Terraform: Creating multiple TXT `aws_route53_record` resources reports success but fails

Created on 6 Jul 2015  ·  5 Comments  ·  Source: hashicorp/terraform

Using terraform to create Route 53 hosted zones and records, I have the following resources declared:

resource "aws_route53_record" "txt-ms-geteventstore-com" {
    zone_id = "${aws_route53_zone.geteventstore-com.id}"
    name    = "geteventstore.com"
    type    = "TXT"
    records = ["MS=ms18260796"]
    ttl     = "900"
}

resource "aws_route53_record" "txt-v-include-geteventstore-com" {
    zone_id = "${aws_route53_zone.geteventstore-com.id}"
    name    = "geteventstore.com"
    type    = "TXT"
    records = ["v=spf1", "include:spf.protection.outlook.com -all"]
    ttl     = "900"
}

(Multiple records may not be strictly necessary, but this is taken from the Office 365 documentation, so it was natural to attempt.)

According to this post in the AWS forums, multiple TXT records are not allowed, however Terraform reports that they have been successfully created, silently dropping the second. The terraform.tfstate file backs this up:

...
                "aws_route53_record.txt-ms-geteventstore-com": {
                    "type": "aws_route53_record",
                    "depends_on": [
                        "aws_route53_zone.geteventstore-com"
                    ],
                    "primary": {
                        "id": "ZAKV2QDGADOMD_geteventstore.com_TXT",
                        "attributes": {
                            "fqdn": "geteventstore.com",
                            "id": "ZAKV2QDGADOMD_geteventstore.com_TXT",
                            "name": "geteventstore.com",
                            "records.#": "1",
                            "records.368052641": "MS=ms18260796",
                            "ttl": "900",
                            "type": "TXT",
                            "zone_id": "ZAKV2QDGADOMD"
                        }
                    }
                },
                "aws_route53_record.txt-v-include-geteventstore-com": {
                    "type": "aws_route53_record",
                    "depends_on": [
                        "aws_route53_zone.geteventstore-com"
                    ],
                    "primary": {
                        "id": "ZAKV2QDGADOMD_geteventstore.com_TXT",
                        "attributes": {
                            "fqdn": "geteventstore.com",
                            "id": "ZAKV2QDGADOMD_geteventstore.com_TXT",
                            "name": "geteventstore.com",
                            "records.#": "2",
                            "records.2047514737": "v=spf1",
                            "records.4000180378": "include:spf.protection.outlook.com -all",
                            "ttl": "900",
                            "type": "TXT",
                            "zone_id": "ZAKV2QDGADOMD"
                        }
                    }
                },
...

However, the management console UI confirms that only the first record has been created. Should this be considered a bug in terraform's handling of multiple TXT records for the same hosted zone?

Labels: bug, provider/aws

All 5 comments

Hey @jen20 thanks for writing in –

Should this be considered a bug in terraform's handling of multiple TXT records for the same hosted zone?

I'm not really sure, so I'll default to "yes, but..."

Route 53 doesn't have an update endpoint, strictly speaking. They have a PUT, so that explains why this "works"... the second creation overwrites the first. From their vantage, we create it then immediately update it, since all other attributes are the same.

I'm curious though, why two aws_route53_record records here if all the attributes are identical? Can you use ["v=spf1", "include:spf.protection.outlook.com -all", "MS=ms18260796"]?

Following up: Route 53 will do an UPSERT on records (think our aws_route53_record records) that have the same name and type:

You can however combine those into one records list like I mentioned, under a single aws_route53_record resource:

resource "aws_route53_record" "txt-v-include-geteventstore-com" {
    zone_id = "${aws_route53_zone.foo.id}"
    name    = "geteventstore.com"
    type    = "TXT"
    records = ["v=spf1", "include:spf.protection.outlook.com -all", "MS=ms18260796"]
    ttl     = "900"
}

Having said all that, I'm going to close this issue. Unfortunately, Terraform can't do much about this. We can't detect any error here because there is none, according to the API.

Hopefully this helps. Let me know if you have further questions.
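A check for the collision described above, added here as an illustration (it is not part of the issue or of Terraform): it reads a legacy-layout tfstate, constructed below from the excerpt in the issue plus an unrelated MX record, flags every pair of aws_route53_record resources that share the (zone_id, name, type) key Route 53 UPSERTs on, and proposes the single combined records list that one resource should declare instead.

```python
import json
from collections import defaultdict

# Constructed excerpt in the legacy tfstate layout shown in the issue (names and
# ids copied from the post, plus an unrelated MX record that must not be flagged).
STATE_JSON = """{"modules": [{"resources": {
  "aws_route53_record.txt-ms-geteventstore-com": {"type": "aws_route53_record",
    "primary": {"id": "ZAKV2QDGADOMD_geteventstore.com_TXT", "attributes": {
      "name": "geteventstore.com", "type": "TXT", "zone_id": "ZAKV2QDGADOMD",
      "records.#": "1", "records.368052641": "MS=ms18260796"}}},
  "aws_route53_record.txt-v-include-geteventstore-com": {"type": "aws_route53_record",
    "primary": {"id": "ZAKV2QDGADOMD_geteventstore.com_TXT", "attributes": {
      "name": "geteventstore.com", "type": "TXT", "zone_id": "ZAKV2QDGADOMD",
      "records.#": "2", "records.2047514737": "v=spf1",
      "records.4000180378": "include:spf.protection.outlook.com -all"}}},
  "aws_route53_record.mx-geteventstore-com": {"type": "aws_route53_record",
    "primary": {"id": "ZAKV2QDGADOMD_geteventstore.com_MX", "attributes": {
      "name": "geteventstore.com", "type": "MX", "zone_id": "ZAKV2QDGADOMD",
      "records.#": "1", "records.1": "10 mail.example.invalid"}}}}}]}"""


def record_values(attrs):
    """Collect the flattened 'records.<hash>' values of one resource."""
    return [v for k, v in attrs.items()
            if k.startswith("records.") and k != "records.#"]


def find_collisions(state_json):
    """Group aws_route53_record resources by the key Route 53 UPSERTs on:
    (zone_id, name, type). A key claimed by two resources means the later
    apply silently overwrote the earlier one; the API reports no error."""
    groups = defaultdict(list)
    for module in json.loads(state_json).get("modules", []):
        for addr, res in module.get("resources", {}).items():
            if res.get("type") != "aws_route53_record":
                continue
            attrs = res["primary"]["attributes"]
            key = (attrs["zone_id"], attrs["name"].lower().rstrip("."), attrs["type"])
            groups[key].append((addr, record_values(attrs)))
    return {k: v for k, v in groups.items() if len(v) > 1}


def merged_records(state_json):
    """For each collision, the combined records list that a single
    aws_route53_record resource should declare instead (the fix suggested above)."""
    out = {}
    for key, members in find_collisions(state_json).items():
        combined = []
        for _, values in members:
            combined.extend(v for v in values if v not in combined)
        out[key] = combined
    return out
```

Run it against a real state file by replacing STATE_JSON with its contents; an empty result from find_collisions means no two resources compete for the same record set.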

I originally had two records because that's what Microsoft claimed to be necessary (it turns out it isn't, of course).

What would be more helpful than silent failure here is an indication that two resources which are effectively mutually exclusive have been declared - in a much larger deployment than this it would be easy for this to go unnoticed as the plan and run report it was carried out successfully (i.e. you should expect to see two records).

We had the exact same problem -- & there are MANY recommended setups that just tell you to add extra TXT records on your root domain, as some (most?) DNS providers do support this.

Totally agree with @jen20 that specific requirements of specific providers like this should at least generate an error. I only caught this because nothing had changed and plan was swapping these records each time... !

@catsby: Any chance these types of warnings or errors would be supported?

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
