AWS::Route53 perpetually changing

[voltechs]

Terraform v0.7.7
macOS El Capitan 10.11.6
Homebrew 1.0.8

Terraform Configuration Files

resource "aws_elb" "client-api" {
    name = "${var.namespace}client-api-elb"
    internal = false

    security_groups = ["${aws_security_group.client-api-elb.id}"]
    subnets = ["${aws_subnet.us-west-2a-public.id}", "${aws_subnet.us-west-2b-public.id}"]


    listener {
        instance_port = 80
        instance_protocol = "http"
        lb_port = 80
        lb_protocol = "http"
    }

    listener {
        instance_port = 80
        instance_protocol = "http"
        lb_port = 443
        lb_protocol = "https"
        ssl_certificate_id = "${aws_iam_server_certificate.client-api.arn}"
    }

    health_check {
        healthy_threshold = 4
        unhealthy_threshold = 4
        timeout = 5
        target = "HTTP:80/health"
        interval = 10
    }

    cross_zone_load_balancing = true
    connection_draining = true
    connection_draining_timeout = 300

    tags {
        Name = "${var.environment}-client-api-elb"
        Environment = "${var.environment}"
        Role = "elb"
    }
}

resource "aws_route53_record" "api" {
    zone_id = "${aws_route53_zone.primary.id}"
    name = "api"
    type = "A"

    alias {
        name = "${aws_elb.client-api.dns_name}"
        zone_id = "${aws_elb.client-api.zone_id}"
        evaluate_target_health = true
    }
}

Debug Output

N/A

Expected Behavior

> tf plan
no changes...

Actual Behavior

> tf plan
    alias.3026843650.evaluate_target_health: "true" => "false"
    alias.3026843650.name:                   "dualstack.alpha-client-api-elb-[aws_id].us-west-2.elb.amazonaws.com" => ""
    alias.3026843650.zone_id:                "Z1H1FL5HABSF5" => ""
    alias.912019456.evaluate_target_health:  "" => "true"
    alias.912019456.name:                    "" => "alpha-client-api-elb-[aws_id].us-west-2.elb.amazonaws.com"
    alias.912019456.zone_id:                 "" => "Z33MTJ483KN6FU"

Steps to Reproduce

I'm not quite sure how to reproduce this. All I know is that there seems to be no change to the record but TF insists that there is. I suspect it has something to do with the dualstack prependation. (That's a word now)

Even after a terraform apply, these changes do not stick (it "completes successfully") because next time around it insists on changing them again, or at least trying to.

[stack72]

Hi @voltechs

Thanks for opening the issue here. I have been looking into this this morning (due to the fact that I was the last to change the alias in route53_record). So I have found that this config works as expected:

aws_elb.elb:
  id = 9828-recreation
  access_logs.# = 0
  availability_zones.# = 2
  availability_zones.2050015877 = us-west-2c
  availability_zones.2487133097 = us-west-2a
  connection_draining = true
  connection_draining_timeout = 300
  cross_zone_load_balancing = true
  dns_name = 9828-recreation-1979092307.us-west-2.elb.amazonaws.com
  health_check.# = 1
  health_check.0.healthy_threshold = 4
  health_check.0.interval = 10
  health_check.0.target = HTTP:80/health
  health_check.0.timeout = 5
  health_check.0.unhealthy_threshold = 4
  idle_timeout = 60
  instances.# = 0
  internal = false
  listener.# = 1
  listener.3057123346.instance_port = 80
  listener.3057123346.instance_protocol = http
  listener.3057123346.lb_port = 80
  listener.3057123346.lb_protocol = http
  listener.3057123346.ssl_certificate_id =
  name = 9828-recreation
  security_groups.# = 1
  security_groups.3706565365 = sg-69b2d010
  source_security_group = 187416307283/allow_all
  source_security_group_id = sg-69b2d010
  subnets.# = 2
  subnets.3670202022 = subnet-d981e781
  subnets.4019870460 = subnet-98331bee
  tags.% = 0
  zone_id = Z1H1FL5HABSF5
aws_internet_gateway.foo:
  id = igw-a974f7cd
  tags.% = 0
  vpc_id = vpc-0af51e6d
aws_route53_record.alias:
  id = ZK3M526EV8RVI_api_A
  alias.# = 1
  alias.3455832265.evaluate_target_health = true
  alias.3455832265.name = 9828-recreation-1979092307.us-west-2.elb.amazonaws.com
  alias.3455832265.zone_id = Z1H1FL5HABSF5
  fqdn = api.notexample.com
  health_check_id =
  name = api
  records.# = 0
  set_identifier =
  ttl = 0
  type = A
  zone_id = ZK3M526EV8RVI
aws_route53_zone.main:
  id = ZK3M526EV8RVI
  comment = Managed by Terraform
  force_destroy = false
  name = notexample.com
  name_servers.# = 4
  name_servers.0 = ns-1269.awsdns-30.org
  name_servers.1 = ns-1732.awsdns-24.co.uk
  name_servers.2 = ns-417.awsdns-52.com
  name_servers.3 = ns-633.awsdns-15.net
  tags.% = 0
  zone_id = ZK3M526EV8RVI
aws_security_group.allow_all:
  id = sg-69b2d010
  description = Allow all inbound traffic
  egress.# = 1
  egress.482069346.cidr_blocks.# = 1
  egress.482069346.cidr_blocks.0 = 0.0.0.0/0
  egress.482069346.from_port = 0
  egress.482069346.prefix_list_ids.# = 0
  egress.482069346.protocol = -1
  egress.482069346.security_groups.# = 0
  egress.482069346.self = false
  egress.482069346.to_port = 0
  ingress.# = 1
  ingress.482069346.cidr_blocks.# = 1
  ingress.482069346.cidr_blocks.0 = 0.0.0.0/0
  ingress.482069346.from_port = 0
  ingress.482069346.protocol = -1
  ingress.482069346.security_groups.# = 0
  ingress.482069346.self = false
  ingress.482069346.to_port = 0
  name = allow_all
  owner_id = 187416307283
  tags.% = 0
  vpc_id = vpc-0af51e6d
aws_subnet.bar:
  id = subnet-98331bee
  availability_zone = us-west-2a
  cidr_block = 10.50.10.0/24
  map_public_ip_on_launch = false
  tags.% = 0
  vpc_id = vpc-0af51e6d
aws_subnet.foo:
  id = subnet-d981e781
  availability_zone = us-west-2c
  cidr_block = 10.50.1.0/24
  map_public_ip_on_launch = false
  tags.% = 0
  vpc_id = vpc-0af51e6d
aws_vpc.foo:
  id = vpc-0af51e6d
  cidr_block = 10.50.0.0/16
  default_network_acl_id = acl-d14692b6
  default_route_table_id = rtb-e743f580
  default_security_group_id = sg-c1acceb8
  dhcp_options_id = dopt-11ac7e74
  enable_classiclink = false
  enable_dns_hostnames = false
  enable_dns_support = true
  instance_tenancy = default
  main_route_table_id = rtb-e743f580
  tags.% = 0

Terraform plans don't show anything perpetual diffs.

% terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but
will not be persisted to local or remote state storage.

aws_vpc.foo: Refreshing state... (ID: vpc-0af51e6d)
aws_route53_zone.main: Refreshing state... (ID: ZK3M526EV8RVI)
aws_subnet.bar: Refreshing state... (ID: subnet-98331bee)
aws_subnet.foo: Refreshing state... (ID: subnet-d981e781)
aws_security_group.allow_all: Refreshing state... (ID: sg-69b2d010)
aws_internet_gateway.foo: Refreshing state... (ID: igw-a974f7cd)
aws_elb.elb: Refreshing state... (ID: 9828-recreation)
aws_route53_record.alias: Refreshing state... (ID: ZK3M526EV8RVI_api_A)

No changes. Infrastructure is up-to-date. This means that Terraform
could not detect any differences between your configuration and
the real physical resources that exist. As a result, Terraform
doesn't need to do anything.

###So what is DualStack?

DualStack is actually added to an ELB by the AWS Console. Dualstack is a way to support both IPV4 and IPV6 addresses. If i go to the console and go in and rechose the alias target and save the results set. it then does the following:

Terraform plan then does the following:

~ aws_route53_record.alias
    alias.3455832265.evaluate_target_health: "" => "true"
    alias.3455832265.name:                   "" => "9828-recreation-1979092307.us-west-2.elb.amazonaws.com"
    alias.3455832265.zone_id:                "" => "Z1H1FL5HABSF5"
    alias.814260431.evaluate_target_health:  "true" => "false"
    alias.814260431.name:                    "dualstack.9828-recreation-1979092307.us-west-2.elb.amazonaws.com" => ""
    alias.814260431.zone_id:                 "Z1H1FL5HABSF5" => ""


Plan: 0 to add, 1 to change, 0 to destroy.

Which is exactly what you are seeing!

This comes from the AWS Docs:

ELB Load Balancers
For ELB load balancers, do one of the following:

If you used the same account to create your Amazon Route 53 hosted zone and your load balancer – Choose Alias Target and choose a load balancer from the list. If you have a lot of load balancers, you can type the first few characters of the DNS name to filter the list.
If you used different accounts to create your Amazon Route 53 hosted zone and your load balancer – Enter the value that you got in the procedure Getting the DNS Name for an ELB Load Balancer.
If you used one AWS account to create the current hosted zone and a different account to create a load balancer, the load balancer will not appear in the Alias Targets list.
If you used one account to create the current hosted zone and one or more different accounts to create all of your load balancers, the Alias Targets list shows No Targets Available under Elastic Load Balancers.
In either case, the console prepends dualstack. to the DNS name.

I am looking into a solution

[emk]

I've noticed that one possible cause of perpetually-dirty alias records is a name field with a trailing .. Depending on what other system is producing the name values for the alias record, this can cause the symptoms that you're seeing.

[bdruth]

I'm seeing this as well. I doesn't appear that my name values have a '.' at the end, but I'm using a reference to the dns_name from a terraform aws_elb resource.

Also, not all of my thrash seems to have dualstack addresses references, but some do, which is strange - they're all created the same way. I'm also 99.9% sure that nobody has manually messed with them in the AWS console.

[stack72]

Linked to #9298

[shrinathaithal]

This also seems to happen if you have @ in the name field - which Route53 doesn't recommend. I made this mistake and the . one while moving DNS from Google to Route53, so was getting a bucketful of changes.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.