace: "aws:elb:loadbalancer" => ""
setting.2912896423.resource: "" => ""
setting.2912896423.value: "OFF" => ""
setting.2972739376.name: "" => "ListenerProtocol"
setting.2972739376.namespace: "" => "aws:elb:listener"
setting.2972739376.resource: "" => ""
setting.2972739376.value: "" => "HTTPS"
setting.3023161937.name: "Subnets" => "Subnets"
setting.3023161937.namespace: "aws:ec2:vpc" => "aws:ec2:vpc"
setting.3023161937.resource: "" => ""
setting.3023161937.value: "subnet-38ffc312,subnet-c4c4288d" => "subnet-38ffc312,subnet-c4c4288d"
setting.3111731957.name: "InstanceType" => "InstanceType"
setting.3111731957.namespace: "aws:autoscaling:launchconfiguration" => "aws:autoscaling:launchconfiguration"
setting.3111731957.resource: "" => ""
setting.3111731957.value: "t2.micro" => "t2.micro"
setting.3180054284.name: "IamInstanceProfile" => "IamInstanceProfile"
setting.3180054284.namespace: "aws:autoscaling:launchconfiguration" => "aws:autoscaling:launchconfiguration"
setting.3180054284.resource: "" => ""
setting.3180054284.value: "mercury-elasticbeanstalk-ec2-role" => "mercury-elasticbeanstalk-ec2-role"
setting.3517974641.name: "" => "AccessLogsS3Bucket"
setting.3517974641.namespace: "" => "aws:elbv2:loadbalancer"
setting.3517974641.resource: "" => ""
setting.3517974641.value: "" => "elasticbeanstalk-us-east-1-927185244192"
setting.3602277136.name: "BatchSize" => "BatchSize"
setting.3602277136.namespace: "aws:elasticbeanstalk:command" => "aws:elasticbeanstalk:command"
setting.3602277136.resource: "" => ""
setting.3602277136.value: "30" => "30"
setting.3665244782.name: "ManagedSecurityGroup" => "ManagedSecurityGroup"
setting.3665244782.namespace: "aws:elb:loadbalancer" => "aws:elb:loadbalancer"
setting.3665244782.resource: "" => ""
setting.3665244782.value: "sg-290a9a53" => "sg-290a9a53"
setting.3895537189.name: "ServiceRole" => "ServiceRole"
setting.3895537189.namespace: "aws:elasticbeanstalk:environment" => "aws:elasticbeanstalk:environment"
setting.3895537189.resource: "" => ""
setting.3895537189.value: "mercury-elasticbeanstalk-service-role" => "mercury-elasticbeanstalk-service-role"
setting.3925075571.name: "ELBSubnets" => "ELBSubnets"
setting.3925075571.namespace: "aws:ec2:vpc" => "aws:ec2:vpc"
setting.3925075571.resource: "" => ""
setting.3925075571.value: "subnet-32ffc318,subnet-d9c42890" => "subnet-32ffc318,subnet-d9c42890"
setting.44009617.name: "EC2KeyName" => "EC2KeyName"
setting.44009617.namespace: "aws:autoscaling:launchconfiguration" => "aws:autoscaling:launchconfiguration"
setting.44009617.resource: "" => ""
setting.44009617.value: "mercury-terraform-key" => "mercury-terraform-key"
setting.478148791.name: "SecurityGroups" => "SecurityGroups"
setting.478148791.namespace: "aws:elb:loadbalancer" => "aws:elb:loadbalancer"
setting.478148791.resource: "" => ""
setting.478148791.value: "sg-290a9a53" => "sg-290a9a53"
setting.747815089.name: "BatchSizeType" => "BatchSizeType"
setting.747815089.namespace: "aws:elasticbeanstalk:command" => "aws:elasticbeanstalk:command"
setting.747815089.resource: "" => ""
setting.747815089.value: "Percentage" => "Percentage"
setting.784312882.name: "" => "LoadBalancerHTTPPort"
setting.784312882.namespace: "" => "aws:elb:loadbalancer"
setting.784312882.resource: "" => ""
setting.784312882.value: "" => "80"
setting.889637335.name: "" => "SSLCertificateId"
setting.889637335.namespace: "" => "aws:elb:listener"
setting.889637335.resource: "" => ""
setting.889637335.value: "" => "arn:aws:iam::REDACTED:server-certificate/REDACTED"
After running `terraform apply`, the next run of `terraform plan` or `terraform apply` should have nothing to update, and exit quietly.
After running `terraform apply`, the next run of `terraform plan` or `terraform apply` says the Elastic Beanstalk resource has changed.
terraform apply
terraform plan
or terraform apply
Hi I am experiencing the same but with a different value in Elastic beanstalk. It's the following that terraform always changes despite the change already being applied which slows down our deployment. This has been present from 0.7.2 up to now.
Terraform v0.7.4
aws_elastic_beanstalk_environment
....
# SSHSourceRestriction limits SSH to the given source; the value has the form
# "protocol,fromPort,toPort,source".
# NOTE(review): in the truncated plan below the stored value has no spaces while
# the configured value uses ", " separators, so the formatting of the variable
# alone keeps this setting in a permanent diff.
setting {
namespace = "aws:autoscaling:launchconfiguration"
name = "SSHSourceRestriction"
value = "${var.ssh_instance_access_security_group_rule}"
}
...
### Terraform Plan truncated output
setting.1225841957.name: "SSHSourceRestriction" => ""
setting.1225841957.namespace: "aws:autoscaling:launchconfiguration" => ""
setting.1225841957.resource: "" => ""
setting.1225841957.value: "tcp,22,22,xx.xxx.xxx.0/22" => ""
....
setting.198953806.name: "" => "SSHSourceRestriction"
setting.198953806.namespace: "" => "aws:autoscaling:launchconfiguration"
setting.198953806.resource: "" => ""
setting.198953806.value: "" => "tcp, 22, 22, xx.xx.xx.0/22"
@parabolic That looks like a normalization issue with the Elastic Beanstalk API. As a temporary workaround, if you have a way to remove the spaces in `${var.ssh_instance_access_security_group_rule}`, that should prevent this issue.
@dharrisio I've just tested it and it works!
Thanks for the fast reply. It now makes perfect sense why it was happening :)
Cheers!
Hi,
this is similar to what @parabolic has experienced, but not quite the same:
# The SSH source here is a security group ID rather than a CIDR.
# NOTE(review): the plan output that follows shows state holding "tcp,22,22,null"
# for this option, so Terraform state cannot be used to confirm the restriction;
# verify the port 22 rule on the instance security group in AWS directly.
setting {
namespace = "aws:autoscaling:launchconfiguration"
name = "SSHSourceRestriction"
value = "tcp,22,22,${aws_security_group.default.id}"
}
Output we're getting is:
setting.1224657411.name: "SSHSourceRestriction" => ""
setting.1224657411.namespace: "aws:autoscaling:launchconfiguration" => ""
setting.1224657411.resource: "" => ""
setting.1224657411.value: "tcp,22,22,null" => ""
...
setting.1750678775.name: "" => "SSHSourceRestriction"
setting.1750678775.namespace: "" => "aws:autoscaling:launchconfiguration"
setting.1750678775.resource: "" => ""
setting.1750678775.value: "" => "tcp,22,22,sg-XXXXX"
Any idea why the security group isn't being kept correctly in the state (but it is applied correctly in the deployment)?
Thanks for the great work!
I had a similar issue, but with the setting MonitoringInterval from the aws:autoscaling:launchconfiguration namespace.
In Terraform I used a value of "1", which the Beanstalk API accepted. The problem was with the returned value, which was "1 minute", causing Terraform to think that there was always a change to be made.
Maybe this could be solved by changing the way the comparison is done or by applying stricter validation to Beanstalk settings.
I have the same issue, but it's from the API returning things in different orders?
1107428000.value: "" => "sg-db7279a1, sg-cd7279b7"
1311926541.name: "RollingUpdateEnabled" => "RollingUpdateEnabled"
1311926541.namespace: "aws:autoscaling:updatepolicy:rollingupdate" => "aws:autoscaling:updatepolicy:rollingupdate"
1311926541.resource: "" => ""
1311926541.value: "true" => "true"
1314173431.name: "" => "LoadBalancerHTTPSPort"
1314173431.namespace: "" => "aws:elb:loadbalancer"
1314173431.resource: "" => ""
1314173431.value: "" => "443"
2705742008.name: "ELBSubnets" => "ELBSubnets"
2705742008.namespace: "aws:ec2:vpc" => "aws:ec2:vpc"
2705742008.resource: "" => ""
2705742008.value: " subnet-ab689397,subnet-2bdb5f62" => "subnet-2bdb5f62, subnet-ab689397"
3495125746.name: "Subnets" => ""
3495125746.namespace: "aws:ec2:vpc" => ""
3495125746.resource: "" => ""
3495125746.value: "subnet-2ddb5f64,subnet-a5689399" => ""
4096723834.name: "" => "Subnets"
4096723834.namespace: "" => "aws:ec2:vpc"
4096723834.resource: "" => ""
4096723834.value: "" => "subnet-2ddb5f64, subnet-a5689399"
477438810.name: "SecurityGroups" => ""
477438810.namespace: "aws:elb:loadbalancer" => ""
477438810.resource: "" => ""
477438810.value: "sg-cd7279b7,sg-db7279a1" => ""
731293825.name: "LoadBalancerHTTPSPort" => ""
731293825.namespace: "aws:elb:loadbalancer" => ""
731293825.resource: "" => ""
731293825.value: "OFF" => ""
Those show changes but they're not actually changes.
My TF looks like:
# Region used by the AWS provider; defaults to us-east-1.
variable "region" {
default = "us-east-1"
}
provider "aws" {
region = "${var.region}"
}
# Reads the outputs of the VPC stack from its state file in S3.
# NOTE(review): state files can contain sensitive values; confirm the bucket is
# private and encrypted and that read access is limited to the stacks that need it.
data "terraform_remote_state" "vpc" {
backend = "s3"
config {
bucket = "xxx"
key = "ops/vpc/terraform.tfstate"
region = "us-east-1"
}
}
# Elastic Beanstalk application that the environment below belongs to.
resource "aws_elastic_beanstalk_application" "app" {
name = "app"
description = "app"
}
# Production Elastic Beanstalk environment on the Python 2.7 solution stack.
# VPC, subnet and security group IDs come from the VPC stack's remote state.
resource "aws_elastic_beanstalk_environment" "app-prod" {
name = "app-prod-1"
application = "${aws_elastic_beanstalk_application.app.name}"
solution_stack_name = "64bit Amazon Linux 2016.03 v2.1.6 running Python 2.7"
# VPC
setting {
namespace = "aws:ec2:vpc"
name = "VPCId"
value = "${data.terraform_remote_state.vpc.vpc_id}"
}
# NOTE(review): the list is joined with ", " (comma plus space). The plan quoted
# with this configuration shows the stored value without the space, which keeps
# this setting in a permanent diff.
setting {
namespace = "aws:ec2:vpc"
name = "Subnets"
value = "${data.terraform_remote_state.vpc.prod_private_subnets.0}, ${data.terraform_remote_state.vpc.prod_private_subnets.1}"
}
# ELB
setting {
namespace = "aws:elb:loadbalancer"
name = "CrossZone"
value = "true"
}
# NOTE(review): same ", " separator as Subnets; the quoted plan also shows the
# stored IDs in a different order from the configured ones.
setting {
namespace = "aws:ec2:vpc"
name = "ELBSubnets"
value = "${data.terraform_remote_state.vpc.prod_public_subnets.0}, ${data.terraform_remote_state.vpc.prod_public_subnets.1}"
}
# NOTE(review): the documented ELBScheme values are "public" and "internal";
# confirm that "external" is accepted and yields the intended exposure.
setting {
namespace = "aws:ec2:vpc"
name = "ELBScheme"
value = "external"
}
# Two security groups on the load balancer, again joined with ", "; the quoted
# plan shows them stored without the space and in a different order.
setting {
namespace = "aws:elb:loadbalancer"
name = "SecurityGroups"
value = "${data.terraform_remote_state.vpc.default_security_group_id}, ${data.terraform_remote_state.vpc.public_security_group_id}"
}
# Port 443 is forwarded as raw TCP to instance port 443. No certificate is
# configured on the load balancer, so any TLS is handled by the instances.
setting {
namespace = "aws:elb:listener:443"
name = "InstancePort"
value = "443"
}
setting {
namespace = "aws:elb:listener:443"
name = "InstanceProtocol"
value = "TCP"
}
setting {
namespace = "aws:elb:listener:443"
name = "ListenerEnabled"
value = "true"
}
setting {
namespace = "aws:elb:listener:443"
name = "ListenerProtocol"
value = "TCP"
}
# NOTE(review): no setting in this block disables the default port 80 listener;
# confirm whether plaintext HTTP is meant to stay reachable.
# Health reporting
setting {
namespace = "aws:elasticbeanstalk:healthreporting:system"
name = "SystemType"
value = "basic"
}
# General Beanstalk settings
setting {
namespace = "aws:elasticbeanstalk:command"
name = "Timeout"
value = "3600"
}
setting {
namespace = "aws:elasticbeanstalk:command"
name = "BatchSize"
value = "30"
}
setting {
namespace = "aws:elasticbeanstalk:command"
name = "BatchSizeType"
value = "Percentage"
}
setting {
namespace = "aws:elasticbeanstalk:hostmanager"
name = "LogPublicationControl"
value = "true"
}
setting {
namespace = "aws:elasticbeanstalk:environment"
name = "ServiceRole"
value = "aws-elasticbeanstalk-service-role"
}
# NOTE(review): this aws:elb:loadbalancer port option overlaps with the
# aws:elb:listener:443 settings above; the quoted plan shows it stored as "OFF",
# and a later comment on this issue describes these options as deprecated.
setting {
namespace = "aws:elb:loadbalancer"
name = "LoadBalancerHTTPSPort"
value = "443"
}
# Auto-scaling (EC2 instance) settings
setting {
namespace = "aws:autoscaling:asg"
name = "Availability Zones"
value = "Any 2"
}
# MinSize and MaxSize are both 1: a single instance.
setting {
namespace = "aws:autoscaling:asg"
name = "MinSize"
value = "1"
}
setting {
namespace = "aws:autoscaling:asg"
name = "MaxSize"
value = "1"
}
setting {
namespace = "aws:autoscaling:launchconfiguration"
name = "IamInstanceProfile"
value = "aws-elasticbeanstalk-ec2-role"
}
setting {
namespace = "aws:autoscaling:launchconfiguration"
name = "SecurityGroups"
value = "${data.terraform_remote_state.vpc.default_security_group_id}"
}
# SSH (tcp/22) is restricted to one CIDR: the first infrastructure private
# subnet block exported by the VPC stack. Written without spaces.
setting {
namespace = "aws:autoscaling:launchconfiguration"
name = "SSHSourceRestriction"
value = "tcp,22,22,${data.terraform_remote_state.vpc.infrastructure_private_subnet_cidr_blocks.0}"
}
setting {
namespace = "aws:autoscaling:launchconfiguration"
name = "EC2KeyName"
value = "app"
}
setting {
namespace = "aws:autoscaling:updatepolicy:rollingupdate"
name = "RollingUpdateType"
value = "Health"
}
setting {
namespace = "aws:autoscaling:updatepolicy:rollingupdate"
name = "RollingUpdateEnabled"
value = "true"
}
setting {
namespace = "aws:autoscaling:updatepolicy:rollingupdate"
name = "MaxBatchSize"
value = "1"
}
setting {
namespace = "aws:autoscaling:launchconfiguration"
name = "InstanceType"
value = "m3.medium"
}
tags {
Name = "app"
Environment = "production"
Managed_by = "terraform"
}
}
👍 I'm having the exact same problem using version 0.7.8
This pr seems to help: https://github.com/hashicorp/terraform/pull/5207
Anything we can do to move it along?
We were having the same problem, and managed to work around the unexpected changes by avoiding the deprecated options from `aws:elb:loadbalancer` and using `aws:elb:listener` instead, as suggested in the AWS documentation: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html#command-options-general-elbloadbalancer
Not 100% sure whether it has to do with the deprecation, but since I spotted those in the terraform configuration I thought I'd mention it:
# The two aws:elb:loadbalancer port options the commenter describes as deprecated
# and replaced with aws:elb:listener settings to stop the repeated diff.
setting {
namespace = "aws:elb:loadbalancer"
name = "LoadBalancerHTTPSPort"
value = "443"
}
setting {
namespace = "aws:elb:loadbalancer"
name = "LoadBalancerHTTPPort"
value = "80"
}
I'm having a similar problem with these three options updating Beanstalk every time, no matter how many times I run `terraform apply`.
# beanstalk-environment.tf
# Access-log and HTTPS listener options that this commenter sees re-planned on
# every run (each appears as "" => value in the plan below).
# NOTE(review): aws:elbv2:* is the Application Load Balancer namespace while the
# listener options use the classic aws:elb:* namespace; since none of the three
# is ever recorded in state, confirm in AWS that logging and HTTPS are in effect.
setting {
namespace = "aws:elbv2:loadbalancer"
name = "AccessLogsS3Enabled"
value = "true"
}
setting {
namespace = "aws:elb:listener"
name = "SSLCertificateId"
value = "${var.qa_elb_cert_arn}"
}
setting {
namespace = "aws:elb:listener"
name = "ListenerProtocol"
value = "HTTPS"
}
# terraform plan
~ aws_elastic_beanstalk_environment.my_environment
...
setting.1489838287.name: "" => "AccessLogsS3Enabled"
setting.1489838287.namespace: "" => "aws:elbv2:loadbalancer"
setting.1489838287.resource: "" => ""
setting.1489838287.value: "" => "true"
...
setting.2128068661.name: "" => "SSLCertificateId"
setting.2128068661.namespace: "" => "aws:elb:listener"
setting.2128068661.resource: "" => ""
setting.2128068661.value: "" => "<cert_arn>"
...
setting.2972739376.name: "" => "ListenerProtocol"
setting.2972739376.namespace: "" => "aws:elb:listener"
setting.2972739376.resource: "" => ""
setting.2972739376.value: "" => "HTTPS"
Having the same problem with anything in the "aws:elb:listener:*" namespace. Terraform v0.8.6
::EDIT::
I think this might be a bug in the AWS web UI instead. After using Terraform to set the values for that namespace, the web UI shows that there are no listeners configured, including the default port 80. However, if I pull the env description using the AWS CLI, everything is configured correctly.
I have the issue as well on this:
``` #code
# Deploy one instance at a time (fixed batch size of 1).
setting {
namespace = "aws:elasticbeanstalk:command"
name = "BatchSizeType"
value = "Fixed"
}
setting {
namespace = "aws:elasticbeanstalk:command"
name = "BatchSize"
value = "1"
}
# NOTE(review): the plan below shows this setting as never stored, so state cannot
# confirm that the plaintext listener is off; check the live load balancer.
setting {
# disable port 80 listener
namespace = "aws:elb:listener"
name = "ListenerEnabled"
value = "false"
}
~ module.myapp.aws_elastic_beanstalk_environment.app
setting.#: "37" => "40"
setting.1610162273.name: "" => "BatchSizeType"
setting.1610162273.namespace: "" => "aws:elasticbeanstalk:command"
setting.1610162273.value: "" => "Fixed"
setting.2175068570.name: "" => "BatchSize"
setting.2175068570.namespace: "" => "aws:elasticbeanstalk:command"
setting.2175068570.value: "" => "1"
setting.3805834681.name: "" => "ListenerEnabled"
setting.3805834681.namespace: "" => "aws:elb:listener"
setting.3805834681.value: "" => "false"
```
This bug is really annoying and it makes managing multiple Beanstalk environments a nuisance.
Currently using this to show only relevant output:
terraform plan | grep -Ev '"([^"]*)" => "\1"'
I was having this issue too, and ended up at this GitHub issue. However, after reading this:
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.managing.elb.html#environments-cfg-loadbalancer-namespace
..and updating my terraform file to this:
```
# Listener layout the commenter reports as producing a stable plan: every
# listener option lives in a port-qualified namespace (aws:elb:listener:<port>).
setting {
namespace = "aws:elb:loadbalancer"
name = "CrossZone"
value = "true"
}
# Port 443: HTTPS at the load balancer, forwarded to the instances as HTTP on
# port 80, so TLS ends at the load balancer.
setting {
namespace = "aws:elb:listener:443"
name = "InstancePort"
value = "80"
}
setting {
namespace = "aws:elb:listener:443"
name = "InstanceProtocol"
value = "HTTP"
}
setting {
namespace = "aws:elb:listener:443"
name = "ListenerEnabled"
value = "true"
}
setting {
namespace = "aws:elb:listener:443"
name = "ListenerProtocol"
value = "HTTPS"
}
# Certificate for the 443 listener (ARN masked by the commenter).
setting {
namespace = "aws:elb:listener:443"
name = "SSLCertificateId"
value = "arn:aws:acm:eu-*-1:**:certificate/*-*---**"
}
# Port 80 listener explicitly disabled, leaving HTTPS as the only entry point.
setting {
namespace = "aws:elb:listener:80"
name = "ListenerEnabled"
value = "false"
}
```
...all is working. Deployed with SSL working as it should, and `terraform plan` responds with nothing to change.
Notice the ":443" namespace, required for the SSLCertificateId.
HTH
FWIW I'm seeing this in aws:autoscaling:launchconfiguration
settings too:
$ terraform --version
Terraform v0.8.7
Using the grep from @mabroor (with some redactions)
setting.1365764062.name: "SSHSourceRestriction" => ""
setting.1365764062.namespace: "aws:autoscaling:launchconfiguration" => ""
setting.1365764062.value: "tcp,22,22,XXX.XXX.XXX.XXX/32" => ""
setting.1869294598.name: "" => "SSHSourceRestriction"
setting.1869294598.namespace: "" => "aws:autoscaling:launchconfiguration"
setting.1869294598.value: "" => "tcp, 22, 22, XXX.XXX.XXX.XXX/32"
setting.3189616.value: "subnet-aaaaaaaa,subnet-bbbbbbbb,subnet-cccccccc" => "subnet-bbbbbbbb,subnet-cccccccc,subnet-aaaaaaaa"
setting.770133729.value: "subnet-dddddddd,subnet-eeeeeeee,subnet-ffffffff" => "subnet-eeeeeeee,subnet-ffffffff,subnet-dddddddd"
I'm guessing the ordering of the subnets, which are aws:ec2:vpc
settings, gets sorted out later in the process as a no-op.
I am seeing this in aws:elasticbeanstalk:application
:
setting.1818064276.name: "" => "Application Healthcheck URL"
setting.1818064276.namespace: "" => "aws:elasticbeanstalk:application"
setting.1818064276.resource: "" => ""
setting.1818064276.value: "" => "HTTP:80/ping"
and aws:elasticbeanstalk:customoption
:
setting.1041833200.name: "" => "EBLogGroup"
setting.1041833200.namespace: "" => "aws:elasticbeanstalk:customoption"
setting.1041833200.resource: "" => ""
setting.1041833200.value: "" => "/aws/elasticbeanstalk/myproject/application"
@pmacdougall At least for the `aws:ec2:vpc`/`Subnets` property, AWS appears to normalize them as sorted in ascending order; I was able to stop Terraform from trying to change that after every `refresh`/`plan`/`apply` cycle by sorting them myself in an interpolation:
# Excerpt: only the Subnets setting is shown, the rest of the resource is elided.
resource "aws_elastic_beanstalk_environment" "main" {
#...
setting {
namespace = "aws:ec2:vpc"
name = "Subnets"
# sort() orders the subnet IDs ascending and join() uses a bare comma, matching
# the form the commenter observed AWS returning, so the plan stays empty.
value = "${join(",", sort(list(aws_subnet.app1.id, aws_subnet.app2.id)))}"
}
#...
}
Thanks @jffry that did help with subnets.
My other issue with SSHSourceRestriction was because I had spaces after the commas in my setting and the API returns it without spaces.
@pmacdougall I thought I would have a fix for the same issue after reading your comment, but removing the spaces between commas didn't do the trick for me. Here's the relevant output:
~ module.foo.aws_elastic_beanstalk_environment.bar
setting.1003115902.name: "" => "SSHSourceRestriction"
setting.1003115902.namespace: "" => "aws:autoscaling:launchconfiguration"
setting.1003115902.resource: "" => ""
setting.1003115902.value: "" => "tcp,22,22,sg-9f9946e4"
setting.1224657411.name: "SSHSourceRestriction" => ""
setting.1224657411.namespace: "aws:autoscaling:launchconfiguration" => ""
setting.1224657411.resource: "" => ""
setting.1224657411.value: "tcp,22,22,null" => ""
Can you confirm that you're not running into this issue anymore?
@stuffandthings I am not running into this anymore, but I am not setting a security group in my SSHSourceRestriction, just a CIDR. Guessing there may be a specific issue with security groups.
Interesting. Thanks for the response!
@stuffandthings just want to say i have the same issue, specifically with just "tcp,22,22,null" to "tcp,22,22,sg-xxxxxxxx"
Any updates?
Regarding every setting in the namespace "aws:elb:listener", I confirm that moving to the "aws:elb:listener:listener_port" variant works.
@mkjois sorry I didn't read up on my notifications! yes, pmacdougall's suggestion worked. I replaced the security group id with just the CIDR and this has been an acceptable workaround for me.
I'm trying to restrict SSH to my beanstalk instances to just a specific bastion host. A CIDR might work if it was just one bastion with one private IP, but it would break down with multiple bastion hosts.
This isn't really high priority for me right now, I've just lived with the plan output always showing the SG difference.