Error: Cycle: - Unsolved Mystery?

Hello, I am currently seeing an Error: Cycle: message after making some additions to an application load balancer module to create access logs. We are using a Terraform Cloud remote backend. The cycle of dependencies in the error message is too large to view with terraform graph.

The error has been seen locally during a plan, and also in Terraform Cloud during a CLI-driven plan and apply. However, this error only happens “sometimes”; other times the plans and applies are healthy. And sometimes, after receiving the cycle error in Terraform Cloud via the CLI, it will still plan and apply successfully via the UI. I’m looking for some possible solutions to try.

Any help and guidance would be greatly appreciated, thank you!

The Error: Cycle: output is attached as a document because it is too long to post inline.
Terraform-Cycle-Error.txt (22.3 KB)

Here is the terraform configuration:
The two pieces that are unique to our infrastructure are the call to the s3 module to create the bucket and the data sources used to look up the AWS caller identity and ELB service account and to build the IAM policy document. We typically do not use data sources.

#alb-access-logs-bucket
module "access_logs_bucket" {
  source  = "app.terraform.io/MyApplication/s3-module/aws"
  version = "~> 1.1.1"

  count = var.access_logs ? 1 : 0

  name        = "${var.project}-access-logs"
  environment = var.environment
}

#alb-access-logs-aws-caller-identity
data "aws_caller_identity" "current" {}

#alb-access-logs-service-account
data "aws_elb_service_account" "elb_account_id" {}

#alb-access-logs-iam-policy-document
data "aws_iam_policy_document" "allow_lb" {
  count = var.access_logs ? 1 : 0
  statement {
    effect = "Allow"
    resources = [
      "${module.access_logs_bucket[0].bucket_arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
    ]
    actions = ["s3:PutObject", "s3:PutObjectAcl"]
    principals {
      type        = "AWS"
      identifiers = [data.aws_elb_service_account.elb_account_id.arn]
    }
  }

  statement {
    effect = "Allow"
    resources = [
      "${module.access_logs_bucket[0].bucket_arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
    ]
    actions = ["s3:PutObject"]
    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }

  statement {
    effect    = "Allow"
    resources = [module.access_logs_bucket[0].bucket_arn]
    actions   = ["s3:GetBucketAcl"]
    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }
  }
}

#alb-access-logs-iam-policy-to-s3
resource "aws_s3_bucket_policy" "lb_logs" {
  count  = var.access_logs ? 1 : 0
  bucket = element(module.access_logs_bucket.*.bucket_name, 0)
  policy = data.aws_iam_policy_document.allow_lb[0].json
}

resource "aws_alb" "environment_lb" {
  name     = "${var.project}-${var.environment}"
  internal = var.internal

  access_logs {
    bucket  = var.access_logs ? module.access_logs_bucket[0].bucket_name : ""
    enabled = var.access_logs
  }

  # ...
}

Hi @quiwest

There are a lot more resources involved in that cycle than you are showing in the example configuration here, so there’s no way to trace out what may be causing the problem from the information shown.

The best clue may be to start from whatever was changed in the configuration that triggered the cycle and work backwards from there. I do see a couple of deposed resource instances in the error output. A guess would be that you changed the order of some dependencies in the configuration while simultaneously causing some of them to be replaced. The instances being replaced could still have the old dependencies stored, causing the cycle.

Hey @jbardin thanks for the reply!

Upon reaching out to HashiCorp support and providing trace logs, the deposed objects you mentioned were pointed out, specifically the following aws_alb_target_group resources:

module.app-module.module.ecs-service.module.alb.aws_alb_target_group.backend (destroy deposed 599b20fa)
module.app-module.module.ecs-service.module.alb.aws_alb_target_group.frontend (destroy deposed d9c132df)

They have been marked as “deposed” because a previous operation to create them before destroying them failed. As the create_before_destroy documentation notes, some resource types have “unique name requirements or other constraints which must be accommodated for both a new and an old object to exist concurrently.”
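In other words (a simplified sketch, not our actual target groups, which do append a suffix, and with placeholder port/protocol/vpc_id values): create_before_destroy needs the new object to exist alongside the old one, which a completely fixed name can prevent:

resource "aws_alb_target_group" "backend" {
  # With a fixed name, the replacement created by create_before_destroy
  # would have to coexist with the old target group under the same name,
  # which the unique-name constraint does not allow.
  name = "${var.project}-${local.backend}-${var.environment}"

  # Placeholder values, just to make the sketch complete.
  port     = 8080
  protocol = "HTTP"
  vpc_id   = var.vpc_id

  lifecycle {
    create_before_destroy = true
  }
}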

However, it was pointed out that the name argument on the aws_alb is not given a unique suffix the way it is in the target groups. Terraform has to figure out how to introduce new target groups and remove the old ones while also dealing with an update to the ALB that both target groups depend on. That complexity can apparently lead to Terraform detecting a cycle it cannot resolve.

This might be apparent from the following (abbreviated) configuration, where the target groups depend on the ALB updates.

resource "aws_alb" "environment_lb" {
  name     = "${var.project}-${var.environment}"
  internal = var.internal

  access_logs {
    bucket  = var.access_logs ? module.access_logs_bucket[0].bucket_name : ""
    enabled = var.access_logs
  }

  tags = {
    Project   = var.project
    Terraform = "true"
  }
}

resource "aws_alb_target_group" "backend" {
  lifecycle {
    create_before_destroy = true
    ignore_changes        = [name]
  }

  name        = "${var.project}-${local.backend}-${var.environment}-${substr(uuid(), 0, 3)}"

  depends_on = [aws_alb.environment_lb]
}

resource "aws_alb_target_group" "frontend" {
  lifecycle {
    create_before_destroy = true
    ignore_changes        = [name]
  }

  name        = "${var.project}-${local.frontend}-${var.environment}-${substr(uuid(), 0, 3)}"

  depends_on = [aws_alb.environment_lb]
}

A potential fix might be to append a random string to the ALB’s name, like the name field in both target groups, possibly using Terraform’s uuid() function, which generates a new UUID each time Terraform runs, and taking the first 3 characters of it with substr(uuid(), 0, 3). This should ensure that the name of the ALB is unique for each deployment, allowing the new ALB to be created before the old one is destroyed without naming conflicts.

For example:

resource "aws_lb" "environment_lb" {
  name     = "${var.project}-${var.environment}-${substr(uuid(), 0, 3)}"
  internal = var.internal
  # ...
}

This is happening exclusively in the production apply, not during the plan or in any apply for our lower environments, which is odd. Would you agree with this thesis and with potentially adding this random string as a solution?

I would not suggest using the uuid() function here, since that would impose a change in value for every plan. The aws_lb has a name_prefix attribute specifically for this case, which will generate a unique name for each instance.
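Something like this, roughly (untested, and the prefix value here is just a placeholder):

resource "aws_lb" "environment_lb" {
  # name_prefix conflicts with name; the provider generates a unique name
  # starting with this prefix, so a replacement can coexist with the old LB.
  # (I believe the prefix needs to be quite short, around 6 characters.)
  name_prefix = "envlb-"
  internal    = var.internal

  access_logs {
    bucket  = var.access_logs ? module.access_logs_bucket[0].bucket_name : ""
    enabled = var.access_logs
  }

  # tags etc. unchanged
}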

That may be enough to avoid the issue most of the time, by preventing unnecessary replacement of the ALB instances. Preventing the extra replacements, however, does not fix whatever underlying problem was causing the cycle.

Good point. Switching to the name_prefix argument is a good suggestion. This is an interesting case, since it is only happening in select environments with the same configuration.

However we were able to solve the problem today.

Overall, we may have had one too many changes happening at once for the “prod” environment to handle, with too many dependencies. Since our prod workspace is not auto-applied in Terraform Cloud, it can become backed up with changes if runs are not manually confirmed.

Knowing from the deposed objects that the ALB was a culprit in the cycle error, we first did a Terraform refresh; in Terraform Cloud that command is terraform apply -refresh-only. After that was successful, we isolated the ALB resource in state with a targeted apply: terraform apply -target=module.app-module.module.ecs-service.module.alb.aws_alb.environment_lb. Once that succeeded, we applied the remaining resources successfully. The Cycle: error is nowhere to be found.
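To recap, the sequence that cleared it for us (the -target address is specific to our modules) was:

terraform apply -refresh-only
terraform apply -target=module.app-module.module.ecs-service.module.alb.aws_alb.environment_lb
terraform apply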

Let’s pray it stays that way, and maybe this helps someone else in the future.

Thank you for your help today @jbardin