After manually deleting an aws_apprunner_custom_domain_association, recreation fails with unexpected state #20222

Closed
lsorber opened this issue Jul 17, 2021 · 9 comments · Fixed by #22569
Labels
bug Addresses a defect in current functionality. service/apprunner Issues and PRs that pertain to the apprunner service.

@lsorber

lsorber commented Jul 17, 2021

Terraform CLI and Terraform AWS Provider Version

Terraform v1.0.2
+ provider registry.terraform.io/hashicorp/aws v3.50.0

Affected Resource(s)

  • aws_apprunner_custom_domain_association

Terraform Configuration Files

Relevant part of our App Runner service module:

# Associate a domain name with the App Runner service.
resource "aws_apprunner_custom_domain_association" "domain_association" {
  count = var.domain_name == null ? 0 : 1
  domain_name = var.domain_name
  enable_www_subdomain = false
  service_arn = aws_apprunner_service.service.arn
}

# Validate the domain name with DNS validation records.
resource "aws_route53_record" "domain_name_validation" {
  count           = var.domain_name == null ? 0 : 2
  allow_overwrite = true
  name            = element(aws_apprunner_custom_domain_association.domain_association[0].certificate_validation_records[*].name, count.index)
  records         = [element(aws_apprunner_custom_domain_association.domain_association[0].certificate_validation_records[*].value, count.index)]
  ttl             = 60
  type            = element(aws_apprunner_custom_domain_association.domain_association[0].certificate_validation_records[*].type, count.index)
  zone_id         = var.hosted_zone_id
}

# Associate the domain name with the App Runner service.
resource "aws_route53_record" "dns_target" {
  count           = var.domain_name == null ? 0 : 1
  allow_overwrite = true
  name            = var.domain_name
  records         = [aws_apprunner_custom_domain_association.domain_association[0].dns_target]
  ttl             = 3600
  type            = "CNAME"
  zone_id         = var.hosted_zone_id
}

Debug Output

│ Error: error waiting for App Runner Custom Domain Association (example.com,arn:aws:apprunner:eu-west-1:XXX:service/example-api/9c508a42c5ad45e7a19f8cb388077180) creation: unexpected state 'binding_certificate', wanted target 'pending_certificate_dns_validation'. last error: %!s(<nil>)
│ 
│   with module.app_runner_service.aws_apprunner_custom_domain_association.domain_association[0],
│   on modules/app_runner_service/main.tf line 136, in resource "aws_apprunner_custom_domain_association" "domain_association":
│  136: resource "aws_apprunner_custom_domain_association" "domain_association" {

Expected Behavior

aws_apprunner_custom_domain_association resource should be created.

Actual Behavior

aws_apprunner_custom_domain_association resource is not created because of unexpected state.

Steps to Reproduce

  1. Create an aws_apprunner_custom_domain_association with Terraform.
  2. Create the DNS records required by (1).
  3. Delete the custom domain association resource manually in AWS Console.
  4. Ask Terraform to recreate the custom domain association resource again and Terraform will produce an error.
@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/apprunner Issues and PRs that pertain to the apprunner service. service/route53 Issues and PRs that pertain to the route53 service. labels Jul 17, 2021
@anGie44 anGie44 added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. service/route53 Issues and PRs that pertain to the route53 service. labels Jul 19, 2021
@shutupflanders

I had this last night, pulled my hair out for hours on it.

I don't think it's a Terraform bug, but more of an AWS bug - if you try to recreate the custom domain link manually in the AWS app runner console, it gives you an empty list of validation records to add.

In the end I had to change the subdomain I was using in aws_apprunner_custom_domain_association.domain_name for it to work.

@nathanblair

For the record, I am getting this when creating a domain association from scratch. The domain association ends up being created on AWS App Runner, and the certificates actually do end up verified. The tf state file even shows the validation records marked as SUCCESS.

@benkraus

Any workaround? Does changing the subdomain and changing it back work? I've completely destroyed everything and recreated it, and still hitting this :(

@johnraz
Contributor

johnraz commented Jan 13, 2022

Hi everyone,
I opened a PR with a fix that seems to fix it --> #22569 - couldn't find any other way to solve the issue...
As I explained on the PR's description, it seems that for some blurry reason the returned state is not always the same and the app_runner module is not able to deal with that...
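
Added example, not part of the thread and not the change made in #22569: a minimal state waiter in Go that reproduces the error text from the Debug Output when the polled status lands on `binding_certificate` instead of the single expected target, next to a call that lists both states as targets. `waitForState`, `contains` and `replay` are hypothetical helpers, the `creating` state is an assumption, and the state sequence is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// waitForState (hypothetical helper) polls next() until it returns a state in
// target. States in pending mean "poll again"; anything else is an error.
func waitForState(next func() string, pending, target []string, maxPolls int) (string, error) {
	for i := 0; i < maxPolls; i++ {
		s := next()
		if contains(target, s) {
			return s, nil
		}
		if !contains(pending, s) {
			return s, fmt.Errorf("unexpected state '%s', wanted target '%s'", s, strings.Join(target, ", "))
		}
	}
	return "", fmt.Errorf("timeout after %d polls", maxPolls)
}

func contains(set []string, s string) bool {
	for _, v := range set {
		if v == s {
			return true
		}
	}
	return false
}

// replay returns a poller over a constructed state sequence (last state repeats).
func replay(states ...string) func() string {
	i := -1
	return func() string {
		if i < len(states)-1 {
			i++
		}
		return states[i]
	}
}

func main() {
	pending := []string{"creating"} // assumed in-progress state
	seq := []string{"creating", "binding_certificate"} // constructed API replies
	_, err := waitForState(replay(seq...), pending, []string{"pending_certificate_dns_validation"}, 10)
	fmt.Println("single target:", err)
	s, err := waitForState(replay(seq...), pending, []string{"pending_certificate_dns_validation", "binding_certificate"}, 10)
	fmt.Println("two targets:  ", s, err)
}
```

A waiter of this shape fails whenever the service reports a state that is in neither list, even though the resource itself was created, which matches the symptom reported above.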

@jvisker

jvisker commented Jan 14, 2022

@johnraz this will make the terraform work, but does the custom domain work? Even when I do it manually in the console the DNS doesn't work.

@johnraz
Contributor

johnraz commented Jan 15, 2022

@jvisker it does result in a correct terraform state and a functioning custom domain association, yes.
You might be facing another issue different from the one I’m getting because on my side the custom domain was always added (even without my fix) but terraform couldn’t validate the resource’s state and update the terraform state accordingly. Also deleting / adding the custom domain association manually always worked too.

@jvisker

jvisker commented Jan 15, 2022

@johnraz I tried it again and I realized I can get it to work manually, just not with terraform on recreation. Great work.

@github-actions github-actions bot added this to the v3.73.0 milestone Jan 18, 2022
@github-actions

This functionality has been released in v3.73.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 18, 2022