-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Plan-Time Resource Uniqueness Errors #14394
Comments
3 years now and all of those major issues linked to this and closed have no answers |
Keen on finding out the status of this too. We're looking at adding this feature in to our own provider and it doesn't look possible right now. |
This issue also impacts creation of aws_route resources. aws_route resources should be unique for combination of destination CIDR & rtbl ID. AWS API doesnt catch this, either, which can result in deletion of default routes. |
Feeling the pain with The plan output looks like this (with names/ids redacted).
When I try to combine both into a single
When I try to separate |
I followed a link here from #10824, and it just caused a pretty big headache. We had an sqs queue "created" with the same name as another queue because of a copy/paste error. The when the name mistake was noticed, it was corrected. Once the name was corrected, the original queue was destroyed, breaking the stack. |
Community Note
Description
In any sufficiently large Terraform environment, there is potential for multiple resources to be planned for creation that cannot be successfully applied due to API uniqueness constraints. Operators have repeatedly asked for enhancements to Terraform and Terraform AWS Provider to provide this type of validation at plan-time. This issue serves as a meta-enhancement request to collect community interest around this for prioritization and prevent further issue sprawl with individual resource requests that are harder to collectively prioritize as part of the same effort.
An example Terraform configuration that should generate one of these types of errors:
Resource uniqueness constraints are almost exclusively resource type dependent and in the case of AWS service APIs, may include any number of the following as potential constraints:
Some examples of these uniqueness constraints:
aws_backup_vault
(1name
value per AWS Region per AWS Partition per AWS Account ID)aws_dynamodb_table
(1name
value per AWS Region per AWS Partition per AWS Account ID)aws_ebs_default_kms_key
(1 per AWS Region per AWS Partition per AWS Account ID)aws_ebs_encryption_by_default
(1 per AWS Region per AWS Partition per AWS Account ID)aws_iam_account_alias
(1 per AWS Partition per AWS Account ID)aws_iam_account_password_policy
(1 per AWS Partition per AWS Account ID)aws_iam_group_policy
(1name
value pergroup
value per AWS Partition per AWS Account ID)aws_iam_role_policy
(1name
value perrole
value per AWS Partition per AWS Account ID)aws_iam_user_policy
(1name
value peruser
value per AWS Partition per AWS Account ID)aws_s3_bucket
(1bucket
value per AWS Partition)aws_s3_bucket_notification
(1bucket
value per AWS Partition)aws_s3_bucket_policy
(1bucket
value per AWS Partition)aws_sns_topic
(1name
value per AWS Region per AWS Partition per AWS Account ID)These uniqueness constraints must be checked in various lifecycles of two conflicting resources including:
Only comparing resources in the new, expected Terraform state of any planning operation should cover these cases.
While a provider, such as the Terraform AWS Provider, could implement its own framework for handling this type of issue, it would require some additional amount effort due how Terraform core interoperates with provider resource planning today. Essentially, each provider instance would need to cache (in the
meta
) resource uniqueness keys for individual resources (per resource type) in theirCustomizeDiff
handling and return an error if the cached key already exists. Another consideration is thatCustomizeDiff
does not know about a resource's type, so this would need to be manually synthesized into the resource uniqueness handling.A small effort could be done as a proof of concept implementation in the Terraform AWS Provider, however the Terraform Plugin SDK seems a much better fit to standardize the implementation into resource definitions and for standardizing the error handling. Given this, operators are encouraged to also 👍 the Terraform Plugin SDK issue below, if interested.
References
Related Terraform AWS Provider feature requests:
The text was updated successfully, but these errors were encountered: