
When a ELB policy uses Reference-Security-Policy, the policy_attributes change every time #995

Closed
b-dean opened this issue Jun 28, 2017 · 11 comments · Fixed by #21776
Labels
bug Addresses a defect in current functionality. service/elb Issues and PRs that pertain to the elb service.
Milestone

Comments

@b-dean
Contributor

b-dean commented Jun 28, 2017

Terraform Version

0.9.9

Affected Resource(s)

  • aws_load_balancer_policy

Terraform Configuration Files

variable "subnets" {
  type = "list"
}

variable "aws_account_id" {}

variable "cert-elb" {}

resource "aws_elb" "example" {
  name = "example"
  subnets = ["${var.subnets}"]
  internal = true

  listener {
    instance_port = "8443"
    instance_protocol = "https"
    lb_port = "443"
    lb_protocol = "https"
    ssl_certificate_id = "arn:aws:iam::${var.aws_account_id}:server-certificate/${var.cert-elb}"
  }
}

resource "aws_load_balancer_policy" "example-ssl" {
  load_balancer_name = "${aws_elb.example.name}"
  policy_name = "ssl-policy"
  policy_type_name = "SSLNegotiationPolicyType"

  policy_attribute {
    name = "Reference-Security-Policy"
    value = "ELBSecurityPolicy-TLS-1-2-2017-01"
  }

  // annoying workaround
  //lifecycle {
  //  ignore_changes = ["policy_attribute"]
  //}
}

resource "aws_load_balancer_listener_policy" "example" {
  load_balancer_name = "${aws_elb.example.name}"
  load_balancer_port = 443

  policy_names = [
    "${aws_load_balancer_policy.example-ssl.policy_name}",
  ]
}

Expected Behavior

The ELB policy should be created and subsequent plans shouldn't show it changing (unless it actually changed)

Actual Behavior

After applying, a plan will show policy attributes that are from the referenced policy being removed. I would think that the terraform.tfstate should've known about those as the result of the first apply.

~ aws_load_balancer_policy.example-ssl
    policy_attribute.#:                "15" => "1"
    policy_attribute.1157710355.name:  "ECDHE-RSA-AES128-SHA256" => ""
    policy_attribute.1157710355.value: "true" => ""
    policy_attribute.1162508121.name:  "ECDHE-RSA-AES128-GCM-SHA256" => ""
    policy_attribute.1162508121.value: "true" => ""
    policy_attribute.1374486838.name:  "ECDHE-ECDSA-AES256-GCM-SHA384" => ""
    policy_attribute.1374486838.value: "true" => ""
    policy_attribute.1401804560.name:  "ECDHE-ECDSA-AES256-SHA384" => ""
    policy_attribute.1401804560.value: "true" => ""
    policy_attribute.1636262000.name:  "ECDHE-ECDSA-AES128-GCM-SHA256" => ""
    policy_attribute.1636262000.value: "true" => ""
    policy_attribute.1648049300.name:  "ECDHE-RSA-AES256-SHA384" => ""
    policy_attribute.1648049300.value: "true" => ""
    policy_attribute.1958193559.name:  "ECDHE-ECDSA-AES128-SHA256" => ""
    policy_attribute.1958193559.value: "true" => ""
    policy_attribute.1965037087.name:  "ECDHE-RSA-AES256-GCM-SHA384" => ""
    policy_attribute.1965037087.value: "true" => ""
    policy_attribute.2179956068.name:  "Protocol-TLSv1.2" => ""
    policy_attribute.2179956068.value: "true" => ""
    policy_attribute.2223865434.name:  "AES128-SHA256" => ""
    policy_attribute.2223865434.value: "true" => ""
    policy_attribute.3306698813.name:  "AES256-GCM-SHA384" => ""
    policy_attribute.3306698813.value: "true" => ""
    policy_attribute.3371002872.name:  "Server-Defined-Cipher-Order" => ""
    policy_attribute.3371002872.value: "true" => ""
    policy_attribute.3454672421.name:  "AES256-SHA256" => ""
    policy_attribute.3454672421.value: "true" => ""
    policy_attribute.3802307018.name:  "Reference-Security-Policy" => "Reference-Security-Policy"
    policy_attribute.3802307018.value: "ELBSecurityPolicy-TLS-1-2-2017-01" => "ELBSecurityPolicy-TLS-1-2-2017-01"
    policy_attribute.4117911931.name:  "AES128-GCM-SHA256" => ""
    policy_attribute.4117911931.value: "true" => ""

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply
  2. terraform plan

Workaround

If I uncomment the lifecycle section, then it ignores further changes to the policy_attributes. The downside being that if I actually change them, I have to taint the resource for it to take effect.

References

I ran into this issue as part of a solution to the problem described in #822

@grubernaut grubernaut added the bug Addresses a defect in current functionality. label Jun 28, 2017
@bflad bflad added the service/elb Issues and PRs that pertain to the elb service. label Jan 28, 2018
@yogin

yogin commented Jan 31, 2018

I have the same issue using Terraform v0.9.11
Thanks for the workaround, that works for me.

@hegyre

hegyre commented May 18, 2018

Still having this issue; the workaround, however, sounds great

@007
Contributor

007 commented May 18, 2018

Please use something like #1669 (comment) instead, lifecycle.ignore_changes is sweeping the problem under the rug instead of addressing it. It also won't help to fix the policy if it gets changed out from under you, accidentally or intentionally.
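The behaviour in the original report (the ELB API returning the 15 attributes the reference policy expands to, so the next plan diffs them against the single configured one) and the objection above to hiding it with ignore_changes both come down to how the provider normalizes the attribute set on read. The Go example below is added here and is not the provider's own code or the fix in #21776: it drops the attributes derived from a configured Reference-Security-Policy before comparing, while still flagging an out-of-band change to the reference itself; the PolicyAttribute type, the function names and the sample data are assumptions.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
)

// PolicyAttribute mirrors one ELB PolicyAttributeDescription name/value pair.
type PolicyAttribute struct{ Name, Value string }

const referenceAttr = "Reference-Security-Policy"

// normalizeAttributes returns the attribute set worth storing in state. When
// the configuration pins a Reference-Security-Policy, the ELB API also reports
// the ciphers/protocols the reference expands to; those are derived, so only
// the reference attribute is kept. Output is sorted by name for stable diffs.
func normalizeAttributes(configured, fromAPI []PolicyAttribute) []PolicyAttribute {
	refConfigured := false
	for _, a := range configured {
		refConfigured = refConfigured || a.Name == referenceAttr
	}
	out := make([]PolicyAttribute, 0, len(fromAPI))
	for _, a := range fromAPI {
		if refConfigured && a.Name != referenceAttr {
			continue // expansion of the reference policy, not user-managed
		}
		out = append(out, a)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

// driftDetected reports whether the normalized remote policy still differs from
// the configuration, e.g. the reference policy was changed outside Terraform.
func driftDetected(configured, fromAPI []PolicyAttribute) bool {
	want := normalizeAttributes(configured, configured)
	got := normalizeAttributes(configured, fromAPI)
	return !reflect.DeepEqual(want, got)
}

func main() {
	// Constructed sample modelled on the issue's plan output (3 of its 15 attributes).
	cfg := []PolicyAttribute{{referenceAttr, "ELBSecurityPolicy-TLS-1-2-2017-01"}}
	api := []PolicyAttribute{{"Protocol-TLSv1.2", "true"}, {"ECDHE-RSA-AES128-GCM-SHA256", "true"}, cfg[0]}
	fmt.Println(len(normalizeAttributes(cfg, api)), driftDetected(cfg, api)) // 1 false
}
```

With an explicitly listed cipher set and no reference attribute, every attribute stays user-managed and is kept, so the existing diff behaviour is unchanged for that case.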

@github-actions

github-actions bot commented May 7, 2020

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label May 7, 2020
@JshWright

I am experiencing this issue as well (not generally a fan of this sort of comment, but since this is still very much an active bug, I didn't want to get automatically closed).

@ghost ghost removed the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Jun 1, 2020
@zampettim

Also seeing this issue. Any ideas when this can be resolved?

@haidangwa

This appears to be discussed here, as well: #2867

@jason-o-matic

+1

@lisfo4ka

+1
The same for:

terraform v0.14.10
aws provider 3.40.0

@github-actions

This functionality has been released in v3.73.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 18, 2022