
AWS loadbalancer- change region #7517

Closed
ghost opened this issue Feb 12, 2019 · 6 comments
Labels
question A question about existing functionality; most questions are re-routed to discuss.hashicorp.com. service/elbv2 Issues and PRs that pertain to the elbv2 service.

Comments

@ghost

ghost commented Feb 12, 2019

This issue was originally opened by @rafaelmarques7 as hashicorp/terraform#20304. It was migrated here as a result of the provider split. The original body of the issue is below.


Hello,

I have a Terraform module that provisions an Auto-Scaling group and all the necessary infrastructure to support it on AWS. Usually, Terraform is quite good at detecting changes in the infrastructure code. However, today I noticed that, if Terraform is managing a load-balancer, a change in the region will lead to an error.

I constructed a minimal example to replicate the error (this example requires a valid AWS profile).
Below I provide all the necessary information to reproduce and debug the error. I will also be available to provide any other information or anything else.

Terraform Version

Terraform v0.11.10
+ provider.aws v1.58.0

Terraform Configuration Files

#                 PROVIDER

provider "aws" {
  region  = "${var.aws-region}"
  profile = "${var.aws-profile}"
}

# =========================================================================================
#                 VARIABLES

variable "aws-region" {
  description = "The AWS region"
  type        = "string"
  default     = "eu-west-2"
}

variable "aws-profile" {
  description = "The name of the AWS shared credentials account."
  type        = "string"
  default     = "ds-web-products-prod"
}

# =========================================================================================
#                 LOAD BALANCER

resource "aws_lb" "alb" {
  name                       = "load-balancer"
  internal                   = false
  load_balancer_type         = "application"
  enable_deletion_protection = false
  subnets                    = ["${aws_subnet.subnet-1.id}", "${aws_subnet.subnet-2.id}"]
}

# =========================================================================================
#                 NETWORKING

resource "aws_vpc" "vpc" {
  cidr_block           = "10.0.0.0/16"
}

resource "aws_subnet" "subnet-1" {
  vpc_id            = "${aws_vpc.vpc.id}"
  cidr_block        = "10.0.0.0/24"
  availability_zone = "${var.aws-region}a"
}

resource "aws_subnet" "subnet-2" {
  vpc_id            = "${aws_vpc.vpc.id}"
  cidr_block        = "10.0.1.0/24"
  availability_zone = "${var.aws-region}b"
}


resource "aws_internet_gateway" "ig" {
  vpc_id = "${aws_vpc.vpc.id}"
}

Debug Output

link: https://gist.github.com/rafaelmarques7/8cab664b14bf9d540252b36b3a000436

Crash Output

Error:

Error: Error refreshing state: 1 error(s) occurred:

* aws_lb.alb: 1 error(s) occurred:

* aws_lb.alb: aws_lb.alb: Error retrieving ALB: ValidationError: 'arn:aws:elasticloadbalancing:eu-west-2:199344973012:loadbalancer/app/load-balancer/6f66de944f6a3699' is not a valid load balancer ARN
        status code: 400, request id: 8c80ce07-2ec4-11e9-a690-1f9798154b2c

Expected Behavior

I would expect Terraform to migrate all the infrastructure to the new region.

Actual Behavior

Terraform throws an error. Nothing happens.

Steps to Reproduce

To replicate the error:

1) run terraform init; terraform apply
2) change the region
3) repeat step 1) which will lead to an error

Additional Context

References

There is an open ticket on stackoverflow: https://stackoverflow.com/questions/54650350/aws-load-balancer-change-region-with-terraform

@nywilken nywilken added service/elbv2 Issues and PRs that pertain to the elbv2 service. question A question about existing functionality; most questions are re-routed to discuss.hashicorp.com. labels Feb 12, 2019
@tomelliff
Contributor

This was also asked at https://stackoverflow.com/questions/54650350/aws-load-balancer-change-region-with-terraform but, as mentioned in my comment there, I'm not sure what Terraform should really do in this situation.

In this particular case it's failing because Terraform, during the refresh, is attempting to find the load balancer by an ARN that includes the previous region which is not valid at the AWS API side so it errors out hard.

I'd expect the same behaviour for any other resource where the Read/Describe call is done by ARN and the ARN includes the region (e.g. not global resources).

I'm less confident what the behaviour is for every other resource. Does it just say it can't find, e.g., an instance with id i-123456789 and so propose creating it, leaving the old resource in the old region orphaned from the state file? This feels like a much worse side effect of using the wrong region than the refresh failing to me, but equally I'm not sure what the best way to handle this is short of explicitly marking regional resources in the state with the region they were created in and erroring if things have changed.

@rafaelmarques7

> In this particular case it's failing because Terraform, during the refresh, is attempting to find the load balancer by an ARN that includes the previous region which is not valid at the AWS API side so it errors out hard.

I believe this explanation does make sense.

> I'm less confident what the behaviour is for every other resource

I hadn't even thought of that before, so I created another minimal Terraform script that just deploys an instance. Your suspicions were correct. Terraform does create a completely new instance in the new region, without deleting the instance in the old region. After verifying this, I checked the state file, and I noticed that it contains only one instance (in the new region).

@tomelliff
Contributor

I'm leaning towards thinking Terraform shouldn't do anything different in this scenario largely because the same argument could be said for running with credentials for a different AWS account or any number of things that Terraform would need to detect the drift on.

That said it is a bit of a footgun and I don't know the best way to educate people on this or to protect around it happening. In my case I call Terraform through some simple shell scripts and hard-code regions for different areas where I'm applying changes to so the region configuration is in code and we protect against different AWS account usage by using the allowed_account_ids parameter on the provider.
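One way to build the pre-flight check described above (record which region a regional resource was created in and error out if the provider's region no longer matches), as an added example that is not part of this thread or of the AWS provider: it reads a Terraform 0.11 (format version 3) state file and compares the region embedded in each stored ARN with the region the provider is about to use, so a wrapper script can refuse to run the refresh. The state document, account id and load balancer id below are constructed placeholders.

```python
import json
import re
from typing import List, Optional, Tuple

# Any AWS ARN: arn:partition:service:region:account:resource. The region
# field is empty for global services (IAM, S3), which this thread notes
# are not affected by a provider region change.
ARN_RE = re.compile(r"arn:[^:]+:[^:]*:(?P<region>[^:]*):[^:]*:")


def arn_region(value: str) -> Optional[str]:
    """Region named in an ARN, or None if the value is not an ARN or is global."""
    m = ARN_RE.match(value)
    return (m.group("region") or None) if m else None


def regional_mismatches(state: dict, configured_region: str) -> List[Tuple[str, str]]:
    """Return (resource address, ARN region) for every resource in a v3 state
    whose stored ARN names a region other than configured_region.
    Resources that store only an opaque id (no ARN) cannot be checked this
    way; that is the case where the thread saw an orphaned instance."""
    findings = []
    for module in state.get("modules", []):
        for address, res in module.get("resources", {}).items():
            primary = res.get("primary", {})
            values = [primary.get("id", "")] + list(primary.get("attributes", {}).values())
            for v in values:
                region = arn_region(v) if isinstance(v, str) else None
                if region and region != configured_region:
                    findings.append((address, region))
                    break  # one finding per resource is enough
    return findings


# Constructed sample state: an ALB created in eu-west-2 plus a VPC with no ARN.
SAMPLE_STATE = json.loads("""{
  "version": 3, "terraform_version": "0.11.10",
  "modules": [{"path": ["root"], "resources": {
    "aws_lb.alb": {"type": "aws_lb", "primary": {
      "id": "arn:aws:elasticloadbalancing:eu-west-2:123456789012:loadbalancer/app/load-balancer/0123456789abcdef",
      "attributes": {"arn": "arn:aws:elasticloadbalancing:eu-west-2:123456789012:loadbalancer/app/load-balancer/0123456789abcdef"}}},
    "aws_vpc.vpc": {"type": "aws_vpc", "primary": {
      "id": "vpc-0a1b2c3d", "attributes": {"cidr_block": "10.0.0.0/16"}}}
  }}]
}""")

if __name__ == "__main__":
    # The state was written in eu-west-2; the provider is now set to eu-west-1.
    for address, region in regional_mismatches(SAMPLE_STATE, "eu-west-1"):
        print(f"{address}: state ARN is in {region}, provider region differs; refusing to refresh")
```

In a wrapper script, run this against `terraform.tfstate` (or the pulled remote state) with the region the script is about to pass to the provider, and stop before `terraform apply` if it reports anything.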

@rafaelmarques7

I understand and, to some degree, I even share the same opinion.

This is an edge case that I doubt happens often. I simply found it by accident, and I was curious about the reasons that led to this behaviour, as it is not what I originally expected.

In any case, I appreciate your support :).

@tracypholmes
Contributor

Thank you for using Terraform and for opening up this question! It appears @tomelliff has provided an answer to your question. Issues on GitHub are intended to be related to bugs or feature requests with the provider codebase. If you'd like additional feedback, please use https://discuss.hashicorp.com/c/terraform-providers for community discussions and questions around Terraform.

If you believe that your issue was miscategorized as a question or closed in error, please create a new issue using one of the following provided templates: bug report or feature request. Please make sure to provide us with the appropriate information so we can best determine how to assist with the given issue.

@ghost
Author

ghost commented Nov 3, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@hashicorp hashicorp locked and limited conversation to collaborators Nov 3, 2019