
aws_ses_receipt_rule.s3store: aws_ses_receipt_rule.s3store: diffs didn't match during apply #6741

Open
iMilnb opened this Issue Dec 6, 2018 · 2 comments

@iMilnb

iMilnb commented Dec 6, 2018

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.10

  • provider.aws v1.51.0
  • provider.null v1.0.0

Affected Resource(s)

  • aws_ses_receipt_rule

Terraform Configuration Files

$ cat route53.tf

provider "aws" {
  profile = "${var.profile}"
  region = "${var.region}"
}

# first create the zone if it does not exist
resource "aws_route53_zone" "data_zone" {
  name = "${var.data_host}${var.root_zone}"
}

# record object to add NS if needed
data "aws_route53_zone" "root_zone" {
  name = "${var.root_zone}"
}

# if zone does not exist, add NS records to parent zone
resource "aws_route53_record" "ns" {
  count = "${var.data_host != "" ? 1 : 0}"
  name = "${aws_route53_zone.data_zone.name}"
  zone_id = "${data.aws_route53_zone.root_zone.zone_id}"
  type = "NS"
  ttl = "${var.ttl}"
  records = ["${aws_route53_zone.data_zone.name_servers}"]
}

resource "aws_route53_record" "ses_verification_record" {
  zone_id = "${aws_route53_zone.data_zone.zone_id}"

  name    = "_amazonses.${aws_route53_zone.data_zone.name}"
  type    = "TXT"
  ttl     = "${var.ttl}"
  records = ["${aws_ses_domain_identity.ses_domain_identity.verification_token}"]
}

# create MX record
resource "aws_route53_record" "data_zone_mx" {
  zone_id = "${aws_route53_zone.data_zone.zone_id}"
  name = "${aws_route53_zone.data_zone.name}"
  type = "MX"
  ttl = "${var.ttl}"

  records = ["5 inbound-smtp.${var.region}.amazonaws.com."]
}

$ cat s3.tf

resource "aws_s3_bucket" "bucket_name" {
  bucket = "${var.bucket_name}"

  force_destroy = true
}

data "aws_caller_identity" "current" {}

# inspired by https://github.com/tuxpower/tf_aws_ses/blob/master/main.tf
resource "aws_s3_bucket_policy" "ses_inbox" {
  bucket = "${aws_s3_bucket.bucket_name.id}"

  policy = <<POLICY
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSESPuts",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "${aws_s3_bucket.bucket_name.arn}/*",
            "Condition": {
                "StringEquals": {
                    "aws:Referer": "${data.aws_caller_identity.current.account_id}"
                }
            }
        }
    ]
}
POLICY
}

resource "aws_s3_bucket_notification" "bucket_notification" {
    bucket = "${aws_s3_bucket.bucket_name.id}"
    lambda_function {
        lambda_function_arn = "${aws_lambda_function.lambda_function.arn}"
        events = ["s3:ObjectCreated:*"]
        filter_prefix = "${var.mail_folder}"
    }
}

$ cat ses.tf

resource "aws_ses_domain_identity" "ses_domain_identity" {
  domain = "${aws_route53_zone.data_zone.name}"
}

resource "aws_ses_receipt_rule_set" "rule_set" {
  rule_set_name = "${var.data_host}${var.root_zone}-rule_set"
}

resource "aws_ses_active_receipt_rule_set" "rule_set" {
  rule_set_name = "${aws_ses_receipt_rule_set.rule_set.id}"
}

resource "aws_ses_receipt_rule" "s3store" {
  depends_on    = ["aws_s3_bucket_policy.ses_inbox", "aws_route53_record.data_zone_mx"]

  name          = "mailtos3"
  rule_set_name = "${aws_ses_receipt_rule_set.rule_set.id}"

  recipients = ["${var.recipient}@${aws_route53_zone.data_zone.name}"]
  enabled      = true
  scan_enabled = false
  s3_action {
    bucket_name = "${aws_s3_bucket.bucket_name.id}"
    object_key_prefix = "${var.mail_folder}"
    position    = 1
  }
}

resource "null_resource" "delete_email" {
  provisioner "local-exec" {
    when    = "destroy"
    command = "aws ses delete-identity --identity ${aws_ses_receipt_rule.s3store.recipients[0]} --profile ${var.profile}"
  }
}

output "warning" {
  value = "Wait until you receive domain verification success email."
}

output "recipient" {
  value = "${aws_ses_receipt_rule.s3store.recipients[0]}"
}

output "s3path" {
  value = "${var.bucket_name}/${var.mail_folder}"
}

Debug Output

https://gist.github.com/iMilnb/3039cb586af94adb097551d13ec707b4

Panic Output

Expected Behavior

Apply complete! Resources: 17 added, 0 changed, 0 destroyed.

Actual Behavior

Error: Error applying plan:

1 error(s) occurred:

* aws_ses_receipt_rule.s3store: aws_ses_receipt_rule.s3store: diffs didn't match during apply. This is a bug with Terraform and should be reported as a GitHub Issue.

Steps to Reproduce

  1. terraform apply

Important Factoids

This misbehavior starts with version 1.42; everything worked as intended until v1.41. I read the Changelog; I have no reference to vpc_id or vpc_region in my tf files.

References

Found no reference to a similar issue.

@bflad


Contributor

bflad commented Dec 6, 2018

Just leaving some notes from briefly looking at this. From the debug logs:

Mismatch reason: attribute mismatch: recipients.2794196360

"recipients.2794196360":*terraform.ResourceAttrDiff{Old:"", New:"test@neovia.red.nbs-aws.com"
"recipients.3977340253":*terraform.ResourceAttrDiff{Old:"", New:"test@neovia.red.nbs-aws.com."

Seems to be related to: (the change, which made the trailing period consistent) #6299, (similar downstream behavior change) #6533 and #6535

My two comments here summarize the problem as it now exists: #6535 (comment)

For this specific issue, a workaround for the diffs didn't match issue would be to strip the trailing period:

resource "aws_ses_receipt_rule" "s3store" {
  # ... other configuration ...

  # strip the trailing period from the zone name before building the recipient address
  recipients = ["${var.recipient}@${replace(aws_route53_zone.data_zone.name, "/\\.$/", "")}"]
}

The fix will likely be to just always strip the trailing period from the attribute when saving it in the Terraform state. This will likely have to wait until 2.0.0 of the AWS provider since it is a major breaking change.
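To make the mismatch in the log excerpt concrete, here is an added Go example (not code from the provider or from either commenter) that keys a recipient set the way Terraform 0.11's schema helper is assumed to (a CRC-32 of the string, as in helper/hashcode) and shows that an address with and without the trailing period lands on different set keys until the period is stripped; the sample addresses are constructed.

```go
package main

import (
	"fmt"
	"hash/crc32"
	"strings"
)

// setKey keys a string set element as Terraform 0.11's helper/schema does
// (hashcode.String, a CRC-32 of the value); assumed to mirror the provider.
func setKey(s string) uint32 {
	return crc32.ChecksumIEEE([]byte(s))
}

// normalizeRecipient drops the trailing period that aws_route53_zone.name
// carries, the same normalization the replace() workaround performs.
func normalizeRecipient(r string) string {
	return strings.TrimSuffix(r, ".")
}

// recipientsMatch reports whether planned and applied recipient sets agree
// once keyed like Terraform keys them, optionally normalizing first.
func recipientsMatch(planned, applied []string, normalize bool) bool {
	keys := func(in []string) map[uint32]bool {
		out := make(map[uint32]bool, len(in))
		for _, r := range in {
			if normalize {
				r = normalizeRecipient(r)
			}
			out[setKey(r)] = true
		}
		return out
	}
	p, a := keys(planned), keys(applied)
	if len(p) != len(a) {
		return false
	}
	for k := range p {
		if !a[k] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample values shaped like the log excerpt in the comment above.
	planned, applied := []string{"test@example.com"}, []string{"test@example.com."}
	fmt.Println("raw:", recipientsMatch(planned, applied, false), "normalized:", recipientsMatch(planned, applied, true))
}
```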

@iMilnb


iMilnb commented Dec 6, 2018

Dang... I spent 3 hours with my eyes stuck on this trace without seeing the trailing '.'. Thanks a lot, this fixes the issue.

@bflad bflad added this to the v2.0.0 milestone Dec 6, 2018
