aws_lb_target_group - ValidationError: You cannot specify tags on creation of a GENEVE target group #20144

Closed
tbugfinder opened this issue Jul 12, 2021 · 11 comments · Fixed by #26194
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/elbv2 Issues and PRs that pertain to the elbv2 service. upstream Addresses functionality related to the cloud provider.

@tbugfinder
Contributor

tbugfinder commented Jul 12, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

0.14.11
AWS Provider 3.49.0

Affected Resource(s)

  • aws_lb_target_group

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp
resource "aws_vpc" "security" {
  cidr_block           = "192.168.1.0/24"
  enable_dns_support   = true
  enable_dns_hostnames = true

  tags = {Name = "aws_lb_target_group_test_case"}
}



resource "aws_lb_target_group" "gwlb" {
  name                 = "gwlb"
  port                 = 6081
  protocol             = "GENEVE"
  vpc_id               = aws_vpc.security.id
  target_type          = "instance"
  deregistration_delay = "20"
  health_check {
    interval = 10
    port     = 80
    protocol = "TCP"
  }
  tags = {Name = "aws_lb_target_group_test_case"}
}

Debug Output

Panic Output

Expected Behavior

Resource should be created successfully as it was applied before.

Actual Behavior

Error Message:


       Error: error creating LB Target Group: ValidationError: You cannot specify tags on creation of a GENEVE target group
        status code: 400, request id: dddddddddddddddddddddddddddddd

I didn't get the error when using provider version 3.48.0.

Steps to Reproduce

  1. terraform apply

Important Factoids

References

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/elbv2 Issues and PRs that pertain to the elbv2 service. labels Jul 12, 2021
@tbugfinder
Contributor Author

While playing with the demo-case I also got:

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_lb_target_group.gwlb: Modifying... [id=arn:aws:elasticloadbalancing:eu-west-1:xxxxxxxxxxxxxxxxxx:targetgroup/gwlb/4444440b1e]

Error: error modifying Target Group Attributes: ValidationError: Target group attribute key 'stickiness.enabled' is not recognized
        status code: 400, request id: ddddddddddddddddddddddd

  on main.tf line 27, in resource "aws_lb_target_group" "gwlb":
  27: resource "aws_lb_target_group" "gwlb" {



@madhu2852

I'm also seeing the same error. I think the AWS API might have been updated very recently. I'm unable to create a TG with GENEVE with tags.

@tbugfinder
Contributor Author

Hi @madhu2852,
which provider did you use?

I still see an error with 3.49 but success with 3.48, so I thought it doesn't depend on the AWS API but on the Terraform provider version.

Initializing provider plugins...
- Finding latest version of hashicorp/aws...
- Installing hashicorp/aws v3.49.0...
- Installed hashicorp/aws v3.49.0 (signed by HashiCorp)


$ terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_lb_target_group.gwlb will be created
  + resource "aws_lb_target_group" "gwlb" {
      + arn                                = (known after apply)
      + arn_suffix                         = (known after apply)
      + deregistration_delay               = 20
      + id                                 = (known after apply)
      + lambda_multi_value_headers_enabled = false
      + load_balancing_algorithm_type      = (known after apply)
      + name                               = "gwlb"
      + port                               = 6081
      + preserve_client_ip                 = (known after apply)
      + protocol                           = "GENEVE"
      + protocol_version                   = (known after apply)
      + proxy_protocol_v2                  = false
      + slow_start                         = 0
      + tags                               = {
          + "Name" = "aws_lb_target_group_test_case"
        }
      + tags_all                           = {
          + "Name" = "aws_lb_target_group_test_case"
        }
      + target_type                        = "instance"
      + vpc_id                             = (known after apply)

      + health_check {
          + enabled             = true
          + healthy_threshold   = 3
          + interval            = 10
          + matcher             = (known after apply)
          + path                = (known after apply)
          + port                = "80"
          + protocol            = "TCP"
          + timeout             = (known after apply)
          + unhealthy_threshold = 3
        }

      + stickiness {
          + cookie_duration = (known after apply)
          + cookie_name     = (known after apply)
          + enabled         = (known after apply)
          + type            = (known after apply)
        }
    }

  # aws_vpc.security will be created
  + resource "aws_vpc" "security" {
      + arn                              = (known after apply)
      + assign_generated_ipv6_cidr_block = false
      + cidr_block                       = "192.168.1.0/24"
      + default_network_acl_id           = (known after apply)
      + default_route_table_id           = (known after apply)
      + default_security_group_id        = (known after apply)
      + dhcp_options_id                  = (known after apply)
      + enable_classiclink               = (known after apply)
      + enable_classiclink_dns_support   = (known after apply)
      + enable_dns_hostnames             = true
      + enable_dns_support               = true
      + id                               = (known after apply)
      + instance_tenancy                 = "default"
      + ipv6_association_id              = (known after apply)
      + ipv6_cidr_block                  = (known after apply)
      + main_route_table_id              = (known after apply)
      + owner_id                         = (known after apply)
      + tags                             = {
          + "Name" = "aws_lb_target_group_test_case"
        }
      + tags_all                         = {
          + "Name" = "aws_lb_target_group_test_case"
        }
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_vpc.security: Creating...
aws_vpc.security: Still creating... [10s elapsed]
aws_vpc.security: Creation complete after 15s [id=vpc-1111111111192]
aws_lb_target_group.gwlb: Creating...
╷
│ Error: error creating LB Target Group: ValidationError: You cannot specify tags on creation of a GENEVE target group
│ 	status code: 400, request id: xxxxxxxx-xxxx-xxxx-a4b9-66939cac4bf4
│ 
│   with aws_lb_target_group.gwlb,
│   on main.tf line 11, in resource "aws_lb_target_group" "gwlb":
│   11: resource "aws_lb_target_group" "gwlb" {
│ 
╵


===>> Error

version 3.48:

$ terraform providers

Providers required by configuration:
.
└── provider[registry.terraform.io/hashicorp/aws] 3.48.0

╷



$ terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_lb_target_group.gwlb will be created
  + resource "aws_lb_target_group" "gwlb" {
      + arn                                = (known after apply)
      + arn_suffix                         = (known after apply)
      + deregistration_delay               = 20
      + id                                 = (known after apply)
      + lambda_multi_value_headers_enabled = false
      + load_balancing_algorithm_type      = (known after apply)
      + name                               = "gwlb"
      + port                               = 6081
      + preserve_client_ip                 = (known after apply)
      + protocol                           = "GENEVE"
      + protocol_version                   = (known after apply)
      + proxy_protocol_v2                  = false
      + slow_start                         = 0
      + tags                               = {
          + "Name" = "aws_lb_target_group_test_case"
        }
      + tags_all                           = {
          + "Name" = "aws_lb_target_group_test_case"
        }
      + target_type                        = "instance"
      + vpc_id                             = (known after apply)

      + health_check {
          + enabled             = true
          + healthy_threshold   = 3
          + interval            = 10
          + matcher             = (known after apply)
          + path                = (known after apply)
          + port                = "80"
          + protocol            = "TCP"
          + timeout             = (known after apply)
          + unhealthy_threshold = 3
        }

      + stickiness {
          + cookie_duration = (known after apply)
          + cookie_name     = (known after apply)
          + enabled         = (known after apply)
          + type            = (known after apply)
        }
    }

  # aws_vpc.security will be created
  + resource "aws_vpc" "security" {
      + arn                              = (known after apply)
      + assign_generated_ipv6_cidr_block = false
      + cidr_block                       = "192.168.1.0/24"
      + default_network_acl_id           = (known after apply)
      + default_route_table_id           = (known after apply)
      + default_security_group_id        = (known after apply)
      + dhcp_options_id                  = (known after apply)
      + enable_classiclink               = (known after apply)
      + enable_classiclink_dns_support   = (known after apply)
      + enable_dns_hostnames             = true
      + enable_dns_support               = true
      + id                               = (known after apply)
      + instance_tenancy                 = "default"
      + ipv6_association_id              = (known after apply)
      + ipv6_cidr_block                  = (known after apply)
      + main_route_table_id              = (known after apply)
      + owner_id                         = (known after apply)
      + tags                             = {
          + "Name" = "aws_lb_target_group_test_case"
        }
      + tags_all                         = {
          + "Name" = "aws_lb_target_group_test_case"
        }
    }

Plan: 2 to add, 0 to change, 0 to destroy.
╷
│ Warning: Version constraints inside provider configuration blocks are deprecated
│ 
│   on version.tf line 2, in provider "aws":
│    2:   version = "3.48"
│ 
│ Terraform 0.13 and earlier allowed provider version constraints inside the provider configuration block, but that is now deprecated and will be removed in a
│ future version of Terraform. To silence this warning, move the provider version constraint into the required_providers block.
╵

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_vpc.security: Creating...
aws_vpc.security: Still creating... [10s elapsed]
aws_vpc.security: Creation complete after 14s [id=vpc-11111111111b]
aws_lb_target_group.gwlb: Creating...
aws_lb_target_group.gwlb: Creation complete after 2s [id=arn:aws:elasticloadbalancing:eu-west-1:xxxxxxxxxxx:targetgroup/gwlb/006deb32401adc7501]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.



@tbugfinder
Contributor Author

According to the AWS API docs, the API call is correct but the tags feature isn't implemented on the AWS side.
I'll open an AWS Support Case.

Ref: https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_CreateTargetGroup.html

@breathingdust breathingdust added upstream Addresses functionality related to the cloud provider. enhancement Requests to existing resources that expand the functionality or scope. and removed needs-triage Waiting for first response or review from a maintainer. labels Aug 31, 2021
@ewbankkit
Contributor

Relates: #19888.

@bferris413

We're experiencing this as well. Any updates?

@junior-expert

junior-expert commented Feb 1, 2022

Same here. Please let us know if there is any update on this. Is there any way to exclude resources from getting default tags from the provider?

@rogerscuall

I also have the same problem.

@srikanthgoud1

Any update on the issue, as I am still having issues with provider version 3.74.1?

@github-actions

This functionality has been released in v4.26.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 12, 2022