Can't change subnet on ELB

[hashibot]

This issue was originally opened by @FransUrbo as hashicorp/terraform#14072. It was migrated here as part of the provider split. The original body of the issue is below.

---

I'm converting a ELB to be an external (internal = false) one. That was done in a previous run, but I also realised I need to put it on the/a public network.

So changing the subnet doesn't seem to work.

Terraform Version

0.9.1

Affected Resource(s)

• aws_elb

Terraform Configuration Files

From

  subnets                       = [ # One per AZ
    "${aws_subnet.vpc_subnet_0.id}"
    "${aws_subnet.vpc_subnet_1.id}"
    "${aws_subnet.vpc_subnet_2.id}"
  ]

to

  subnets                       = [
    "${aws_subnet.vpc_subnet_public.id}"
  ]

Gives me:

module.mymodule.aws_elb.myelb: Modifying... (ID: myelb)
  subnets.#:          "3" => "1"
  subnets.12345678902: "subnet-abcdefghi" => ""
  subnets.23456789012: "subnet-bcdefghij" => ""
  subnets.34567890123:  "subnet-cdefghijk" => ""
  subnets.45678901234:  "" => "subnet-defghijkl"
Error applying plan:

1 error(s) occurred:

* module.mymodule.aws_elb.myelb: 1 error(s) occurred:

* aws_elb.myelb: Failure removing ELB subnets: InvalidConfigurationRequest: Requested configuration change for LoadBalancer "myelb" is invalid because you attempted to detach all the subnets for this LoadBalancer and a LoadBalancer cannot be attached to zero subnets in VPC.
        status code: 409, request id: adeeeb86-2c0e-11e7-93ae-92361f002671

Expected Behavior

ELB subnet should be created without failing. ALTERNATIVELY (?) destroyed and created again with the new settings.

Actual Behavior

TF error out.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. Setup ELB with subnet (more than one?)
2. Apply (create) ELB
3. Change subnet (remove all, add another?)
4. Apply (modify) ELB

[ckyoog]

Any update for this issue? I seem to run into it.

[bclodius]

I'm still facing this issue on below versions.

terraform 0.11.1
aws-provider 1.5.0

Edit: I will take a look if this is easy to modify/fix.

Edit 2: I took a stab at reordering Removal and Addition for elb resource. The new problem is that now I get an error regarding Multiple Subnets in same AZ.

Failure adding ELB subnets: InvalidConfigurationRequest: ELB cannot be attached to multiple subnets in the same AZ.

[sebandres]

This still happens on the following versions:

terraform 0.11.6
aws-provider 1.20.0

[zdevi]

Still happens for me too with last version

[icicimov]

Same error:

* aws_elb.my-elb: Failure removing ELB subnets: InvalidConfigurationRequest: Requested configuration change for LoadBalancer "my-elb" is invalid because you attempted to detach all the subnets for this LoadBalancer and a LoadBalancer cannot be attached to zero subnets in VPC.

for terraform v0.11.11 and provider.aws v1.56.0.

Is it that difficult to remove and attach the subnets one-by-one?

[giantryansaul]

I don't expect this will happen to me often, but wouldn't the solution here be to switch Terraform from modifying the ELB to making this a "force replace" scenario?

Another thread recommended just deleting the ELBs in the console and re-running terraform, which seems like a good workaround here.

[aprice]

Another thread recommended just deleting the ELBs in the console and re-running terraform, which seems like a good workaround here.

That sounds like downtime to me. Given that you can change subnets in console without causing any downtime, this seems like an unacceptable workaround.

[giantryansaul]

Fair enough, my situation was moving the ELB from private to public, I wasn't considering that many are likely just switching the same type of subnet. In any case I'd rather have terraform orchestrate this move.

[hackeraks]

Facing the same issue, was there a fix made in later versions?

[going2thecloud]

I am running into similar issue on following version. Any recommendation on how to address this issue?
Terraform v0.12.20

• provider.aws v3.37.0
• provider.okta v3.11.0
• provider.template v2.2.0

Here is the entire plan with error:
[ec2-user@ip-10-15-36-160 jenkins_global_us_west_2]$ terraform apply -target=module.jenkins_server.aws_elb.jenkins
module.jenkins_server.data.aws_subnet.jenkins_subnets[1]: Refreshing state...
module.jenkins_server.data.aws_subnet.jenkins_subnets[2]: Refreshing state...
module.jenkins_server.data.aws_acm_certificate.jenkins: Refreshing state...
module.jenkins_server.data.aws_security_group.jenkins_elb: Refreshing state...
module.jenkins_server.data.aws_subnet.jenkins_subnets[0]: Refreshing state...
module.jenkins_server.aws_elb.jenkins: Refreshing state... [id=some-service-global]

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
~ update in-place

Terraform will perform the following actions:

module.jenkins_server.aws_elb.jenkins will be updated in-place
~ resource "aws_elb" "jenkins" {
arn = "arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/some-service-global"
availability_zones = [
"us-west-2a",
"us-west-2b",
"us-west-2c",
]
connection_draining = true
connection_draining_timeout = 120
cross_zone_load_balancing = true
dns_name = "internal-some-service-global-803337645.us-west-2.elb.amazonaws.com"
id = "some-service-global"
idle_timeout = 60
instances = [
“i-0123456789”,
]
internal = true
name = "some-service-global"
security_groups = [
"sg-09da6626d8cc8ad0e",
]
source_security_group = "123456789012/Jenkins [Access to ELB from Internal]"
source_security_group_id = "sg-09da6626d8cc8ad0e"
~ subnets = [

• "subnet-01ff7b83ffd4d87c1",
• "subnet-028d23162daffa2ba",
• "subnet-02c8f31e7b2469ebe",

• "subnet-09896d524dee84017",
• "subnet-0c646e5831213f8fd",
• "subnet-0ca0a52a1a23386f5",
  ]

zone_id = "Z1H1FL5HABSF5"

health_check {
healthy_threshold = 6
interval = 30
target = "HTTPS:8443/login"
timeout = 5
unhealthy_threshold = 6
}

• listener {
• instance_port = 8443
• instance_protocol = "https"
• lb_port = 443
• lb_protocol = "https"
• ssl_certificate_id = "arn:aws:acm:us-west-2:123456789012:certificate/f07a7118-b479-4bfa-a1af-98d92f6eae9f"
  }

• listener {
• instance_port = 8443 -> null
• instance_protocol = "https" -> null
• lb_port = 443 -> null
• lb_protocol = "https" -> null
• ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/jenkins-wildcard.aws.fico.com" -> null
  }
  }

Plan: 0 to add, 1 to change, 0 to destroy.

Enter a value: yes

module.jenkins_server.aws_elb.jenkins: Modifying... [id=some-service-global]

Error: Failure removing ELB subnets: InvalidConfigurationRequest: Requested configuration change for LoadBalancer "some-service-global" is invalid because you attempted to detach all the subnets for this LoadBalancer and a LoadBalancer cannot be attached to zero subnets in VPC.
status code: 409, request id: fe51e8df-db40-4590-95a2-c45e65aeed2d

[github-actions]

This functionality has been released in v5.4.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.