Terraform - produced an unexpected new value for resource in aws provider

fran-pastor · December 1, 2022, 10:01pm

Hello community, let me show you some strange behavior I’m having with terraform and aws provider.
Adding a target_group in a load_balancer listener type forward does it correctly but seems doesn’t update the tfstate file.
I show you the data
This is the complete example code, although my idea is to finally use dynamics for target_groups to add several targets_groups, but to reproduce the strange behaviour we can do with this example code:

resource "aws_lb" "loadbalancer" {
  name                             =  "test-lb"
  load_balancer_type     = "application"
  subnets                         = data.aws_subnets.private_ids.ids
  internal                         = true
  enable_cross_zone_load_balancing = true
}

resource "aws_lb_listener" "lb_listener" {
  load_balancer_arn = aws_lb.loadbalancer.arn
  port              = "80"
  protocol          = "HTTP"
  tags              = local.tags
  default_action {
    type = "forward"
    forward {
      target_group {
        arn = aws_lb_target_group.lb_target_group.arn
      }
    }
  }
}

resource "aws_lb_target_group" "lb_target_group" {
  name     = var.name
  port     = 80
  protocol = "HTTP"
  vpc_id   = data.aws_vpc.default.id

  health_check {
    port     = 80
    protocol = "HTTP"
    timeout  = 5
    interval = 10
  }
}

If apply, works correctly, we can check via AWS and all its OK, but if we send another “terraform apply” he suggests me to add another time the target group

  # aws_lb_listener.lb_listener will be updated in-place
  ~ resource "aws_lb_listener" "lb_listener" {
        id                = "arn:aws:elasticloadbalancing:eu-west-1:12345678910:listener/app/test-lb/7a251716cd2e62d3/14f982f493e2146d"
        # (5 unchanged attributes hidden)

      ~ default_action {
          - target_group_arn = "arn:aws:elasticloadbalancing:eu-west-1:12345678910:targetgroup/test-lb/f9b441f1f4207c0f" -> null
            # (2 unchanged attributes hidden)

          + forward {

              + target_group {
                  + arn    = "arn:aws:elasticloadbalancing:eu-west-1:12345678910:targetgroup/test-lb/f9b441f1f4207c0f"
                  + weight = 1
                }
            }
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy

If we check terraform.tfstate we see

      "mode": "managed",
      "type": "aws_lb_listener",
      "name": "lb_listener",
      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "alpn_policy": null,
            "arn": "arn:aws:elasticloadbalancing:eu-west-1:12345678910:listener/app/test-lb/7a251716cd2e62d3/14f982f493e2146d",
            "certificate_arn": null,
            "default_action": [
              {
                "authenticate_cognito": [],
                "authenticate_oidc": [],
                "fixed_response": [],
                "forward": [],
                "order": 1,
                "redirect": [],
                "target_group_arn": "arn:aws:elasticloadbalancing:eu-west-1:123456789010:targetgroup/test-lb/f9b441f1f4207c0f",
                "type": "forward"
              }
            ],

I dont put any value for target_group_arn, i configurated target group via forward that we can see empty in terraform.tfstate

terraform apply with TF_LOG=DEBUG we can get the next WARN

2022-12-01T18:22:17.233+0100 [WARN]  Provider "provider[\"registry.terraform.io/hashicorp/aws\"]" produced an unexpected new value for aws_lb_listener.lb_listener, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .default_action[0].target_group_arn: was null, but now cty.StringVal("arn:aws:elasticloadbalancing:eu-west-1:123456789010:targetgroup/test-lb/f9b441f1f4207c0f")
      - .default_action[0].forward: block count changed from 1 to 0
aws_lb_listener.lb_listener: Modifications complete after 0s [id=arn:aws:elasticloadbalancing:eu-west-1:123456789010:listener/app/test-lb/7a251716cd2e62d3/14f982f493e2146d]
2022-12-01T18:22:17.261+0100 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"

what we can do? this is a bug? our mistake?
Any help is welcome
regards community!

PD: terraform version 1.3.6 (also tested with 1.1.3)
aws provider 0.44.0 (and also tested with 0.36.1)

UPDATE #1: if we add two target_groups the mistake disappears, all works fine, take a look the resutant tfstate file

            "default_action": [
              {
                "authenticate_cognito": [],
                "authenticate_oidc": [],
                "fixed_response": [],
                "forward": [
                  {
                    "stickiness": [
                      {
                        "duration": 0,
                        "enabled": false
                      }
                    ],
                    "target_group": [
                      {
                        "arn": "arn:aws:elasticloadbalancing:eu-west-1:123456789010:targetgroup/potato4/c1fc239d39b13962",
                        "weight": 1
                      },
                      {
                        "arn": "arn:aws:elasticloadbalancing:eu-west-1:123456789010:targetgroup/test-lb/f9b441f1f4207c0f",
                        "weight": 1
                      }
                    ]
                  }
                ],