resource_aws_route53_zone should force a new record when switching from public to private

[blckct]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.8

• provider.aws v1.50.0

Affected Resource(s)

• aws_route53_zone

Steps to Reproduce

1. Create a zone as public by accident:

resource "aws_route53_zone" "local" {
  name = "example.local"
}

2. terraform apply

3. Add vpc

resource "aws_route53_zone" "local" {
name = "example.local"
vpc {
vpc_id = "${var.vpc_id}"
}
}

4. terraform apply

• aws_route53_zone.local: error associating Route53 Hosted Zone (xxxx) to VPC (xxxx: PublicZoneVPCAssociation: Attempting to associate public zone: xxx with vpc: xxxx
  status code: 400, request id: xxxx

Expected output

Terraform should force a new resource when switching from public to private. It used to do that with vpc_id parameter but that got depraciated.

[bflad]

Hi @blckct 👋 Thanks for reporting this. We will plan on fixing this with the removal of the deprecated argument in the next major version update of the Terraform AWS Provider and I have marked this for tracking with that release.

[bflad]

Prerequisite: Issue #7693 / PR #7695

I was hoping to address this at the same time as above, but Terraform 0.11 is having some unexpected behavior with CustomizeDiff (not uncommon 🙁):

Attempted implementation:

// aws/resource_aws_route53_zone.go schema

    CustomizeDiff: customdiff.All(
      customdiff.ForceNewIfChange("vpc", func(old, new, meta interface{}) bool {
        // "vpc" can only be in-place updated if already specified
        return len(old.(*schema.Set).List()) == 0 || len(new.(*schema.Set).List()) == 0
      }),
    ),

// aws/resource_aws_route53_zone_test.go

// Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/7614
func TestAccAWSRoute53Zone_VPC_ForceNewIfChange(t *testing.T) {
  var zone1, zone2, zone3 route53.GetHostedZoneOutput

  rName := acctest.RandomWithPrefix("tf-acc-test")
  resourceName := "aws_route53_zone.test"
  vpcResourceName := "aws_vpc.test1"
  zoneName := fmt.Sprintf("%s.terraformtest.com", rName)

  resource.ParallelTest(t, resource.TestCase{
    PreCheck:     func() { testAccPreCheck(t) },
    Providers:    testAccProviders,
    CheckDestroy: testAccCheckRoute53ZoneDestroy,
    Steps: []resource.TestStep{
      {
        Config: testAccRoute53ZoneConfig(zoneName),
        Check: resource.ComposeTestCheckFunc(
          testAccCheckRoute53ZoneExists(resourceName, &zone1),
          resource.TestCheckResourceAttr(resourceName, "vpc.#", "0"),
        ),
      },
      {
        Config: testAccRoute53ZoneConfigVPCSingle(rName, zoneName),
        Check: resource.ComposeTestCheckFunc(
          testAccCheckRoute53ZoneExists(resourceName, &zone2),
          resource.TestCheckResourceAttr(resourceName, "vpc.#", "1"),
          testAccCheckRoute53ZoneAssociatesWithVpc(vpcResourceName, &zone2),
        ),
      },
      {
        Config: testAccRoute53ZoneConfig(zoneName),
        Check: resource.ComposeTestCheckFunc(
          testAccCheckRoute53ZoneExists(resourceName, &zone3),
          resource.TestCheckResourceAttr(resourceName, "vpc.#", "0"),
        ),
      },
    },
  })
}

Acceptance testing error:

--- FAIL: TestAccAWSRoute53Zone_VPC_ForceNewIfChange (52.34s)
    testing.go:538: Step 1 error: Error applying: 1 error occurred:
        	* aws_route53_zone.test: aws_route53_zone.test: diffs didn't match during apply. This is a bug with Terraform and should be reported as a GitHub Issue.

        Please include the following information in your report:

            Terraform Version: 0.11.9
            Resource ID: aws_route53_zone.test
            Mismatch reason: attribute mismatch: vpc.2118463170.vpc_id
            Diff One (usually from plan): *terraform.InstanceDiff{mu:sync.Mutex{state:0, sema:0x0}, Attributes:map[string]*terraform.ResourceAttrDiff{"name_servers.#":*terraform.ResourceAttrDiff{Old:"4", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "vpc.~2118463170.vpc_region":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "vpc.2118463170.vpc_id":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "vpc.2118463170.vpc_region":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "force_destroy":*terraform.ResourceAttrDiff{Old:"false", New:"false", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "name":*terraform.ResourceAttrDiff{Old:"tf-acc-test-6356618791358131134.terraformtest.com.", New:"tf-acc-test-6356618791358131134.terraformtest.com.", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "comment":*terraform.ResourceAttrDiff{Old:"Managed by Terraform", New:"Managed by Terraform", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "vpc.#":*terraform.ResourceAttrDiff{Old:"0", New:"1", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "vpc.~2118463170.vpc_id":*terraform.ResourceAttrDiff{Old:"", New:"${aws_vpc.test1.id}", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "zone_id":*terraform.ResourceAttrDiff{Old:"Z1AT08GB5RV06G", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}}, Destroy:false, DestroyDeposed:false, DestroyTainted:false, Meta:map[string]interface {}(nil)}
            Diff Two (usually from apply): *terraform.InstanceDiff{mu:sync.Mutex{state:0, sema:0x0}, Attributes:map[string]*terraform.ResourceAttrDiff{"vpc.#":*terraform.ResourceAttrDiff{Old:"", New:"1", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "zone_id":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "name":*terraform.ResourceAttrDiff{Old:"", New:"tf-acc-test-6356618791358131134.terraformtest.com.", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "comment":*terraform.ResourceAttrDiff{Old:"", New:"Managed by Terraform", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "vpc.3803688031.vpc_region":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "vpc.3803688031.vpc_id":*terraform.ResourceAttrDiff{Old:"", New:"vpc-0406819a6dadcf2a0", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "name_servers.#":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "force_destroy":*terraform.ResourceAttrDiff{Old:"", New:"false", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}}, Destroy:false, DestroyDeposed:false, DestroyTainted:false, Meta:map[string]interface {}(nil)}

        Also include as much context as you can about your config, state, and the steps you performed to trigger this error.

The replacement for the Terraform 0.11 diffs didn't match during apply error has much better diagnostic information in Terraform 0.12 so hopefully it can be more easily triaged and resolved after upgrading our upstream Terraform Provider SDK dependency, which is currently slated for after we release version 2.0.0.

The maintainers are trying to remain focused on shipping Terraform AWS Provider version 2.0.0 the next few days and unfortunately this type of bug would not be considered a blocker for the major version release, but we will intend to investigate this afterwards as time permits.

[bflad]

Unfortunately, the Terraform 0.12 Provider SDK still does not handle this specific CustomizeDiff usage as expected, but does yield the newer error messaging:

--- FAIL: TestAccAWSRoute53Zone_VPC_ForceNewIfChange (55.58s)
    testing.go:568: Step 1 error: errors during apply:

        Error: Provider produced inconsistent final plan

        When expanding the plan for aws_route53_zone.test to include new values
        learned so far during apply, provider "aws" produced an invalid new value for
        .vpc: planned set element cty.Value{ty:
        cty.Object(map[string]cty.Type{"vpc_id":cty.String, "vpc_region":cty.String}),
        v: map[string]interface {}{"vpc_id":"", "vpc_region":cty.unknown}} does not
        correlate with any element in actual.

        This is a bug in the provider, which should be reported in the provider's own
        issue tracker.

It may be that setting ForceNew on a configuration block attribute requires additional shims in the Provider SDK or that Terraform Providers are expected for perform extra work for this situation. I submitted an upstream bug report here: https://github.com/hashicorp/terraform/issues/21072

[invidian]

I described possible workaround in https://github.com/hashicorp/terraform/issues/21072#issuecomment-494549431, maybe you could try it?

[bytes-commerce]

I experiencing the same issue. I started working with Terraform when first creating the R53 zones for moving my domain, then creating subnets to connect Redis with the EC2 instance.

Now I cannot assign the new VPC from the default VPC the custom VPC. Might it has something to do with the exposed NS servers that I remember can be configured also on the VPC level?