Error tagging resources #12427
Comments
ghost
mentioned this issue
github-actions
bot
added
the
needs-triage
|
We've started seeing the same thing within the past few days. We tried reverting the aws provider version back a couple versions, no help. |
|
I'm also seeing this issue after switching to terraform AWS provider v2.54 for security groups and KMS keys: |
|
My team has also observed tagging errors after switching to terraform AWS provider v2.52 (we also switched from terraform 0.12.18 to 0.12.23) We often get errors when tagging internet gateways or security groups. See samples below:
We drilled into security group scenario, searched CloudTrail and found that security group and tags are created at exactly the same time (seconds precision) . So it may be that create tag is started before create security group is completed with success (race condition), according to AWS docs it takes some time for security group to propagate. Unfortunately this results in flaky test so it would be great to have it fixed |
bflad
added
bug
…CreateEc2Tags implementation Reference: #11060 Reference: #12427 Reference: https://github.com/terraform-providers/terraform-provider-aws/blob/0c56c9bea1291e77f28ae99c79748251a2e23517/aws/tags.go#L198 The EC2 service has special considerations during resource creation to retry for eventual consistency within the API itself on "NotFound" errors. This switches Terraform resources that cannot tag-on-create due to the lack of EC2 API support to the keyvaluetags implementation that handles this eventual consistency automatically for 5 minutes (or max retries if API is throttling). This retry logic was present prior to the service refactoring to keyvaluetags (although errantly retrying on "NotFound" errors on every update, which may never succeed) and was still present in the `aws_vpc` and `aws_subnet` resources manually in the logic after the refactoring. This refactor also catches cases where the resource `Create` function was depending on the `Update` logic to handle tagging on creation logic. We discourage the usage of `Update` after `Create` for new resources, but this refactor only guards against running the tag update logic rather than bundling more complex resource refactoring into this changeset. Now all EC2 resources are consolidated to similar tagging on creation logic. Output from acceptance testing: ``` ```
…creation Reference: #9953 Reference: #11781 Reference: #12427 (comment) This refactors the resource logic to prevent `Update` after `Create` type logic errors with duplicate API calls (potential error points for eventual consistency): - Setting `description` on creation previously was done once during the `CreateKey` call and again via a separate `UpdateKeyDescription` call - Setting `policy` on creation previously was done once during the `CreateKey` call and again via a separate `PutKeyPolicy` call - Setting `tags` on creation previously was done once during the `CreateKey` call and again via a separate `TagResource` call This also adds eventual consistency retries for reading tags on resource creation and removes the resource `Exists` function, which can be another source of issues and required for the upcoming Terraform Plugin SDK v2. Previously from operator error reports: ``` Error: error listing tags for KMS Key (***): NotFoundException: Key 'arn:aws:kms:***:key/***' does not exist Error: error updating KMS Key (key-123) tags: error tagging resource (key-123): NotFoundException: Key 'arn:aws:kms:us-east-1:1234567890:key/key-123' does not exist ``` Output from acceptance testing: ``` --- PASS: TestAccAWSKmsKey_disappears (14.50s) --- PASS: TestAccAWSKmsKey_asymmetricKey (40.34s) --- PASS: TestAccAWSKmsKey_basic (43.60s) --- PASS: TestAccAWSKmsKey_policy (58.38s) --- PASS: TestAccAWSKmsKey_tags (59.07s) --- PASS: TestAccAWSKmsKey_isEnabled (324.81s) ```
|
This has been released in version 2.57.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks! |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked and limited conversation to collaborators
This issue was originally opened by @vmorkunas as hashicorp/terraform#24395. It was migrated here as a result of the provider split. The original body of the issue is below.
Terraform Version
Terraform v0.12.23
provider.aws v2.53.0
Terraform Configuration Files
Root module
Peering module
Debug Output
Crash Output
error updating EC2 VPC Peering Connection (pcx-0c090a18f48d63647) tags: error tagging resource (pcx-0c090a18f48d63647): InvalidVpcPeeringConnectionID.NotFound: The vpcPeeringConnection ID 'pcx-0c090a18f48d63647' does not exist
Expected Behavior
Resource should be tagged
Actual Behavior
No taggs added and execution stops with error message above
Steps to Reproduce
Issue doesn't occur all the time.
terraform initterraform applyAdditional Context
Many resources, started failing on Tagging step in the resources with the same error - resource not found
The text was updated successfully, but these errors were encountered: