Can't change AWS provider region with existing state #3454
I'm having a little complicated issue with terraform about multi region.
In fact I've created a template to deploy an AWS VPC with several resources such as security groups, iam roles, instances, s3 buckets...
But I have to create one VPC per region with the same configuration (eu-west-1 (Ireland) and us-west-2 (Oregon)).
However there are aws resources which are multi-region (means they are not limited to one region) like iam role, s3 bucket, cloudfront and so on.
Then, I ran terraform apply successfully the first time in "eu-west-1". Now I changed the region to "us-west-2", expecting terraform to create new resources smartly, leaving global/unchanged resources like iam roles, and Route53 registrations..., but the terraform plan and terraform refresh commands fail, trying to access resources not present in the new region. Typically I got this:
For me terraform is trying to access the eu-west-1 dhcpOption in us-west-2 while I thought it would create a new vpc in us-west-2 with its own attributes.
In the meanwhile it's trying to access (maybe to destroy) the s3 bucket present in Ireland (eu-west-1) and got a 301 error.
I hope you're getting what I mean here and someone has already been faced with that, and I would like the best way to achieve what I'm trying to achieve, without duplicating resources and mistakenly destroying resources.
It's a limitation of Terraform right now that it doesn't track the provider settings, like region, on the resources it creates. The Terraform state tracks only the resource ids and not the region they belong to, so the provider configuration is necessary to know the resource where the resources were created.
Therefore it is unfortunately not currently possible to change the AWS region once resources are created, and doing so is likely to result in undesirable behavior since it will (as you saw) attempt to refresh resources from the wrong region. To switch regions it's necessary either to first run
This is a frustrating and counter-intuitive behavior that's tripped me up before too, so I'm going to leave this issue open as a prompt to discuss how Terraform could better support this use-case.
I've got an idea to achieve my need that I would like you to confirm or correct me.
This is my idea :
I know it's not easy, please let me know if you don't understand what I mean.
Thanks a lot for your collaboration.
This is definitely something you can implement provider side. For the Google code I made
@papiveron at work right now we do something like what you described, with a separate Terraform config per region and then one "global" config which creates non-region-specific things like Route53 zones.
The only difference is that we treat each as a completely separate Terraform config that has to be planned and applied separately, rather than using
It's not the most ideal thing but it's been working reasonably well for us so far for things that don't change very often, like our shared network infrastructure (VPCs, etc) and DNS zones.
The idea of allowing the resources themselves to specify/override the region is one I had too. I think it can make sense, but should ideally be implemented in a way that results in minimum duplicated code between resources, and also when the default, provider-level region is used it should still get saved explicitly in the resource so that users can seamlessly switch between provider-level region and resource-level region, without Terraform wanting to recreate the resource.
I think I may be looking at a similar issue, trying to build things in different regions; for me the architecture I need to provision is exactly the same in each region. After struggling with each team member appending the same
Does this sound like a sensible approach? (I'm favoring 2 atm)
This is likely a feature request rather than a bug, depending on how you look at it. I consider this a feature request. This isn't a priority for us right now and because it's been over a year I'm going to close this.
In a future world (enhancement), I can imagine Terraform detecting changed provider configs and giving you some sort of message. But the provider configs themselves have semantics that Terraform will need to understand: changing a region changes a target and thus a whole new state, but changing access keys might be just fine... Also: do we delete the old items? Do we leave them? Do we create a new state?
Due to the magnitude of such questions, I'd consider this a whole new feature.
The point of the state is to track the resources you created with the configured provider. By changing the target of that provider, Terraform will still believe the resources should be there. This is the current behavior and I believe it is correct.
Like I said, this can probably be improved upon but it's a pretty large undertaking and I don't think the demand is quite there to prioritize this. Sorry!
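A pre-flight guard for the behaviour discussed in this thread, as an added example that is not part of the thread and not Terraform's own code: since the state records resource ids but not the region, a wrapper can pin the region next to the state and refuse to plan against a different one once resources exist. The `region.pin` sidecar file and the function names are hypothetical, and the sample state is constructed.

```python
import json
import tempfile
from pathlib import Path

PIN = "region.pin"  # hypothetical sidecar file; not a Terraform feature
# Constructed sample state in the old "modules" layout; the id is a placeholder.
SAMPLE_STATE = {"version": 1, "modules": [{"path": ["root"], "resources": {
    "aws_vpc.main": {"type": "aws_vpc", "primary": {"id": "vpc-00000000"}}}}]}

class RegionMismatch(RuntimeError): pass

def count_resources(state: dict) -> int:
    """Count tracked resources in the v4 ("resources") or older ("modules") layout."""
    if "resources" in state:
        return len(state["resources"])
    return sum(len(m.get("resources", {})) for m in state.get("modules", []))

def check_region(workdir: Path, region: str) -> str:
    """Pin the region on first use; refuse a different one once state has resources."""
    pin, state_file = workdir / PIN, workdir / "terraform.tfstate"
    tracked = count_resources(json.loads(state_file.read_text())) if state_file.exists() else 0
    if pin.exists():
        pinned = pin.read_text().strip()
        if pinned == region:
            return "ok"
        if tracked:
            raise RegionMismatch(f"state holds {tracked} resource(s) created in {pinned}; "
                                 f"refusing to plan against {region}")
    elif tracked:
        return "unpinned"  # state predates the pin: region unknown, caller must decide
    pin.write_text(region + "\n")  # empty state: safe to (re)pin
    return "pinned"

def demo() -> list:
    out = []
    with tempfile.TemporaryDirectory() as d:
        wd = Path(d)
        out.append(check_region(wd, "eu-west-1"))   # nothing created yet
        (wd / "terraform.tfstate").write_text(json.dumps(SAMPLE_STATE))
        out.append(check_region(wd, "eu-west-1"))   # same region as the pin
        try:
            check_region(wd, "us-west-2")           # the region switch from the issue
        except RegionMismatch:
            out.append("blocked")
    return out

if __name__ == "__main__":
    print(demo())
```

Run before `terraform plan` or `terraform apply`, a check like this stops the refresh against the wrong region before it can propose destroying resources that still exist in the original one.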