Backup plan fails to apply updated recovery point tags

[missioncloud]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.13

• provider.aws v2.7.0

Affected Resource(s)

• aws_backup_plan

Terraform Configuration Files

resource "aws_backup_plan" "backup" {
  name = "lance-testing-aws"

  rule {
    rule_name = "lance-testing-aws"
    target_vault_name = "${aws_backup_vault.backup.name}"
    schedule = "cron(0 * * * ? *)"
    recovery_point_tags  {
        Application = "example"
        Environment = "rnd"
    }
    lifecycle {
      cold_storage_after = 0
      delete_after = 3
    }
  }
  tags {
    CreatedBy = "lance"
  }
}

Debug Output

Expected Behavior

Apply should have updated the tags

Actual Behavior

1 error(s) occurred:

* module.aws-backup.aws_backup_plan.backup: 1 error(s) occurred:

* aws_backup_plan.backup: error updating Backup Plan: InvalidParameter: 2 validation error(s) found.
- missing required field, UpdateBackupPlanInput.BackupPlan.Rules[0].RuleName.
- missing required field, UpdateBackupPlanInput.BackupPlan.Rules[0].TargetBackupVaultName.

Steps to Reproduce

1. Launch a new aws_backup_plan resource (terraform apply)
2. Modify the recovery_point_tags attributes - add/change/remove a tag
3. Run terraform apply again

References

This same issue was mentioned in another issue, but it's different from that issue. #8193 (comment)

[ewbankkit]

It looks like resourceAwsPlanRuleHash() doesn't take into account recovery_point_tags values and so changes in this attribute won't be detected.

[caiohasouza]

+1

[alexismosquera]

👍
Facing the same issue.

[zaneeee]

The issue description does not quite capture the severity of the issue. As of AWS provider 2.23.0, if you recovery_point_tags is specified (either via Terraform, the console, or AWS CLI), every single apply to your infrastructure fails, regardless of whether you have modified the recovery_point_tags attribute. Applies even fail if you manually specify the attribute in the console and then apply a Terraform resource that does not have the recovery_point_tags attribute specified!

So here's another way to create the bug:

1. Launch an aws_backup_plan resource without the recovery_point_tags attribute
2. Add the recovery_point_tags attribute to your backup plan in the console or via CLI
3. Run Terraform apply again.

In this case, Terraform should have removed the tags, but the apply still fails with the same error message posted above.

At my organization, tagging snapshots is a requirement, so I cannot use Terraform for AWS backup until this bug is fixed.

[querry43]

I am encountering this with:

Terraform v0.12.12
provider.aws ~> 2.33

I agree with the priority assessment. It is not currently possible to apply any changes. In my case, my org is requiring tagging changes that I cannot provide via terraform.

[ewbankkit]

PR submitted to fix: #10641.

[bflad]

The fixes for these issues has been merged and will release with version 2.34.0 of the Terraform AWS Provider, on Thursday. Thanks to @ewbankkit for the implementation.

[bflad]

This has been released in version 2.34.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!